-
-
Save jldeen/2aa48f34ad7c29e81510acaeae87fee6 to your computer and use it in GitHub Desktop.
#!/bin/bash | |
### Setup AppGateway V2 w/ multi namespace support | |
resourceGroup=jdk8s | |
k8sVnet=jdk8sVnet | |
appgwName=jdk8sappgw | |
appgwPublicIpName=appgwjdIP | |
# create dedicated appgateway vnet subnet | |
az network vnet subnet create \ | |
--name appgwsubnet \ | |
--resource-group $resourceGroup \ | |
--vnet-name $k8sVnet \ | |
--address-prefix 10.242.0.0/16 | |
# create public ip for app gateway | |
az network public-ip create \ | |
--resource-group $resourceGroup \ | |
--name $appgwPublicIpName \ | |
--allocation-method Static \ | |
--sku Standard | |
# Create the application gateway | |
az network application-gateway create \ | |
--name $appgwName \ | |
--location eastus \ | |
--resource-group $resourceGroup \ | |
--vnet-name $k8sVnet \ | |
--subnet appgwsubnet \ | |
--capacity 2 \ | |
--sku WAF_v2 \ | |
--http-settings-cookie-based-affinity Disabled \ | |
--frontend-port 80 \ | |
--http-settings-port 80 \ | |
--http-settings-protocol Http \ | |
--public-ip-address $appgwPublicIpName | |
# enable firewall mode detection | |
# need to update to network application-gateway waf-policy in future | |
az network application-gateway waf-config set \ | |
-g $resourceGroup \ | |
--gateway-name $appgwName \ | |
--enabled true \ | |
--firewall-mode Detection \ | |
--rule-set-version 3.0 | |
# Create http probe | |
az network application-gateway probe create \ | |
-g $resourceGroup \ | |
--gateway-name $appgwName \ | |
-n defaultprobe-Http \ | |
--protocol http \ | |
--host 127.0.0.1 \ | |
--timeout 30 \ | |
--path / | |
# Create https probe | |
az network application-gateway probe create \ | |
-g $resourceGroup \ | |
--gateway-name $appgwName \ | |
-n defaultprobe-Https \ | |
--protocol https \ | |
--host 127.0.0.1 \ | |
--timeout 30 \ | |
--path / | |
# Link http probe to application gateway | |
az network application-gateway http-settings update \ | |
-g $resourceGroup \ | |
--gateway-name $appgwName \ | |
-n appGatewayBackendHttpSettings \ | |
--probe defaultprobe-Http | |
# Install AAD Pod Identity to your cluster; installs Kubernetes CRDs: AzureIdentity, AzureAssignedIdentity, AzureIdentityBinding | |
## Be sure to switch to K8s cluster | |
kubectl create -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml | |
### setup aad pod identity w/ managed identity | |
az identity create \ | |
-g $resourceGroup \ | |
-n aadappGW | |
# capture clientId in variable | |
clientId=$(az identity show \ | |
-g $resourceGroup \ | |
-n aadappGW \ | |
--query 'clientId' \ | |
-o tsv) | |
# capture appgwId in variable | |
appgwId=$(az network application-gateway list --resource-group $resourceGroup --query '[].id' -o tsv) | |
# capture appgw resource group id in variable | |
appgwrgId=$(az group show -g $resourceGroup --query 'id' -o tsv) | |
# Give identity Contributor access to your Application Gateway | |
az role assignment create \ | |
--role Contributor \ | |
--assignee $clientId \ | |
--scope $appgwId | |
# Give identity Reader access to the Application Gateway resource group | |
az role assignment create \ | |
--role Reader \ | |
--assignee $clientId \ | |
--scope $appgwrgId | |
# capture necessary variables for helm config | |
applicationGatewayName=$(az network application-gateway list --resource-group $resourceGroup --query '[].name' -o tsv) | |
subscriptionId=$(az account show --query 'id' -o tsv) | |
identityClientId=$(az identity show -g $resourceGroup -n aadappGW --query 'clientId' -o tsv) | |
identityResourceId=$(az identity show -g $resourceGroup -n aadappGW --query 'id' -o tsv) | |
# download helm-config | |
wget https://raw.githubusercontent.com/Azure/application-gateway-kubernetes-ingress/master/docs/examples/sample-helm-config.yaml -O helm-config.yaml | |
# use said to replace <> field values with captured data | |
sed -i "" "s|<subscriptionId>|${subscriptionId}|g" helm-config.yaml | |
sed -i "" "s|<resourceGroupName>|${resourceGroup}|g" helm-config.yaml | |
sed -i "" "s|<applicationGatewayName>|${applicationGatewayName}|g" helm-config.yaml | |
sed -i "" "s|<identityResourceId>|${identityResourceId}|g" helm-config.yaml | |
sed -i "" "s|<identityClientId>|${identityClientId}|g" helm-config.yaml | |
### Optional tip - open helm-config.yaml and edit line 47 if using an RBAC enabled cluster | |
# add app gateway ingress helm chart repo and update repo | |
helm repo add application-gateway-kubernetes-ingress https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/ | |
helm repo update | |
# install appgw ingress using helm chart and helm-config.yaml | |
helm upgrade --install appgw-ingress-azure -f helm-config.yaml application-gateway-kubernetes-ingress/ingress-azure | |
# test deployment | |
wget https://raw.githubusercontent.com/jldeen/helm3-demo/master/jenkins-values-demo.yaml -O jenkins-values.yaml | |
# deploy to 2 different namespaces with 2 different hostnames | |
# hostname appgateway.ap.az.jessicadeen.com | |
helm upgrade jenkins --install --namespace default2 -f ./jenkins-values.yaml stable/jenkins | |
# hostname default.ap.az.jessicadeen.com | |
helm upgrade jenkins --install --namespace default -f ./jenkins-values.yaml stable/jenkins |
Thanks for the feedback @JorgeGuerrero-dev and @srinisachanta - question, did you follow the blog post and/or the video for this script? The identity and binding should have been covered - and we create the identity and role bindings starting at line 77 in the script here. You then create the AzureIdentity and Binding roles on the cluster using the helm-config downloaded on 116. Is there something extra you needed to do? If so, it would be helpful to understand if you have specific RBAC permissions on your cluster so I can add a note in to help others in the future. Thanks again!
Hi @jldeen. I followed the script. I am not sure helm-config is creating the AzureIdentity and Binding roles, I believe its just using them. I had to follow steps 3 and 5 here https://github.com/Azure/aad-pod-identity#deploy-the-azure-aad-identity-infra. to be able to setup.
This work for me, thanks!! @jldeen @srinisachanta