Merge pull request #4496 from DFE-Digital/enable-azure-rbac-deployment

Enable azure rbac on deployment
DFE-Digital · Jan 31, 2024 · 35683b6 · 35683b6
2 parents 93910c1 + 64b834d
commit 35683b6
Show file tree

Hide file tree

Showing 8 changed files with 36 additions and 7 deletions.
diff --git a/.github/actions/backup-and-restore-snapshot-database/action.yml b/.github/actions/backup-and-restore-snapshot-database/action.yml
@@ -21,9 +21,13 @@ runs:
       with:
         creds: ${{ inputs.azure-credentials }}
 
+    - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+      with:
+        azure-credentials: ${{ inputs.azure-credentials }}
+
     - name: Set AKS credentials
       shell: bash
-      run: az aks get-credentials -g s189p01-tsc-pd-rg -n s189p01-tsc-production-aks
+      run: make ci production get-cluster-credentials
 
     - name: Install kubectl
       uses: azure/setup-kubectl@v3

diff --git a/.github/actions/backup-and-upload-database/action.yml b/.github/actions/backup-and-upload-database/action.yml
@@ -18,9 +18,13 @@ runs:
       with:
         creds: ${{ inputs.azure-credentials }}
 
+    - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+      with:
+        azure-credentials: ${{ inputs.azure-credentials }}
+
     - name: Set AKS credentials
       shell: bash
-      run: az aks get-credentials -g s189p01-tsc-pd-rg -n s189p01-tsc-production-aks
+      run: make ci production get-cluster-credentials
 
     - name: Install kubectl
       uses: azure/setup-kubectl@v3

diff --git a/.github/actions/deploy-environment-to-aks/action.yml b/.github/actions/deploy-environment-to-aks/action.yml
@@ -39,7 +39,7 @@ runs:
         terraform_version: 1.5.4
         terraform_wrapper: false
 
-    - uses: DFE-Digital/github-actions/set-arm-environment-variables@master
+    - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
       with:
         azure-credentials: ${{ inputs.azure-credentials }}
 
@@ -63,8 +63,11 @@ runs:
       if: ${{ inputs.pull-request-number != '' }}
       shell: bash
       run: |
-        az aks get-credentials --resource-group s189t01-tsc-ts-rg --name s189t01-tsc-test-aks
+        make ci review get-cluster-credentials
         kubectl exec -n cpd-development deployment/cpd-ecf-review-${{ inputs.pull-request-number }}-web -- sh -c "cd /app && /usr/local/bin/bundle exec rails db:safe_reset"
+      env:
+        PULL_REQUEST_NUMBER: ${{ inputs.pull-request-number }}
+
 
     - uses: ./.github/actions/smoke-test
       with:

diff --git a/.github/actions/refresh-migration-database/action.yml b/.github/actions/refresh-migration-database/action.yml
@@ -21,6 +21,10 @@ runs:
       with:
         creds: ${{ inputs.azure-credentials }}
 
+    - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+      with:
+        azure-credentials: ${{ inputs.azure-credentials }}
+
     - name: Install kubectl
       uses: azure/setup-kubectl@v3
 
@@ -30,7 +34,7 @@ runs:
 
     - name: Set AKS credentials (production)
       shell: bash
-      run: az aks get-credentials -g s189p01-tsc-pd-rg -n s189p01-tsc-production-aks
+      run: make ci production get-cluster-credentials
 
     - name: Backup production DB
       shell: bash

diff --git a/.github/actions/sanitise-and-upload-database/action.yml b/.github/actions/sanitise-and-upload-database/action.yml
@@ -33,9 +33,13 @@ runs:
       with:
         creds: ${{ inputs.azure-credentials }}
 
+    - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
+      with:
+        azure-credentials: ${{ inputs.azure-credentials }}
+
     - name: Set AKS credentials
       shell: bash
-      run: az aks get-credentials -g s189p01-tsc-pd-rg -n s189p01-tsc-production-aks
+      run: make ci production get-cluster-credentials
 
     - name: Install kubectl
       uses: azure/setup-kubectl@v3

diff --git a/.github/workflows/aks_destroy_review.yml b/.github/workflows/aks_destroy_review.yml
@@ -38,7 +38,7 @@ jobs:
             echo "TF_STATE_EXISTS=true" >> $GITHUB_ENV
           fi
 
-      - uses: DFE-Digital/github-actions/set-arm-environment-variables@master
+      - uses: DFE-Digital/github-actions/set-kubelogin-environment@master
         if: env.TF_STATE_EXISTS == 'true'
         with:
           azure-credentials: ${{ secrets.AZURE_CREDENTIALS }}

diff --git a/Makefile b/Makefile
@@ -146,6 +146,7 @@ production-cluster:
 
 get-cluster-credentials: set-azure-account
 	az aks get-credentials --overwrite-existing -g ${CLUSTER_RESOURCE_GROUP_NAME} -n ${CLUSTER_NAME}
+	kubelogin convert-kubeconfig -l $(if ${GITHUB_ACTIONS},spn,azurecli)
 
 .PHONY: install-konduit
 install-konduit: ## Install the konduit script, for accessing backend services

diff --git a/terraform/aks/providers.tf b/terraform/aks/providers.tf
@@ -17,6 +17,15 @@ provider "kubernetes" {
   client_certificate     = module.cluster_data.kubernetes_client_certificate
   client_key             = module.cluster_data.kubernetes_client_key
   cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate
+
+  dynamic "exec" {
+    for_each = module.cluster_data.azure_RBAC_enabled ? [1] : []
+    content {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = "kubelogin"
+      args        = module.cluster_data.kubelogin_args
+    }
+  }
 }
 
 provider "statuscake" {