From 98a420708c49b9eb779d1f5069c61bcd27ce23b8 Mon Sep 17 00:00:00 2001
From: Venkata Challa
Date: Tue, 30 Jan 2024 13:12:50 +0000
Subject: [PATCH] Enable Azure RBAC changes wip
---
 .github/actions/deploy/action.yml | 4 ++--
 .github/workflows/delete-review-app.yml | 2 +-
 Makefile | 7 ++++++-
 terraform/aks/providers.tf | 8 ++++++++
 4 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/.github/actions/deploy/action.yml b/.github/actions/deploy/action.yml
index c96f060a..beb57b94 100644
--- a/.github/actions/deploy/action.yml
+++ b/.github/actions/deploy/action.yml
@@ -80,7 +80,7 @@ runs:
 ${{ env.key_vault_app_secret_name }}
 ${{ env.key_vault_infra_secret_name }}
- - uses: DFE-Digital/github-actions/set-arm-environment-variables@master
+ - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
 with:
 azure-credentials: ${{ inputs.azure-credentials }}
@@ -110,7 +110,7 @@ runs:
 - name: K8 setup
 shell: bash
 run: |
- az aks get-credentials -g ${{ env.cluster_rg }} -n ${{ env.cluster_name }}
+ make get-cluster-credentials cluster_rg=${{ env.cluster_rg }} cluster_name=${{ env.cluster_name }}
 make install-konduit
 - name: Generate example data
diff --git a/.github/workflows/delete-review-app.yml b/.github/workflows/delete-review-app.yml
index 117a9075..179b3abf 100644
--- a/.github/workflows/delete-review-app.yml
+++ b/.github/workflows/delete-review-app.yml
@@ -45,7 +45,7 @@ jobs:
 with:
 terraform_version: ${{ env.TERRAFORM_VERSION }}
- - uses: DFE-Digital/github-actions/set-arm-environment-variables@master
+ - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
 if: env.TF_STATE_EXISTS == 'true'
 with:
 azure-credentials: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
diff --git a/Makefile b/Makefile
index 2b5752d5..f47fe57b 100644
--- a/Makefile
+++ b/Makefile
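Review bot: The added `uses: DFE-Digital/github-actions/set-kubelogin-environment@master` step (hunk at line 80 of `.github/actions/deploy/action.yml`) is referenced by a mutable branch while it is handed `azure-credentials`, so whatever `master` points to at run time executes with the Azure credentials passed to it. Pin the action to a full commit SHA and keep the branch name as a trailing comment, e.g. `- uses: DFE-Digital/github-actions/set-kubelogin-environment@<full-commit-sha> # master`. The same reference is added in `.github/workflows/delete-review-app.yml` (hunk at line 45), where it receives `secrets.AZURE_CREDENTIALS_REVIEW`. The steps lists continue outside both hunks.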
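Review bot: In the `K8 setup` step (hunk at line 110) the added `make get-cluster-credentials` line splices `${{ env.cluster_rg }}` and `${{ env.cluster_name }}` into the script text before bash parses it, so a value containing whitespace or shell metacharacters would be interpreted by the shell instead of reaching make as one argument. Both values come from the `env` context and are therefore already in the step's environment, so they can be read by the shell and quoted: `make get-cluster-credentials cluster_rg="$cluster_rg" cluster_name="$cluster_name"`. Where the two values are set is not visible in the hunk, so how much control an outside party has over them should be confirmed against the earlier steps.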
@@ -100,7 +100,12 @@ print-infra-secrets: read-tf-config install-fetch-config set-azure-account
 bin/fetch_config.rb -s azure-key-vault-secret:${key_vault_name}/${key_vault_infra_secret_name} -f yaml
 get-cluster-credentials: read-cluster-config set-azure-account ## make get-cluster-credentials [ENVIRONMENT=]
- az aks get-credentials --overwrite-existing -g ${AZURE_RESOURCE_PREFIX}-tsc-${CLUSTER_SHORT}-rg -n ${AZURE_RESOURCE_PREFIX}-tsc-${CLUSTER}-aks
+ifeq ($(GITHUB_ACTIONS),)
+ $(eval cluster_rg= ${AZURE_RESOURCE_PREFIX}-tsc-${CLUSTER_SHORT}-rg)
+ $(eval cluster_name= ${AZURE_RESOURCE_PREFIX}-tsc-${CLUSTER}-aks)
+endif
+ az aks get-credentials --overwrite-existing -g ${cluster_rg} -n ${cluster_name}
+ kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)
 set-what-if:
 $(eval WHAT_IF=--what-if)
diff --git a/terraform/aks/providers.tf b/terraform/aks/providers.tf
index 2b71e729..0e23e53e 100644
--- a/terraform/aks/providers.tf
+++ b/terraform/aks/providers.tf
@@ -13,6 +13,14 @@ provider "kubernetes" {
 client_certificate = module.cluster_data.kubernetes_client_certificate
 client_key = module.cluster_data.kubernetes_client_key
 cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate
+ dynamic "exec" {
+ for_each = module.cluster_data.azure_RBAC_enabled ? [1] : []
+ content {
+ api_version = "client.authentication.k8s.io/v1beta1"
+ command = "kubelogin"
+ args = module.cluster_data.kubelogin_args
+ }
+ }
 }
 provider "statuscake" {
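Review bot: On the CI path of `get-cluster-credentials` (`GITHUB_ACTIONS` non-empty, so the `ifeq` block is skipped) nothing checks that `cluster_rg` and `cluster_name` were supplied, and both are expanded unquoted into the `az aks get-credentials` command line. An empty or space-containing value then changes how `az` parses its arguments instead of failing with a clear message. Add a guard line after `endif`, `$(if $(strip ${cluster_rg}),,$(error cluster_rg is not set))`, with the same line for `cluster_name`, and quote the expansions: `az aks get-credentials --overwrite-existing -g "${cluster_rg}" -n "${cluster_name}"`. A one-line comment above `kubelogin convert-kubeconfig` noting that `spn` mode presumably relies on variables exported by the `set-kubelogin-environment` action would document the coupling with the workflow change.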
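Review bot: When `module.cluster_data.azure_RBAC_enabled` is true the `provider "kubernetes"` block carries both the new `exec` credential and the existing `client_certificate`/`client_key` arguments, and the hunk does not show which of them the module leaves populated. If the module still returns certificate credentials in that case, the provider may keep authenticating with them rather than through Azure RBAC (inferred; the module outputs are outside this diff). Making the switch explicit would remove the doubt, e.g. `client_certificate = module.cluster_data.azure_RBAC_enabled ? null : module.cluster_data.kubernetes_client_certificate` and the same for `client_key`. `command = "kubelogin"` is resolved from PATH, so a comment stating that the binary must be installed wherever Terraform runs would help; the provider block starts above the hunk.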