prepare global resources pipeline (#909)

* introduce a `global` section in the config schema
* refine config for image sync
* define a pipeline yaml for the global ACRs and image sync
* introduce a KV for imagesync secrets living in the global context
* rework custom token management role code
  * make it optional (quota issues in other tenants)
  * ... and fallback to a wider role in that case

.github/workflows/aro-hcp-cd.yml

@@ -70,7 +70,7 @@
             cd dev-infrastructure/
 
             # Manage ACR
-            make acr-svc acr-ocp
+            make acr acr-svc-cfg acr-ocp-cfg
 
             # Setup operator roles for platform workload identity
             make operator-roles

config/config.msft.yaml

@@ -1,10 +1,16 @@
 $schema: config.schema.json
 defaults:
   region: {{ .ctx.region }}
+
   # Resourcegroups
-  globalRG: global-shared-resources
   regionRG: '{{ .ctx.region }}-shared-resources'
 
+  global:
+    rg: global-shared-resources
+    subscription: hcp-{{ .ctx.region }}
+    manageTokenCustomRole: false
+    region: uksouth
+
   # General AKS config
   kubernetesVersion: 1.30.6
   istioVersion: "asm-1-22"
@@ -13,9 +19,6 @@ defaults:
   podSubnetPrefix: "10.128.64.0/18"
   aksName: aro-hcp-aks
 
-  # ACR
-  serviceComponentAcrResourceGroups: '{{ .ctx.region }}-shared-resources'
-
   # Hypershift
   hypershift:
     namespace: hypershift
@@ -66,8 +69,7 @@ defaults:
 
   # Cluster Service
   clusterService:
-    #acrRG: '{{ .ctx.region }}-shared-resources'
-    acrRG: ''
+    acrRG: 'global-shared-resources'
     postgres:
       name: arohcp-cs-{{ .ctx.regionShort }}
       deploy: true
@@ -77,14 +79,19 @@ defaults:
   # Image Sync
   imageSync:
     rg: hcp-underlay-imagesync
-    acrRG: '{{ .ctx.region }}-shared-resources'
-    environmentName: aro-hcp-image-sync
-    repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package
-    imageRepo: image-sync/component-sync
-    imageTag: latest
-  ocMirror:
-    imageRepo: image-sync/oc-mirror
-    imageTag: 7abc8af
+    acrRG: global-shared-resources
+    environmentName: global-shared-resources
+    componentSync:
+      enabled: true
+      imageRepo: image-sync/component-sync
+      repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package
+    ocMirror:
+      enabled: true
+      imageRepo: image-sync/oc-mirror
+    keyVault:
+      name: arohcp-imagesync-int
+      private: false
+      softDelete: true
 
   serviceKeyVault:
     name: arohcp-svc-{{ .ctx.regionShort }}
@@ -108,7 +115,7 @@ defaults:
     private: false
 
   # DNS
-  baseDnsZoneRG: '{{ .ctx.region }}-shared-resources'
+  baseDnsZoneRG: global-shared-resources
   regionalDNSSubdomain: '{{ .ctx.region }}'
 
   # Metrics
@@ -129,6 +136,11 @@ clouds:
         imageRepo: app-sre/uhc-clusters-service
       hypershiftOperator:
         imageTag: 9aca808
+      imageSync:
+        componentSync:
+          imageTag: 0b3c08f
+        ocMirror:
+          imageTag: 0b3c08f
 
     environments:
       int:
@@ -159,11 +171,10 @@ clouds:
               osDiskSizeGB: 100
               azCount: 3
           # DNS
-          baseDnsZoneName: aro-hcp.azure-test.net
+          baseDnsZoneName: aroapp-hcp.azure-test.net
           regionalDNSSubdomain: '{{ .ctx.region }}'
 
           # ACR
-          acrName: arohcpint
           svcAcrName: arohcpsvcint
           ocpAcrName: arohcpocpint
 

config/config.schema.json

@@ -3,9 +3,6 @@
     "title": "Generated schema for Root",
     "type": "object",
     "properties": {
-      "acrName": {
-        "type": "string"
-      },
       "aksName": {
         "type": "string"
       },
@@ -136,8 +133,28 @@
           "cosmosDB"
         ]
       },
-      "globalRG": {
-        "type": "string"
+      "global": {
+        "type": "object",
+        "properties": {
+          "rg": {
+            "type": "string"
+          },
+          "subscription": {
+            "type": "string"
+          },
+          "manageTokenCustomRole": {
+            "type": "boolean"
+          },
+          "region": {
+            "type": "string"
+          }
+        },
+        "required": [
+          "rg",
+          "subscription",
+          "manageTokenCustomRole",
+          "region"
+        ]
       },
       "hypershift": {
         "type": "object",
@@ -176,14 +193,69 @@
           "environmentName": {
             "type": "string"
           },
-          "imageRepo": {
-            "type": "string"
+          "componentSync": {
+            "type": "object",
+            "properties": {
+              "enabled": {
+                "type": "boolean"
+              },
+              "imageRepo": {
+                "type": "string"
+              },
+              "imageTag": {
+                "type": "string"
+              },
+              "repositories": {
+                "type": "string"
+              }
+            },
+            "additionalProperties": false,
+            "required": [
+              "enabled",
+              "imageRepo",
+              "imageTag",
+              "repositories"
+            ]
           },
-          "imageTag": {
-            "type": "string"
+          "ocMirror": {
+            "type": "object",
+            "properties": {
+              "enabled": {
+                "type": "boolean"
+              },
+              "imageRepo": {
+                "type": "string"
+              },
+              "imageTag": {
+                "type": "string"
+              }
+            },
+            "additionalProperties": false,
+            "required": [
+              "enabled",
+              "imageRepo",
+              "imageTag"
+            ]
           },
-          "repositories": {
-            "type": "string"
+          "keyVault": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string"
+              },
+              "private": {
+                "type": "boolean"
+              },
+              "softDelete": {
+                "type": "boolean"
+              }
+            },
+            "additionalProperties": false,
+            "required": [
+              "name",
+              "private",
+              "softDelete"
+            ]
           },
           "rg": {
             "type": "string"
@@ -193,9 +265,9 @@
         "required": [
           "acrRG",
           "environmentName",
-          "imageRepo",
-          "imageTag",
-          "repositories",
+          "componentSync",
+          "ocMirror",
+          "keyVault",
           "rg"
         ]
       },
@@ -447,22 +519,6 @@
           "softDelete"
         ]
       },
-      "ocMirror": {
-        "type": "object",
-        "properties": {
-          "imageRepo": {
-            "type": "string"
-          },
-          "imageTag": {
-            "type": "string"
-          }
-        },
-        "additionalProperties": false,
-        "required": [
-          "imageRepo",
-          "imageTag"
-        ]
-      },
       "ocpAcrName": {
         "type": "string"
       },
@@ -481,9 +537,6 @@
       "regionalDNSSubdomain": {
         "type": "string"
       },
-      "serviceComponentAcrResourceGroups": {
-        "type": "string"
-      },
       "serviceKeyVault": {
         "type": "object",
         "properties": {
@@ -586,7 +639,6 @@
     },
     "additionalProperties": false,
     "required": [
-      "acrName",
       "aksName",
       "aroDevopsMsiId",
       "baseDnsZoneName",
@@ -595,7 +647,7 @@
       "cxKeyVault",
       "firstPartyAppClientId",
       "frontend",
-      "globalRG",
+      "global",
       "hypershift",
       "hypershiftOperator",
       "imageSync",
@@ -606,14 +658,12 @@
       "mgmtKeyVault",
       "monitoring",
       "msiKeyVault",
-      "ocMirror",
       "ocpAcrName",
       "oidcStorageAccountName",
       "podSubnetPrefix",
       "region",
       "regionRG",
       "regionalDNSSubdomain",
-      "serviceComponentAcrResourceGroups",
       "serviceKeyVault",
       "subnetPrefix",
       "svc",

config/config.yaml

@@ -1,10 +1,14 @@
 $schema: config.schema.json
 defaults:
   region: {{ .ctx.region }}
-  # Resourcegroups
-  globalRG: global
   regionRG: hcp-underlay-{{ .ctx.regionShort }}
 
+  global:
+    rg: global
+    subscription: hcp-{{ .ctx.region }}
+    manageTokenCustomRole: true
+    region: westus3
+
   # General AKS config
   kubernetesVersion: 1.30.6
   istioVersion: "asm-1-22"
@@ -13,9 +17,6 @@ defaults:
   podSubnetPrefix: "10.128.64.0/18"
   aksName: aro-hcp-aks
 
-  # ACR
-  serviceComponentAcrResourceGroups: global
-
   # Hypershift
   hypershift:
     namespace: hypershift
@@ -78,12 +79,19 @@ defaults:
     rg: hcp-underlay-{{ .ctx.regionShort }}-imagesync
     acrRG: global
     environmentName: aro-hcp-image-sync
-    repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package
-    imageRepo: image-sync/component-sync
-    imageTag: latest
-  ocMirror:
-    imageRepo: image-sync/oc-mirror
-    imageTag: 7abc8af
+    componentSync:
+      enabled: true
+      imageRepo: image-sync/component-sync
+      imageTag: latest
+      repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package
+    ocMirror:
+      enabled: true
+      imageRepo: image-sync/oc-mirror
+      imageTag: 0b3c08f
+    keyVault:
+      name: arohcp-imagesync-dev
+      private: false
+      softDelete: false
 
   serviceKeyVault:
     name: arohcp-svc-{{ .ctx.regionShort }}
@@ -179,7 +187,6 @@ clouds:
           kvSoftDelete: false
         subscription: ARO Hosted Control Planes (EA Subscription 1)
       # Shared ACRs
-      acrName: arohcpdev
       svcAcrName: arohcpsvcdev
       ocpAcrName: arohcpocpdev
       # Shared Image Sync