From f18c0b914657f99f47e7e8b1d8a5e25f78ae5961 Mon Sep 17 00:00:00 2001 From: RMcVelia Date: Fri, 26 Jan 2024 14:39:06 +0000 Subject: [PATCH] Enable azure rbac deployment --- .github/actions/deploy-environment/action.yml | 8 ++++--- .../set-kubernetes-credentials/action.yaml | 19 ++-------------- .github/workflows/delete-review-app.yml | 2 +- Makefile | 22 ++++++++++++++----- docs/infrastructure.md | 5 ++--- terraform/application/outputs.tf | 8 ------- terraform/application/providers.tf | 9 ++++++++ 7 files changed, 36 insertions(+), 37 deletions(-) diff --git a/.github/actions/deploy-environment/action.yml b/.github/actions/deploy-environment/action.yml index bd0f46b8c..57ef7aa72 100644 --- a/.github/actions/deploy-environment/action.yml +++ b/.github/actions/deploy-environment/action.yml @@ -33,7 +33,7 @@ runs: terraform_version: 1.5.0 terraform_wrapper: false - - uses: DFE-Digital/github-actions/set-arm-environment-variables@master + - uses: DFE-Digital/github-actions/set-kubelogin-environment@master with: azure-credentials: ${{ inputs.azure-credentials }} @@ -56,8 +56,10 @@ runs: if: ${{ inputs.pull-request-number != '' }} shell: bash run: | - az aks get-credentials -g s189t01-tsc-ts-rg -n s189t01-tsc-test-aks - kubectl exec -n tra-development deployment/apply-for-qts-review-${{ inputs.pull-request-number }}-web -- sh -c "cd /app && /usr/local/bin/bundle exec rails db:seed review_app:configure example_data:generate" + make ci review get-cluster-credentials + kubectl exec -n tra-development deployment/apply-for-qts-review-${PULL_REQUEST_NUMBER}-web -- sh -c "cd /app && /usr/local/bin/bundle exec rails db:seed review_app:configure example_data:generate" + env: + PULL_REQUEST_NUMBER: ${{ inputs.pull-request-number }} - id: key-vault-name if: ${{ inputs.smoke-test-credentials-required == 'true' }} diff --git a/.github/actions/set-kubernetes-credentials/action.yaml b/.github/actions/set-kubernetes-credentials/action.yaml index bfaf8ddcc..013dbbd14 100644 --- a/.github/actions/set-kubernetes-credentials/action.yaml +++ b/.github/actions/set-kubernetes-credentials/action.yaml @@ -18,29 +18,14 @@ runs: terraform_version: 1.5.0 terraform_wrapper: false - - uses: DFE-Digital/github-actions/set-arm-environment-variables@master + - uses: DFE-Digital/github-actions/set-kubelogin-environment@master with: azure-credentials: ${{ inputs.azure-credentials }} - - name: Refresh Terraform - shell: sh - run: make ci ${{ inputs.environment }} terraform-refresh - env: - TF_VAR_azure_sp_credentials_json: ${{ inputs.azure-credentials }} - DOCKER_IMAGE: "ghcr.io/dfe-digital/apply-for-qualified-teacher-status:no-tag" - - - name: Get cluster details - id: cluster-details - working-directory: terraform/application - shell: bash - run: | - echo "name=$(terraform output -raw kubernetes_cluster_name)" >> $GITHUB_OUTPUT - echo "resource-group=$(terraform output -raw kubernetes_cluster_resource_group_name)" >> $GITHUB_OUTPUT - - uses: Azure/login@v1 with: creds: ${{ inputs.azure-credentials }} - name: Set AKS credentials shell: bash - run: az aks get-credentials -g ${{ steps.cluster-details.outputs.resource-group }} -n ${{ steps.cluster-details.outputs.name }} + run: make ci ${{ inputs.environment }} get-cluster-credentials diff --git a/.github/workflows/delete-review-app.yml b/.github/workflows/delete-review-app.yml index 05a54e186..45e410a54 100644 --- a/.github/workflows/delete-review-app.yml +++ b/.github/workflows/delete-review-app.yml @@ -38,7 +38,7 @@ jobs: echo "TF_STATE_EXISTS=true" >> $GITHUB_ENV fi - - uses: DFE-Digital/github-actions/set-arm-environment-variables@master + - uses: DFE-Digital/github-actions/set-kubelogin-environment@master if: env.TF_STATE_EXISTS == 'true' with: azure-credentials: ${{ secrets.AZURE_CREDENTIALS }} diff --git a/Makefile b/Makefile index db0c4e9bb..ed449cdb4 100644 --- a/Makefile +++ b/Makefile @@ -11,13 +11,13 @@ help: ## Show this help @grep -E '^[a-zA-Z\._\-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' .PHONY: development -development: set-test-azure-subscription ## Specify development configuration +development: set-test-azure-subscription test-cluster ## Specify development configuration $(eval CONFIG=development) $(eval CONFIG_SHORT=dv) $(eval DOMAINS_TERRAFORM_BACKEND_KEY=afqtsdomains_dev.tfstate) .PHONY: review -review: set-test-azure-subscription ## Specify review configuration +review: set-test-azure-subscription test-cluster ## Specify review configuration $(if $(PULL_REQUEST_NUMBER), , $(error Missing environment variable "PULL_REQUEST_NUMBER")) $(eval CONFIG=review) $(eval CONFIG_SHORT=rv) @@ -26,18 +26,18 @@ review: set-test-azure-subscription ## Specify review configuration $(eval export TF_VAR_uploads_storage_account_name=$(AZURE_RESOURCE_PREFIX)afqtsrv$(PULL_REQUEST_NUMBER)sa) .PHONY: test -test: set-test-azure-subscription ## Specify test configuration +test: set-test-azure-subscription test-cluster ## Specify test configuration $(eval CONFIG=test) $(eval CONFIG_SHORT=ts) .PHONY: preproduction -preproduction: set-test-azure-subscription ## Specify preproduction configuration +preproduction: set-test-azure-subscription test-cluster ## Specify preproduction configuration $(eval CONFIG=preproduction) $(eval CONFIG_SHORT=pp) $(eval DOMAINS_TERRAFORM_BACKEND_KEY=afqtsdomains_preprod.tfstate) .PHONY: production -production: set-production-azure-subscription ## Specify production configuration +production: set-production-azure-subscription production-cluster ## Specify production configuration $(eval CONFIG=production) $(eval CONFIG_SHORT=pd) $(eval KEY_VAULT_PURGE_PROTECTION=true) @@ -194,3 +194,15 @@ domains-apply: domains-init ## terraform apply for dns resources domains-destroy: domains-init ## terraform destroy for dns resources terraform -chdir=terraform/domains/environment_domains destroy -var-file config/$(CONFIG).tfvars.json + +test-cluster: + $(eval CLUSTER_RESOURCE_GROUP_NAME=s189t01-tsc-ts-rg) + $(eval CLUSTER_NAME=s189t01-tsc-test-aks) + +production-cluster: + $(eval CLUSTER_RESOURCE_GROUP_NAME=s189p01-tsc-pd-rg) + $(eval CLUSTER_NAME=s189p01-tsc-production-aks) + +get-cluster-credentials: set-azure-account + az aks get-credentials --overwrite-existing -g ${CLUSTER_RESOURCE_GROUP_NAME} -n ${CLUSTER_NAME} + kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli) diff --git a/docs/infrastructure.md b/docs/infrastructure.md index 12a338665..db6a1823c 100644 --- a/docs/infrastructure.md +++ b/docs/infrastructure.md @@ -73,11 +73,10 @@ Select account for az: $ az account set -s s189-teacher-services-cloud-test ``` -Get access credentials for a managed Kubernetes cluster (passing the -resource group and the name): +Get access credentials for a managed Kubernetes cluster (in this case for the `development` environment): ``` -$ az aks get-credentials -g s189t01-tsc-ts-rg -n s189t01-tsc-test-aks +$ make development get-cluster-credentials ``` When you have multiple cluster credentials loaded, you can switch between clusters diff --git a/terraform/application/outputs.tf b/terraform/application/outputs.tf index 1d8e3bc7a..027cf7922 100644 --- a/terraform/application/outputs.tf +++ b/terraform/application/outputs.tf @@ -10,14 +10,6 @@ output "postgres_azure_backup_storage_container_name" { value = module.postgres.azure_backup_storage_container_name } -output "kubernetes_cluster_name" { - value = "${module.cluster_data.configuration_map.resource_prefix}-aks" -} - -output "kubernetes_cluster_resource_group_name" { - value = module.cluster_data.configuration_map.resource_group_name -} - output "azure_storage_account_name" { value = azurerm_storage_account.uploads.name } diff --git a/terraform/application/providers.tf b/terraform/application/providers.tf index 70622bbaa..ac7abc955 100644 --- a/terraform/application/providers.tf +++ b/terraform/application/providers.tf @@ -17,6 +17,15 @@ provider "kubernetes" { client_certificate = module.cluster_data.kubernetes_client_certificate client_key = module.cluster_data.kubernetes_client_key cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate + + dynamic "exec" { + for_each = module.cluster_data.azure_RBAC_enabled ? [1] : [] + content { + api_version = "client.authentication.k8s.io/v1beta1" + command = "kubelogin" + args = module.cluster_data.kubelogin_args + } + } } provider "statuscake" {