createUpdateTriggers were taking time. Reduced poll fequency time
anshulvermapatel committed May 28, 2024
1 parent 97d99c6 commit d507229
Showing 14 changed files with 352 additions and 408 deletions.
2 changes: 1 addition & 1 deletion cmd/aro/gateway.go
Expand Up @@ -51,7 +51,7 @@ func gateway(ctx context.Context, log *logrus.Entry) error {
}

dbAccountName := os.Getenv(envDatabaseAccountName)
scope := []string{fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffix)}
scope := []string{fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffixScope)}
dbAuthorizer, err := database.NewTokenAuthorizer(ctx, logrusEntry, msiToken, dbAccountName, scope)
if err != nil {
return err
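Review bot: The scope handed to database.NewTokenAuthorizer is built from dbAccountName, which os.Getenv returns empty when envDatabaseAccountName is unset, so a missing variable yields a malformed scope of the form `https://.<suffix>` and the failure surfaces only later from the token request instead of at startup. A guard before the Sprintf, `if dbAccountName == "" { return fmt.Errorf("%s must be set", envDatabaseAccountName) }`, would fail fast with a clear message. The same scope construction is changed in monitor.go, portal.go and rp.go; whether dbAccountName is read from the environment there is outside those hunks. The hunk also does not record why the suffix accessor changed to CosmosDBDNSSuffixScope; a one-line comment at the call site such as `// scope must be the AAD resource scope for the account, not the bare DNS suffix` would help, assuming that is the distinction the new accessor encodes. The gateway function begins and ends outside the hunk.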
2 changes: 1 addition & 1 deletion cmd/aro/monitor.go
Expand Up @@ -94,7 +94,7 @@ func monitor(ctx context.Context, log *logrus.Entry) error {
ClientOptions: _env.Environment().ManagedIdentityCredentialOptions().ClientOptions,
}
logrusEntry := log.WithField("component", "database")
scope := []string{fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffix)}
scope := []string{fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffixScope)}
dbAuthorizer, err := database.NewTokenAuthorizer(ctx, logrusEntry, msiToken, dbAccountName, scope)
if err != nil {
return err
2 changes: 1 addition & 1 deletion cmd/aro/portal.go
Expand Up @@ -104,7 +104,7 @@ func portal(ctx context.Context, log *logrus.Entry, audit *logrus.Entry) error {
ClientOptions: _env.Environment().ManagedIdentityCredentialOptions().ClientOptions,
}
logrusEntry := log.WithField("component", "database")
scope := []string{fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffix)}
scope := []string{fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffixScope)}
dbAuthorizer, err := database.NewTokenAuthorizer(ctx, logrusEntry, msiToken, dbAccountName, scope)
if err != nil {
return err
5 changes: 4 additions & 1 deletion cmd/aro/rp.go
Expand Up @@ -113,8 +113,9 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {
clientOptions := &policy.ClientOptions{
ClientOptions: _env.Environment().ManagedIdentityCredentialOptions().ClientOptions,
}

logrusEntry := log.WithField("component", "database")
scope := []string{fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffix)}
scope := []string{fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffixScope)}
dbAuthorizer, err := database.NewTokenAuthorizer(ctx, logrusEntry, msiToken, dbAccountName, scope)
if err != nil {
return err
Expand Down Expand Up @@ -168,6 +169,7 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {
if err != nil {
return err
}

go database.EmitMetrics(ctx, log, dbOpenShiftClusters, metrics)

feAead, err := encryption.NewMulti(ctx, _env.ServiceKeyvault(), env.FrontendEncryptionSecretV2Name, env.FrontendEncryptionSecretName)
Expand All @@ -178,6 +180,7 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {
if err != nil {
return err
}

f, err := frontend.NewFrontend(ctx, audit, log.WithField("component", "frontend"), _env, dbAsyncOperations, dbClusterManagerConfiguration, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, api.APIs, metrics, clusterm, feAead, hiveClusterManager, adminactions.NewKubeActions, adminactions.NewAzureActions, clusterdata.NewParallelEnricher(metrics, _env))
if err != nil {
return err
410 changes: 195 additions & 215 deletions docs/deploy-full-rp-service-in-dev.md


53 changes: 25 additions & 28 deletions docs/keyvaults.md
@@ -1,50 +1,47 @@
# Certificates and Secrets Explained

## Overview

This walks through all the keyvaults and explains the usage of the certificates and secrets used throughout.

## MDM/MDSD

Majority of the certificates below are mdm/mdsd related. These certificates are certificates signed by the AME.GBL certificate authority and are vital to ensuring the necessary ingestion of metrics and logs within the ARO RP service and clusters.
Majority of the certificates below are mdm/mdsd related. These certificates are certificates signed by the AME.GBL certificate authority and are vital to ensuring the necessary ingestion of metrics and logs within the ARO RP service and clusters.

More information about Geneva Monitoring can be found [here](https://eng.ms/docs/products/geneva/getting_started/newgettingstarted/overview).

## Certificates

Majority of the certificates are configured for auto-renewal to ensure that when nearing expiration, they are updated and rotated. More information about certificate rotation can be found [here](./certificate-rotation.md)
## Certificates
Majority of the certificates are configured for auto-renewal to ensure that when nearing expiration, they are updated and rotated. More information about certificate rotation can be found [here](./certificate-rotation.md)

## RP Keyvaults

1. Cluster (cls)

- Certificates:
- This keyvault contains all cluster `api` and `*.apps` certificates used within OpenShift. These certificates are auto-rotated and pushed to clusters during AdminUpdates in the `configureAPIServerCertificate` and `configureIngressCertificate` steps. These certificates will not be generated if the `DisableSignedCertificates` [feature flag](./feature-flags.md) is set within the RP config.
- Certificates:
- This keyvault contains all cluster `api` and `*.apps` certificates used within OpenShift. These certificates are auto-rotated and pushed to clusters during AdminUpdates in the `configureAPIServerCertificate` and `configureIngressCertificate` steps. These certificates will not be generated if the `DisableSignedCertificates` [feature flag](./feature-flags.md) is set within the RP config.

1. Portal (por)

- Certificates:
- `portal-client` is a certificate which is used within the aro-portal app registration. The subject of this certificate must match that within the `trustedSubjects` section of the app registration manifest within the Azure portal, otherwise callbacks from the Microsoft AAD login service will not function correctly.
- `portal-server` is a TLS certificate used in the SRE portal to access clusters
- Secrets:
- `portal-session-key` is a secret used to encrypt the session cookie when logging into the SRE portal. When logging in, the SRE portal will encrypt a session cookie with this secret and push it to persist in your web browser. Requests to the SRE portal then use this cookie to confirm authentication to the SRE portal.
- Certificates:
- `portal-client` is a certificate which is used within the aro-portal app registration. The subject of this certificate must match that within the `trustedSubjects` section of the app registration manifest within the Azure portal, otherwise callbacks from the Microsoft AAD login service will not function correctly.
- `portal-server` is a TLS certificate used in the SRE portal to access clusters
- Secrets:
- `portal-session-key` is a secret used to encrypt the session cookie when logging into the SRE portal. When logging in, the SRE portal will encrypt a session cookie with this secret and push it to persist in your web browser. Requests to the SRE portal then use this cookie to confirm authentication to the SRE portal.

1. Service (svc)
- Certificates:
- `cluster-mdsd` is the certificate persisted for logging for every ARO cluster
- `rp-firstparty` is the certificate for the First Party service principal credentials
- `rp-mdm` is the MDM certificate the RP uses to emit cluster metrics within the monitor and RP metrics within the RP processes
- `rp-mdsd` is the MDSD certificate the RP uses to emit logs to the Geneva/MDSD service
- `rp-server` is the TLS certificate used for RP RESTful HTTPS calls
- Secrets:
- `encryption-key` a legacy secret which uses the old encryption suites to encrypt secure strings and secure bytes within the cluster document
- `encryption-key-v2` the new secret used to encrypt secure strings and secure bytes within the cluster document
- `fe-encryption-key` a legacy secret used to encrypt `skipTokens` for paging OpenShiftCluster List requests. Uses an older encryption suite.
- `fe-encryption-key-v2` a new secret used to encrypt `skipTokens` for paging OpenShiftCluster List requests
- Certificates:
- `cluster-mdsd` is the certificate persisted for logging for every ARO cluster
- `rp-firstparty` is the certificate for the First Party service principal credentials
- `rp-mdm` is the MDM certificate the RP uses to emit cluster metrics within the monitor and RP metrics within the RP processes
- `rp-mdsd` is the MDSD certificate the RP uses to emit logs to the Geneva/MDSD service
- `rp-server` is the TLS certificate used for RP RESTful HTTPS calls
- Secrets:
- `encryption-key` a legacy secret which uses the old encryption suites to encrypt secure strings and secure bytes within the cluster document
- `encryption-key-v2` the new secret used to encrypt secure strings and secure bytes within the cluster document
- `fe-encryption-key` a legacy secret used to encrypt `skipTokens` for paging OpenShiftCluster List requests. Uses an older encryption suite.
- `fe-encryption-key-v2` a new secret used to encrypt `skipTokens` for paging OpenShiftCluster List requests

## Gateway Keyvaults

1. Gateway (gwy)
- Certificates:
- `gwy-mdm` the certificate used for emitting metrics to the Geneva/MDM service
- `gwy-mdsd` the certificate used for emitting logs to the Geneva/MDSD service
- Certificates:
- `gwy-mdm` the certificate used for emitting metrics to the Geneva/MDM service
- `gwy-mdsd` the certificate used for emitting logs to the Geneva/MDSD service

