From a6d6e825c74885690d40f06157fbc439ada4939e Mon Sep 17 00:00:00 2001
From: RMcVelia
Date: Mon, 29 Jan 2024 12:24:11 +0000
Subject: [PATCH] Enable azure rbac deployment
---
 .github/actions/deploy/action.yml | 2 +-
 .github/workflows/database-backup.yml | 2 +-
 .github/workflows/delete-review-app.yml | 2 +-
 Makefile | 1 +
 docs/aks-cheatsheet.md | 4 ++--
 terraform/aks/terraform.tf | 9 +++++++++
 6 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/.github/actions/deploy/action.yml b/.github/actions/deploy/action.yml
index c4d65f24..2190f1a1 100644
--- a/.github/actions/deploy/action.yml
+++ b/.github/actions/deploy/action.yml
@@ -73,7 +73,7 @@ runs:
 ${{ env.key_vault_app_secret_name }}
 ${{ env.key_vault_infra_secret_name }}
- - uses: DFE-Digital/github-actions/set-arm-environment-variables@master
+ - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
 with:
 azure-credentials: ${{ inputs.azure-credentials }}
diff --git a/.github/workflows/database-backup.yml b/.github/workflows/database-backup.yml
index f3d36d65..3f0b5464 100644
--- a/.github/workflows/database-backup.yml
+++ b/.github/workflows/database-backup.yml
@@ -37,7 +37,7 @@ jobs:
 - name: K8 setup
 shell: bash
 run: |
- az aks get-credentials -g s189p01-tsc-pd-rg -n s189p01-tsc-production-aks
+ make ci production get-cluster-credentials
 make install-konduit
 - name: Setup postgres client
diff --git a/.github/workflows/delete-review-app.yml b/.github/workflows/delete-review-app.yml
index 4ac49515..c432ed44 100644
--- a/.github/workflows/delete-review-app.yml
+++ b/.github/workflows/delete-review-app.yml
@@ -58,7 +58,7 @@ jobs:
 # ${{ env.key_vault_app_secret_name }}
 # ${{ env.key_vault_infra_secret_name }}
- - uses: DFE-Digital/github-actions/set-arm-environment-variables@master
+ - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
 if: env.TF_STATE_EXISTS == 'true'
 with:
 azure-credentials: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
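Review bot: The new step in `.github/actions/deploy/action.yml` hands `azure-credentials` to an action referenced by the mutable ref `@master`, so whatever that branch points to at run time receives the service principal credentials. The identical step in `.github/workflows/delete-review-app.yml` has the same exposure. Pinning both to a reviewed commit, `uses: DFE-Digital/github-actions/set-kubelogin-environment@<commit-sha>`, keeps the credential-handling code fixed until it is deliberately bumped. The removed line used the same ref, so this is not a regression, but the line is being touched anyway and this action now sets up cluster login.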
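Review bot: Nothing in the `K8 setup` hunk of `.github/workflows/database-backup.yml` shows the job providing the service principal environment that the new `make ci production get-cluster-credentials` line depends on. Per the Makefile change in this commit, that target runs `kubelogin convert-kubeconfig -l spn` under GitHub Actions. The other two workflow files gain a `set-kubelogin-environment` step, presumably for this purpose; the rest of this job lies outside the hunk, so an equivalent step may already exist there. If it does not, the conversion would succeed but the first kubectl call made through konduit would likely fail to authenticate. A comment above the make line, `# needs the kubelogin spn variables exported earlier in this job`, would make the dependency visible.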
diff --git a/Makefile b/Makefile
index d8d353a7..ed9bb0fa 100644
--- a/Makefile
+++ b/Makefile
@@ -99,6 +99,7 @@ print-infra-secrets: read-tf-config install-fetch-config set-azure-account
 get-cluster-credentials: read-cluster-config set-azure-account ## make get-cluster-credentials [ENVIRONMENT=]
 az aks get-credentials --overwrite-existing -g ${AZURE_RESOURCE_PREFIX}-tsc-${CLUSTER_SHORT}-rg -n ${AZURE_RESOURCE_PREFIX}-tsc-${CLUSTER}-aks
+ kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)
 console: get-cluster-credentials
 $(if $(APP_NAME), $(eval export APP_ID=$(APP_NAME)) , $(eval export APP_ID=$(CONFIG_LONG)))
diff --git a/docs/aks-cheatsheet.md b/docs/aks-cheatsheet.md
index 48497abb..4d42ae9a 100644
--- a/docs/aks-cheatsheet.md
+++ b/docs/aks-cheatsheet.md
@@ -54,10 +54,10 @@ $ az account set -s s189-teacher-services-cloud-test
 ```
 Get access credentials for a managed Kubernetes cluster (passing the
-resource group and the name):
+register environment):
 ```
-$ az aks get-credentials -g s189t01-tsc-ts-rg -n s189t01-tsc-test-aks
+$ make qa get-cluster-credentials
 ```
 When you have multiple cluster credentials loaded, you can switch between clusters
diff --git a/terraform/aks/terraform.tf b/terraform/aks/terraform.tf
index 5392b075..e31f9259 100644
--- a/terraform/aks/terraform.tf
+++ b/terraform/aks/terraform.tf
@@ -34,6 +34,15 @@ provider "kubernetes" {
 client_certificate = module.cluster_data.kubernetes_client_certificate
 client_key = module.cluster_data.kubernetes_client_key
 cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate
+
+ dynamic "exec" {
+ for_each = module.cluster_data.azure_RBAC_enabled ? [1] : []
+ content {
+ api_version = "client.authentication.k8s.io/v1beta1"
+ command = "kubelogin"
+ args = module.cluster_data.kubelogin_args
+ }
+ }
 }
 provider "statuscake" {
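Review bot: The `get-cluster-credentials` recipe in the Makefile now needs a `kubelogin` binary on PATH, but nothing in the hunk checks for one. On a machine without it, the target fails only after `az aks get-credentials --overwrite-existing` has already rewritten the kubeconfig. A guard as the first recipe line would fail early with a clear message: `@command -v kubelogin >/dev/null || { echo "kubelogin is required for get-cluster-credentials"; exit 1; }`. The login-mode switch also deserves a comment, `# spn in GitHub Actions (service principal read from the environment), azurecli for developers`. Note that `$(if ${GITHUB_ACTIONS},...)` selects `spn` for any non-empty value, including `false`.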
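Review bot: In `terraform/aks/terraform.tf`, `client_certificate` and `client_key` stay set unconditionally next to the new `dynamic "exec"` block. When `azure_RBAC_enabled` is true, the provider is therefore handed both a static client certificate and the kubelogin token plugin. Whether the certificate outputs are null in that case depends on `module.cluster_data`, which is not visible here. If they are still populated, Terraform may keep authenticating with the local-account certificate and bypass the Azure RBAC path this commit enables. A comment should state the intended contract, `# cluster_data returns null client cert/key when azure_RBAC_enabled; exec supplies the token`, and the module should be checked against it. The provider block starts above the hunk, so settings such as `host` are not shown.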