introduce MGMT and CX KeyVaults (Azure#796)

https://issues.redhat.com/browse/ARO-9956 https://issues.redhat.com/browse/ARO-10289 https://issues.redhat.com/browse/ARO-10288 Signed-off-by: Gerd Oberlechner <[email protected]>
ahitacat · Nov 4, 2024 · beab4da · beab4da
1 parent 8812cb0
commit beab4da
Show file tree

Hide file tree

Showing 6 changed files with 130 additions and 1 deletion.
diff --git a/config/config.yaml b/config/config.yaml
@@ -60,12 +60,23 @@ defaults:
   ocMirrorImageTag: 7abc8af
 
   # Service KeyVault
-  serviceKeyVaultName: {{ azureKeyVaultName "svc-kv" 5 .ctx.region .ctx.regionStamp }}
+  serviceKeyVaultName: {{ azureKeyVaultName "aro-hcp-svc" 5 .ctx.region .ctx.regionStamp }}
   serviceKeyVaultRG: hcp-underlay-{{ .ctx.region }}-svc-{{ .ctx.regionStamp }}
   serviceKeyVaultRegion: {{ .ctx.region }}
   serviceKeyVaultSoftDelete: true
   serviceKeyVaultPrivate: true
 
+  # Management Cluster KV
+  cxKeyVaultName: {{ azureKeyVaultName "aro-hcp-cx" 5 .ctx.region .ctx.regionStamp .ctx.cxStamp }}
+  cxKeyVaultSoftDelete: true
+  cxKeyVaultPrivate: true
+  msiKeyVaultName: {{ azureKeyVaultName "aro-hcp-msi" 5 .ctx.region .ctx.regionStamp .ctx.cxStamp }}
+  msiKeyVaultSoftDelete: true
+  msiKeyVaultPrivate: true
+  mgmtKeyVaultName: {{ azureKeyVaultName "aro-hcp-mgmt" 5 .ctx.region .ctx.regionStamp .ctx.cxStamp }}
+  mgmtKeyVaultSoftDelete: true
+  mgmtKeyVaultPrivate: true
+
   # DNS
   baseDnsZoneRG: 'global'
 clouds:
@@ -102,6 +113,13 @@ clouds:
       serviceKeyVaultRG: 'global'
       serviceKeyVaultRegion: 'westus3'
       serviceKeyVaultPrivate: false
+      # Management Cluster KVs
+      cxKeyVaultSoftDelete: false
+      cxKeyVaultPrivate: false
+      msiKeyVaultSoftDelete: false
+      msiKeyVaultPrivate: false
+      mgmtKeyVaultSoftDelete: false
+      mgmtKeyVaultPrivate: false
       # disable soft delete on etcd KVs in DEV
       svcEtcdKVSoftDelete: false
       mgmtEtcdKVSoftDelete: false

diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
@@ -10,6 +10,9 @@
   "clusterServicePostgresDeploy": true,
   "clusterServicePostgresName": "cs-9c782",
   "clusterServicePostgresPrivate": false,
+  "cxKeyVaultName": "aro-hcp-cx-1abb8",
+  "cxKeyVaultPrivate": false,
+  "cxKeyVaultSoftDelete": false,
   "externalDNSImageTag": "v0.14.2",
   "firstPartyAppClientId": "57e54810-3138-4f38-bd3b-29cb33f4c358",
   "frontendCosmosDBDeploy": true,
@@ -43,6 +46,9 @@
   "managementClusterRG": "hcp-underlay-westus3-cs-pr-mgmt-1",
   "mgmtEtcdKVName": "aro-hcp-etcd-1abb8",
   "mgmtEtcdKVSoftDelete": false,
+  "mgmtKeyVaultName": "aro-hcp-mgmt-1abb8",
+  "mgmtKeyVaultPrivate": false,
+  "mgmtKeyVaultSoftDelete": false,
   "mgmtSystemAgentPoolMaxCount": 4,
   "mgmtSystemAgentPoolMinCount": 1,
   "mgmtSystemAgentPoolOsDiskSizeGB": 32,
@@ -54,6 +60,9 @@
   "mgmtUserAgentPoolVmSize": "Standard_D4s_v3",
   "monitoringMsiName": "aro-hcp-metrics-msi-9c782",
   "monitoringWorkspaceName": "aro-hcp-monitor-9c782",
+  "msiKeyVaultName": "aro-hcp-msi-1abb8",
+  "msiKeyVaultPrivate": false,
+  "msiKeyVaultSoftDelete": false,
   "ocMirrorImageRepo": "image-sync/oc-mirror",
   "ocMirrorImageTag": "7abc8af",
   "ocpAcrName": "arohcpocpdev",

diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
@@ -10,6 +10,9 @@
   "clusterServicePostgresDeploy": true,
   "clusterServicePostgresName": "cs-157ff",
   "clusterServicePostgresPrivate": false,
+  "cxKeyVaultName": "aro-hcp-cx-08101",
+  "cxKeyVaultPrivate": false,
+  "cxKeyVaultSoftDelete": false,
   "externalDNSImageTag": "v0.14.2",
   "firstPartyAppClientId": "57e54810-3138-4f38-bd3b-29cb33f4c358",
   "frontendCosmosDBDeploy": true,
@@ -43,6 +46,9 @@
   "managementClusterRG": "hcp-underlay-westus3-dev-mgmt-1",
   "mgmtEtcdKVName": "aro-hcp-etcd-08101",
   "mgmtEtcdKVSoftDelete": false,
+  "mgmtKeyVaultName": "aro-hcp-mgmt-08101",
+  "mgmtKeyVaultPrivate": false,
+  "mgmtKeyVaultSoftDelete": false,
   "mgmtSystemAgentPoolMaxCount": 4,
   "mgmtSystemAgentPoolMinCount": 1,
   "mgmtSystemAgentPoolOsDiskSizeGB": 32,
@@ -54,6 +60,9 @@
   "mgmtUserAgentPoolVmSize": "Standard_D4s_v3",
   "monitoringMsiName": "aro-hcp-metrics-msi-157ff",
   "monitoringWorkspaceName": "aro-hcp-monitor-157ff",
+  "msiKeyVaultName": "aro-hcp-msi-08101",
+  "msiKeyVaultPrivate": false,
+  "msiKeyVaultSoftDelete": false,
   "ocMirrorImageRepo": "image-sync/oc-mirror",
   "ocMirrorImageTag": "7abc8af",
   "ocpAcrName": "arohcpocpdev",

diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
@@ -10,6 +10,9 @@
   "clusterServicePostgresDeploy": false,
   "clusterServicePostgresName": "cs-76fc6",
   "clusterServicePostgresPrivate": false,
+  "cxKeyVaultName": "aro-hcp-cx-85fcc",
+  "cxKeyVaultPrivate": false,
+  "cxKeyVaultSoftDelete": false,
   "externalDNSImageTag": "v0.14.2",
   "firstPartyAppClientId": "57e54810-3138-4f38-bd3b-29cb33f4c358",
   "frontendCosmosDBDeploy": true,
@@ -43,6 +46,9 @@
   "managementClusterRG": "hcp-underlay-westus3-tst-mgmt-1",
   "mgmtEtcdKVName": "aro-hcp-etcd-85fcc",
   "mgmtEtcdKVSoftDelete": false,
+  "mgmtKeyVaultName": "aro-hcp-mgmt-85fcc",
+  "mgmtKeyVaultPrivate": false,
+  "mgmtKeyVaultSoftDelete": false,
   "mgmtSystemAgentPoolMaxCount": 4,
   "mgmtSystemAgentPoolMinCount": 1,
   "mgmtSystemAgentPoolOsDiskSizeGB": 32,
@@ -54,6 +60,9 @@
   "mgmtUserAgentPoolVmSize": "Standard_D4s_v3",
   "monitoringMsiName": "aro-hcp-metrics-msi-76fc6",
   "monitoringWorkspaceName": "aro-hcp-monitor-76fc6",
+  "msiKeyVaultName": "aro-hcp-msi-85fcc",
+  "msiKeyVaultPrivate": false,
+  "msiKeyVaultSoftDelete": false,
   "ocMirrorImageRepo": "image-sync/oc-mirror",
   "ocMirrorImageTag": "7abc8af",
   "ocpAcrName": "arohcpocpdev",

diff --git a/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam
@@ -1,5 +1,6 @@
 using '../templates/mgmt-cluster.bicep'
 
+// AKS
 param kubernetesVersion = '{{ .kubernetesVersion}}'
 param vnetAddressPrefix = '{{ .vnetAddressPrefix }}'
 param subnetPrefix = '{{ .subnetPrefix }}'
@@ -17,13 +18,32 @@ param userAgentVMSize = '{{ .mgmtUserAgentPoolVmSize }}'
 param aksUserOsDiskSizeGB = {{ .mgmtUserAgentPoolOsDiskSizeGB }}
 param userAgentPoolAZCount = {{ .mgmtUserAgentPoolAzCount }}
 
+// Maestro
 param maestroConsumerName = '{{ .maestroConsumerName }}'
 param maestroKeyVaultName = '{{ .maestroKeyVaultName }}'
 param maestroEventGridNamespacesName = '{{ .maestroEventgridName }}'
 param maestroCertDomain = '{{ .maestroCertDomain }}'
 
+// DNS
 param regionalDNSZoneName = '{{ .regionalDNSSubdomain}}.{{ .baseDnsZoneName }}'
 
+// ACR
 param acrPullResourceGroups = ['{{ .serviceComponentAcrResourceGroups }}']
 
+// Region
 param regionalResourceGroup = '{{ .regionRG }}'
+
+// CX KV
+param cxKeyVaultName = '{{ .cxKeyVaultName }}'
+param cxKeyVaultPrivate = {{ .cxKeyVaultPrivate }}
+param cxKeyVaultSoftDelete = {{ .cxKeyVaultSoftDelete }}
+
+// MSI KV
+param msiKeyVaultName = '{{ .msiKeyVaultName }}'
+param msiKeyVaultPrivate = {{ .msiKeyVaultPrivate }}
+param msiKeyVaultSoftDelete = {{ .msiKeyVaultSoftDelete }}
+
+// MGMT KV
+param mgmtKeyVaultName = '{{ .mgmtKeyVaultName }}'
+param mgmtKeyVaultPrivate = {{ .mgmtKeyVaultPrivate }}
+param mgmtKeyVaultSoftDelete = {{ .mgmtKeyVaultSoftDelete }}
diff --git a/dev-infrastructure/templates/mgmt-cluster.bicep b/dev-infrastructure/templates/mgmt-cluster.bicep
@@ -80,6 +80,33 @@ param regionalDNSZoneName string
 @description('The resource group that hosts the regional zone')
 param regionalResourceGroup string
 
+@description('The name of the CX KeyVault')
+param cxKeyVaultName string
+
+@description('Defines if the CX KeyVault is private')
+param cxKeyVaultPrivate bool
+
+@description('Defines if the CX KeyVault has soft delete enabled')
+param cxKeyVaultSoftDelete bool
+
+@description('The name of the MSI KeyVault')
+param msiKeyVaultName string
+
+@description('Defines if the MSI KeyVault is private')
+param msiKeyVaultPrivate bool
+
+@description('Defines if the MSI KeyVault has soft delete enabled')
+param msiKeyVaultSoftDelete bool
+
+@description('The name of the MGMT KeyVault')
+param mgmtKeyVaultName string
+
+@description('Defines if the MGMT KeyVault is private')
+param mgmtKeyVaultPrivate bool
+
+@description('Defines if the MGMT KeyVault has soft delete enabled')
+param mgmtKeyVaultSoftDelete bool
+
 // Tags the resource group
 resource subscriptionTags 'Microsoft.Resources/tags@2024-03-01' = {
   name: 'default'
@@ -172,3 +199,40 @@ module dnsZoneContributor '../modules/dns/zone-contributor.bicep' = {
     zoneContributerManagedIdentityPrincipalId: externalDnsManagedIdentityPrincipalId
   }
 }
+
+//
+//   K E Y V A U L T S
+//
+
+module cxKeyVault '../modules/keyvault/keyvault.bicep' = {
+  name: '${deployment().name}-cx-kv'
+  params: {
+    location: location
+    keyVaultName: cxKeyVaultName
+    private: cxKeyVaultPrivate
+    enableSoftDelete: cxKeyVaultSoftDelete
+    purpose: 'cx'
+  }
+}
+
+module msiKeyVault '../modules/keyvault/keyvault.bicep' = {
+  name: '${deployment().name}-msi-kv'
+  params: {
+    location: location
+    keyVaultName: msiKeyVaultName
+    private: msiKeyVaultPrivate
+    enableSoftDelete: msiKeyVaultSoftDelete
+    purpose: 'msi'
+  }
+}
+
+module mgmtKeyVault '../modules/keyvault/keyvault.bicep' = {
+  name: '${deployment().name}-mgmt-kv'
+  params: {
+    location: location
+    keyVaultName: mgmtKeyVaultName
+    private: mgmtKeyVaultPrivate
+    enableSoftDelete: mgmtKeyVaultSoftDelete
+    purpose: 'mgmt'
+  }
+}