sync: stage to production (#1650)

sync-branches: New code has just landed in stage, so let's bring
production up to speed!

Author: stehessel

.gitattributes

@@ -0,0 +1 @@
+internal/dinosaur/pkg/api/admin/private/api/openapi.yaml linguist-generated

.github/workflows/deploy-data-plane.yaml

@@ -18,10 +18,6 @@ on:
         description: 'Name of the environment defined in GitHub.'
         required: true
         type: string
-      deploy_clusters:
-        description: 'Names of clusters to deploy to, space separated.'
-        required: true
-        type: string
       probe_clusters:
         description: 'Name of clusters to deploy probe to, space separated.'
         required: true
@@ -34,45 +30,8 @@ on:
 
 env:
   HELM_DRY_RUN: ${{ inputs.dry_run }}
-  # Credentials are populated by explicit `configure-aws-credentials` jobs in
-  # the workflow, so loading additional credentials in the terraform_cluster.sh
-  # script is not necessary.
-  AWS_AUTH_HELPER: none
 
 jobs:
-  terraform:
-    name: Re-terraform ${{ inputs.acs_environment }} clusters
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
-    environment: ${{ inputs.github_environment }}
-    steps:
-      - name: Set up Go 1.20
-        uses: actions/setup-go@v3
-        with:
-          go-version: "1.20"
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0  # Critical for correct image detection in deploy script
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
-        with:
-          aws-region: ${{ secrets.AWS_REGION }}
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github
-      - name: Run terraforming on ${{ inputs.deploy_clusters }}
-        working-directory: ./dp-terraform/helm/rhacs-terraform
-        run: |
-          set -euo pipefail
-          # shellcheck disable=SC2043
-          for cluster in ${{ inputs.deploy_clusters }}
-          do
-            echo "Running script terraform_cluster.sh on ${cluster}"
-            ./terraform_cluster.sh ${{ inputs.acs_environment }} "${cluster}"
-            echo "Script terraform_cluster.sh on ${cluster} succeeded"
-          done
-
   deploy-probe:
     name: Deploy blackbox monitoring probe service to ${{ inputs.acs_environment }}
     runs-on: ubuntu-latest

.github/workflows/deploy-dev.yaml

@@ -17,6 +17,5 @@ jobs:
     with:
       acs_environment: dev
       github_environment: development
-      deploy_clusters: ""
       probe_clusters: "acs-dev-dp-01"
       dry_run: true

.github/workflows/deploy-integration.yaml

@@ -12,5 +12,4 @@ jobs:
     with:
       acs_environment: integration
       github_environment: integration
-      deploy_clusters: ""
       probe_clusters: "acs-int-us-01"

.github/workflows/deploy-production.yaml

@@ -12,5 +12,4 @@ jobs:
     with:
       acs_environment: prod
       github_environment: production
-      deploy_clusters: "acs-prod-dp-01 acs-prod-eu-01"
       probe_clusters: "acs-prod-dp-01 acs-prod-eu-01"

.github/workflows/deploy-stage.yaml

@@ -12,5 +12,4 @@ jobs:
     with:
       acs_environment: stage
       github_environment: stage
-      deploy_clusters: "acs-stage-dp-02 acs-stage-eu-02"
       probe_clusters: "acs-stage-dp-02 acs-stage-eu-02"

.secrets.baseline

@@ -351,7 +351,7 @@
         "filename": "internal/dinosaur/pkg/api/public/api/openapi.yaml",
         "hashed_secret": "5b455797b93de5b6a19633ba22127c8a610f5c1b",
         "is_verified": false,
-        "line_number": 1531
+        "line_number": 1535
       }
     ],
     "internal/dinosaur/pkg/services/dinosaurservice_moq.go": [

config/admin-authz-roles-dev.yaml

@@ -19,3 +19,8 @@
   roles:
     - "acs-general-engineering"
     - "acs-fleet-manager-admin-full"
+- method: PUT
+  roles:
+    - "acs-general-engineering"           # Will include all of ACS engineering. Available also within staging environment.
+    - "acs-fleet-manager-admin-full"      # Prod rover group, will only include selected members + SREs.
+    - "acs-fleet-manager-admin-write"     # Prod rover group, will only include selected members + SREs.

config/admin-authz-roles-prod.yaml

@@ -15,3 +15,7 @@
 - method: POST
   roles:
     - "acs-fleet-manager-admin-full"
+- method: PUT
+  roles:
+    - "acs-fleet-manager-admin-full"      # Prod rover group, will only include selected members + SREs.
+    - "acs-fleet-manager-admin-write"     # Prod rover group, will only include selected members + SREs.

dev/env/manifests/shared/03-configmap-config.yaml

@@ -223,6 +223,11 @@ data:
         - "acs-general-engineering"           # Will include all of ACS engineering. Available also within staging environment.
         - "acs-fleet-manager-admin-full"      # Prod rover group, will only include selected members + SREs.
         - "acs-fleet-manager-admin-write"     # Prod rover group, will only include selected members + SREs.
+    - method: PUT
+      roles:
+        - "acs-general-engineering"           # Will include all of ACS engineering. Available also within staging environment.
+        - "acs-fleet-manager-admin-full"      # Prod rover group, will only include selected members + SREs.
+        - "acs-fleet-manager-admin-write"     # Prod rover group, will only include selected members + SREs.
   admin-authz-roles-prod.yaml: |-
     ---
     - method: GET
@@ -241,6 +246,10 @@ data:
       roles:
         - "acs-fleet-manager-admin-full"      # Prod rover group, will only include selected members + SREs.
         - "acs-fleet-manager-admin-write"     # Prod rover group, will only include selected members + SREs.
+    - method: PUT
+      roles:
+        - "acs-fleet-manager-admin-full"      # Prod rover group, will only include selected members + SREs.
+        - "acs-fleet-manager-admin-write"     # Prod rover group, will only include selected members + SREs.
 kind: ConfigMap
 metadata:
   name: config