#
# Purpose: Manage service cluster and supporting infra for its services
# Managed Resources:
# * AKS SVC cluster
# * SVC Key Vault with OneCert registration
# * MIs, CosmosDB and RBAC for the RP
# * MIs, Postgres DB, OIDC storage and RBAC for Cluster Service
# * MIs, Postgres DB, certificates and RBAC for the Maestro Server
# * MIs and RBAC for ACRPull
# * metrics collection
# Managed Processes:
# * Manage ACRPull
# * Configure and upgrade Istio
#
# Schema version of this pipeline definition; the consuming rollout tooling
# is not part of this file.
$schema: "pipeline.schema.v1"
serviceGroup: Microsoft.Azure.ARO.HCP.Service.Infra
rolloutName: Service Cluster Rollout
# Each entry scopes its steps to one resource group (and optionally one AKS
# cluster). Steps reference each other by name via dependsOn / input.step,
# including across resource groups.
resourceGroups:
  # Query parameters from global deployment, e.g. ACR resource IDs
  - name: '{{ .global.rg }}'
    subscription: '{{ .global.subscription }}'
    steps:
      # outputOnly: this ARM step is used for its outputs only
      # (presumably it deploys nothing — confirm against the schema docs)
      - name: global-output
        action: ARM
        template: templates/output-global.bicep
        parameters: configurations/output-global.tmpl.bicepparam
        deploymentLevel: ResourceGroup
        outputOnly: true
  # Query parameters from regional deployment, e.g. Azure Monitor workspace ID
  - name: '{{ .regionRG }}'
    subscription: '{{ .svc.subscription }}'
    steps:
      - name: region-output
        action: ARM
        template: templates/output-region.bicep
        parameters: configurations/output-region.tmpl.bicepparam
        deploymentLevel: ResourceGroup
        outputOnly: true
  # ARM deployments into the SVC resource group.
  - name: '{{ .svc.rg }}'
    subscription: '{{ .svc.subscription }}'
    steps:
      # Create SVC KV
      - name: svc-infra
        action: ARM
        template: templates/svc-infra.bicep
        parameters: configurations/svc-infra.tmpl.bicepparam
        deploymentLevel: ResourceGroup
        variables:
          # Wired from the region-output step in the regional resource group.
          - name: logAnalyticsWorkspaceId
            input:
              step: region-output
              name: logAnalyticsWorkspaceId
        dependsOn:
          - region-output
      # Configure certificate issuers for the SVC KV
      # Two OneCert issuers are registered on the vault created by svc-infra:
      # a private CA and a public CA. The vault URL is taken from that step's
      # svcKeyVaultUrl output rather than being hard-coded.
      - name: svc-oncert-private-kv-issuer
        action: SetCertificateIssuer
        dependsOn:
          - svc-infra
        vaultBaseUrl:
          input:
            name: svcKeyVaultUrl
            step: svc-infra
        issuer:
          value: OneCertV2-PrivateCA
      - name: svc-oncert-public-kv-issuer
        action: SetCertificateIssuer
        dependsOn:
          - svc-infra
        vaultBaseUrl:
          input:
            name: svcKeyVaultUrl
            step: svc-infra
        issuer:
          value: OneCertV2-PublicCA
      # Create SVC cluster
      - name: svc
        action: ARM
        template: templates/svc-cluster.bicep
        parameters: configurations/svc-cluster.tmpl.bicepparam
        deploymentLevel: ResourceGroup
        variables:
          # ACR resource IDs come from the global resource group's output step.
          - name: ocpAcrResourceId
            input:
              step: global-output
              name: ocpAcrResourceId
          - name: svcAcrResourceId
            input:
              step: global-output
              name: svcAcrResourceId
          # Monitoring workspace IDs come from the regional output step.
          - name: azureMonitoringWorkspaceId
            input:
              step: region-output
              name: azureMonitoringWorkspaceId
          - name: logAnalyticsWorkspaceId
            input:
              step: region-output
              name: logAnalyticsWorkspaceId
        # The cluster is created only after both KV issuers are in place and
        # the cross-resource-group output steps have run.
        dependsOn:
          - svc-oncert-private-kv-issuer
          - svc-oncert-public-kv-issuer
          - global-output
          - region-output
  # Same SVC resource group, with the AKS cluster in scope (aksCluster) for
  # the Shell steps below.
  # Deploy prometheus first since istio depends on its CRDs
  - name: '{{ .svc.rg }}'
    subscription: '{{ .svc.subscription }}'
    aksCluster: '{{ .svc.aks.name }}'
    steps:
      - name: prometheus
        action: Shell
        command: make -C ../observability/prometheus deploy
        # In a dry-run rollout the command is invoked with DRY_RUN=true set
        # (the make target is expected to honor it — not verifiable here).
        dryRun:
          variables:
            - name: DRY_RUN
              value: "true"
        # Operator and Prometheus images are resolved from config as
        # registry / repository / digest, i.e. pinned by digest rather than tag.
        variables:
          - name: PROMETHEUS_OPERATOR_REGISTRY
            configRef: svc.prometheus.prometheusOperator.image.registry
          - name: PROMETHEUS_OPERATOR_REPOSITORY
            configRef: svc.prometheus.prometheusOperator.image.repository
          - name: PROMETHEUS_OPERATOR_DIGEST
            configRef: svc.prometheus.prometheusOperator.image.digest
          - name: PROMETHEUS_SPEC_REGISTRY
            configRef: svc.prometheus.prometheusSpec.image.registry
          - name: PROMETHEUS_SPEC_REPOSITORY
            configRef: svc.prometheus.prometheusSpec.image.repository
          - name: PROMETHEUS_SPEC_DIGEST
            configRef: svc.prometheus.prometheusSpec.image.digest
          - name: PROMETHEUS_SPEC_REPLICAS
            configRef: svc.prometheus.prometheusSpec.replicas
          - name: PROMETHEUS_SPEC_SHARDS
            configRef: svc.prometheus.prometheusSpec.shards
          - name: PROMETHEUS_SPEC_VERSION
            configRef: svc.prometheus.prometheusSpec.version
          - name: PROMETHEUS_NAMESPACE_LABEL
            configRef: svc.prometheus.namespaceLabel
          - name: RESOURCE_GROUP
            configRef: svc.rg
        dependsOn:
          - svc
      # configure istio
      - name: istio-config
        action: Shell
        command: make -C ../istio deploy
        dryRun:
          variables:
            - name: DRY_RUN
              value: "true"
        variables:
          - name: ISTIO_VERSIONS
            configRef: svc.istio.versions
        dependsOn:
          - prometheus
      # - updates workload to use istio on version svc.istio.targetVersion
      # - configures istio IP tag usage
      # NOTE(review): this is the only Shell step without a dryRun block —
      # confirm how the pipeline treats it during a dry-run rollout before
      # assuming scripts/istio.sh is not executed for real.
      - name: istio-upgrade
        action: Shell
        command: scripts/istio.sh
        variables:
          - name: TARGET_VERSION
            configRef: svc.istio.targetVersion
          - name: ISTIOCTL_VERSION
            configRef: svc.istio.istioctlVersion
          - name: ISTIO_INGRESS_GATEWAY_IP_ADDRESS_NAME
            configRef: svc.istio.ingressGatewayIPAddressName
          - name: TAG
            configRef: svc.istio.tag
          - name: SVC_RESOURCEGROUP
            configRef: svc.rg
        dependsOn:
          - istio-config
      # Install ACRpull
      - name: acrpull
        action: Shell
        command: make -C ../acrpull deploy
        dryRun:
          variables:
            - name: DRY_RUN
              value: "true"
        # ACRPull image is pinned by digest from config (acrPull.image.*).
        variables:
          - name: ACRPULL_DIGEST
            configRef: acrPull.image.digest
          - name: ACRPULL_REPO
            configRef: acrPull.image.repository
          - name: ACRPULL_REGISTRY
            configRef: acrPull.image.registry
        # Runs after prometheus (not after istio-upgrade), so it does not wait
        # for the istio upgrade to complete.
        dependsOn:
          - prometheus
          - svc