grant cluster admin to the gh action principal

Signed-off-by: Gerd Oberlechner <[email protected]>
Azure · Oct 28, 2024 · 3bd7fd3 · 3bd7fd3
1 parent 8dbeb25
commit 3bd7fd3
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 6 deletions.
diff --git a/.github/workflows/aro-hcp-dev-env-cd.yml b/.github/workflows/aro-hcp-dev-env-cd.yml
@@ -150,7 +150,7 @@
         - name: 'Deploy'
           run: |
             cd dev-infrastructure/
-            make svc svc.aks.admin-access svc.enable-aks-metrics
+            PRINCIPAL_ID=${{ secrets.GHA_PRINCIPAL_ID }} make svc svc.aks.admin-access svc.enable-aks-metrics
 
             # grant GH action user access to resources
             PRINCIPAL_ID=${{ secrets.GHA_PRINCIPAL_ID }} make dev-role-assignments
@@ -181,7 +181,7 @@
         - name: 'Deploy or Update'
           run: |
             cd dev-infrastructure/
-            make mgmt mgmt.aks.admin-access mgmt.enable-aks-metrics
+            PRINCIPAL_ID=${{ secrets.GHA_PRINCIPAL_ID }} make mgmt mgmt.aks.admin-access mgmt.enable-aks-metrics
 
     build_push_frontend:
       permissions:
@@ -293,6 +293,9 @@
           with:
             fetch-depth: 1
 
+        - name: Install Azure CLI
+          uses: ./.github/actions/install-azure-cli
+
         - name: Build image-sync container image
           run: |
             cd tooling/image-sync
@@ -306,9 +309,6 @@
             tenant-id: ${{ secrets.AZURE_TENANT_ID }}
             subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-        - name: Install Azure CLI
-          uses: ./.github/actions/install-azure-cli
-
         - name: Push image-sync container image
           #if: github.event.pull_request.merged == true
           run: |

diff --git a/dev-infrastructure/scripts/aks-admin-access.sh b/dev-infrastructure/scripts/aks-admin-access.sh
@@ -2,7 +2,11 @@
 set -e
 
 RESOURCEGROUP=$1
-CURRENTUSER_CLIENT_ID=$(az ad signed-in-user show -o json | jq -r '.id')
+if [ -z "$PRINCIPAL_ID" ]; then
+    CURRENTUSER_CLIENT_ID=$(az ad signed-in-user show -o json | jq -r '.id')
+else
+    CURRENTUSER_CLIENT_ID=$PRINCIPAL_ID
+fi
 CLUSTER_ID=$(az aks list -g $RESOURCEGROUP -o json | jq -r .[0].id)
 
 az role assignment create --assignee $CURRENTUSER_CLIENT_ID --role "Azure Kubernetes Service RBAC Cluster Admin" --scope $CLUSTER_ID