feat(infraci/cluster/sponsored): Add admin service account and token (#…

…722) as per jenkins-infra/helpdesk#3923 (comment) Plan: 3 to add, 0 to change, 0 to destroy. add: - kubernetes_cluster_role_binding - kubernetes_secret - kubernetes_service_account
jenkins-infra · Jun 11, 2024 · fce7e5f · fce7e5f
1 parent c1dbf20
commit fce7e5f
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/infraci.jenkins.io-kubernetes-sponsored-agents.tf b/infraci.jenkins.io-kubernetes-sponsored-agents.tf
@@ -121,3 +121,21 @@ resource "azurerm_kubernetes_cluster_node_pool" "linux_arm64_agents_1_sponsorshi
 
   tags = local.default_tags
 }
+
+# Configure the jenkins-infra/kubernetes-management admin service account
+module "infracijenkinsio_agents_1_admin_sa_sponsorship" {
+  providers = {
+    kubernetes = kubernetes.infracijenkinsio_agents_1
+  }
+  source                     = "./.shared-tools/terraform/modules/kubernetes-admin-sa"
+  cluster_name               = azurerm_kubernetes_cluster.infracijenkinsio_agents_1.name
+  cluster_hostname           = azurerm_kubernetes_cluster.infracijenkinsio_agents_1.fqdn
+  cluster_ca_certificate_b64 = azurerm_kubernetes_cluster.infracijenkinsio_agents_1.kube_config.0.cluster_ca_certificate
+}
+output "kubeconfig_infracijenkinsio_agents_1" {
+  sensitive = true
+  value     = module.infracijenkinsio_agents_1_admin_sa_sponsorship.kubeconfig
+}
+output "infracijenkinsio_agents_1_kube_config_command" {
+  value = "az aks get-credentials --name ${azurerm_kubernetes_cluster.infracijenkinsio_agents_1.name} --resource-group ${azurerm_kubernetes_cluster.infracijenkinsio_agents_1.resource_group_name}"
+}
diff --git a/providers.tf b/providers.tf
@@ -35,6 +35,14 @@ provider "kubernetes" {
   cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.cijenkinsio_agents_1.kube_config.0.cluster_ca_certificate)
 }
 
+provider "kubernetes" {
+  alias                  = "infracijenkinsio_agents_1"
+  host                   = "https://${azurerm_kubernetes_cluster.infracijenkinsio_agents_1.fqdn}:443" # Cannot use the kubeconfig host as it provides a private DNS name
+  client_certificate     = base64decode(azurerm_kubernetes_cluster.infracijenkinsio_agents_1.kube_config.0.client_certificate)
+  client_key             = base64decode(azurerm_kubernetes_cluster.infracijenkinsio_agents_1.kube_config.0.client_key)
+  cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.infracijenkinsio_agents_1.kube_config.0.cluster_ca_certificate)
+}
+
 provider "postgresql" {
   /**
   Important: terraform must be allowed to reach this instance through the network. Check the followings: