
---
#
# Purpose: Manage management cluster and supporting infra for its services
# Managed Resources:
# * AKS MGMT cluster
# * MSI, CX and MGMT Key Vaults with OneCert registration
# * metrics collection
# * MI, certificate and RBAC for Maestro
#
$schema: "pipeline.schema.v1"
serviceGroup: Microsoft.Azure.ARO.HCP.Management.Infra
rolloutName: Management Cluster Rollout

resourceGroups:
  # The first three resource groups only run output-only ARM steps
  # (outputOnly: true); later steps read their outputs via `input:`.
  - name: '{{ .global.rg }}'
    subscription: '{{ .global.subscription }}'
    steps:
      - name: global-output
        action: ARM
        template: templates/output-global.bicep
        parameters: configurations/output-global.tmpl.bicepparam
        deploymentLevel: ResourceGroup
        outputOnly: true

  - name: '{{ .svc.rg }}'
    subscription: '{{ .svc.subscription }}'
    steps:
      - name: svc-output
        action: ARM
        template: templates/output-svc.bicep
        parameters: configurations/output-svc.tmpl.bicepparam
        deploymentLevel: ResourceGroup
        outputOnly: true

  - name: '{{ .regionRG }}'
    subscription: '{{ .svc.subscription }}'
    steps:
      - name: region-output
        action: ARM
        template: templates/output-region.bicep
        parameters: configurations/output-region.tmpl.bicepparam
        deploymentLevel: ResourceGroup
        outputOnly: true

  # Management resource group: ARM deployments for infra, Key Vault
  # certificate issuers, the AKS cluster and its network security perimeter.
  - name: '{{ .mgmt.rg }}'
    subscription: '{{ .mgmt.subscription }}'
    steps:
      - name: rpRegistration
        action: ResourceProviderRegistration
        resourceProviderNamespaces:
          value:
            - Microsoft.Storage # for deployment scripts

      - name: mgmt-infra
        action: ARM
        template: templates/mgmt-infra.bicep
        parameters: configurations/mgmt-infra.tmpl.bicepparam
        deploymentLevel: ResourceGroup
        variables:
          - name: clusterServiceMIResourceId
            input:
              step: svc-output
              name: cs
          - name: logAnalyticsWorkspaceId
            input:
              step: region-output
              name: logAnalyticsWorkspaceId
        dependsOn:
          - region-output
          - svc-output
          - rpRegistration

      # Configure certificate issuers for the MC KVs.
      # Each issuer step targets a vault URL emitted by mgmt-infra; the CX
      # vault gets the public CA, the MGMT vault gets both private and public.
      - name: cx-oncert-public-kv-issuer
        action: SetCertificateIssuer
        dependsOn:
          - mgmt-infra
        vaultBaseUrl:
          input:
            name: cxKeyVaultUrl
            step: mgmt-infra
        issuer:
          value: OneCertV2-PublicCA

      - name: mgmt-oncert-private-kv-issuer
        action: SetCertificateIssuer
        dependsOn:
          - mgmt-infra
        vaultBaseUrl:
          input:
            name: mgmtKeyVaultUrl
            step: mgmt-infra
        issuer:
          value: OneCertV2-PrivateCA

      - name: mgmt-oncert-public-kv-issuer
        action: SetCertificateIssuer
        dependsOn:
          - mgmt-infra
        vaultBaseUrl:
          input:
            name: mgmtKeyVaultUrl
            step: mgmt-infra
        issuer:
          value: OneCertV2-PublicCA

      # Build the MC.
      # Waits on all three issuer steps so the vaults are ready before the
      # cluster deployment starts.
      - name: mgmt-cluster
        action: ARM
        template: templates/mgmt-cluster.bicep
        parameters: configurations/mgmt-cluster.tmpl.bicepparam
        deploymentLevel: ResourceGroup
        variables:
          - name: ocpAcrResourceId
            input:
              step: global-output
              name: ocpAcrResourceId
          - name: svcAcrResourceId
            input:
              step: global-output
              name: svcAcrResourceId
          - name: azureMonitoringWorkspaceId
            input:
              step: region-output
              name: azureMonitoringWorkspaceId
          - name: maestroEventGridNamespaceId
            input:
              step: region-output
              name: maestroEventGridNamespaceId
          - name: logAnalyticsWorkspaceId
            input:
              step: region-output
              name: logAnalyticsWorkspaceId
        dependsOn:
          - cx-oncert-public-kv-issuer
          - mgmt-oncert-private-kv-issuer
          - mgmt-oncert-public-kv-issuer
          - global-output
          - region-output

      # Network security perimeter for the management resources; runs after
      # both the cluster and the infra it guards exist.
      - name: mgmt-nsp
        action: ARM
        template: templates/mgmt-nsp.bicep
        parameters: configurations/mgmt-nsp.tmpl.bicepparam
        deploymentLevel: ResourceGroup
        dependsOn:
          - mgmt-cluster
          - mgmt-infra

  # Same management resource group, second entry: Shell steps that carry an
  # aksCluster target (presumably the cluster the `make ... deploy` commands
  # are pointed at — confirm against the pipeline schema). Every Shell step
  # has a dryRun block that passes DRY_RUN=true to the make target instead of
  # applying changes.
  - name: '{{ .mgmt.rg }}'
    subscription: '{{ .mgmt.subscription }}'
    aksCluster: '{{ .mgmt.aks.name }}'
    steps:
      # Prometheus operator and spec images are passed as registry,
      # repository and digest triples from config, so the deployed images are
      # pinned by digest rather than by mutable tag.
      - name: prometheus
        action: Shell
        command: make -C ../observability/prometheus deploy
        dryRun:
          variables:
            - name: DRY_RUN
              value: "true"
        variables:
          - name: PROMETHEUS_OPERATOR_REGISTRY
            configRef: mgmt.prometheus.prometheusOperator.image.registry
          - name: PROMETHEUS_OPERATOR_REPOSITORY
            configRef: mgmt.prometheus.prometheusOperator.image.repository
          - name: PROMETHEUS_OPERATOR_DIGEST
            configRef: mgmt.prometheus.prometheusOperator.image.digest
          - name: PROMETHEUS_SPEC_REGISTRY
            configRef: mgmt.prometheus.prometheusSpec.image.registry
          - name: PROMETHEUS_SPEC_REPOSITORY
            configRef: mgmt.prometheus.prometheusSpec.image.repository
          - name: PROMETHEUS_SPEC_DIGEST
            configRef: mgmt.prometheus.prometheusSpec.image.digest
          - name: PROMETHEUS_SPEC_REPLICAS
            configRef: mgmt.prometheus.prometheusSpec.replicas
          - name: PROMETHEUS_SPEC_SHARDS
            configRef: mgmt.prometheus.prometheusSpec.shards
          - name: PROMETHEUS_SPEC_VERSION
            configRef: mgmt.prometheus.prometheusSpec.version
          - name: PROMETHEUS_NAMESPACE_LABEL
            configRef: mgmt.prometheus.namespaceLabel
          - name: RESOURCE_GROUP
            configRef: mgmt.rg
        dependsOn:
          - mgmt-cluster

      # Install ACRpull (image pinned by digest from config as well).
      - name: acrpull
        action: Shell
        command: make -C ../acrpull deploy
        dryRun:
          variables:
            - name: DRY_RUN
              value: "true"
        variables:
          - name: ACRPULL_DIGEST
            configRef: acrPull.image.digest
          - name: ACRPULL_REPO
            configRef: acrPull.image.repository
          - name: ACRPULL_REGISTRY
            configRef: acrPull.image.registry
        dependsOn:
          - prometheus

      # Install cluster patches
      - name: mgmt-fixes
        action: Shell
        command: make -C ../mgmt-fixes deploy
        dryRun:
          variables:
            - name: DRY_RUN
              value: "true"
        variables:
          - name: APPLY_KUBELET_FIXES
            configRef: mgmt.applyKubeletFixes
        dependsOn:
          - mgmt-cluster