Add support into the deployment scripts

2020-03-12 15:01:54 +10:00 · 2020-03-12 15:01:54 +10:00 · f196a7ce91
--- a/.pipelines/deploy-int-env.yml
+++ b/.pipelines/deploy-int-env.yml
@ -34,6 +34,7 @@ jobs:
          mdsdConfigVersion: $(MDSD-CONFIG-VERSION)
          rpMode: "int"
          pullSecret: $(aro-pullsecret)
+          acrResourceId: "/subscriptions/0cc1cafa-578f-4fa5-8d6b-ddfd8d82e6ea/resourceGroups/global-infra/providers/Microsoft.ContainerRegistry/registries/arointsvc"
          sshPublicKey: $(int-ssh-public-key)
          subscriptionId: "0cc1cafa-578f-4fa5-8d6b-ddfd8d82e6ea"
          azureDevOpsJSONSPN: $(aro-v4-ci-devops-spn)
--- a/.pipelines/templates/template-deploy-int-env.yml
+++ b/.pipelines/templates/template-deploy-int-env.yml
@ -13,6 +13,7 @@ parameters:
  rpMode: ""
  sshPublicKey: ""
  pullSecret: ""
+  acrResourceId: ""
  subscriptionId: ""
  adminApiCaBundle: ""
  adminApiClientCertCN: ""
@ -20,7 +21,7 @@ steps:
  - script: |
      set -eu
      cd ${{ parameters.workingDirectory }}
-      
+
      COMMIT=$(git rev-parse --short HEAD)$([[ $(git status --porcelain) = "" ]] || echo -dirty)

      echo ${{ parameters.rpImagePullJSONSPN }} | base64 -d -w 0 > pull-spn.json
@ -50,9 +51,10 @@ steps:

      echo ${{ parameters.azureDevOpsJSONSPN }} | base64 -d -w 0 > devops-spn.json
      export AZURE_SUBSCRIPTION_ID="${{ parameters.subscriptionId }}"
-      export AZURE_CLIENT_ID=$(cat devops-spn.json | jq -r '.clientId') 
-      export AZURE_CLIENT_SECRET=$(cat devops-spn.json | jq -r '.clientSecret') 
+      export AZURE_CLIENT_ID=$(cat devops-spn.json | jq -r '.clientId')
+      export AZURE_CLIENT_SECRET=$(cat devops-spn.json | jq -r '.clientSecret')
      export AZURE_TENANT_ID=$(cat devops-spn.json | jq -r '.tenantId')
+      export ACR_RESOURCE_ID="${{ parameters.acrResourceId }}"
      rm devops-spn.json

      ./hack/deploy/prepare-int-parameters.sh
--- a/deploy/rp-development-predeploy.json
+++ b/deploy/rp-development-predeploy.json
@ -17,6 +17,28 @@
        }
    },
    "resources": [
+        {
+            "name": "[guid(resourceGroup().id, 'Token Contributor')]",
+            "type": "Microsoft.Authorization/roleDefinitions",
+            "properties": {
+                "roleName": "ARO v4 ContainerRegistry Token Contributor",
+                "permissions": [
+                    {
+                        "actions": [
+                            "Microsoft.ContainerRegistry/registries/tokens/write",
+                            "Microsoft.ContainerRegistry/registries/tokens/read",
+                            "Microsoft.ContainerRegistry/registries/tokens/delete",
+                            "Microsoft.ContainerRegistry/registries/scopeMaps/read",
+                            "Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
+                            "Microsoft.ContainerRegistry/registries/generateCredentials/action"
+                        ]
+                    }
+                ],
+                "assignableScopes": [
+                    "[concat('/subscriptions/', subscription().subscriptionId)]"
+                ]
+            }
+        },
        {
            "properties": {
                "securityRules": [
--- a/deploy/rp-production-parameters.json
+++ b/deploy/rp-production-parameters.json
@ -2,6 +2,9 @@
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
+        "acrResourceId": {
+            "value": ""
+        },
        "adminApiCaBundle": {
            "value": ""
        },
--- a/deploy/rp-production-predeploy.json
+++ b/deploy/rp-production-predeploy.json
@ -46,6 +46,28 @@
        }
    },
    "resources": [
+        {
+            "name": "[guid(resourceGroup().id, 'Token Contributor')]",
+            "type": "Microsoft.Authorization/roleDefinitions",
+            "properties": {
+                "roleName": "ARO v4 ContainerRegistry Token Contributor",
+                "permissions": [
+                    {
+                        "actions": [
+                            "Microsoft.ContainerRegistry/registries/tokens/write",
+                            "Microsoft.ContainerRegistry/registries/tokens/read",
+                            "Microsoft.ContainerRegistry/registries/tokens/delete",
+                            "Microsoft.ContainerRegistry/registries/scopeMaps/read",
+                            "Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
+                            "Microsoft.ContainerRegistry/registries/generateCredentials/action"
+                        ]
+                    }
+                ],
+                "assignableScopes": [
+                    "[concat('/subscriptions/', subscription().subscriptionId)]"
+                ]
+            }
+        },
        {
            "properties": {
                "securityRules": [
--- a/deploy/rp-production.json
+++ b/deploy/rp-production.json
--- a/hack/deploy/prepare-int-parameters.sh
+++ b/hack/deploy/prepare-int-parameters.sh
@ -26,6 +26,9 @@ cat >secrets/parameters.json <<EOF
        "pullSecret": {
            "value": "$PULL_SECRET"
        },
+        "acrResourceId": {
+            "value": "$ACR_RESOURCE_ID"
+        },
        "rpImage": {
            "value": "$RP_IMAGE"
        },
--- a/pkg/deploy/bindata.go
+++ b/pkg/deploy/bindata.go
--- a/pkg/deploy/generator/resources.go
+++ b/pkg/deploy/generator/resources.go
@ -566,6 +566,7 @@ func (g *generator) vmss() *arm.Resource {
 		"mdsdConfigVersion",
 		"mdsdEnvironment",
 		"pullSecret",
+		"acrResourceId",
 		"rpImage",
 		"rpImageAuth",
 		"rpMode",
@ -755,6 +756,7 @@ cat >/etc/sysconfig/aro-rp <<EOF
 MDM_ACCOUNT=AzureRedHatOpenShiftRP
 MDM_NAMESPACE=RP
 PULL_SECRET='$PULLSECRET'
+ACR_RESOURCE_ID='$ACRRESOURCEID'
 ADMIN_API_CLIENT_CERT_COMMON_NAME='$ADMINAPICLIENTCERTCOMMONNAME'
 RPIMAGE='$RPIMAGE'
 RP_MODE='$RPMODE'
@ -1306,6 +1308,31 @@ func (g *generator) database(databaseName string, addDependsOn bool) []*arm.Reso
 	return rs
 }

+func (g *generator) rbacPredeploy() *arm.Resource {
+	return &arm.Resource{
+		Resource: &mgmtauthorization.RoleDefinition{
+			Name: to.StringPtr("[guid(resourceGroup().id, 'Token Contributor')]"),
+			Type: to.StringPtr("Microsoft.Authorization/roleDefinitions"),
+			RoleDefinitionProperties: &mgmtauthorization.RoleDefinitionProperties{
+				RoleName:         to.StringPtr("ARO v4 ContainerRegistry Token Contributor"),
+				AssignableScopes: &[]string{"[concat('/subscriptions/', subscription().subscriptionId)]"},
+				Permissions: &[]mgmtauthorization.Permission{
+					{
+						Actions: &[]string{
+							"Microsoft.ContainerRegistry/registries/tokens/write",
+							"Microsoft.ContainerRegistry/registries/tokens/read",
+							"Microsoft.ContainerRegistry/registries/tokens/delete",
+							"Microsoft.ContainerRegistry/registries/scopeMaps/read",
+							"Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
+							"Microsoft.ContainerRegistry/registries/generateCredentials/action",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
 func (g *generator) rbac() []*arm.Resource {
 	return []*arm.Resource{
 		{
--- a/pkg/deploy/generator/templates.go
+++ b/pkg/deploy/generator/templates.go
@ -45,6 +45,7 @@ func (g *generator) rpTemplate() *arm.Template {
 			"mdsdConfigVersion",
 			"mdsdEnvironment",
 			"pullSecret",
+			"acrResourceId",
 			"rpImage",
 			"rpImageAuth",
 			"rpMode",
@ -150,6 +151,7 @@ func (g *generator) preDeployTemplate() *arm.Template {
 	}

 	t.Resources = append(t.Resources,
+		g.rbacPredeploy(),
 		g.securityGroupRP(),
 		g.securityGroupPE(),
 		// clustersKeyvault must preceed serviceKeyvault due to terrible
--- a/pkg/env/env.go
+++ b/pkg/env/env.go
@ -39,6 +39,7 @@ type Interface interface {
 	ManagedDomain(string) (string, error)
 	MetricsSocketPath() string
 	Zones(vmSize string) ([]string, error)
+	ACRResourceID() string
 }

 func NewEnv(ctx context.Context, log *logrus.Entry) (Interface, error) {
--- a/pkg/env/prod.go
+++ b/pkg/env/prod.go
@ -143,6 +143,10 @@ func (p *prod) AdminClientAuthorizer() clientauthorizer.ClientAuthorizer {
 	return p.adminClientAuthorizer
 }

+func (p *prod) ACRResourceID() string {
+	return os.Getenv("ACR_RESOURCE_ID")
+}
+
 func (p *prod) populateCosmosDB(ctx context.Context, rpAuthorizer autorest.Authorizer) error {
 	databaseaccounts := documentdb.NewDatabaseAccountsClient(p.SubscriptionID(), rpAuthorizer)

--- a/pkg/env/test.go
+++ b/pkg/env/test.go
@ -88,3 +88,7 @@ func (t *Test) ResourceGroup() string {
 func (t *Test) SubscriptionID() string {
 	return t.TestSubscriptionID
 }
+
+func (t *Test) ACRResourceID() string {
+	return "/subscriptions/93aeba23-2f76-4307-be82-02921df010cf/resourceGroups/global/providers/Microsoft.ContainerRegistry/registries/arosvc"
+}