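#!/usr/bin/env bash
### Setup Application Gateway v2 (WAF_v2 SKU) with the AGIC ingress controller
### and AAD Pod Identity, with multi-namespace support.
#
# Prerequisites: az (logged in to the target subscription), kubectl (context
# pointed at the AKS cluster), helm (v3), wget and sed.
#
# Every name below can be overridden from the environment; the defaults are
# the ones from the original walkthrough.
set -euo pipefail

resourceGroup="${resourceGroup:-jdk8s}"
k8sVnet="${k8sVnet:-jdk8sVnet}"
appgwName="${appgwName:-jdk8sappgw}"
appgwPublicIpName="${appgwPublicIpName:-appgwjdIP}"
location="${location:-eastus}"
appgwSubnetName="${appgwSubnetName:-appgwsubnet}"
appgwSubnetPrefix="${appgwSubnetPrefix:-10.242.0.0/16}"
identityName="${identityName:-aadappGW}"
# WAF mode: Detection only logs requests that match the rule set, it does not
# block them. Use Prevention once the rules have been tuned against real
# traffic.
wafMode="${wafMode:-Detection}"
# Git refs for the upstream manifests/templates fetched below. "master"
# reproduces the original behaviour, but it is a moving target for something
# that is applied to the cluster with cluster-wide RBAC — pin to a release tag
# (or commit) you have reviewed before using this outside a demo.
aadPodIdentityRef="${aadPodIdentityRef:-master}"
agicRef="${agicRef:-master}"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

for tool in az kubectl helm wget sed; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# create dedicated Application Gateway subnet inside the AKS vnet
az network vnet subnet create \
  --name "$appgwSubnetName" \
  --resource-group "$resourceGroup" \
  --vnet-name "$k8sVnet" \
  --address-prefix "$appgwSubnetPrefix"

# create public ip for the Application Gateway (v2 requires a Standard SKU IP)
az network public-ip create \
  --resource-group "$resourceGroup" \
  --name "$appgwPublicIpName" \
  --allocation-method Static \
  --sku Standard

# Create the Application Gateway.
# NOTE: this only creates a plain HTTP listener on port 80 — no TLS listener
# or certificate is configured here, so anything exposed through it is
# unencrypted on the public side until a TLS listener is added (or AGIC
# ingress resources carry TLS secrets).
az network application-gateway create \
  --name "$appgwName" \
  --location "$location" \
  --resource-group "$resourceGroup" \
  --vnet-name "$k8sVnet" \
  --subnet "$appgwSubnetName" \
  --capacity 2 \
  --sku WAF_v2 \
  --http-settings-cookie-based-affinity Disabled \
  --frontend-port 80 \
  --http-settings-port 80 \
  --http-settings-protocol Http \
  --public-ip-address "$appgwPublicIpName"

# enable the WAF (mode controlled by $wafMode, Detection by default — see above)
# TODO: move to `az network application-gateway waf-policy` in future
az network application-gateway waf-config set \
  -g "$resourceGroup" \
  --gateway-name "$appgwName" \
  --enabled true \
  --firewall-mode "$wafMode" \
  --rule-set-version 3.0

# Create http probe
az network application-gateway probe create \
  -g "$resourceGroup" \
  --gateway-name "$appgwName" \
  -n defaultprobe-Http \
  --protocol http \
  --host 127.0.0.1 \
  --timeout 30 \
  --path /

# Create https probe (created for later use; only the http probe is linked below)
az network application-gateway probe create \
  -g "$resourceGroup" \
  --gateway-name "$appgwName" \
  -n defaultprobe-Https \
  --protocol https \
  --host 127.0.0.1 \
  --timeout 30 \
  --path /

# Link http probe to the default backend http settings
az network application-gateway http-settings update \
  -g "$resourceGroup" \
  --gateway-name "$appgwName" \
  -n appGatewayBackendHttpSettings \
  --probe defaultprobe-Http

# Install AAD Pod Identity on the cluster; installs the Kubernetes CRDs
# AzureIdentity, AzureAssignedIdentity and AzureIdentityBinding plus RBAC.
## Be sure kubectl's current context is the target K8s cluster.
# `apply` (rather than `create`) keeps this step re-runnable; the manifest is
# fetched from the ref in $aadPodIdentityRef (pin it — see the note above).
kubectl apply -f "https://raw.githubusercontent.com/Azure/aad-pod-identity/${aadPodIdentityRef}/deploy/infra/deployment-rbac.yaml"

### setup aad pod identity w/ a user-assigned managed identity
az identity create \
  -g "$resourceGroup" \
  -n "$identityName"

# capture the identity's clientId / resource id once; both are reused below
identityClientId=$(az identity show \
  -g "$resourceGroup" \
  -n "$identityName" \
  --query 'clientId' \
  -o tsv)
identityResourceId=$(az identity show \
  -g "$resourceGroup" \
  -n "$identityName" \
  --query 'id' \
  -o tsv)
[[ -n "$identityClientId" && -n "$identityResourceId" ]] || die "could not read identity $identityName"

# capture the gateway id by name — `application-gateway list --query '[].id'`
# returns every gateway in the resource group, which breaks the role scope as
# soon as a second gateway exists
appgwId=$(az network application-gateway show \
  -g "$resourceGroup" \
  -n "$appgwName" \
  --query 'id' \
  -o tsv)
[[ -n "$appgwId" ]] || die "could not read application gateway $appgwName"

# capture the resource group id
appgwrgId=$(az group show -g "$resourceGroup" --query 'id' -o tsv)

# Give the identity Contributor access to the Application Gateway.
# Contributor is broad (it can change every setting on the gateway, including
# listeners and the WAF config), so the scope is the single gateway resource —
# never widen it to the resource group or subscription.
# A freshly created identity can take a moment to replicate; if this fails
# with a "principal does not exist" style error, re-run the assignment.
az role assignment create \
  --role Contributor \
  --assignee "$identityClientId" \
  --scope "$appgwId"

# Give the identity read-only access to the resource group (needed to resolve
# the gateway and related resources)
az role assignment create \
  --role Reader \
  --assignee "$identityClientId" \
  --scope "$appgwrgId"

# remaining values for the helm config
subscriptionId=$(az account show --query 'id' -o tsv)

# download the sample helm-config (from the ref in $agicRef)
wget "https://raw.githubusercontent.com/Azure/application-gateway-kubernetes-ingress/${agicRef}/docs/examples/sample-helm-config.yaml" -O helm-config.yaml

# Fill the <placeholder> fields with the captured values. Written through a
# temp file because `sed -i` takes different arguments on GNU and BSD/macOS
# sed (the original `sed -i ""` only works on macOS). `|` is the sed
# delimiter because the resource ids contain `/`; the substituted values are
# az CLI output (GUIDs / ARM ids), not user input.
tmpConfig=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$tmpConfig"' EXIT
sed \
  -e "s|<subscriptionId>|${subscriptionId}|g" \
  -e "s|<resourceGroupName>|${resourceGroup}|g" \
  -e "s|<applicationGatewayName>|${appgwName}|g" \
  -e "s|<identityResourceId>|${identityResourceId}|g" \
  -e "s|<identityClientId>|${identityClientId}|g" \
  helm-config.yaml > "$tmpConfig"
mv -- "$tmpConfig" helm-config.yaml

### Optional tip - open helm-config.yaml and edit the rbac setting (line 47 in
### the sample at the time of writing) if using an RBAC enabled cluster

# add app gateway ingress helm chart repo and update repo
helm repo add application-gateway-kubernetes-ingress https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/
helm repo update

# install appgw ingress using helm chart and helm-config.yaml
helm upgrade --install appgw-ingress-azure -f helm-config.yaml application-gateway-kubernetes-ingress/ingress-azure

# test deployment — the values file carries the author's hostnames; edit them
# for your own domain before deploying
wget https://raw.githubusercontent.com/jldeen/helm3-demo/master/jenkins-values-demo.yaml -O jenkins-values.yaml

# deploy to 2 different namespaces with 2 different hostnames.
# helm 3 does not create a missing namespace by default, so make sure the
# second one exists first.
kubectl get namespace default2 >/dev/null 2>&1 || kubectl create namespace default2
# hostname appgateway.ap.az.jessicadeen.com
helm upgrade jenkins --install --namespace default2 -f ./jenkins-values.yaml stable/jenkins
# hostname default.ap.az.jessicadeen.com
helm upgrade jenkins --install --namespace default -f ./jenkins-values.yaml stable/jenkins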
Thanks @jldeen, very good tutorial! Could you explain this additional step, @srinisachanta? When I install appgw-ingress-azure with Helm, the pod crashes; in the log I can see "Creating authorizer from Azure Managed Service Identity". Could you help me?
Thanks!!
Hi
Yes I remember seeing that.
I had to do the steps outlined in this link, especially 3 and 5. You may also have to do step 6 if you are not using the identity associated with the node pool account.
Hope this helps, let me know otherwise.
This works for me, thanks!! @jldeen @srinisachanta
Thanks for the feedback @JorgeGuerrero-dev and @srinisachanta — question: did you follow the blog post and/or the video for this script? The identity and binding should have been covered — we create the identity and role bindings starting at line 77 in the script here, and you then create the AzureIdentity and Binding roles on the cluster using the helm-config downloaded on line 116. Is there something extra you needed to do? If so, it would be helpful to understand whether you have specific RBAC permissions on your cluster so I can add a note to help others in the future. Thanks again!
Hi @jldeen. I followed the script. I am not sure helm-config is creating the AzureIdentity and Binding roles; I believe it is just using them. I had to follow steps 3 and 5 here https://github.com/Azure/aad-pod-identity#deploy-the-azure-aad-identity-infra to be able to set it up.
Thanks @jldeen, this script helped me a lot in configuring the app gateway! Just as an FYI, one extra thing I had to do was configure the AzureIdentity and AzureIdentityBinding pod identity resources for the ingress controller (?)