Enable Azure RBAC changes

.github/actions/deploy/action.yml

@@ -80,7 +80,7 @@ runs:
           ${{ env.key_vault_app_secret_name }}
           ${{ env.key_vault_infra_secret_name }}
 
-    - uses: DFE-Digital/github-actions/set-arm-environment-variables@master
+    - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
       with:
         azure-credentials: ${{ inputs.azure-credentials }}
 
@@ -110,7 +110,7 @@ runs:
     - name: K8 setup
       shell: bash
       run: |
-        az aks get-credentials -g ${{ env.cluster_rg }} -n ${{ env.cluster_name }}
+        make ${{ inputs.environment }} get-cluster-credentials APP_NAME=${APP_NAME}
         make install-konduit
 
     - name: Generate example data

.github/workflows/delete-review-app.yml

@@ -45,7 +45,7 @@ jobs:
         with:
           terraform_version: ${{ env.TERRAFORM_VERSION }}
 
-      - uses: DFE-Digital/github-actions/set-arm-environment-variables@master
+      - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
         if: env.TF_STATE_EXISTS == 'true'
         with:
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}

Makefile

@@ -16,24 +16,24 @@ install-fetch-config:
 		&& chmod +x bin/fetch_config.rb \
 		|| true
 
-review:
+review: test-cluster
 	$(if $(APP_NAME), , $(error Missing environment variable "APP_NAME", Please specify a pr number for your review app))
 	$(eval include global_config/review.sh)
 	$(eval DEPLOY_ENV=review)
 	$(eval export TF_VAR_app_name=$(APP_NAME))
 	echo https://check-childrens-barred-list-$(APP_NAME).test.teacherservices.cloud will be created in aks
 
-test:
+test: test-cluster
 	$(eval include global_config/test.sh)
 	$(eval DEPLOY_ENV=test)
 	echo https://check-childrens-barred-list-test.test.teacherservices.cloud will be created in aks
 
-preproduction:
+preproduction: production-cluster
 	$(eval include global_config/preproduction.sh)
 	$(eval DEPLOY_ENV=preproduction)
 	echo https://check-childrens-barred-list-preproduction.test.teacherservices.cloud will be created in aks
 
-production:
+production: production-cluster
 	$(eval include global_config/production.sh)
 	$(eval DEPLOY_ENV=production)
 	echo https://check-childrens-barred-list-production.teacherservices.cloud will be created in aks
@@ -99,8 +99,17 @@ print-app-secrets: read-tf-config install-fetch-config set-azure-account
 print-infra-secrets: read-tf-config install-fetch-config set-azure-account
 	bin/fetch_config.rb -s azure-key-vault-secret:${key_vault_name}/${key_vault_infra_secret_name} -f yaml
 
-get-cluster-credentials: read-cluster-config set-azure-account ## make <config> get-cluster-credentials [ENVIRONMENT=<clusterX>]
-	az aks get-credentials --overwrite-existing -g ${AZURE_RESOURCE_PREFIX}-tsc-${CLUSTER_SHORT}-rg -n ${AZURE_RESOURCE_PREFIX}-tsc-${CLUSTER}-aks
+test-cluster:
+	$(eval CLUSTER_RESOURCE_GROUP_NAME=s189t01-tsc-ts-rg)
+	$(eval CLUSTER_NAME=s189t01-tsc-test-aks)
+
+production-cluster:
+	$(eval CLUSTER_RESOURCE_GROUP_NAME=s189p01-tsc-pd-rg)
+	$(eval CLUSTER_NAME=s189p01-tsc-production-aks)
+
+get-cluster-credentials: set-azure-account
+	az aks get-credentials --overwrite-existing -g ${CLUSTER_RESOURCE_GROUP_NAME} -n ${CLUSTER_NAME}
+	kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)
 
 set-what-if:
 	$(eval WHAT_IF=--what-if)

docs/aks-cheatsheet.md

@@ -52,31 +52,10 @@ Example: Activate `s189-teacher-services-cloud-test`. It will be approved automa
 az login
 ```
 
-Select account for az:
+Get access credentials for a managed Kubernetes cluster (passing the environment name):
 
 ```shell
-az account set -s s189-teacher-services-cloud-test
-```
-
-Get access credentials for a managed Kubernetes cluster (passing the
-resource group and the name):
-
-```shell
-az aks get-credentials -g s189t01-tsc-ts-rg -n s189t01-tsc-test-aks
-```
-
-When you have multiple cluster credentials loaded, you can switch between clusters
-
-Display current context (current cluster will have an asterisk next to it)
-
-```shell
-kubectl config get-contexts
-```
-
-Switch to production cluster
-
-```shell
-kubectl config use-context s189p01-tsc-production-aks
+make review get-cluster-credentials
 ```
 
 ## Show namespaces

terraform/aks/providers.tf

@@ -13,6 +13,14 @@ provider "kubernetes" {
   client_certificate     = module.cluster_data.kubernetes_client_certificate
   client_key             = module.cluster_data.kubernetes_client_key
   cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate
+  dynamic "exec" {
+    for_each = module.cluster_data.azure_RBAC_enabled ? [1] : []
+    content {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = "kubelogin"
+      args        = module.cluster_data.kubelogin_args
+    }
+  }
 }
 
 provider "statuscake" {