diff --git a/hack/devtools/deploy-shared-env.sh b/hack/devtools/deploy-shared-env.sh
index e43dfe9749c..cb6909b44a3 100644
--- a/hack/devtools/deploy-shared-env.sh
+++ b/hack/devtools/deploy-shared-env.sh
@@ -83,6 +83,40 @@ deploy_aks_dev() {
 "sshRSAPublicKey=$(/dev/null
 }
+deploy_hive_acr_dev() {
+ echo "########## Deploying Hive ACR in RG $RESOURCEGROUP ##########"
+ local acr_name="${HIVE_ACR_NAME:-arolocaldev${LOCATION}}"
+ az deployment group create \
+ -g "$RESOURCEGROUP" \
+ -n hive-acr \
+ --template-file pkg/deploy/assets/ci-development.json \
+ --parameters "acrName=$acr_name" >/dev/null
+ echo "########## Created ACR: $acr_name ##########"
+}
+
+deploy_hive_acr_cache_and_access() {
+ echo "########## Deploying Hive artifact cache and AKS access in RG $RESOURCEGROUP ##########"
+ local acr_name="${HIVE_ACR_NAME:-arolocaldev${LOCATION}}"
+ local aks_cluster="${AKS_CLUSTER_NAME:-aro-aks-cluster-001}"
+
+ if [ -z "$HIVE_PULL_USERNAME" ] || [ -z "$HIVE_PULL_PASSWORD" ]; then
+ echo "ERROR: HIVE_PULL_USERNAME and HIVE_PULL_PASSWORD must be set"
+ echo "See team wiki for Hive pull secret credentials"
+ return 1
+ fi
+
+ az deployment group create \
+ -g "$RESOURCEGROUP" \
+ -n hive-acr-cache-and-access \
+ --template-file pkg/deploy/assets/hive-acr-cache-and-access.bicep \
+ --parameters \
+ "acrName=$acr_name" \
+ "aksClusterName=$aks_cluster" \
+ "hiveRegistryUsername=$HIVE_PULL_USERNAME" \
+ "hiveRegistryPassword=$HIVE_PULL_PASSWORD" >/dev/null
+ echo "########## Hive artifact cache and AKS access configured for $acr_name ##########"
+}
+
 deploy_vpn_for_dedicated_rp() {
 echo "########## Deploying Dev VPN in RG $RESOURCEGROUP ##########"
 az deployment group create \
diff --git a/hack/hive/hive-generate-config.sh b/hack/hive/hive-generate-config.sh
index 1380c4405e9..578e5bdbb2d 100755
--- a/hack/hive/hive-generate-config.sh
+++ b/hack/hive/hive-generate-config.sh
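Review bot: In deploy_hive_acr_cache_and_access the Quay credentials are placed on the az command line (`"hiveRegistryUsername=$HIVE_PULL_USERNAME"`, `"hiveRegistryPassword=$HIVE_PULL_PASSWORD"`), so they are readable in any local process listing and are echoed verbatim if the script is ever run with `set -x`; the `@secure()` decorator on the template side does not change what argv exposes. Hand them to az through a mode-0600 parameters file created with mktemp (`--parameters "@$params_file"`) and remove it when the function returns. Two smaller points: if this script runs under `set -u`, the guard `[ -z "$HIVE_PULL_USERNAME" ]` aborts with an unset-variable error before the friendly message is printed, so use `"${HIVE_PULL_USERNAME:-}"`; and the two ERROR lines go to stdout rather than `>&2`. I cannot see the script's `set` options or whether jq is already a dependency of the hack scripts, so adjust the JSON step to whatever encoder the repo uses.
```shell
deploy_hive_acr_cache_and_access() {
  # … unchanged: banner, acr_name / aks_cluster defaults …
  if [ -z "${HIVE_PULL_USERNAME:-}" ] || [ -z "${HIVE_PULL_PASSWORD:-}" ]; then
    echo "ERROR: HIVE_PULL_USERNAME and HIVE_PULL_PASSWORD must be set" >&2
    echo "See team wiki for Hive pull secret credentials" >&2
    return 1
  fi

  # Keep the registry credentials out of argv: command lines are visible in
  # process listings and in set -x traces, so pass them to az via a 0600 file.
  local params_file
  params_file=$(mktemp) || return 1
  chmod 600 "$params_file"
  trap 'rm -f -- "$params_file"' RETURN
  jq -n --arg u "$HIVE_PULL_USERNAME" --arg p "$HIVE_PULL_PASSWORD" \
    '{hiveRegistryUsername: {value: $u}, hiveRegistryPassword: {value: $p}}' \
    >"$params_file"

  az deployment group create \
    -g "$RESOURCEGROUP" \
    -n hive-acr-cache-and-access \
    --template-file pkg/deploy/assets/hive-acr-cache-and-access.bicep \
    --parameters "acrName=$acr_name" "aksClusterName=$aks_cluster" \
    --parameters "@$params_file" >/dev/null
  # … unchanged: success banner …
}
```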
@@ -9,14 +9,17 @@ main() {
 trap "cleanup $tmpdir" EXIT
 # This is the commit sha that the image was built from and ensures we use the correct configs for the release
- local -r default_commit="8796c4f534"
+ local -r default_commit="f84d11f6765b20de5a6c66998f2114b6855e94e0"
 local -r hive_image_commit_hash="${1:-$default_commit}"
 log "Using hive commit: $hive_image_commit_hash"
 # shellcheck disable=SC2034
 local -r hive_operator_namespace="hive"
+ # Hive images pulled from ACR via artifact cache rules
+ # Override with HIVE_ACR_REGISTRY (e.g., arosvcdev.azurecr.io for E2E)
 # shellcheck disable=SC2034
- local -r hive_image="arointsvc.azurecr.io/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive:${hive_image_commit_hash}"
+ local -r acr_registry="${HIVE_ACR_REGISTRY:-arolocaldeveastus.azurecr.io}"
+ local -r hive_image="${acr_registry}/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive:${hive_image_commit_hash}"
 # shellcheck disable=SC2034
diff --git a/pkg/deploy/assets/hive-acr-cache-and-access.bicep b/pkg/deploy/assets/hive-acr-cache-and-access.bicep
new file mode 100644
index 00000000000..d9cdbfe3235
--- /dev/null
+++ b/pkg/deploy/assets/hive-acr-cache-and-access.bicep
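Review bot: The new default `arolocaldeveastus.azurecr.io` bakes the eastus registry into this script, while the ACR that deploy-shared-env.sh creates in the same commit is named `arolocaldev${LOCATION}`, so a developer whose LOCATION is not eastus gets a Hive config pointing at a registry that does not exist in their subscription and only finds out when the image pull fails. If LOCATION or HIVE_ACR_NAME is available here, derive the default from the same source, e.g. `local -r acr_registry="${HIVE_ACR_REGISTRY:-${HIVE_ACR_NAME:-arolocaldev${LOCATION:-eastus}}.azurecr.io}"`; otherwise fail fast with a clear message when HIVE_ACR_REGISTRY is unset. The image is still selected by the mutable tag `hive:${hive_image_commit_hash}` and now flows through an ACR cache rule from quay.io, so consider recording the expected image digest next to `default_commit` so that an upstream re-tag cannot silently change what gets deployed. main() continues outside this hunk, and I cannot see whether LOCATION is defined in this file.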
@@ -0,0 +1,77 @@
+// Combined Bicep template for Hive ACR artifact cache and AKS access
+// Deploys credential set, cache rules, and AKS role assignment together
+
+@description('Name of the Azure Container Registry')
+param acrName string
+
+@description('Name of the AKS cluster to grant pull access')
+param aksClusterName string = 'aro-aks-cluster-001'
+
+@description('Username or client ID for Quay.io authentication')
+@secure()
+param hiveRegistryUsername string
+
+@description('Password or client secret for Quay.io authentication')
+@secure()
+param hiveRegistryPassword string
+
+@description('Source repository for Hive images')
+param sourceRepository string = 'quay.io/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive'
+
+@description('Target repository name in ACR')
+param targetRepository string = 'redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive'
+
+var credentialSetName = 'hive-pull-credentials'
+var cacheRuleName = 'hive-cache-rule'
+var aksClusterId = resourceId('Microsoft.ContainerService/managedClusters', aksClusterName)
+var acrResourceId = resourceId('Microsoft.ContainerRegistry/registries', acrName)
+var acrPullRoleDefinitionId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
+
+resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
+ name: acrName
+}
+
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2023-01-01' existing = {
+ name: aksClusterName
+}
+
+resource credentialSet 'Microsoft.ContainerRegistry/registries/credentialSets@2023-01-01-preview' = {
+ parent: acr
+ name: credentialSetName
+ properties: {
+ authCredentials: [
+ {
+ name: 'Credential1'
+ usernameSecretIdentifier: hiveRegistryUsername
+ passwordSecretIdentifier: hiveRegistryPassword
+ }
+ ]
+ loginServer: 'quay.io'
+ }
+}
+
+resource cacheRule 'Microsoft.ContainerRegistry/registries/cacheRules@2023-01-01-preview' = {
+ parent: acr
+ name: cacheRuleName
+ properties: {
+ sourceRepository: sourceRepository
+ targetRepository: targetRepository
+ credentialSetResourceId: credentialSet.id
+ }
+}
+
+resource acrPullRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(aksClusterId, acrResourceId, acrPullRoleDefinitionId)
+ scope: acr
+ properties: {
+ roleDefinitionId: acrPullRoleDefinitionId
+ principalId: aksCluster.properties.identityProfile.kubeletidentity.objectId
+ principalType: 'ServicePrincipal'
+ description: 'Allows AKS cluster to pull Hive images from ACR'
+ }
+}
+
+output credentialSetId string = credentialSet.id
+output cacheRuleId string = cacheRule.id
+output roleAssignmentId string = acrPullRoleAssignment.id
+
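Review bot: `usernameSecretIdentifier` and `passwordSecretIdentifier` on an ACR credential set are Key Vault secret URIs that the registry resolves itself, not the credential values, yet the two parameters feeding them are described as the raw Quay username and password and the calling script in deploy-shared-env.sh passes environment-variable values straight through; as written I would expect the deployment to be rejected or the credential set to come up unusable, so please confirm against the credentialSets schema before merging. The credential set also declares no `identity`, and the registry needs a system-assigned identity, granted read access on the vault (for example Key Vault Secrets User), to fetch those secrets. I would change the descriptions to say the values are Key Vault secret URIs, drop `@secure()` (a URI is not a secret, and the decorator only hides a useful value from the deployment log), and add the identity block, keeping the parameter names so the caller only has to change what it passes. The vault-side role assignment cannot live in this template without a vault reference, so it needs a documented separate step.
```bicep
@description('Key Vault secret URI holding the Quay.io username (the registry reads the secret itself)')
param hiveRegistryUsername string

@description('Key Vault secret URI holding the Quay.io password or client secret')
param hiveRegistryPassword string

// … unchanged: remaining params, vars, existing acr / aksCluster resources …

resource credentialSet 'Microsoft.ContainerRegistry/registries/credentialSets@2023-01-01-preview' = {
  parent: acr
  name: credentialSetName
  // The registry fetches the two secrets from Key Vault with this identity;
  // grant it read access on the vault in a separate step.
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    authCredentials: [
      {
        name: 'Credential1'
        usernameSecretIdentifier: hiveRegistryUsername
        passwordSecretIdentifier: hiveRegistryPassword
      }
    ]
    loginServer: 'quay.io'
  }
}

// … unchanged: cacheRule, acrPullRoleAssignment, outputs …
```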