remove rpMdmCertificateVaultId and rpMdsdCertificateVaultId parameters

deploy/rp-production-parameters.json

@@ -35,9 +35,6 @@
         "rpImageAuth": {
             "value": ""
         },
-        "rpMdmCertificateVaultId": {
-            "value": ""
-        },
         "rpMdmFrontendUrl": {
             "value": ""
         },
@@ -50,9 +47,6 @@
         "rpMdsdAccount": {
             "value": ""
         },
-        "rpMdsdCertificateVaultId": {
-            "value": ""
-        },
         "rpMdsdConfigVersion": {
             "value": ""
         },

docs/prepare-a-shared-rp-development-environment.md

@@ -334,6 +334,10 @@ If you encounter "VirtualNetworkGatewayCannotUseStandardPublicIP" error when dep
      >/dev/null
    ```
 
+   Note: in production, two additional keys/certificates (rp-mdm and rp-mdsd)
+   are also required in the $KEYVAULT_PREFIX-svc key vault.  These are client
+   certificates for metric and log forwarding (respectively) to Geneva.
+
 1. Create nameserver records in the parent DNS zone:
 
    ```

pkg/deploy/rp.go

@@ -327,12 +327,10 @@ func (g *generator) vmss() *arm.Resource {
 		"pullSecret",
 		"rpImage",
 		"rpImageAuth",
-		"rpMdmCertificateVaultId",
 		"rpMdmFrontendUrl",
 		"rpMdmMetricNamespace",
 		"rpMdmMonitoringAccount",
 		"rpMdsdAccount",
-		"rpMdsdCertificateVaultId",
 		"rpMdsdConfigVersion",
 		"rpMdsdEnvironment",
 		"rpMdsdNamespace",
@@ -351,6 +349,12 @@ func (g *generator) vmss() *arm.Resource {
 		"''')\n'",
 	)
 
+	parts = append(parts,
+		fmt.Sprintf("'RESOURCEGROUPNAME=$(base64 -d <<<'''"),
+		fmt.Sprintf("base64(resourceGroup().name)"),
+		"''')\n'",
+	)
+
 	trailer := base64.StdEncoding.EncodeToString([]byte(`yum -y update -x WALinuxAgent
 
 # avoid "error: db5 error(-30969) from dbenv->open: BDB0091 DB_VERSION_MISMATCH: Database environment version mismatch"
@@ -414,10 +418,11 @@ EOF
 
 az login -i --allow-no-subscriptions
 
-az keyvault secret download --file /etc/mdm.pem --id "$RPMDMCERTIFICATEVAULTID"
+SVCVAULTURI="$(az keyvault list -g "$RESOURCEGROUPNAME" --query "[?tags.vault=='service'].properties.vaultUri" -o tsv)"
+az keyvault secret download --file /etc/mdm.pem --id "${SVCVAULTURI}secrets/rp-mdm"
 chmod 0600 /etc/mdm.pem
 
-az keyvault secret download --file /etc/mdsd.pem --id "$RPMDSDCERTIFICATEVAULTID"
+az keyvault secret download --file /etc/mdsd.pem --id "${SVCVAULTURI}secrets/rp-mdsd"
 chown syslog:syslog /etc/mdsd.pem
 chmod 0600 /etc/mdsd.pem
 
@@ -1102,12 +1107,10 @@ func (g *generator) template() *arm.Template {
 			"pullSecret",
 			"rpImage",
 			"rpImageAuth",
-			"rpMdmCertificateVaultId",
 			"rpMdmFrontendUrl",
 			"rpMdmMetricNamespace",
 			"rpMdmMonitoringAccount",
 			"rpMdsdAccount",
-			"rpMdsdCertificateVaultId",
 			"rpMdsdConfigVersion",
 			"rpMdsdEnvironment",
 			"rpMdsdNamespace",