event grid namespaces infrastructure and access #86
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Please rebase pull request. |
geoberle
force-pushed
the
maestro-eventgrid
branch
from
8519aac to
a4de6d6
Compare
|
@microsoft-github-policy-service agree company="Red Hat" |
geoberle
force-pushed
the
maestro-eventgrid
branch
from
a4de6d6 to
0b85144
Compare
|
Please rebase pull request. |
geoberle
requested review from
bennerv,
petrkotas,
s-amann,
UlrichSchlueter,
mjlshen and
tonytheleg
as code owners
geoberle
force-pushed
the
maestro-eventgrid
branch
from
4170632 to
600a7b0
Compare
tonytheleg
reviewed
May 8, 2024
geoberle
force-pushed
the
maestro-eventgrid
branch
from
96632dc to
e19d68c
Compare
geoberle
changed the title
geoberle
force-pushed
the
maestro-eventgrid
branch
4 times, most recently
from
09e0f73 to
11c7d56
Compare
this PR introduces a bicep templates to create the regional cloud infrastructure required by maestro and defined in [SD-DDR-0024](https://docs.google.com/document/d/1JUbv0Zco--SPpWH7pIsuzuKTUtq2S4WovAoPuAt5PPI/edit). the general infrastructure part is managed in the `maestro-infra.bicep` module. it is included into the `svc-cluster.bicep` template as proposed in SD-DDR-0030. * create an eventgrid MQTT broker * creates a keyvault for the client certificates that are used for authentication * right now, only self-signed certificates are supported, which is fine for DEV * for int/prod OneCertV2 will be used * defines the basic authentication configuration for eventgrid (MQTT client groups, topic spaces, topic access templates) authentication and authorization for a maestro server or consumer is managed via the `maestro-eventgrid-access.bicep` module. it is responsible for: * creating a client certificate for authn in key vault * grants key vault access to the certificate to a managed identity (used for CSI secret store to access the secret from the cluster) * registers an MQTT client in the EventGrid client registry and assigns proper access the `maestro-server.bicep` module dresses up a Service Cluster for the installation of the Maestro server. it leverages `maestro-eventgrid-access.bicep` to define the broker access and places some manifests on the AKS cluster: * a `Secret` containing EventGrid details like the hostname * a CSI `SecretProviderClass` CR to access the client certificate for broker access part of https://issues.redhat.com/browse/ARO-7244 Signed-off-by: Gerd Oberlechner <[email protected]>
geoberle
force-pushed
the
maestro-eventgrid
branch
from
11c7d56 to
83eeac6
Compare
mjlshen
previously approved these changes
May 16, 2024
| @@ -253,7 +253,7 @@ resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = { | |||
| enabled: true | |||
| config: { | |||
| enableSecretRotation: 'true' | |||
| rotationPollInterval: '24h' | |||
| rotationPollInterval: '5m' | |||
There was a problem hiding this comment.
Is this an intentional change? The change makes sense to me, I don't know why it was 24h previously, but just want to make sure
There was a problem hiding this comment.
we can discuss around the value. i think the default is 2m
Signed-off-by: Gerd Oberlechner <[email protected]>
mjlshen
approved these changes
May 16, 2024
tonytheleg
approved these changes
May 16, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
this PR introduces a bicep templates to create the regional cloud infrastructure required by maestro and defined in SD-DDR-0024.
the general infrastructure part is managed in the
maestro-infra.bicepmodule. it is included into thesvc-cluster.biceptemplate as proposed in SD-DDR-0030.authentication and authorization for a maestro server or consumer is managed via the
maestro-eventgrid-access.bicepmodule. it is responsible for:the
maestro-server.bicepmodule dresses up a Service Cluster for the installation of the Maestro server. it leveragesmaestro-eventgrid-access.bicepto define the broker access and places some manifests on the AKS cluster:Secretcontaining EventGrid details like the hostnameSecretProviderClassCR to access the client certificate for broker accesspart of https://issues.redhat.com/browse/ARO-7244
What this PR does
introduce bicep config for maestro regional infrastructure.
Jira: https://issues.redhat.com/browse/ARO-7244
Special notes for your reviewer
Checklist
This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.