add onecert signer to SVC KV

* provide cert officer permissions to devops MSI (so EV2 can act on the KV) * expose SVC KV url on svc-infra.bicep ... * ... so it can be consumed by the issuer setup set Signed-off-by: Gerd Oberlechner <[email protected]>
Azure · Jan 13, 2025 · 955acfd · 955acfd
1 parent c95f4f0
commit 955acfd
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 2 deletions.
diff --git a/dev-infrastructure/modules/keyvault/keyvault.bicep b/dev-infrastructure/modules/keyvault/keyvault.bicep
@@ -38,3 +38,5 @@ resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
 output kvId string = keyVault.id
 
 output kvName string = keyVault.name
+
+output kvUrl string = keyVault.properties.vaultUri
diff --git a/dev-infrastructure/svc-pipeline.yaml b/dev-infrastructure/svc-pipeline.yaml
@@ -11,13 +11,24 @@ resourceGroups:
     template: templates/svc-infra.bicep
     parameters: configurations/svc-infra.tmpl.bicepparam
     deploymentLevel: ResourceGroup
+  - name: svc-kv-issuer
+    action: SetCertificateIssuer
+    dependsOn:
+      - svc-infra
+    vaultBaseUrl:
+      input:
+        name: svcKeyVaultUrl
+        step: svc-infra
+    provider:
+      name: provider
+      value: OneCertV2-PrivateCA
   - name: svc
     action: ARM
     template: templates/svc-cluster.bicep
     parameters: configurations/svc-cluster.tmpl.bicepparam
     deploymentLevel: ResourceGroup
     dependsOn:
-    - svc-infra
+    - svc-kv-issuer
   - name: istio
     action: Shell
     command: scripts/istio.sh
@@ -29,4 +40,4 @@ resourceGroups:
     - name: TAG
       configRef: svc.istio.tag
     dependsOn:
-    - enable-metrics
+    - svc
diff --git a/dev-infrastructure/templates/svc-infra.bicep b/dev-infrastructure/templates/svc-infra.bicep
@@ -51,7 +51,22 @@ module serviceKeyVault '../modules/keyvault/keyvault.bicep' = {
     purpose: 'service'
   }
 }
+
+module serviceKeyVaultDevopsCertOfficer '../modules/keyvault/keyvault-secret-access.bicep' = {
+  name: '${deployment().name}-svc-kv-cert-officer'
+  scope: resourceGroup(serviceKeyVaultResourceGroup)
+  params: {
+    keyVaultName: serviceKeyVaultName
+    roleName: 'Key Vault Certificates Officer'
+    managedIdentityPrincipalId: reference(aroDevopsMsiId, '2023-01-31').principalId
+  }
+  dependsOn: [
+    serviceKeyVault
+  ]
+}
+
 output svcKeyVaultName string = serviceKeyVault.outputs.kvName
+output svcKeyVaultUrl string = serviceKeyVault.outputs.kvUrl
 
 //
 //   C E R T I F I C A T E   C R E A T I O N
Original file line number	Diff line number	Diff line change
Expand Up		@@ -38,3 +38,5 @@ resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
		output kvId string = keyVault.id

		output kvName string = keyVault.name

		output kvUrl string = keyVault.properties.vaultUri