Hive upgrade artifact cache

hack/devtools/deploy-shared-env.sh

@@ -83,6 +83,79 @@ deploy_aks_dev() {
             "sshRSAPublicKey=$(<secrets/proxy_id_rsa.pub)" >/dev/null
 }
 
+deploy_hive_acr_dev() {
+    echo "########## Deploying Hive ACR in RG $RESOURCEGROUP ##########"
+    local acr_name="arolocaldev${LOCATION}"
+    az deployment group create \
+        -g "$RESOURCEGROUP" \
+        -n hive-acr \
+        --template-file pkg/deploy/assets/ci-development.json \
+        --parameters "acrName=$acr_name" >/dev/null
+    echo "########## Created ACR: $acr_name ##########"
+}
+
+deploy_hive_artifact_cache_credentials() {
+    echo "########## Deploying Hive artifact cache credentials in RG $RESOURCEGROUP ##########"
+    local acr_name="arolocaldev${LOCATION}"
+
+    if [ -z "$HIVE_PULL_USERNAME" ] || [ -z "$HIVE_PULL_PASSWORD" ]; then
+        echo "ERROR: HIVE_PULL_USERNAME and HIVE_PULL_PASSWORD must be set"
+        echo "Contact Kipp/Adam for Hive pull secret credentials"
+        return 1
+    fi
+
+    az deployment group create \
+        -g "$RESOURCEGROUP" \
+        -n hive-artifact-cache-credentials \
+        --template-file pkg/deploy/assets/artifact-cache-credential-set.bicep \
+        --parameters \
+            "acrName=$acr_name" \
+            "username=$HIVE_PULL_USERNAME" \
+            "password=$HIVE_PULL_PASSWORD" >/dev/null
+    echo "########## Credential set created for $acr_name ##########"
+}
+
+deploy_hive_artifact_cache_rules() {
+    echo "########## Deploying Hive artifact cache rules in RG $RESOURCEGROUP ##########"
+    local acr_name="arolocaldev${LOCATION}"
+
+    local credential_set_id=$(az acr credential-set show \
+        --registry "$acr_name" \
+        --name hive-pull-credentials \
+        --query id -o tsv 2>/dev/null)
+
+    if [ -z "$credential_set_id" ]; then
+        echo "ERROR: Credential set not found for $acr_name"
+        echo "Run deploy_hive_artifact_cache_credentials first"
+        return 1
+    fi
+
+    az deployment group create \
+        -g "$RESOURCEGROUP" \
+        -n hive-artifact-cache-rules \
+        --template-file pkg/deploy/assets/artifact-cache-rules.bicep \
+        --parameters \
+            "acrName=$acr_name" \
+            "credentialSetResourceId=$credential_set_id" >/dev/null
+    echo "########## Artifact cache rules created for $acr_name ##########"
+}
+
+deploy_hive_aks_acr_pull_role() {
+    echo "########## Granting AKS cluster ACR pull access for Hive in RG $RESOURCEGROUP ##########"
+    local aks_cluster="${AKS_CLUSTER_NAME:-aro-aks-cluster-001}"
+    local acr_name="arolocaldev${LOCATION}"
+
+    az deployment group create \
+        -g "$RESOURCEGROUP" \
+        -n hive-aks-acr-pull-role \
+        --template-file pkg/deploy/assets/aks-acr-pull-role.json \
+        --parameters \
+            "aksClusterName=$aks_cluster" \
+            "acrName=$acr_name" \
+            "acrResourceGroup=$RESOURCEGROUP" >/dev/null
+    echo "########## AKS cluster $aks_cluster granted pull access to $acr_name ##########"
+}
+
 deploy_vpn_for_dedicated_rp() {
     echo "########## Deploying Dev VPN in RG $RESOURCEGROUP ##########"
     az deployment group create \

hack/hive/hive-generate-config.sh

@@ -9,14 +9,17 @@ main() {
     trap "cleanup $tmpdir" EXIT
 
     # This is the commit sha that the image was built from and ensures we use the correct configs for the release
-    local -r default_commit="8796c4f534"
+    local -r default_commit="f84d11f6765b20de5a6c66998f2114b6855e94e0"
     local -r hive_image_commit_hash="${1:-$default_commit}"
     log "Using hive commit: $hive_image_commit_hash"
     # shellcheck disable=SC2034
     local -r hive_operator_namespace="hive"
 
+    # Hive images pulled from ACR via artifact cache rules
+    # Override with HIVE_ACR_REGISTRY (e.g., arosvcdev.azurecr.io for E2E)
     # shellcheck disable=SC2034
-    local -r hive_image="arointsvc.azurecr.io/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive:${hive_image_commit_hash}"
+    local -r acr_registry="${HIVE_ACR_REGISTRY:-arolocaldeveastus.azurecr.io}"
+    local -r hive_image="${acr_registry}/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive:${hive_image_commit_hash}"
 
 
     # shellcheck disable=SC2034

pkg/deploy/assets/aks-acr-pull-role.json

@@ -0,0 +1,52 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "aksClusterName": {
+            "type": "string",
+            "metadata": {
+                "description": "Name of the AKS cluster"
+            }
+        },
+        "acrName": {
+            "type": "string",
+            "metadata": {
+                "description": "Name of the ACR to grant pull access to"
+            }
+        },
+        "acrResourceGroup": {
+            "type": "string",
+            "defaultValue": "[resourceGroup().name]",
+            "metadata": {
+                "description": "Resource group containing the ACR"
+            }
+        }
+    },
+    "variables": {
+        "aksClusterId": "[resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))]",
+        "acrResourceId": "[resourceId(parameters('acrResourceGroup'), 'Microsoft.ContainerRegistry/registries', parameters('acrName'))]",
+        "acrPullRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
+        "roleAssignmentName": "[guid(variables('aksClusterId'), variables('acrResourceId'), variables('acrPullRoleDefinitionId'))]"
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentName')]",
+            "scope": "[variables('acrResourceId')]",
+            "properties": {
+                "roleDefinitionId": "[variables('acrPullRoleDefinitionId')]",
+                "principalId": "[reference(variables('aksClusterId'), '2023-01-01', 'Full').properties.identityProfile.kubeletidentity.objectId]",
+                "principalType": "ServicePrincipal",
+                "description": "Allows AKS cluster to pull images from ACR for Hive deployment"
+            }
+        }
+    ],
+    "outputs": {
+        "roleAssignmentId": {
+            "type": "string",
+            "value": "[resourceId('Microsoft.Authorization/roleAssignments', variables('roleAssignmentName'))]"
+        }
+    }
+}
+

pkg/deploy/assets/artifact-cache-credential-set.bicep

@@ -0,0 +1,39 @@
+// Credential Set for Artifact Cache
+// Stores credentials needed to pull from the new Hive repository
+
+@description('Name of the Azure Container Registry')
+param acrName string
+
+@description('Name for the credential set')
+param credentialSetName string = 'hive-pull-credentials'
+
+@description('Username or client ID for authentication')
+@secure()
+param username string
+
+@description('Password or client secret for authentication')
+@secure()
+param password string
+
+resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
+  name: acrName
+}
+
+resource credentialSet 'Microsoft.ContainerRegistry/registries/credentialSets@2023-01-01-preview' = {
+  parent: acr
+  name: credentialSetName
+  properties: {
+    authCredentials: [
+      {
+        name: 'Credential1'
+        usernameSecretIdentifier: username
+        passwordSecretIdentifier: password
+      }
+    ]
+    loginServer: 'quay.io'
+  }
+}
+
+output credentialSetResourceId string = credentialSet.id
+output credentialSetName string = credentialSet.name
+

pkg/deploy/assets/artifact-cache-rules.bicep

@@ -0,0 +1,32 @@
+// Artifact Cache Rules for Hive Images
+// Based on https://msazure.visualstudio.com/AzureRedHatOpenShift/_git/sdp-pipelines?path=/classic/global/infra/Templates/artifact-cache.bicep
+
+@description('Name of the Azure Container Registry')
+param acrName string
+
+@description('Source repository for Hive images')
+param sourceRepository string = 'quay.io/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive'
+
+@description('Target repository name in ACR')
+param targetRepository string = 'redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive'
+
+@description('Credential set resource ID for pull authentication')
+param credentialSetResourceId string
+
+resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
+  name: acrName
+}
+
+resource cacheRule 'Microsoft.ContainerRegistry/registries/cacheRules@2023-01-01-preview' = {
+  parent: acr
+  name: 'hive-cache-rule'
+  properties: {
+    sourceRepository: sourceRepository
+    targetRepository: targetRepository
+    credentialSetResourceId: credentialSetResourceId
+  }
+}
+
+output cacheRuleName string = cacheRule.name
+output cacheRuleId string = cacheRule.id
+