
$schema: config.schema.json

#
# A B O U T   N A M I N G
#
# For Azure resource names that need to be unique within a cloud, use {{ .ctx }} variables to ensure uniqueness, e.g.
# - for global, regional and SC naming use {{ .ctx.regionShort }} or {{ .ctx.region }}
# - for MGMT naming additionally use {{ .ctx.stamp }}
#
# We have different requirements for naming uniqueness for Azure resources
#
# - [globally-unique] - a resource needs to be unique within the Azure cloud.
#   This is a technical requirement of Azure for certain resource types
# - [env-unique] - a resource needs to be unique within an ARO HCP environment,
#   so across all regions of ARO HCP in the same environment.
#   An environment-unique name does not need to be unique within the Azure cloud
#
# To implement names, we leverage static strings combined with the {{ .ctx }} variables, e.g.
# - {{ .ctx.regionShort }} length: 2-4 / starts with a character, may end with a digit
# - {{ .ctx.region }} very long, up to 20 characters / starts with a character, may end with a digit
# - {{ .ctx.stamp }} used for uniqueness for MGMT stamps within a region / digits only

defaults:
  #
  # All defaults mentioned in this section need to be environment and region agnostic.
  # Environment-specific values (names, IDs, digests) are set under
  # clouds.<cloud>.environments.<env>.defaults further down and override these.
  #
  releaseApprover:
    id: feca6a27-8f05-4abe-b9e4-e1185f5833ab
    name: TM-AzureRedHatOpenShift-HCP-Leads

  # The long Azure region name
  region: "{{ .ctx.region }}"

  regionRG: "{{ .ctx.region }}-shared-resources"

  global:
    rg: global-shared-resources
    subscription: hcp-global
    globalMSIName: "global-ev2-identity"
    safeDnsIntAppObjectId: "" # intentionally blank - only required in INT
    keyVault:
      private: false
      softDelete: true
      secretsToSyncDir: "none"

  # ACR
  acr:
    svc:
      zoneRedundantMode: Enabled
    ocp:
      zoneRedundantMode: Enabled

  # ACR Pull
  acrPull:
    image:
      registry: mcr.microsoft.com
      repository: aks/msi-acrpull
      digest: sha256:c802a91b3b0fe4a3875a03904140a14eb54c8b94db1d510946c9c438d28689c0 # v0.1.14

  backplaneAPI:
    image:
      registry: quay.io
      repository: app-sre/backplane-api
      # NOTE(review): no digest is pinned here and no environment in this file sets one,
      # unlike every other image in this file — confirm the digest is supplied elsewhere.

  # Logs
  logs:
    mdsd:
      namespace: logs
      msiName: logs-mdsd
      serviceAccountName: genevabit-aggregator
      cert:
        name: logs-mdsd
        type: x-pem-file # GCS certificate file in PEM format
        issuer: OneCertV2-PrivateCA
    loganalytics:
      enable: false

  # Hypershift
  hypershift:
    namespace: hypershift
    # INT overrides this to '' (see clouds.public.environments.int below).
    additionalInstallArg: '--limit-crd-install=Azure'
    image:
      registry: quay.io
      repository: acm-d/rhtap-hypershift-operator

  # OIDC
  oidcZoneRedundantMode: Auto

  # FPA certificate settings
  firstPartyAppCertificate:
    issuer: OneCertV2-PrivateCA
    manage: true

  # SVC cluster specifics
  svc:
    subscription: "hcp-{{ .ctx.region }}"
    rg: "hcp-underlay-{{ .ctx.region }}-svc"
    nsp:
      # NOTE(review): unquoted unlike the other templated values in this file; quote for consistency.
      name: nsp-{{ .ctx.regionShort }}-svc
      # NOTE(review): 'Learning' presumably means the perimeter only observes and does not
      # enforce — confirm a switch to an enforcing mode is planned before production use.
      accessMode: 'Learning'
    aks:
      name: "{{ .ctx.region }}-svc-1" # [env-unique]
      vnetAddressPrefix: "10.128.0.0/14"
      subnetPrefix: "10.128.8.0/21"
      podSubnetPrefix: "10.128.64.0/18"
      kubernetesVersion: 1.31.6
      networkDataplane: "cilium"
      networkPolicy: "cilium"
      systemAgentPool:
        vmSize: 'Standard_D2s_v3'
        osDiskSizeGB: 32
      userAgentPool:
        vmSize: 'Standard_D2s_v3'
        osDiskSizeGB: 32
      infraAgentPool:
        minCount: 1
        maxCount: 3
        vmSize: 'Standard_D2s_v3'
        osDiskSizeGB: 128
        azCount: 3
      etcd:
        kvSoftDelete: true
      clusterOutboundIPAddressIPTags: "FirstPartyUsage:/aro-hcp-prod-outbound-svc"
    istio:
      istioctlVersion: "1.24.1"
      tag: "prod-stable"
      targetVersion: "asm-1-23"
      versions: "asm-1-23"
      ingressGatewayIPAddressName: "aro-hcp-istio-ingress"
      ingressGatewayIPAddressIPTags: "FirstPartyUsage:/aro-hcp-prod-inbound-svc"
    logs:
      namespace: HCPServiceLogs
    prometheus:
      namespace: prometheus
      namespaceLabel: ""
      prometheusOperator:
        image:
          registry: mcr.microsoft.com/oss/v2
          repository: prometheus/prometheus-operator
          # NOTE(review): bare hex without the `sha256:` prefix, unlike acrPull/maestro/etc. —
          # confirm the consuming chart expects this form.
          digest: a5bf4407cb83dc93d4e29ef680e0a4d621256e0f004822f53b2ff1c592bf2a82
        version: ""
      prometheusSpec:
        image:
          registry: mcr.microsoft.com/oss/v2
          repository: prometheus/prometheus
          digest: 2dcc22f4a8ea5c198e1c9eb6e7f04d127c55924da72e0f4334e659633185283c
        version: ""
        replicas: 2
        shards: 1

  # MGMT cluster specifics
  mgmt:
    subscription: "hcp-{{ .ctx.region }}"
    rg: "hcp-underlay-{{ .ctx.region }}-mgmt-{{ .ctx.stamp }}"
    nsp:
      name: nsp-{{ .ctx.regionShort }}-mgmt
      # NOTE(review): see svc.nsp.accessMode — same non-enforcing mode presumed here.
      accessMode: 'Learning'
    aks:
      name: "{{ .ctx.region }}-mgmt-{{ .ctx.stamp }}" # [env-unique]
      # Same address space as the SVC cluster; the two live in separate resource groups.
      vnetAddressPrefix: "10.128.0.0/14"
      subnetPrefix: "10.128.8.0/21"
      podSubnetPrefix: "10.128.64.0/18"
      kubernetesVersion: 1.31.6
      # CNI
      networkDataplane: "azure"
      networkPolicy: "azure"
      systemAgentPool:
        vmSize: 'Standard_E8s_v3'
        osDiskSizeGB: 128
      userAgentPool:
        vmSize: 'Standard_D16s_v3'
        osDiskSizeGB: 128
      infraAgentPool:
        minCount: 1
        maxCount: 3
        vmSize: 'Standard_D2s_v3'
        osDiskSizeGB: 128
        azCount: 3
      etcd:
        kvSoftDelete: true
      clusterOutboundIPAddressIPTags: "FirstPartyUsage:/aro-hcp-prod-outbound-cx"
      enableSwiftV2: true
      applyKubeletFixes: true
    logs:
      namespace: HCPCustomerLogs
    prometheus:
      namespace: prometheus
      namespaceLabel: network.openshift.io/policy-group=monitoring
      prometheusOperator:
        image:
          registry: mcr.microsoft.com/oss/v2
          repository: prometheus/prometheus-operator
          digest: a5bf4407cb83dc93d4e29ef680e0a4d621256e0f004822f53b2ff1c592bf2a82
        version: ""
      prometheusSpec:
        image:
          registry: mcr.microsoft.com/oss/v2
          repository: prometheus/prometheus
          digest: 2dcc22f4a8ea5c198e1c9eb6e7f04d127c55924da72e0f4334e659633185283c
        version: "v2.55.1-3"
        replicas: 2
        shards: 2

  # RP Frontend
  frontend:
    image:
      registry: arohcpsvcdev.azurecr.io
      repository: arohcpfrontend
    cert:
      name: frontend-cert
      issuer: OneCertV2-PublicCA
    cosmosDB:
      deploy: true
      # Key-based (local) auth off; INT and STG below override `private` to false.
      disableLocalAuth: true
      private: true
      zoneRedundantMode: Auto
    tracing:
      address: ""
      exporter: ""

  # Mise
  mise:
    deploy: true
    image:
      repository: mise

  # RP Backend
  backend:
    image:
      registry: arohcpsvcdev.azurecr.io
      repository: arohcpbackend

  # Maestro
  maestro:
    server:
      mqttClientName: maestro-server
      loglevel: 4
      managedIdentityName: maestro-server
      k8s:
        namespace: maestro
        serviceAccountName: maestro
    agent:
      consumerName: "hcp-underlay-{{ .ctx.regionShort }}-mgmt-{{ .ctx.stamp }}" # [env-unique]
      loglevel: 4
      sidecar:
        image:
          registry: mcr.microsoft.com
          repository: azurelinux/base/nginx
          digest: sha256:f203d7e49ce778f8464f403d2558c5d7162b1b9189657c6b32d4f70a99e0fe83
    eventGrid:
      maxClientSessionsPerAuthName: 6
      # NOTE(review): public endpoint — confirm intended given the RP Cosmos DB is private by default.
      private: false
      certDomain: ""
      certIssuer: OneCertV2-PrivateCA
    postgres:
      serverVersion: '15'
      serverStorageSizeGB: 32
      deploy: true
      # NOTE(review): public endpoint; TLS 1.2 minimum is enforced below.
      private: false
      minTLSVersion: 'TLSV1.2'
      databaseName: maestro
      zoneRedundantMode: 'Auto'
    restrictIstioIngress: true
    image:
      registry: quay.io
      repository: redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro

  # Cluster Service
  clustersService:
    image:
      registry: quay.io
      repository: app-sre/uhc-clusters-service
    azureOperatorsManagedIdentities:
      cloudControllerManager:
        roleName: Azure Red Hat OpenShift Cloud Controller Manager
      ingress:
        roleName: Azure Red Hat OpenShift Cluster Ingress Operator
      diskCsiDriver:
        roleName: Azure Red Hat OpenShift Disk Storage Operator
      fileCsiDriver:
        roleName: Azure Red Hat OpenShift File Storage Operator
      imageRegistry:
        roleName: Azure Red Hat OpenShift Image Registry Operator
      cloudNetworkConfig:
        roleName: Azure Red Hat OpenShift Network Operator
      kms:
        roleName: Key Vault Crypto User
      # below two are supposed to be replaced with ARO-specific builtin roles
      # NOTE(review): Contributor is a broad built-in role compared to the operator-specific
      # roles above — until the ARO-specific roles land, confirm the assignment scope is as
      # narrow as possible and track the replacement.
      clusterApiAzure:
        roleName: Contributor
      controlPlane:
        roleName: Contributor
    postgres:
      deploy: true
      private: false
      minTLSVersion: 'TLSV1.2'
      zoneRedundantMode: 'Auto'
    managedIdentityName: clusters-service
    k8s:
      namespace: clusters-service
      serviceAccountName: clusters-service
    tracing:
      address: ""
      exporter: ""

  # Image Sync
  imageSync:
    environmentName: aro-hcp-image-sync
    outboundServiceTags: "FirstPartyUsage:/Unprivileged"
    componentSync:
      enabled: false # we rely on on-demand sync within the respective pipelines
      image:
        registry: arohcpsvcdev.azurecr.io
        repository: image-sync/component-sync
      repositories: ""
      secrets: ""
      pullSecretName: component-sync-pull-secret
    ocMirror:
      enabled: true
      image:
        registry: arohcpsvcdev.azurecr.io
        repository: image-sync/oc-mirror
      pullSecretName: ocmirror-pull-secret

  # MCE
  mce:
    clcStateMetrics:
      # NOTE(review): bare hex without `sha256:` prefix — see prometheus digests above.
      imageDigest: bf5bb514e4d8af5e38317c3727d4cd9f90c22b293fe3e2367f9f0e179e0ee0c7

  # SVC KV
  serviceKeyVault:
    rg: "hcp-underlay-{{ .ctx.region }}-svc"
    region: "{{ .ctx.region }}"
    # NOTE(review): soft delete is off for all four service/management vaults below while
    # global.keyVault and the etcd vaults keep it on — presumably deleted objects are then
    # unrecoverable; confirm this is intended for non-dev environments.
    softDelete: false
    private: false

  # Management Cluster KV
  cxKeyVault:
    softDelete: false
    private: false
  msiKeyVault:
    softDelete: false
    private: false
  mgmtKeyVault:
    softDelete: false
    private: false

  # DNS
  dns:
    baseDnsZoneRG: global-shared-resources
    regionalSubdomain: "{{ .ctx.region }}"

  # Metrics
  monitoring:
    grafanaZoneRedundantMode: Disabled
    grafanaMajorVersion: "11"
    workspaceName: "arohcp-{{ .ctx.regionShort }}"

  # Mock Managed Identities - not relevant for most MSFT envs
  miMockClientId: ""
  miMockPrincipalId: ""
  miMockCertName: ""
  armHelperClientId: ""
  armHelperFPAPrincipalId: ""
  armHelperCertName: ""

clouds:
  public:
    defaults:
      imageSync:
        componentSync:
          image:
            digest: sha256:d838c4910bc53a5583dd501ed7e3ab08aa7c08b45b5997c90764c65ceef01a8f
        ocMirror:
          image:
            digest: sha256:92dc2b18de0126caa2212f62c54023f6e8ecf12e2025c37a5f4151d0253ae14e
      mise:
        azureAdInstance: https://login.microsoftonline.com/
        armInstance: https://management.azure.com

    environments:
      int: # this is the MSFT INT environment
        defaults:
          # Region for global resources in INT is uksouth
          global:
            region: uksouth
            safeDnsIntAppObjectId: "c54b6bce-1cd3-4d37-bebe-aa22f4ce4fbc"
            keyVault:
              name: arohcpint-global # [globally-unique]
              secretsToSyncDir: "msft-int/arohcpint-global"

          # Cluster Service
          clustersService:
            environment: "arohcpint"
            postgres:
              name: "arohcpint-csdb-{{ .ctx.regionShort }}" # [globally-unique]
            image:
              digest: sha256:777e6f7be92f113b9c188de36b6925dff2537c23fd2efca115b21d42fa9d29e5

          # Geneva Actions
          genevaActions:
            serviceTag: GenevaActionsNonProd

          # OIDC
          oidcStorageAccountName: "arohcpintoidc{{ .ctx.regionShort }}" # [globally-unique]

          # SVC KV
          serviceKeyVault:
            name: "arohcpint-svc-{{ .ctx.regionShort }}" # [globally-unique]

          # Management Cluster KV
          cxKeyVault:
            name: "arohcpint-cx-{{ .ctx.regionShort }}-{{ .ctx.stamp }}" # [globally-unique]
          msiKeyVault:
            name: "arohcpint-msi-{{ .ctx.regionShort }}-{{ .ctx.stamp }}" # [globally-unique]
          mgmtKeyVault:
            name: "arohcpint-mgmt-{{ .ctx.regionShort }}-{{ .ctx.stamp }}" # [globally-unique]

          # SVC cluster settings
          svc:
            aks:
              systemAgentPool:
                minCount: 1
                maxCount: 3
              userAgentPool:
                minCount: 1
                maxCount: 3
                azCount: 3
              clusterOutboundIPAddressIPTags: "FirstPartyUsage:/NonProd"
              etcd:
                kvName: "arohcpint-etcd-{{ .ctx.regionShort }}" # [globally-unique]
            istio:
              ingressGatewayIPAddressIPTags: "FirstPartyUsage:/NonProd"
            logs:
              san: SVC.GENEVA.KEYVAULT.ARO-HCP-INT.AZURE.COM
              configVersion: "1.0"

          # MC cluster settings
          mgmt:
            aks:
              # MGMT AKS nodepools
              systemAgentPool:
                minCount: 1
                maxCount: 4
              userAgentPool:
                minCount: 1
                maxCount: 12
                azCount: 3
              clusterOutboundIPAddressIPTags: "FirstPartyUsage:/NonProd"
              etcd:
                kvName: "arohcpint-etcd-{{ .ctx.regionShort }}-{{ .ctx.stamp }}" # [globally-unique]
            logs:
              san: MGMT.GENEVA.KEYVAULT.ARO-HCP-INT.AZURE.COM
              configVersion: "1.0"

          # DNS
          dns:
            cxParentZoneName: aroapp-hcp.azure-test.net
            cxParentZoneDelegation: true
            svcParentZoneName: aro-hcp.azure-test.net
            parentZoneName: azure-test.net

          # ACR
          acr:
            svc:
              name: arohcpsvcint # [globally-unique]
            ocp:
              name: arohcpocpint # [globally-unique]

          # RP Frontend
          frontend:
            cosmosDB:
              name: "arohcpint-rp-{{ .ctx.regionShort }}" # [globally-unique]
              # NOTE(review): overrides the `private: true` default — confirm a public
              # Cosmos endpoint is intended for INT (disableLocalAuth stays on from defaults).
              private: false
            image:
              digest: sha256:aa1ae769ca6318aab0c9fe6cb2772416430aa5adb69eb69623d6198e580e08c3

          # Mise
          mise:
            firstPartyAppId: 5bc505bc-50ef-4be9-9a82-2ed7973f1c37 # This is the aro-hcp-fp-int app in the MSIT Tenant.
            armAppId: e2c2ff5c-e5b4-4e79-8c3e-1da8c48461e7
            tenantId: 33e01921-4d64-4f8c-a055-5bdaffd5e33d
            image:
              digest: sha256:d56506305ea64f368c920e5e4bce6ee44415d4133559a548b82a81bbd1828f9b

          # RP Backend
          backend:
            image:
              digest: sha256:02a32af8d34c5725d0096ee7f94adf2ef151d0634e8682fe7517e6f9ebba9bdc

          # Hypershift
          hypershift:
            # Clears the default '--limit-crd-install=Azure' for INT.
            additionalInstallArg: ''
            image:
              digest: sha256:930a2851e0ed5144901eabdb1247096fea527231a990ea764b27754b766ef821

          # Maestro
          maestro:
            eventGrid:
              name: "arohcpint-maestro-{{ .ctx.regionShort }}" # [globally-unique]
            postgres:
              name: "arohcpint-maestrodb-{{ .ctx.regionShort }}" # [globally-unique]
            image:
              digest: sha256:f64ad21dcbe40ed7d29aff7d2d7320c0a5ee18c6bfabfef9486550a96ff27141

          # 1P app - from RH Tenant
          firstPartyAppClientId: b3cb2fab-15cb-4583-ad06-f91da9bfe2d1
          firstPartyAppCertificate:
            name: firstPartyCert2
            manage: false # we have the cert from RH for int

          # Mock Managed Identities Service Principal - from RH Tenant
          miMockClientId: e8723db7-9b9e-46a4-9f7d-64d75c3534f0
          miMockPrincipalId: d6b62dfa-87f5-49b3-bbcb-4a687c4faa96
          miMockCertName: msiMockCert2

          # ARM Helper - from RH Tenant
          armHelperClientId: 3331e670-0804-48e8-a086-6241671ddc93
          armHelperFPAPrincipalId: 47f69502-0065-4d9a-b19b-d403e183d2f4
          armHelperCertName: armHelperCert2

          # Grafana
          monitoring:
            grafanaName: "arohcp-int"
            grafanaAdminGroupPrincipalId: "2fdb57d4-3fd3-415d-b604-1d0e37a188fe" # Azure Red Hat OpenShift MSFT Engineering.

          # Global MSI
          aroDevopsMsiId: "/subscriptions/5299e6b7-b23b-46c8-8277-dc1147807117/resourcegroups/global-shared-resources/providers/Microsoft.ManagedIdentity/userAssignedIdentities/global-ev2-identity"

          # Cert Officer used for KV signer registration
          kvCertOfficerPrincipalId: "32af88de-a61c-4f71-b709-50538598c4f2" # aro-ev2-admin-int-sp

          # Logs
          logs:
            mdsd:
              subscriptions:
                - 5299e6b7-b23b-46c8-8277-dc1147807117

      stg: # this is the MSFT STAGE environment
        defaults:
          # Region for global resources in STAGE is uksouth
          global:
            region: uksouth
            keyVault:
              name: arohcpstg-global # [globally-unique]
              secretsToSyncDir: "msft-stg/arohcpstg-global"

          # Cluster Service
          clustersService:
            environment: "arohcpstg"
            postgres:
              name: "arohcpstg-cs-{{ .ctx.regionShort }}" # [globally-unique]
            image:
              digest: sha256:777e6f7be92f113b9c188de36b6925dff2537c23fd2efca115b21d42fa9d29e5

          # Geneva Actions
          genevaActions:
            serviceTag: GenevaActions

          # OIDC
          oidcStorageAccountName: "arohcpstgoidc{{ .ctx.regionShort }}" # [globally-unique]

          # SVC KV
          serviceKeyVault:
            name: "arohcpstg-svc-{{ .ctx.regionShort }}" # [globally-unique]

          # Management Cluster KV
          cxKeyVault:
            name: "arohcpstg-cx-{{ .ctx.regionShort }}-{{ .ctx.stamp }}" # [globally-unique]
          msiKeyVault:
            name: "arohcpstg-msi-{{ .ctx.regionShort }}-{{ .ctx.stamp }}" # [globally-unique]
          mgmtKeyVault:
            name: "arohcpstg-mgmt-{{ .ctx.regionShort }}-{{ .ctx.stamp }}" # [globally-unique]

          # SVC cluster settings
          svc:
            subscription: "hcp-stg-svc-{{ .ctx.region }}"
            aks:
              systemAgentPool:
                minCount: 1
                maxCount: 3
              userAgentPool:
                minCount: 1
                maxCount: 3
                azCount: 3
              # No clusterOutboundIPAddressIPTags override here: the prod-style
              # "aro-hcp-prod-outbound-svc" tag from defaults applies (INT uses NonProd).
              etcd:
                kvName: "arohcpstg-etcd-{{ .ctx.regionShort }}" # [globally-unique]
            logs:
              san: SVC.GENEVA.KEYVAULT.ARO-HCP-STG.AZURE.COM # TBD
              configVersion: "1.0"

          # MC cluster settings
          mgmt:
            subscription: "hcp-stg-mgmt-{{ .ctx.region }}-{{ .ctx.stamp }}"
            aks:
              # MGMT AKS nodepools
              systemAgentPool:
                minCount: 1
                maxCount: 4
              userAgentPool:
                minCount: 1
                maxCount: 12
                azCount: 3
              etcd:
                kvName: "arohcpstg-etcd-{{ .ctx.regionShort }}-{{ .ctx.stamp }}" # [globally-unique]
            logs:
              san: MGMT.GENEVA.KEYVAULT.ARO-HCP-STG.AZURE.COM # TBD
              configVersion: "1.0"

          # DNS
          dns:
            # we share the same DNS zones between staging and production
            # therefore it is crucial to use the staging suffix on the regional subdomain
            # in order to avoid a conflict with the production environment
            regionalSubdomain: "{{ .ctx.region }}staging"
            cxParentZoneName: aroapp-hcp.io
            cxParentZoneDelegation: false
            svcParentZoneName: aro-hcp.azure.com
            parentZoneName: azure.com

          # ACR
          acr:
            svc:
              name: arohcpsvcstg # [globally-unique]
            ocp:
              name: arohcpocpstg # [globally-unique]

          # RP Frontend
          frontend:
            cosmosDB:
              name: "arohcpstg-rp-{{ .ctx.regionShort }}" # [globally-unique]
              # NOTE(review): overrides the `private: true` default — confirm intended for STG.
              private: false
            image:
              digest: sha256:aa1ae769ca6318aab0c9fe6cb2772416430aa5adb69eb69623d6198e580e08c3
            cert:
              issuer: OneCertV2-PrivateCA # let's use private until we have approval for public

          # Mise
          mise:
            firstPartyAppId: 7f4a113a-c61d-412a-bea1-85dee5baf4a8
            armAppId: e2c2ff5c-e5b4-4e79-8c3e-1da8c48461e7
            tenantId: 33e01921-4d64-4f8c-a055-5bdaffd5e33d
            image:
              digest: sha256:d56506305ea64f368c920e5e4bce6ee44415d4133559a548b82a81bbd1828f9b

          # RP Backend
          backend:
            image:
              digest: sha256:02a32af8d34c5725d0096ee7f94adf2ef151d0634e8682fe7517e6f9ebba9bdc

          # Hypershift
          hypershift:
            image:
              digest: sha256:930a2851e0ed5144901eabdb1247096fea527231a990ea764b27754b766ef821

          # Maestro
          maestro:
            eventGrid:
              name: "arohcpstg-maestro-{{ .ctx.regionShort }}" # [globally-unique]
            postgres:
              # NOTE(review): same base name as the Event Grid namespace above (INT uses
              # "-maestrodb-"); different resource types, but align the naming if possible.
              name: "arohcpstg-maestro-{{ .ctx.regionShort }}" # [globally-unique]
            image:
              digest: sha256:f64ad21dcbe40ed7d29aff7d2d7320c0a5ee18c6bfabfef9486550a96ff27141

          # 1P app - from RH Tenant
          firstPartyAppClientId: "7f4a113a-c61d-412a-bea1-85dee5baf4a8"
          firstPartyAppCertificate:
            name: tmp-rp-firstparty

          # Grafana
          monitoring:
            grafanaName: 'arohcp-stg'
            # object id for group 'RH-AROAPPR'.
            # EV2 currently only allows service principal role assignment, so leave it empty for now
            grafanaAdminGroupPrincipalId: ''

          # Global MSI
          aroDevopsMsiId: '/subscriptions/9a53d80e-dae0-4c8a-af90-30575d253127/resourceGroups/global-shared-resources/providers/Microsoft.ManagedIdentity/userAssignedIdentities/global-ev2-identity'

          # Cert Officer used for KV signer registration
          kvCertOfficerPrincipalId: ce4e50ef-1059-4b6f-a53a-53001d517513 # objectId for 'aro-ev2-admin-prod-sp'

          # Logs
          logs:
            mdsd:
              # TBD — empty until the STG log subscriptions are known (INT lists one above).
              subscriptions: []