From 955acfd6b4a6ba0c715b9d1ae3f56f7b6256aa9a Mon Sep 17 00:00:00 2001
From: Gerd Oberlechner
Date: Mon, 13 Jan 2025 15:25:57 +0100
Subject: [PATCH] add onecert signer to SVC KV

* provide cert officer permissions to devops MSI (so EV2 can act on the KV)
* expose SVC KV url on svc-infra.bicep ...
* ... so it can be consumed by the issuer setup set

Signed-off-by: Gerd Oberlechner
---
 .../modules/keyvault/keyvault.bicep | 2 ++
 dev-infrastructure/svc-pipeline.yaml | 15 +++++++++++++--
 dev-infrastructure/templates/svc-infra.bicep | 15 +++++++++++++++
 3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/dev-infrastructure/modules/keyvault/keyvault.bicep b/dev-infrastructure/modules/keyvault/keyvault.bicep
index 169996e73..360a4dc38 100644
--- a/dev-infrastructure/modules/keyvault/keyvault.bicep
+++ b/dev-infrastructure/modules/keyvault/keyvault.bicep
@@ -38,3 +38,5 @@ resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
 
 output kvId string = keyVault.id
 output kvName string = keyVault.name
+
+output kvUrl string = keyVault.properties.vaultUri
diff --git a/dev-infrastructure/svc-pipeline.yaml b/dev-infrastructure/svc-pipeline.yaml
index 041a0f7e8..fbbb75a84 100644
--- a/dev-infrastructure/svc-pipeline.yaml
+++ b/dev-infrastructure/svc-pipeline.yaml
@@ -11,13 +11,24 @@ resourceGroups:
 template: templates/svc-infra.bicep
 parameters: configurations/svc-infra.tmpl.bicepparam
 deploymentLevel: ResourceGroup
+ - name: svc-kv-issuer
+ action: SetCertificateIssuer
+ dependsOn:
+ - svc-infra
+ vaultBaseUrl:
+ input:
+ name: svcKeyVaultUrl
+ step: svc-infra
+ provider:
+ name: provider
+ value: OneCertV2-PrivateCA
 - name: svc
 action: ARM
 template: templates/svc-cluster.bicep
 parameters: configurations/svc-cluster.tmpl.bicepparam
 deploymentLevel: ResourceGroup
 dependsOn:
- - svc-infra
+ - svc-kv-issuer
 - name: istio
 action: Shell
 command: scripts/istio.sh
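Review bot: The new `kvUrl` output on the last line of the hunk carries no description, although this patch turns it into a cross-template contract (svc-infra.bicep re-exports it and the svc-kv-issuer pipeline step feeds it in as `vaultBaseUrl`). A `@description('Data-plane URI of the vault, consumed by pipeline steps that call Key Vault directly')` decorator on the output would record that use next to the value. `kvId` and `kvName` are resource-plane identifiers, so a reader cannot tell from the neighbours that this one is an https endpoint.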
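Review bot: The `svc-kv-issuer` step waits only for `svc-infra` to finish, yet the Certificates Officer assignment that lets the devops MSI call SetCertificateIssuer is created by that same deployment (svc-infra.bicep hunk), and Azure RBAC assignments are eventually consistent, so the first run of this step may be rejected with a 403 before the grant has propagated. If the pipeline runner supports a retry on this action it should be used here; otherwise a comment above the step, `# needs the Certificates Officer grant from svc-infra; a fresh run may have to be retried while RBAC propagates`, saves the next operator a puzzled rerun. Separately, the provider value `OneCertV2-PrivateCA` is hard-coded while other values in this file (e.g. `svc.istio.tag` in the next hunk) come through `configRef`; if the issuer differs between environments it should be a configRef too.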
@@ -29,4 +40,4 @@ resourceGroups:
 - name: TAG
 configRef: svc.istio.tag
 dependsOn:
- - enable-metrics
+ - svc
diff --git a/dev-infrastructure/templates/svc-infra.bicep b/dev-infrastructure/templates/svc-infra.bicep
index 9eb64ac76..2ca22796c 100644
--- a/dev-infrastructure/templates/svc-infra.bicep
+++ b/dev-infrastructure/templates/svc-infra.bicep
@@ -51,7 +51,22 @@ module serviceKeyVault '../modules/keyvault/keyvault.bicep' = {
 purpose: 'service'
 }
 }
 
+
+module serviceKeyVaultDevopsCertOfficer '../modules/keyvault/keyvault-secret-access.bicep' = {
+ name: '${deployment().name}-svc-kv-cert-officer'
+ scope: resourceGroup(serviceKeyVaultResourceGroup)
+ params: {
+ keyVaultName: serviceKeyVaultName
+ roleName: 'Key Vault Certificates Officer'
+ managedIdentityPrincipalId: reference(aroDevopsMsiId, '2023-01-31').principalId
+ }
+ dependsOn: [
+ serviceKeyVault
+ ]
+}
+
 output svcKeyVaultName string = serviceKeyVault.outputs.kvName
+output svcKeyVaultUrl string = serviceKeyVault.outputs.kvUrl
 //
 // C E R T I F I C A T E C R E A T I O N
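Review bot: The istio step's dependency is switched from `enable-metrics` to `svc` without any mention in the commit message, which only describes the OneCert issuer work. If an `enable-metrics` step still exists in this file, istio no longer waits for it; if it was removed earlier, this hunk is repairing a dangling reference and the description should say so. A one-line mention in the commit description would spare the next reader the archaeology.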
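Review bot: The new `serviceKeyVaultDevopsCertOfficer` module passes `keyVaultName: serviceKeyVaultName` and then needs an explicit `dependsOn: [ serviceKeyVault ]`, while the output two lines below shows the module already exposes the name; writing `keyVaultName: serviceKeyVault.outputs.kvName` gives the same ordering implicitly and lets the `dependsOn` block go. The module file being reused is `keyvault-secret-access.bicep` although the role granted here is a certificates role, so a reader skimming the file will assume a secrets grant; a comment above the module stating the purpose is warranted. This assignment also gives the EV2 deployment identity standing Certificates Officer rights on the service vault, the broadest certificate role, so the comment should record why it is needed so a later least-privilege review knows what can be narrowed: `// devops MSI (EV2) needs Certificates Officer on the service KV so the svc-kv-issuer pipeline step can register the OneCert issuer`.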