
Legacy

This section only applies if you have an existing Azure AD client registered in the IaC repository.

Why migrate?

  • Declarative provisioning, straight from your application's nais.yaml
  • No longer dependent on manual user approvals in multiple IaC repositories
  • No longer dependent on Vault
  • Credentials are rotated regularly, completely transparently to the application. This keeps credentials fresh and limits the impact of a leaked credential.
  • The exact same feature is present in the GCP clusters, which simplifies migration.

Pre-authorization

Communication between legacy clients provisioned through aad-iac and clients provisioned through NAIS requires some additional configuration.

Scenario 1

Allowing a NAIS client to access an aad-iac client

Prerequisites:

  • You have a legacy client registered in the aad-iac repository.
  • You would like to pre-authorize a client provisioned through NAIS.

Steps:

  • In the aad-iac definition of your legacy client, refer to the NAIS client by its fully qualified name (see naming format):
<cluster>:<namespace>:<app-name>

Example (a hypothetical NAIS application named my-app in the namespace my-team, deployed to the dev-gcp cluster):

dev-gcp:my-team:my-app

Scenario 2

Allowing an aad-iac client to access a NAIS client

Prerequisites:

  • You have a client provisioned through NAIS.
  • You would like to pre-authorize a legacy client registered in the aad-iac repository.

Steps:

  • Add the legacy client to the inbound access policy of your NAIS application in nais.yaml, referring to it by its application name, namespace and cluster as registered in aad-iac.

Example:

spec:
  accessPolicy:
    inbound:
      rules:
      - application: dkif
        namespace: team-rocket
        cluster: dev-fss

Migration guide - step by step

The following describes the steps needed to migrate an existing legacy client where you wish to keep the existing client ID and configuration.

If keeping the existing client ID and configuration is not important, it should be much easier to just provision new clients instead.

Warning

Be aware of the differences in tenants between the IaC repository and NAIS:

  • nonprod -> trygdeetaten.no
  • prod -> nav.no

Step 1 - Rename your application in the Azure Portal

The Display name of the application registered in the Azure Portal must match the fully qualified name format that NAIS expects (see naming format):
<cluster>:<namespace>:<app-name>

  • Go to the Branding tab for your client in the Azure Portal.
  • Update the Name.

Step 2 - Update your application (and any dependants) in the IaC repository

  • Ensure the name of the client registered in the IaC repository is updated to match the name set in step 1.
  • Ensure that any clients that reference the previous name in their preauthorizedapplications are also updated.

Step 3 - Deploy your NAIS application with Azure AD provisioning enabled

  • Deploy the application with Azure AD provisioning enabled in nais.yaml. The target cluster, namespace and application name must together form the name set in step 1, so that NAIS continues with the existing client instead of creating a new one.

Step 4 - Delete your application from the IaC repository

  • Verify that everything works after the migration.
  • Delete the application from the IaC repository in order to maintain a single source of truth.
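The following nais.yaml ties the migration steps together. It is an added example, not a manifest from the NAIS documentation: the application name my-app, the namespace my-team, the image reference and the target cluster dev-gcp are assumptions, while the inbound rule for the legacy client dkif is the one from scenario 2 above. Deployed to dev-gcp, this manifest corresponds to the fully qualified name dev-gcp:my-team:my-app, which is the Display name the Azure Portal application must carry after step 1 (and, since dev-gcp is a nonprod cluster, the trygdeetaten.no tenant).

```yaml
apiVersion: nais.io/v1alpha1
kind: Application
metadata:
  name: my-app          # <app-name> in <cluster>:<namespace>:<app-name> (assumed name)
  namespace: my-team    # <namespace> (assumed namespace)
  labels:
    team: my-team
spec:
  image: ghcr.io/navikt/my-app:1.0.0   # assumed image reference
  azure:
    application:
      enabled: true     # step 3: let NAIS provision and rotate the Azure AD client
  accessPolicy:
    inbound:
      rules:
        # scenario 2: legacy client still registered in aad-iac may call this app
        - application: dkif
          namespace: team-rocket
          cluster: dev-fss
```

Once this manifest is deployed and verified (step 4), the aad-iac definition of the client is removed; any other aad-iac clients that need to call my-app keep referring to it as dev-gcp:my-team:my-app in their preauthorizedapplications, as in scenario 1.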