Skip to content

Instantly share code, notes, and snippets.

@jldeen
Last active April 29, 2020 03:01
Show Gist options
  • Save jldeen/2aa48f34ad7c29e81510acaeae87fee6 to your computer and use it in GitHub Desktop.
Save jldeen/2aa48f34ad7c29e81510acaeae87fee6 to your computer and use it in GitHub Desktop.
#!/bin/bash
### Setup AppGateway V2 w/ multi namespace support
resourceGroup=jdk8s
k8sVnet=jdk8sVnet
appgwName=jdk8sappgw
appgwPublicIpName=appgwjdIP
# create dedicated appgateway vnet subnet
az network vnet subnet create \
--name appgwsubnet \
--resource-group $resourceGroup \
--vnet-name $k8sVnet \
--address-prefix 10.242.0.0/16
# create public ip for app gateway
az network public-ip create \
--resource-group $resourceGroup \
--name $appgwPublicIpName \
--allocation-method Static \
--sku Standard
# Create the application gateway
az network application-gateway create \
--name $appgwName \
--location eastus \
--resource-group $resourceGroup \
--vnet-name $k8sVnet \
--subnet appgwsubnet \
--capacity 2 \
--sku WAF_v2 \
--http-settings-cookie-based-affinity Disabled \
--frontend-port 80 \
--http-settings-port 80 \
--http-settings-protocol Http \
--public-ip-address $appgwPublicIpName
# enable firewall mode detection
# need to update to network application-gateway waf-policy in future
az network application-gateway waf-config set \
-g $resourceGroup \
--gateway-name $appgwName \
--enabled true \
--firewall-mode Detection \
--rule-set-version 3.0
# Create http probe
az network application-gateway probe create \
-g $resourceGroup \
--gateway-name $appgwName \
-n defaultprobe-Http \
--protocol http \
--host 127.0.0.1 \
--timeout 30 \
--path /
# Create https probe
az network application-gateway probe create \
-g $resourceGroup \
--gateway-name $appgwName \
-n defaultprobe-Https \
--protocol https \
--host 127.0.0.1 \
--timeout 30 \
--path /
# Link http probe to application gateway
az network application-gateway http-settings update \
-g $resourceGroup \
--gateway-name $appgwName \
-n appGatewayBackendHttpSettings \
--probe defaultprobe-Http
# Install AAD Pod Identity to your cluster; installs Kubernetes CRDs: AzureIdentity, AzureAssignedIdentity, AzureIdentityBinding
## Be sure to switch to K8s cluster
kubectl create -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
### setup aad pod identity w/ managed identity
az identity create \
-g $resourceGroup \
-n aadappGW
# capture clientId in variable
clientId=$(az identity show \
-g $resourceGroup \
-n aadappGW \
--query 'clientId' \
-o tsv)
# capture appgwId in variable
appgwId=$(az network application-gateway list --resource-group $resourceGroup --query '[].id' -o tsv)
# capture appgw resource group id in variable
appgwrgId=$(az group show -g $resourceGroup --query 'id' -o tsv)
# Give identity Contributor access to your Application Gateway
az role assignment create \
--role Contributor \
--assignee $clientId \
--scope $appgwId
# Give identity Reader access to the Application Gateway resource group
az role assignment create \
--role Reader \
--assignee $clientId \
--scope $appgwrgId
# capture necessary variables for helm config
applicationGatewayName=$(az network application-gateway list --resource-group $resourceGroup --query '[].name' -o tsv)
subscriptionId=$(az account show --query 'id' -o tsv)
identityClientId=$(az identity show -g $resourceGroup -n aadappGW --query 'clientId' -o tsv)
identityResourceId=$(az identity show -g $resourceGroup -n aadappGW --query 'id' -o tsv)
# download helm-config
wget https://raw.githubusercontent.com/Azure/application-gateway-kubernetes-ingress/master/docs/examples/sample-helm-config.yaml -O helm-config.yaml
# use said to replace <> field values with captured data
sed -i "" "s|<subscriptionId>|${subscriptionId}|g" helm-config.yaml
sed -i "" "s|<resourceGroupName>|${resourceGroup}|g" helm-config.yaml
sed -i "" "s|<applicationGatewayName>|${applicationGatewayName}|g" helm-config.yaml
sed -i "" "s|<identityResourceId>|${identityResourceId}|g" helm-config.yaml
sed -i "" "s|<identityClientId>|${identityClientId}|g" helm-config.yaml
### Optional tip - open helm-config.yaml and edit line 47 if using an RBAC enabled cluster
# add app gateway ingress helm chart repo and update repo
helm repo add application-gateway-kubernetes-ingress https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/
helm repo update
# install appgw ingress using helm chart and helm-config.yaml
helm upgrade --install appgw-ingress-azure -f helm-config.yaml application-gateway-kubernetes-ingress/ingress-azure
# test deployment
wget https://raw.githubusercontent.com/jldeen/helm3-demo/master/jenkins-values-demo.yaml -O jenkins-values.yaml
# deploy to 2 different namespaces with 2 different hostnames
# hostname appgateway.ap.az.jessicadeen.com
helm upgrade jenkins --install --namespace default2 -f ./jenkins-values.yaml stable/jenkins
# hostname default.ap.az.jessicadeen.com
helm upgrade jenkins --install --namespace default -f ./jenkins-values.yaml stable/jenkins
@JorgeGuerreroTech
Copy link

This work for me, thanks!! @jldeen @srinisachanta

@jldeen
Copy link
Author

jldeen commented Apr 25, 2020

Thanks for the feedback @JorgeGuerrero-dev and @srinisachanta - question, did you follow the blog post and/or the video for this script? The identity and binding should have been covered - and we create the identity and role bindings starting at line 77 in the script here. You then create the AzureIdentity and Binding roles on the cluster using the helm-config downloaded on 116. Is there something extra you needed to do? If so, it would be helpful to understand if you have specific RBAC permissions on your cluster so I can add a note in to help others in the future. Thanks again!

@srinisachanta
Copy link

Hi @jldeen. I followed the script. I am not sure helm-config is creating the AzureIdentity and Binding roles, I believe its just using them. I had to follow steps 3 and 5 here https://github.com/Azure/aad-pod-identity#deploy-the-azure-aad-identity-infra. to be able to setup.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment