Add a sops-key in the deployment

infrastructure/Cluster.bicep

@@ -170,8 +170,8 @@ var deploymentName = deployment().name
 // }
 
 // The actual cluster's identity does not need federation
-module uai 'modules/userAssignedIdentity.bicep' = {
-  name: '${deploymentName}_uai'
+module kubeletId 'modules/userAssignedIdentity.bicep' = {
+  name: '${deploymentName}_uai_kubelet'
   params: {
     baseName: baseName
     location: location
@@ -209,7 +209,7 @@ module aks 'modules/managedCluster.bicep' = {
     identity: {
       type: 'UserAssigned'
       userAssignedIdentities: {
-        '${uai.outputs.id}': {}
+        '${kubeletId.outputs.id}': {}
       }
     }
     controlPlaneUpgradeChannel: controlPlaneUpgradeChannel
@@ -230,6 +230,20 @@ module aks 'modules/managedCluster.bicep' = {
   }
 }
 
+module fluxId 'modules/userAssignedIdentity.bicep' = {
+  name: '${deploymentName}_uai_flux_crypto'
+  params: {
+    baseName: 'flux_crypto'
+    location: location
+    tags: tags
+    azureADTokenExchangeFederatedIdentityCredentials: {
+      '${aks.outputs.oidcIssuerUrl}': 'system:serviceaccount:flux-system:source-controller'
+      '${aks.outputs.oidcIssuerUrl}': 'system:serviceaccount:flux-system:helm-controller'
+      '${aks.outputs.oidcIssuerUrl}': 'system:serviceaccount:flux-system:image-reflector-controller'
+    }
+  }
+}
+
 module flux 'modules/flux.bicep' = {
   name: '${deploymentName}_flux'
   params: {
@@ -249,55 +263,37 @@ module flux 'modules/flux.bicep' = {
 //   }
 // }
 
-module aks_iam1 'modules/resourceRoleAssignment.bicep' = {
-  name: '${deploymentName}_aks_iam1'
+module iam_admin_aks 'modules/resourceRoleAssignment.bicep' = {
+  name: '${deploymentName}_iam_admin_aks'
   params: {
     principalIds: [ adminId ]
     resourceId: aks.outputs.id
     roleName: 'Azure Kubernetes Service RBAC Cluster Admin'
   }
 }
 
-module aks_iam2 'modules/resourceRoleAssignment.bicep' = {
-  name: '${deploymentName}_aks_iam2'
-  params: {
-    principalIds: [ adminId ]
-    resourceId: aks.outputs.id
-    roleName: 'Azure Kubernetes Service RBAC Reader'
-  }
-}
-
-module keyvault_devops_secrets 'modules/resourceRoleAssignment.bicep' = {
-  name: '${deploymentName}_akvdvo_secrets'
+module iam_admin_kv_secrets 'modules/resourceRoleAssignment.bicep' = {
+  name: '${deploymentName}_iam_admin_kv_secrets'
   params: {
     principalIds: [ adminId ]
     resourceId: keyVault.outputs.id
     roleName: 'Key Vault Secrets Officer'
   }
 }
 
-module keyvault_devops_crypto 'modules/resourceRoleAssignment.bicep' = {
-  name: '${deploymentName}_akvdvo_crypto'
+module iam_admin_kv_crypto 'modules/resourceRoleAssignment.bicep' = {
+  name: '${deploymentName}_iam_admin_kv_crypto'
   params: {
     principalIds: [ adminId ]
     resourceId: keyVault.outputs.id
-    roleName: 'Key Vault Crypto User'
-  }
-}
-
-module keyvault_kubelet_secrets 'modules/resourceRoleAssignment.bicep' = {
-  name: '${deploymentName}_akv2k8s_secrets'
-  params: {
-    principalIds: [ aks.outputs.kubeletIdentityObjectId ]
-    resourceId: keyVault.outputs.id
-    roleName: 'Key Vault Secrets User'
+    roleName: 'Key Vault Crypto Officer'
   }
 }
 
-module keyvault_kubelet_crypto 'modules/resourceRoleAssignment.bicep' = {
-  name: '${deploymentName}_akv2k8s_crypto'
+module iam_flux_crypto 'modules/resourceRoleAssignment.bicep' = {
+  name: '${deploymentName}_iam_flux_crypto'
   params: {
-    principalIds: [ aks.outputs.kubeletIdentityObjectId ]
+    principalIds: [ fluxId.outputs.principalId ]
     resourceId: keyVault.outputs.id
     roleName: 'Key Vault Crypto User'
   }
@@ -310,13 +306,13 @@ output fluxReleaseNamespace string = flux.outputs.fluxReleaseNamespace
 output clusterId string = aks.outputs.id
 
 @description('User Assigned Identity Resource ID, required by deployment scripts')
-output userAssignedResourceID string = uai.outputs.id
+output userAssignedResourceID string = kubeletId.outputs.id
 
 @description('User Assigned Identity Object ID, used for Azure Role assignement')
-output userAssignedIdentityPrincipalId string = uai.outputs.principalId
+output userAssignedIdentityPrincipalId string = kubeletId.outputs.principalId
 
 @description('User Assigned Identity Client ID, used for application config (so we can use this identity from code)')
-output userAssignedIdentityClientId string = uai.outputs.clientId
+output userAssignedIdentityClientId string = kubeletId.outputs.clientId
 
 // output LogAnalyticsName string = logAnalytics.name
 // output LogAnalyticsGuid string = logAnalytics.properties.customerId

infrastructure/modules/keyVault.bicep

@@ -38,6 +38,7 @@ resource sopsKey 'Microsoft.KeyVault/vaults/keys@2023-02-01' = {
   parent: vault
   name: 'sops-key'
   properties: {
+    kty: 'RSA'
     keyOps: [
       'decrypt'
       'encrypt'

infrastructure/modules/managedCluster.bicep

@@ -445,3 +445,6 @@ output id string = cluster.id
 
 @description('User Assigned Object ID for the Kubelet Identity used to access the ACR. Used for Azure Role assignement for AcrPull to the ACR, and for granting Akv2K8s access to KeyVaults')
 output kubeletIdentityObjectId string = cluster.properties.identityProfile.kubeletidentity.objectId
+
+@description('The OIDC Issuer URL for federated credentials (Workload Identity)')
+output oidcIssuerUrl string = cluster.properties.oidcIssuerProfile.issuerURL

infrastructure/modules/resourceRoleAssignment.bicep

@@ -382,9 +382,9 @@ var builtInRoles = json(loadTextContent('roles.jsonc'))
 
 // pull the subscription id and resourceGroup name from the resource Id:
 // Input: /subscriptions/<id>/resourceGroups/<rg-name>/<resource-type>/<resource-id>
-var subscription = split(resourceId, '/resourceGroups/')
-var subscriptionId = split(subscription[0], 'subscriptions/')[1]
-var resourceGroupName = split(subscription[1], '/')[0]
+var splits = split(substring(resourceId, 1, length(resourceId) - 1), '/')
+var subscriptionId = splits[1]
+var resourceGroupName = splits[3]
 
 // For subdeployments, prefix our name (which is hopefully unique/time-stamped)
 var deploymentName = deployment().name