dev-infrastructure/global-pipeline.yaml (95 lines of code) (raw):
#
# Purpose: Manage global infrastructure for ARO HCP
# Managed Resources:
# * global ARO HCP parent zones and ensures proper delegation
# * global Grafana instance
# * global MSI for Shell Step executions
# * SVC and OCP ACRs
# * image mirroring jobs
#
$schema: "pipeline.schema.v1"
serviceGroup: Microsoft.Azure.ARO.HCP.Global
rolloutName: Global Resource Rollout
resourceGroups:
- name: '{{ .global.rg }}'
subscription: '{{ .global.subscription }}'
steps:
# creates global infra
# * the parent DNS zones for the ARO HCP services
# * the global KV
# * the global Grafana instance
- name: global-infra
action: ARM
template: templates/global-infra.bicep
parameters: configurations/global-infra.tmpl.bicepparam
deploymentLevel: ResourceGroup
- name: grafana-dashboards
action: Shell
command: cd ../observability/grafana && ./deploy.sh
dependsOn:
- global-infra
dryRun:
variables:
- name: DRY_RUN
value: "true"
variables:
- name: GRAFANA_NAME
configRef: monitoring.grafanaName
- name: GLOBAL_RESOURCEGROUP
configRef: global.rg
# creates DNS delegation for the ARO HCP global SVC zone
- name: svcChildZone
action: DelegateChildZone
parentZone:
configRef: dns.parentZoneName
childZone:
configRef: dns.svcParentZoneName
dependsOn:
- global-infra
# creates DNS delegation for the ARO HCP global CX zone
{{- if .dns.cxParentZoneDelegation }}
- name: cxChildZone
action: DelegateChildZone
parentZone:
configRef: dns.parentZoneName
childZone:
configRef: dns.cxParentZoneName
dependsOn:
- global-infra
{{- end }}
# create global ARO HCP ACRs for OCP and SVC images
- name: global-acrs
action: ARM
template: templates/global-acr.bicep
parameters: configurations/global-acr.tmpl.bicepparam
deploymentLevel: ResourceGroup
dependsOn:
- global-infra
# ingests secrets into the global KV
- name: decrypt-and-ingest-secrets
action: Shell
command: ../tooling/secret-sync/decrypt-all.sh
dryRun:
variables:
- name: DRY_RUN
value: "true"
variables:
- name: KEYVAULT
configRef: global.keyVault.name
- name: SECRETFOLDER
configRef: global.secretsToSyncDir
dependsOn:
- global-infra
# mirror oc-mirror image
- name: mirror-oc-mirror-image
action: Shell
command: ../image-sync/on-demand/sync.sh
dryRun:
variables:
- name: DRY_RUN
value: "true"
variables:
- name: TARGET_ACR
configRef: 'acr.svc.name'
- name: SOURCE_REGISTRY
configRef: imageSync.ocMirror.image.registry
- name: REPOSITORY
configRef: imageSync.ocMirror.image.repository
- name: DIGEST
configRef: imageSync.ocMirror.image.digest
- name: PULL_SECRET_KV
configRef: global.keyVault.name
- name: PULL_SECRET
configRef: imageSync.componentSync.pullSecretName
dependsOn:
- global-acrs
- decrypt-and-ingest-secrets
# deploys the image mirror for the ACRs
- name: imagemirror
action: ARM
template: templates/global-image-sync.bicep
parameters: configurations/global-image-sync.tmpl.bicepparam
deploymentLevel: ResourceGroup
dependsOn:
- mirror-oc-mirror-image