
Use new SP
janboll committed Dec 17, 2024
1 parent 609f9db commit 8b7c293
Showing 4 changed files with 14 additions and 7 deletions.
2 changes: 1 addition & 1 deletion cluster-service/Makefile
Expand Up @@ -8,7 +8,7 @@ deploy: provision-shard
kubectl create namespace cluster-service --dry-run=client -o json | kubectl apply -f - && \
kubectl label namespace cluster-service "istio.io/rev=$${ISTO_VERSION}" --overwrite=true && \
AZURE_CS_MI_CLIENT_ID=$(shell az identity show -g ${RESOURCEGROUP} -n clusters-service --query clientId -o tsv) && \
CS_SERVICE_PRINCIPAL_CREDS_BASE64='$(shell az keyvault secret show --vault-name "${SERVICE_KV}" --name "aro-hcp-dev-sp-cs" | jq .value -r | base64 | tr -d '\n')' && \
CS_SERVICE_PRINCIPAL_CREDS_BASE64='$(shell az keyvault secret show --vault-name "${SERVICE_KV}" --name "aro-hcp-dev-sp-new-cs" | jq .value -r | base64 | tr -d '\n')' && \
TENANT_ID=$(shell az account show --query tenantId --output tsv) && \
OIDC_BLOB_SERVICE_ENDPOINT=$(shell az storage account show -n ${OIDC_STORAGE_ACCOUNT} -g ${RESOURCEGROUP} --query primaryEndpoints.blob -o tsv) && \
OIDC_ISSUER_BASE_ENDPOINT=$(shell az storage account show -n ${OIDC_STORAGE_ACCOUNT} -g ${RESOURCEGROUP} --query primaryEndpoints.web -o tsv) && \
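Review bot: The new `CS_SERVICE_PRINCIPAL_CREDS_BASE64` assignment cannot fail: `$(shell …)` discards the exit status, so if `aro-hcp-dev-sp-new-cs` does not exist in `${SERVICE_KV}` yet (this commit creates `aro-hcp-dev-sp-new`, but nothing visible in the diff writes the `-cs` variant) or the caller lacks vault access, `jq | base64 | tr` emits an empty string and the deploy proceeds with empty credentials. Add a guard right after it, e.g. `[ -n "$${CS_SERVICE_PRINCIPAL_CREDS_BASE64}" ] || { echo "secret aro-hcp-dev-sp-new-cs is empty or unreadable" >&2; exit 1; } && \`. Note also that the expanded base64 blob becomes part of the recipe text, which Make echoes into the build log unless the recipe line is `@`-prefixed; the start of that line is above the hunk, so please confirm. The secret name is hard-coded here and in three other files touched by this commit, so a single `CS_SP_SECRET_NAME ?= aro-hcp-dev-sp-new-cs` variable would make the next rotation a one-line change. The `deploy` recipe starts and ends outside the hunk.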
7 changes: 7 additions & 0 deletions dev-infrastructure/Makefile
Expand Up @@ -87,6 +87,13 @@ create-mock-identities:
ROLE_DEFINITION_NAME=Contributor \
SUBSCRIPTION_ID=$(shell az account show --query id --output tsv) \
./scripts/create-sp-for-rbac.sh

APPLICATION_NAME=aro-hcp-dev-sp-new \
KEY_VAULT_NAME=aro-hcp-dev-svc-kv \
CERTIFICATE_NAME=aro-hcp-dev-sp-new \
ROLE_DEFINITION_NAME=Contributor \
SUBSCRIPTION_ID=$(shell az account show --query id --output tsv) \
./scripts/create-sp-for-rbac.sh
.PHONY: create-mock-identities

#
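Review bot: The added invocation grants a second service principal Contributor on the whole subscription while the existing call to `./scripts/create-sp-for-rbac.sh` just above it is left in place, so after this commit two subscription-wide Contributor credentials sit in `aro-hcp-dev-svc-kv` and only one is used. Unless the old SP is retired elsewhere, add a teardown for it (or drop the first invocation once the consumers switched in this commit are confirmed working) so the superseded credential does not stay readable to everyone with vault access. The hard-coded `-new` suffix also leaves no room for the next rotation; a `SP_NAME ?= aro-hcp-dev-sp-new` variable reused for `APPLICATION_NAME` and `CERTIFICATE_NAME` would keep it in sync with the secret names in cluster-service/Makefile and local_CS.sh. A comment above the block such as `# Replacement SP for aro-hcp-dev-sp; remove the old invocation once nothing reads it.` would record the intent, assuming that is the intent, and the development-setup.md hunk still describes `aro-hcp-dev-sp-new-cs` as "the same Azure SP credentials as `aro-hcp-dev-sp`", which is now the superseded SP. The `create-mock-identities` recipe starts above the hunk.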
8 changes: 4 additions & 4 deletions dev-infrastructure/docs/development-setup.md
Expand Up @@ -63,13 +63,13 @@ Every developer creates their own set of service/management clusters, including
what: base64 encoded access token for the `quay.io/app-sre` organization
purposes: used by image-sync to mirror component images

* `aro-hcp-dev-sp`
* `aro-hcp-dev-sp-new`
what: Azure SP credentials to be used for HCPs
purpose: until managed identities are available for HCPs, this is the auth creds
for controlplane operators to interact with Azure. This SP has contributer
permissions in the subscription

* `aro-hcp-dev-sp-cs`
* `aro-hcp-dev-sp-new-cs`
what: the same Azure SP credentials as `aro-hcp-dev-sp` but formatted for CS
purpose: until the 1P mock certificate is going to be used by CS to interact
with Azure, it will use these static creds instead
Expand Down Expand Up @@ -505,13 +505,13 @@ Users require membership in the `aro-hcp-engineering` group to read secrets. Th
* Azure SP credentials in the format HyperShift Operator requires it (line format)
```sh
az keyvault secret show --vault-name "aro-hcp-dev-svc-kv" --name "aro-hcp-dev-sp" | jq .value -r > azure-creds
az keyvault secret show --vault-name "aro-hcp-dev-svc-kv" --name "aro-hcp-dev-sp-new" | jq .value -r > azure-creds
```

* Azure SP credentials in the format CS requires it (json format)

```sh
az keyvault secret show --vault-name "aro-hcp-dev-svc-kv" --name "aro-hcp-dev-sp-cs" | jq .value -r > azure-creds.json
az keyvault secret show --vault-name "aro-hcp-dev-svc-kv" --name "aro-hcp-dev-sp-new-cs" | jq .value -r > azure-creds.json
```

### Access integrated DEV environment
4 changes: 2 additions & 2 deletions dev-infrastructure/local_CS.sh
Expand Up @@ -7,8 +7,8 @@ make db/teardown
# Obtain Azure credentials from keyvault
VAULTNAME=aro-hcp-dev-svc-kv
az keyvault secret show --vault-name $VAULTNAME --name "aro-hcp-dev-pull-secret" | jq .value -r > pull-secret.json
az keyvault secret show --vault-name $VAULTNAME --name "aro-hcp-dev-sp" | jq .value -r > azure-creds
az keyvault secret show --vault-name $VAULTNAME --name "aro-hcp-dev-sp-cs" | jq .value -r > azure-creds.json
az keyvault secret show --vault-name $VAULTNAME --name "aro-hcp-dev-sp-new" | jq .value -r > azure-creds
az keyvault secret show --vault-name $VAULTNAME --name "aro-hcp-dev-sp-new-cs" | jq .value -r > azure-creds.json

# Setup the development.yml
cp ./configs/development.yml .
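Review bot: The two `az keyvault secret show … > azure-creds` lines write subscription-Contributor credentials to plain files under the default umask (typically world-readable), and the pipeline's exit status is jq's, so a failed `az` call silently produces an empty file that the rest of the script then uses. Put `umask 077` and `set -o pipefail` before the retrievals (whether the script already sets `-e`/`pipefail` is above the hunk, so please confirm) and quote `"$VAULTNAME"`. A short comment such as `# Credentials land in the working directory: keep azure-creds* out of version control and delete them after use` would help the next reader; whether a .gitignore already covers these files is not visible here.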
