Skip to content

Commit

Permalink
ARO-8948 Update ARO HCP template with CSI Driver
Browse files Browse the repository at this point in the history
Signed-off-by: Alba Hita Catala <[email protected]>
  • Loading branch information
ahitacat committed Sep 4, 2024
1 parent d9fb062 commit d78b67d
Show file tree
Hide file tree
Showing 2 changed files with 40 additions and 0 deletions.
4 changes: 4 additions & 0 deletions cluster-service/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,13 @@ deploy:
-n clusters-service \
--query clientId) && \
CS_SERVICE_PRINCIPAL_CREDS_BASE64='$(shell az keyvault secret show --vault-name "service-kv-aro-hcp-dev" --name "aro-hcp-dev-sp-cs" | jq .value -r | base64 | tr -d '\n')' && \
TENANT_ID=$(shell az account show --query tenantId --output tsv) && \
KEYVAULT_NAME=$(shell az keyvault list --query "[?starts_with(name, 'service-kv')].name" -g ${REGIONAL_RESOURCEGROUP} --output tsv) && \
oc process --local -f deploy/openshift-templates/arohcp-service-template.yml \
-p AZURE_CS_MI_CLIENT_ID=$${AZURE_CS_MI_CLIENT_ID} \
-p TENANT_ID=$${TENANT_ID} \
-p REGION=${REGION} \
-p KEYVAULT_NAME=${KEYVAULT_NAME}
-p CS_SERVICE_PRINCIPAL_CREDS_BASE64=$${CS_SERVICE_PRINCIPAL_CREDS_BASE64} \
-p IMAGE_REGISTRY=${ARO_HCP_IMAGE_ACR}.azurecr.io \
-p IMAGE_REPOSITORY=app-sre/uhc-clusters-service \
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -222,8 +222,35 @@ parameters:
- name: CS_SERVICE_PRINCIPAL_CREDS_BASE64
description: Base64 encoded service principal credentials for CS. This is temporary for P1
required: true
- name: KEYVAULT_NAME
description: The name of the Key Vault where the first party credentials are stored.
value: ""
- name: TENANT_ID
description: The Tenant ID of Key Vault.
value: ""

objects:

- apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: cs-keyvault
namespace: ${NAMESPACE}
spec:
parameters:
clientID: ${AZURE_CS_MI_CLIENT_ID}
cloudName: AzurePublicCloud
keyvaultName: ${KEYVAULT_NAME}
objects: |-
array:
- |
objectName: firstPartyMock
objectType: secret
objectAlias: "firstPartyMock"
tenantId: ${TENANT_ID}
usePodIdentity: "false"
provider: azure

- apiVersion: v1
kind: ConfigMap
metadata:
Expand Down Expand Up @@ -409,6 +436,12 @@ objects:
- name: azure-credentials
secret:
secretName: azure-credentials
- name: keyvault
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: cs-keyvault
initContainers:
- name: init
image: ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}:${IMAGE_TAG}
Expand Down Expand Up @@ -465,6 +498,9 @@ objects:
subPath: cloud-region-constraints.yaml
- name: azure-credentials
mountPath: /secrets/azure-credentials
- name: keyvault
mountPath: "/secrets/keyvault"
readOnly: true
env:
- name: NAMESPACE
valueFrom:
Expand Down

0 comments on commit d78b67d

Please sign in to comment.