Merge pull request #1953 from DFE-Digital/937-enable-azure-rbac-deplo…
…yment-on-all-services

Enable Azure RBAC deployment
RMcVelia authored Jan 30, 2024
2 parents 3131b53 + f18c0b9 commit 3e3c101
Showing 7 changed files with 36 additions and 37 deletions.
8 changes: 5 additions & 3 deletions .github/actions/deploy-environment/action.yml
Expand Up @@ -33,7 +33,7 @@ runs:
terraform_version: 1.5.0
terraform_wrapper: false

- uses: DFE-Digital/github-actions/set-arm-environment-variables@master
- uses: DFE-Digital/github-actions/set-kubelogin-environment@master
with:
azure-credentials: ${{ inputs.azure-credentials }}

Expand All @@ -56,8 +56,10 @@ runs:
if: ${{ inputs.pull-request-number != '' }}
shell: bash
run: |
az aks get-credentials -g s189t01-tsc-ts-rg -n s189t01-tsc-test-aks
kubectl exec -n tra-development deployment/apply-for-qts-review-${{ inputs.pull-request-number }}-web -- sh -c "cd /app && /usr/local/bin/bundle exec rails db:seed review_app:configure example_data:generate"
make ci review get-cluster-credentials
kubectl exec -n tra-development deployment/apply-for-qts-review-${PULL_REQUEST_NUMBER}-web -- sh -c "cd /app && /usr/local/bin/bundle exec rails db:seed review_app:configure example_data:generate"
env:
PULL_REQUEST_NUMBER: ${{ inputs.pull-request-number }}

- id: key-vault-name
if: ${{ inputs.smoke-test-credentials-required == 'true' }}
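Review bot: The new `uses: DFE-Digital/github-actions/set-kubelogin-environment@master` reference floats on a branch, so whatever that action does with `inputs.azure-credentials` can change without any review in this repository; pin it to a full commit SHA (`uses: DFE-Digital/github-actions/set-kubelogin-environment@<sha> # set-kubelogin-environment`) and let Dependabot move the pin. Moving the PR number into `env: PULL_REQUEST_NUMBER` and referencing `${PULL_REQUEST_NUMBER}` from the script, instead of interpolating `${{ inputs.pull-request-number }}` into the shell text, is the right call and closes a script-injection vector. Note that `make ci review …` aborts with `Missing environment variable "PULL_REQUEST_NUMBER"` if that env is ever empty, which is consistent with the `if:` guard on this step but worth a one-line comment so the dependency on the `review` target's check is visible.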
19 changes: 2 additions & 17 deletions .github/actions/set-kubernetes-credentials/action.yaml
Expand Up @@ -18,29 +18,14 @@ runs:
terraform_version: 1.5.0
terraform_wrapper: false

- uses: DFE-Digital/github-actions/set-arm-environment-variables@master
- uses: DFE-Digital/github-actions/set-kubelogin-environment@master
with:
azure-credentials: ${{ inputs.azure-credentials }}

- name: Refresh Terraform
shell: sh
run: make ci ${{ inputs.environment }} terraform-refresh
env:
TF_VAR_azure_sp_credentials_json: ${{ inputs.azure-credentials }}
DOCKER_IMAGE: "ghcr.io/dfe-digital/apply-for-qualified-teacher-status:no-tag"

- name: Get cluster details
id: cluster-details
working-directory: terraform/application
shell: bash
run: |
echo "name=$(terraform output -raw kubernetes_cluster_name)" >> $GITHUB_OUTPUT
echo "resource-group=$(terraform output -raw kubernetes_cluster_resource_group_name)" >> $GITHUB_OUTPUT
- uses: Azure/login@v1
with:
creds: ${{ inputs.azure-credentials }}

- name: Set AKS credentials
shell: bash
run: az aks get-credentials -g ${{ steps.cluster-details.outputs.resource-group }} -n ${{ steps.cluster-details.outputs.name }}
run: make ci ${{ inputs.environment }} get-cluster-credentials
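Review bot: `run: make ci ${{ inputs.environment }} get-cluster-credentials` splices the `environment` input straight into the shell script, whereas the sibling deploy-environment action in this same commit moved its input into `env:` precisely to avoid expression injection; do the same here with `env:` / `  ENVIRONMENT: ${{ inputs.environment }}` and `run: make ci "$ENVIRONMENT" get-cluster-credentials`. Make would reject an unknown target name, but that happens only after the shell has already parsed the line, so it is no defence against a `;`-style payload in the input. With `Azure/login@v1` removed from this action, `az` must now be authenticated by `set-kubelogin-environment` or by the `set-azure-account` prerequisite of `get-cluster-credentials`; a short comment on the step saying where the login happens would help the next reader.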
2 changes: 1 addition & 1 deletion .github/workflows/delete-review-app.yml
Expand Up @@ -38,7 +38,7 @@ jobs:
echo "TF_STATE_EXISTS=true" >> $GITHUB_ENV
fi
- uses: DFE-Digital/github-actions/set-arm-environment-variables@master
- uses: DFE-Digital/github-actions/set-kubelogin-environment@master
if: env.TF_STATE_EXISTS == 'true'
with:
azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}
22 changes: 17 additions & 5 deletions Makefile
Expand Up @@ -11,13 +11,13 @@ help: ## Show this help
@grep -E '^[a-zA-Z\._\-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

.PHONY: development
development: set-test-azure-subscription ## Specify development configuration
development: set-test-azure-subscription test-cluster ## Specify development configuration
$(eval CONFIG=development)
$(eval CONFIG_SHORT=dv)
$(eval DOMAINS_TERRAFORM_BACKEND_KEY=afqtsdomains_dev.tfstate)

.PHONY: review
review: set-test-azure-subscription ## Specify review configuration
review: set-test-azure-subscription test-cluster ## Specify review configuration
$(if $(PULL_REQUEST_NUMBER), , $(error Missing environment variable "PULL_REQUEST_NUMBER"))
$(eval CONFIG=review)
$(eval CONFIG_SHORT=rv)
Expand All @@ -26,18 +26,18 @@ review: set-test-azure-subscription ## Specify review configuration
$(eval export TF_VAR_uploads_storage_account_name=$(AZURE_RESOURCE_PREFIX)afqtsrv$(PULL_REQUEST_NUMBER)sa)

.PHONY: test
test: set-test-azure-subscription ## Specify test configuration
test: set-test-azure-subscription test-cluster ## Specify test configuration
$(eval CONFIG=test)
$(eval CONFIG_SHORT=ts)

.PHONY: preproduction
preproduction: set-test-azure-subscription ## Specify preproduction configuration
preproduction: set-test-azure-subscription test-cluster ## Specify preproduction configuration
$(eval CONFIG=preproduction)
$(eval CONFIG_SHORT=pp)
$(eval DOMAINS_TERRAFORM_BACKEND_KEY=afqtsdomains_preprod.tfstate)

.PHONY: production
production: set-production-azure-subscription ## Specify production configuration
production: set-production-azure-subscription production-cluster ## Specify production configuration
$(eval CONFIG=production)
$(eval CONFIG_SHORT=pd)
$(eval KEY_VAULT_PURGE_PROTECTION=true)
Expand Down Expand Up @@ -194,3 +194,15 @@ domains-apply: domains-init ## terraform apply for dns resources

domains-destroy: domains-init ## terraform destroy for dns resources
terraform -chdir=terraform/domains/environment_domains destroy -var-file config/$(CONFIG).tfvars.json

test-cluster:
$(eval CLUSTER_RESOURCE_GROUP_NAME=s189t01-tsc-ts-rg)
$(eval CLUSTER_NAME=s189t01-tsc-test-aks)

production-cluster:
$(eval CLUSTER_RESOURCE_GROUP_NAME=s189p01-tsc-pd-rg)
$(eval CLUSTER_NAME=s189p01-tsc-production-aks)

get-cluster-credentials: set-azure-account
az aks get-credentials --overwrite-existing -g ${CLUSTER_RESOURCE_GROUP_NAME} -n ${CLUSTER_NAME}
kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)
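Review bot: `test-cluster`, `production-cluster` and `get-cluster-credentials` are not declared in a `.PHONY:` line, unlike every other target in this file (`.PHONY: development`, `.PHONY: review`, …), so a stray file with one of those names would silently short-circuit them; add `.PHONY: test-cluster production-cluster get-cluster-credentials`. `get-cluster-credentials` also runs `az aks get-credentials --overwrite-existing -g ${CLUSTER_RESOURCE_GROUP_NAME} -n ${CLUSTER_NAME}` with no check that an environment target populated those variables, so a bare `make get-cluster-credentials` hands `az` empty arguments; guard it the way `review` guards `PULL_REQUEST_NUMBER`, e.g. `$(if $(CLUSTER_NAME),,$(error Run with an environment target, e.g. "make development get-cluster-credentials"))` as the first recipe line. The `spn` login mode chosen under `GITHUB_ACTIONS` presumably reads the service-principal id and secret from environment variables exported by the `set-kubelogin-environment` action, while local users get `azurecli` and no longer receive a static client certificate in their kubeconfig; a `## ` help comment on the target stating both would make the `$(if ${GITHUB_ACTIONS},spn,azurecli)` switch self-explanatory.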
5 changes: 2 additions & 3 deletions docs/infrastructure.md
Expand Up @@ -73,11 +73,10 @@ Select account for az:
$ az account set -s s189-teacher-services-cloud-test
```

Get access credentials for a managed Kubernetes cluster (passing the
resource group and the name):
Get access credentials for a managed Kubernetes cluster (in this case for the `development` environment):

```
$ az aks get-credentials -g s189t01-tsc-ts-rg -n s189t01-tsc-test-aks
$ make development get-cluster-credentials
```

When you have multiple cluster credentials loaded, you can switch between clusters
8 changes: 0 additions & 8 deletions terraform/application/outputs.tf
Expand Up @@ -10,14 +10,6 @@ output "postgres_azure_backup_storage_container_name" {
value = module.postgres.azure_backup_storage_container_name
}

output "kubernetes_cluster_name" {
value = "${module.cluster_data.configuration_map.resource_prefix}-aks"
}

output "kubernetes_cluster_resource_group_name" {
value = module.cluster_data.configuration_map.resource_group_name
}

output "azure_storage_account_name" {
value = azurerm_storage_account.uploads.name
}
9 changes: 9 additions & 0 deletions terraform/application/providers.tf
Expand Up @@ -17,6 +17,15 @@ provider "kubernetes" {
client_certificate = module.cluster_data.kubernetes_client_certificate
client_key = module.cluster_data.kubernetes_client_key
cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate

dynamic "exec" {
for_each = module.cluster_data.azure_RBAC_enabled ? [1] : []
content {
api_version = "client.authentication.k8s.io/v1beta1"
command = "kubelogin"
args = module.cluster_data.kubelogin_args
}
}
}

provider "statuscake" {
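Review bot: The new `dynamic "exec"` block invokes `command = "kubelogin"` by bare name, so every workstation and CI runner that applies this configuration now needs `kubelogin` on `PATH`, yet nothing in the hunk says so; add a comment above it such as `# Azure RBAC: authenticate with an Entra ID token from kubelogin (must be on PATH) rather than the static client certificate`. The `client_certificate`/`client_key` arguments just above are still passed unconditionally; if `module.cluster_data` returns empty values for them when `azure_RBAC_enabled` is true the provider may tolerate that, but making them conditional on the same flag would stop the two auth paths from being combined by accident — hedged, since the module outputs are not visible here. `module.cluster_data.kubelogin_args` is opaque in this hunk; a one-line note on which login mode it selects (spn vs azurecli, as the Makefile does) would save the next reader a trip into the module. The enclosing `provider "kubernetes"` block starts before this hunk.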
