SFDP-148 - Migrate to Workload Identity (#7)

* Migrate to workload identity * Bump package version * Add cluster ip to helm
DEFRA · Jan 17, 2025 · 5e5e441 · 5e5e441
1 parent 75d33a4
commit 5e5e441
Show file tree

Hide file tree

Showing 18 changed files with 22 additions and 23 deletions.
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -1,3 +1,3 @@
-@Library('defra-library@v-9') _
+@Library('defra-library@v-10') _
 
 buildNodeJs()
diff --git a/app/utils/storage.js b/app/utils/storage.js
@@ -1,5 +1,5 @@
 import { StorageSharedKeyCredential } from '@azure/storage-blob'
-import { ManagedIdentityCredential } from '@azure/identity'
+import { WorkloadIdentityCredential } from '@azure/identity'
 
 import { storageConfig } from '../config/index.js'
 
@@ -19,7 +19,7 @@ const getStorageCredential = (accountName, accessKey) => {
 
   console.log('Using Azure Identity Credential for account:', accountName)
 
-  return new ManagedIdentityCredential({ clientId: storageConfig.get('managedIdentityClientId') })
+  return new WorkloadIdentityCredential({ clientId: storageConfig.get('managedIdentityClientId') })
 }
 
 export {

diff --git a/appconfig/common.yaml b/appconfig/common.yaml
diff --git a/appconfig/dev.yaml b/appconfig/dev.yaml
diff --git a/appconfig/post-deployment-test.yaml b/appconfig/post-deployment-test.yaml
diff --git a/appconfig/prd.yaml b/appconfig/prd.yaml
diff --git a/appconfig/pre.yaml b/appconfig/pre.yaml
diff --git a/appconfig/snd2.yaml b/appconfig/snd2.yaml
diff --git a/appconfig/test.yaml b/appconfig/test.yaml
diff --git a/helm/fcp-fd-file-retriever/Chart.yaml b/helm/fcp-fd-file-retriever/Chart.yaml
@@ -5,5 +5,5 @@ name: fcp-fd-file-retriever
 version: 1.0.0
 dependencies:
 - name: ffc-helm-library
-  version: 4.6.0
+  version: 4.7.2
   repository: https://raw.githubusercontent.com/defra/ffc-helm-repository/master/
diff --git a/helm/fcp-fd-file-retriever/templates/azure-identity-binding.yaml b/helm/fcp-fd-file-retriever/templates/azure-identity-binding.yaml
diff --git a/helm/fcp-fd-file-retriever/templates/azure-identity.yaml b/helm/fcp-fd-file-retriever/templates/azure-identity.yaml
diff --git a/helm/fcp-fd-file-retriever/templates/service-account.yaml b/helm/fcp-fd-file-retriever/templates/service-account.yaml
@@ -0,0 +1,3 @@
+{{- include "ffc-helm-library.service-account" (list . "fcp-fd-file-processor.service-account") -}}
+{{- define "fcp-fd-file-processor.service-account" -}}
+{{- end -}}
diff --git a/helm/fcp-fd-file-retriever/values.yaml b/helm/fcp-fd-file-retriever/values.yaml
@@ -44,12 +44,16 @@ readinessProbe:
   failureThreshold: 3
   timeoutSeconds: 5
 
-usePodIdentity: true
+workloadIdentity: true
 
 azureIdentity:
   clientID: not-a-real-clientID
   resourceID: not-a-real-resourceID
 
+service:
+  port: 80
+  type: ClusterIP
+
 ingress:
   class: nginx
   endpoint: fcp-fd-file-retriever

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "fcp-fd-file-retriever",
-  "version": "0.3.1",
+  "version": "0.3.2",
   "description": "File retrieval service for Single Front Door",
   "homepage": "https://github.com/DEFRA/fcp-fd-file-retriever",
   "main": "app/index.js",

diff --git a/provision.azure.yaml b/provision.azure.yaml
@@ -0,0 +1,2 @@
+resources:
+  identity: fd-file-retriever
diff --git a/test/unit/storage/blob/clean.test.js b/test/unit/storage/blob/clean.test.js
@@ -1,7 +1,7 @@
 import { beforeEach, describe, expect, jest, test } from '@jest/globals'
 
 const mockSharedKeyCredential = jest.fn()
-const mockManagedIdentityCredential = jest.fn()
+const mockWorkloadIdentityCredential = jest.fn()
 
 const mockCreateIfNotExists = jest.fn()
 
@@ -17,7 +17,7 @@ jest.unstable_mockModule('@azure/storage-blob', () => ({
 }))
 
 jest.unstable_mockModule('@azure/identity', () => ({
-  ManagedIdentityCredential: mockManagedIdentityCredential
+  WorkloadIdentityCredential: mockWorkloadIdentityCredential
 }))
 
 describe('Clean Blob Storage Client', () => {
@@ -53,7 +53,7 @@ describe('Clean Blob Storage Client', () => {
 
       expect(client).toBeDefined()
       expect(mockSharedKeyCredential).toHaveBeenCalled()
-      expect(mockManagedIdentityCredential).not.toHaveBeenCalled()
+      expect(mockWorkloadIdentityCredential).not.toHaveBeenCalled()
 
       process.env = orginalEnv
     })
@@ -70,7 +70,7 @@ describe('Clean Blob Storage Client', () => {
       const { client } = await import('../../../../app/storage/blob/clean')
 
       expect(client).toBeDefined()
-      expect(mockManagedIdentityCredential).toHaveBeenCalled()
+      expect(mockWorkloadIdentityCredential).toHaveBeenCalled()
       expect(mockSharedKeyCredential).not.toHaveBeenCalled()
 
       process.env = orginalEnv