Azure · mhsreddy · Nov 6, 2025 · Nov 18, 2025 · Nov 18, 2025 · Nov 18, 2025
@@ -17,6 +17,9 @@
         "databaseAccountName": {
             "value": ""
         },
+        "environment": {
+            "value": ""
+        },
         "fluentbitImage": {
             "value": ""
         },

@@ -66,6 +66,9 @@
         "disableCosmosDBFirewall": {
             "value": false
         },
+        "environment": {
+            "value": ""
+        },
         "fluentbitImage": {
             "value": ""
         },

@@ -106,6 +106,7 @@ type Configuration struct {
 	MsiRpEndpoint                      *string                `json:"msiRpEndpoint,omitempty" value:"required"`
 	TokenContributorRoleID             *string                `json:"tokenContributorRoleID,omitempty" value:"required"`
 	TokenContributorRoleName           *string                `json:"tokenContributorRoleName,omitempty" value:"required"`
+	Environment                        *string                `json:"environment,omitempty" value:"required"`
 
 	// Log levels for ARO services running on the VMSSes
 	RPLogLevel           *string `json:"rpLogLevel,omitempty"`

@@ -199,6 +199,7 @@ func (g *generator) gatewayVMSS() *arm.Resource {
 		"azureSecPackQualysUrl",
 		"azureSecPackVSATenantId",
 		"databaseAccountName",
+		"environment",
 		"fluentbitImage",
 		"gatewayDomains",
 		"gatewayFeatures",

@@ -400,6 +400,7 @@ func (g *generator) rpVMSS() *arm.Resource {
 		"otelAuditQueueSize",
 		"tokenContributorRoleID",
 		"tokenContributorRoleName",
+		"environment",
 
 		// Log levels
 		"rpLogLevel",

@@ -89,6 +89,11 @@ main() {
 	Systemd_Filter _COMM=aro
 	DB /var/lib/fluent/journaldb
 
+[FILTER]
+	Name modify
+	Match journald
+	Add ENVIRONMENT \${ENVIRONMENT}
+
 [FILTER]
 	Name modify
 	Match journald
@@ -107,7 +112,8 @@ MDM_ACCOUNT='$RPMDMACCOUNT'
 MDM_NAMESPACE='${role_gateway^}'
 GATEWAY_DOMAINS='$GATEWAYDOMAINS'
 GATEWAY_FEATURES='$GATEWAYFEATURES'
-RPIMAGE='$rpimage'"
+RPIMAGE='$rpimage'
+ENVIRONMENT='$ENVIRONMENT'"
 
     # shellcheck disable=SC2034
     local -r mdsd_config_version="$GATEWAYMDSDCONFIGVERSION"

@@ -106,6 +106,11 @@ main() {
 	Systemd_Filter _SYSTEMD_UNIT=aro-otel-collector.service
 	DB /var/lib/fluent/journaldb
 
+[FILTER]
+	Name modify
+	Match journald
+	Add ENVIRONMENT \${ENVIRONMENT}
+
 [FILTER]
 	Name modify
 	Match journald
@@ -188,6 +193,7 @@ OIDC_AFD_ENDPOINT='$LOCATION.oic.$RPPARENTDOMAINNAME'
 OIDC_STORAGE_ACCOUNT_NAME='$OIDCSTORAGEACCOUNTNAME'
 OTEL_AUDIT_QUEUE_SIZE='$OTELAUDITQUEUESIZE'
 MSI_RP_ENDPOINT='$MSIRPENDPOINT'
+ENVIRONMENT='$ENVIRONMENT'
 "
 
     configure_vmss_aro_services role_rp \

@@ -38,7 +38,8 @@ configure_service_aro_gateway() {
     local -r add_conf_file="PODMAN_NETWORK='podman'
 IPADDRESS='$ipaddress'
 ROLE='${role,,}'
-ARO_LOG_LEVEL='$GATEWAYLOGLEVEL'"
+ARO_LOG_LEVEL='$GATEWAYLOGLEVEL'
+ENVIRONMENT='$ENVIRONMENT'"
 
     write_file aro_gateway_conf_filename conf_file true
     write_file aro_gateway_conf_filename add_conf_file false
@@ -68,6 +69,7 @@ ExecStart=/usr/bin/podman run \
   -e MDM_ACCOUNT \
   -e MDM_NAMESPACE \
   -e ARO_LOG_LEVEL \
+  -e ENVIRONMENT \
   -m 2g \
   --network=${PODMAN_NETWORK} \
   --ip ${IPADDRESS} \
@@ -108,6 +110,7 @@ configure_service_aro_rp() {
     local -r aro_rp_conf_filename='/etc/sysconfig/aro-rp'
     local -r add_conf_file="PODMAN_NETWORK='podman'
 IPADDRESS='$ipaddress'
+ENVIRONMENT='$ENVIRONMENT'
 ROLE='${role,,}'
 ARO_LOG_LEVEL='$RPLOGLEVEL'"
 
@@ -159,6 +162,7 @@ ExecStart=/usr/bin/podman run \
   -e OTEL_AUDIT_QUEUE_SIZE \
   -e MISE_ADDRESS \
   -e ARO_LOG_LEVEL \
+  -e ENVIRONMENT \
   -m 2g \
   --network=${PODMAN_NETWORK} \
   --ip ${IPADDRESS} \
@@ -207,6 +211,7 @@ CLUSTER_MDSD_NAMESPACE='$CLUSTERMDSDNAMESPACE'
 CLUSTER_MDM_ACCOUNT='$CLUSTERMDMACCOUNT'
 CLUSTER_MDM_NAMESPACE=BBM
 DATABASE_ACCOUNT_NAME='$DATABASEACCOUNTNAME'
+ENVIRONMENT='$ENVIRONMENT'
 KEYVAULT_PREFIX='$KEYVAULTPREFIX'
 MDM_ACCOUNT='$RPMDMACCOUNT'
 MDM_NAMESPACE=BBM
@@ -257,6 +262,7 @@ ExecStart=/usr/bin/podman run \
   -e ARO_HIVE_DEFAULT_INSTALLER_PULLSPEC \
   -e ARO_ADOPT_BY_HIVE \
   -e ARO_LOG_LEVEL \
+  -e ENVIRONMENT \
   -m 2.5g \
   -v /run/systemd/journal:/run/systemd/journal \
   -v /var/etw:/var/etw:z \
@@ -293,6 +299,7 @@ KEYVAULT_PREFIX='$KEYVAULTPREFIX'
 MDM_ACCOUNT='$RPMDMACCOUNT'
 MDM_NAMESPACE=Portal
 PORTAL_HOSTNAME='$LOCATION.admin.$RPPARENTDOMAINNAME'
+ENVIRONMENT='$ENVIRONMENT'
 OTEL_AUDIT_QUEUE_SIZE='$OTELAUDITQUEUESIZE'
 RPIMAGE='$image'
 PODMAN_NETWORK='podman'
@@ -331,6 +338,7 @@ ExecStart=/usr/bin/podman run \
   -e PORTAL_HOSTNAME \
   -e OTEL_AUDIT_QUEUE_SIZE \
   -e ARO_LOG_LEVEL \
+  -e ENIVRONMETN_TYPE \
   -m 2g \
   -p 444:8444 \
   -p 2222:2222 \
@@ -397,6 +405,7 @@ ExecStart=/usr/bin/podman run \
   -e CLUSTER_MDSD_NAMESPACE \
   -e DATABASE_ACCOUNT_NAME \
   -e DOMAIN_NAME \
+  -e ENVIRONMENT \
   -e GATEWAY_DOMAINS \
   -e GATEWAY_RESOURCEGROUP \
   -e KEYVAULT_PREFIX \
@@ -456,7 +465,8 @@ MISEVALIDAUDIENCES='$MISEVALIDAUDIENCES'
 MISEVALIDAPPIDS='$MISEVALIDAPPIDS'
 LOGININSTANCE='$LOGININSTANCE'
 PODMAN_NETWORK='podman'
-IPADDRESS='$ipaddress'"
+IPADDRESS='$ipaddress'
+ENVIRONMENT='$ENVIRONMENT'"
 
     write_file aro_mise_service_conf_filename aro_mise_service_conf_file true
 
@@ -550,6 +560,7 @@ ExecStart=/usr/bin/podman run \
   --network=${PODMAN_NETWORK} \
   --ip ${IPADDRESS} \
   --rm \
+  -e ENVIRONMENT \
   ${MISEIMAGE}
 ExecStop=/usr/bin/podman stop %N
 Restart=always
@@ -578,7 +589,8 @@ configure_service_aro_otel_collector() {
     local -r aro_otel_collector_service_conf_file="GOMEMLIMIT=1000MiB
 OTELIMAGE='$image'
 PODMAN_NETWORK='podman'
-IPADDRESS='$ipaddress'"
+IPADDRESS='$ipaddress'
+ENVIRONMENT='$ENVIRONMENT'"
 
     write_file aro_otel_collector_service_conf_filename aro_otel_collector_service_conf_file true
 
@@ -648,6 +660,7 @@ ExecStart=/usr/bin/podman run \
   --network=${PODMAN_NETWORK} \
   --ip ${IPADDRESS} \
   -m 2g \
+  -e ENVIRONMENT \
   -v /app/otel/config.yaml:/etc/otelcol-contrib/config.yaml:z \
   ${OTELIMAGE}
 ExecStop=/usr/bin/podman stop %N
@@ -698,10 +711,10 @@ export MONITORING_GCS_AUTH_ID='$mdsd_certificate_san'
 export MONITORING_GCS_NAMESPACE='$RPMDSDNAMESPACE'
 export MONITORING_CONFIG_VERSION='$monitor_config_version'
 export MONITORING_USE_GENEVA_CONFIG_SERVICE=true
-
 export MONITORING_TENANT='$LOCATION'
 export MONITORING_ROLE='$role'
 export MONITORING_ROLE_INSTANCE=\"$(hostname)\"
+export MONITORING_ENVIRONMENT='$ENVIRONMENT'
 
 export MDSD_MSGPACK_SORT_COLUMNS=\"1\""
 
@@ -730,7 +743,8 @@ configure_service_fluentbit() {
     # shellcheck disable=SC2034
     local -r sysconfig_filename='/etc/sysconfig/fluentbit'
     # shellcheck disable=SC2034
-    local -r sysconfig_file="FLUENTBITIMAGE=$image"
+    local -r sysconfig_file="FLUENTBITIMAGE='$image'
+ENVIRONMENT='$ENVIRONMENT'"
 
     write_file sysconfig_filename sysconfig_file true
 
@@ -755,6 +769,7 @@ ExecStart=/usr/bin/podman run \
   --hostname %H \
   --name %N \
   --rm \
+  -e ENVIRONMENT \
   --cap-drop net_raw \
   -v /etc/fluentbit/fluentbit.conf:/etc/fluentbit/fluentbit.conf \
   -v /var/lib/fluent:/var/lib/fluent:z \

@@ -27,6 +27,7 @@ func (g *generator) gatewayTemplate() *arm.Template {
 		"azureSecPackQualysUrl",
 		"azureSecPackVSATenantId",
 		"databaseAccountName",
+		"environment",
 		"fluentbitImage",
 		"gatewayDomains",
 		"gatewayFeatures",

@@ -47,6 +47,7 @@ func (g *generator) rpTemplate() *arm.Template {
 			"clusterMdsdConfigVersion",
 			"clusterMdsdNamespace",
 			"cosmosDB",
+			"environment",
 			"disableCosmosDBFirewall",
 			"fluentbitImage",
 			"fpClientId",

@@ -6,6 +6,7 @@ package env
 import (
 	"context"
 	"crypto/fips140"
+	"os"
 	"strings"
 
 	"github.com/sirupsen/logrus"
@@ -51,6 +52,7 @@ type Core interface {
 	Service() string
 	Logger() *logrus.Entry
 	LoggerForComponent(string) *logrus.Entry
+	EnvironmentType() string
 }
 
 type core struct {
@@ -88,6 +90,10 @@ func (c *core) LoggerForComponent(component string) *logrus.Entry {
 	return c.serviceLog.WithField("component", component)
 }
 
+func (c *core) EnvironmentType() string {
+	return os.Getenv("ENVIRONMENT")
+}
+
 func (c *core) NewLiveConfigManager(ctx context.Context) (liveconfig.Manager, error) {
 	credential, err := c.NewMSITokenCredential()
 	if err != nil {

@@ -119,6 +119,7 @@ type Interface interface {
 	AROOperatorImage() string
 	LiveConfig() liveconfig.Manager
 	ClusterCertificates() azcertificates.Client
+	EnvironmentType() string
 }
 
 func NewEnv(ctx context.Context, log *logrus.Entry, component ServiceName) (Interface, error) {

@@ -83,6 +83,8 @@ type prod struct {
 
 	log *logrus.Entry
 
+	environment string
+
 	features map[Feature]bool
 }
 
@@ -125,6 +127,7 @@ func newProd(ctx context.Context, log *logrus.Entry, service ServiceName) (*prod
 		clusterGenevaLoggingConfigVersion: os.Getenv("CLUSTER_MDSD_CONFIG_VERSION"),
 		clusterGenevaLoggingEnvironment:   os.Getenv("MDSD_ENVIRONMENT"),
 		clusterGenevaLoggingNamespace:     os.Getenv("CLUSTER_MDSD_NAMESPACE"),
+		environment:                       os.Getenv("ENVIRONMENT"),
 
 		log: log,
 
@@ -406,6 +409,10 @@ func (p *prod) Domain() string {
 	return os.Getenv("DOMAIN_NAME")
 }
 
+func (p *prod) EnvironmentType() string {
+	return p.environment
+}
+
 func (p *prod) FeatureIsSet(f Feature) bool {
 	return p.features[f]
 }

@@ -158,6 +158,12 @@ func (r *Reconciler) daemonset(cluster *arov1alpha1.Cluster) (*appsv1.DaemonSet,
 								"-c",
 								"/etc/td-agent-bit/fluent.conf",
 							},
+							Env: []corev1.EnvVar{
+								{
+									Name:  "ENVIRONMENT",
+									Value: cluster.Spec.OperatorFlags.GetWithDefault("aro.environment", ""),
+								},
+							},
 							// TODO: specify requests/limits
 							SecurityContext: &corev1.SecurityContext{
 								Privileged: pointerutils.ToPtr(true),
@@ -232,6 +238,10 @@ func (r *Reconciler) daemonset(cluster *arov1alpha1.Cluster) (*appsv1.DaemonSet,
 									Name:  "MONITORING_USE_GENEVA_CONFIG_SERVICE",
 									Value: "true",
 								},
+								{
+									Name:  "MONITORING_ENVIRONMENT",
+									Value: cluster.Spec.OperatorFlags.GetWithDefault("aro.environment", ""),
+								},
 								{
 									Name:  "MONITORING_TENANT",
 									Value: cluster.Spec.Location,