Hive upgrade artifact cache

hack/devtools/deploy-shared-env.sh

@@ -83,6 +83,40 @@ deploy_aks_dev() {
             "sshRSAPublicKey=$(<secrets/proxy_id_rsa.pub)" >/dev/null
 }
 
+deploy_hive_acr_dev() {
+    echo "########## Deploying Hive ACR in RG $RESOURCEGROUP ##########"
+    local acr_name="${HIVE_ACR_NAME:-arolocaldev${LOCATION}}"
+    az deployment group create \
+        -g "$RESOURCEGROUP" \
+        -n hive-acr \
+        --template-file pkg/deploy/assets/ci-development.json \
+        --parameters "acrName=$acr_name" >/dev/null
+    echo "########## Created ACR: $acr_name ##########"
+}
+
+deploy_hive_acr_cache_and_access() {
+    echo "########## Deploying Hive artifact cache and AKS access in RG $RESOURCEGROUP ##########"
+    local acr_name="${HIVE_ACR_NAME:-arolocaldev${LOCATION}}"
+    local aks_cluster="${AKS_CLUSTER_NAME:-aro-aks-cluster-001}"
+
+    if [ -z "$HIVE_PULL_USERNAME" ] || [ -z "$HIVE_PULL_PASSWORD" ]; then
+        echo "ERROR: HIVE_PULL_USERNAME and HIVE_PULL_PASSWORD must be set"
+        echo "See team wiki for Hive pull secret credentials"
+        return 1
+    fi
+
+    az deployment group create \
+        -g "$RESOURCEGROUP" \
+        -n hive-acr-cache-and-access \
+        --template-file pkg/deploy/assets/hive-acr-cache-and-access.bicep \
+        --parameters \
+            "acrName=$acr_name" \
+            "aksClusterName=$aks_cluster" \
+            "hiveRegistryUsername=$HIVE_PULL_USERNAME" \
+            "hiveRegistryPassword=$HIVE_PULL_PASSWORD" >/dev/null
+    echo "########## Hive artifact cache and AKS access configured for $acr_name ##########"
+}
+
 deploy_vpn_for_dedicated_rp() {
     echo "########## Deploying Dev VPN in RG $RESOURCEGROUP ##########"
     az deployment group create \

hack/hive/hive-generate-config.sh

@@ -9,14 +9,17 @@ main() {
     trap "cleanup $tmpdir" EXIT
 
     # This is the commit sha that the image was built from and ensures we use the correct configs for the release
-    local -r default_commit="8796c4f534"
+    local -r default_commit="f84d11f6765b20de5a6c66998f2114b6855e94e0"
     local -r hive_image_commit_hash="${1:-$default_commit}"
     log "Using hive commit: $hive_image_commit_hash"
     # shellcheck disable=SC2034
     local -r hive_operator_namespace="hive"
 
+    # Hive images pulled from ACR via artifact cache rules
+    # Override with HIVE_ACR_REGISTRY (e.g., arosvcdev.azurecr.io for E2E)
     # shellcheck disable=SC2034
-    local -r hive_image="arointsvc.azurecr.io/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive:${hive_image_commit_hash}"
+    local -r acr_registry="${HIVE_ACR_REGISTRY:-arolocaldeveastus.azurecr.io}"
+    local -r hive_image="${acr_registry}/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive:${hive_image_commit_hash}"
 
 
     # shellcheck disable=SC2034

pkg/deploy/assets/hive-acr-cache-and-access.bicep

@@ -0,0 +1,77 @@
+// Combined Bicep template for Hive ACR artifact cache and AKS access
+// Deploys credential set, cache rules, and AKS role assignment together
+
+@description('Name of the Azure Container Registry')
+param acrName string
+
+@description('Name of the AKS cluster to grant pull access')
+param aksClusterName string = 'aro-aks-cluster-001'
+
+@description('Username or client ID for Quay.io authentication')
+@secure()
+param hiveRegistryUsername string
+
+@description('Password or client secret for Quay.io authentication')
+@secure()
+param hiveRegistryPassword string
+
+@description('Source repository for Hive images')
+param sourceRepository string = 'quay.io/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive'
+
+@description('Target repository name in ACR')
+param targetRepository string = 'redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive'
+
+var credentialSetName = 'hive-pull-credentials'
+var cacheRuleName = 'hive-cache-rule'
+var aksClusterId = resourceId('Microsoft.ContainerService/managedClusters', aksClusterName)
+var acrResourceId = resourceId('Microsoft.ContainerRegistry/registries', acrName)
+var acrPullRoleDefinitionId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
+
+resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
+  name: acrName
+}
+
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2023-01-01' existing = {
+  name: aksClusterName
+}
+
+resource credentialSet 'Microsoft.ContainerRegistry/registries/credentialSets@2023-01-01-preview' = {
+  parent: acr
+  name: credentialSetName
+  properties: {
+    authCredentials: [
+      {
+        name: 'Credential1'
+        usernameSecretIdentifier: hiveRegistryUsername
+        passwordSecretIdentifier: hiveRegistryPassword
+      }
+    ]
+    loginServer: 'quay.io'
+  }
+}
+
+resource cacheRule 'Microsoft.ContainerRegistry/registries/cacheRules@2023-01-01-preview' = {
+  parent: acr
+  name: cacheRuleName
+  properties: {
+    sourceRepository: sourceRepository
+    targetRepository: targetRepository
+    credentialSetResourceId: credentialSet.id
+  }
+}
+
+resource acrPullRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(aksClusterId, acrResourceId, acrPullRoleDefinitionId)
+  scope: acr
+  properties: {
+    roleDefinitionId: acrPullRoleDefinitionId
+    principalId: aksCluster.properties.identityProfile.kubeletidentity.objectId
+    principalType: 'ServicePrincipal'
+    description: 'Allows AKS cluster to pull Hive images from ACR'
+  }
+}
+
+output credentialSetId string = credentialSet.id
+output cacheRuleId string = cacheRule.id
+output roleAssignmentId string = acrPullRoleAssignment.id
+