brentmcconnell/cert-manager.sh

## cert-manager.sh
#!/bin/bash
set -e

K8S_CONTEXT=$(kubectl config current-context)

echo -e "K8S_CONTEXT:      $K8S_CONTEXT\n"

# Verify if we want to proceed
read -p "Are you sure you want to install cert-manager [y/N]?"
if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
    exit
fi

##################
# Setup Cert-Manager #
##################
kubectl apply \
  --validate=false \
  -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.13/deploy/manifests/00-crds.yaml

# Create namespace
kubectl create namespace cert-manager

# Label the ingress namespace to disable resource validation
kubectl label namespace ingress cert-manager.io/disable-validation=true

# Label the cert-manager namespace to disable resource validation
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io

# Update your local Helm chart repository cache
helm repo update

# Install the cert-manager Helm chart
helm install cert-manager \
    --wait --namespace cert-manager \
    --version v0.13.0 \
    jetstack/cert-manager

# Setup ClusterIssuer
cat <<-EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: $LETS_ENCRYPT_EMAIL
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx
EOF

## external-dns.sh
#!/bin/bash
set -e

AZURE_CLOUD=${AZURE_CLOUD-AzureUSGovernmentCloud}
LOCATION=${LOCATION-usgovvirginia}
SP_NAME=${SP_NAME-AKS_DNS_SP_$RANDOM}
K8S_CONTEXT=$(kubectl config current-context)

if [[ -z "$DOMAIN_NAME" || -z "$DNS_RG" ]]; then
    echo "ERROR: Some Environment variables are missing!"
    echo -e "ERROR: The following are required:\n"
    echo "       DNS_RG:                    Resource Group for DNS Zone"
    echo "       DOMAIN_NAME:               Domain Name (ie. example.com)"
    echo "       LOCATION (optional):       Azure region.  Default is usgovvirginia"
    echo "       AZURE_CLOUD (optional):    Selected Azure Cloud.  "
    echo "               Default is AzureUSGovernmentCloud."
    echo "               Use 'AzurePublicCloud' for Commercial"
    exit 1
fi

echo "DNS_RG:           $DNS_RG"
echo "DOMAIN_NAME:      $DOMAIN_NAME"
echo "LOCATION:         $LOCATION"
echo "AZURE_CLOUD:      $AZURE_CLOUD"
echo -e "K8S_CONTEXT:      $K8S_CONTEXT\n"

# Verify if we want to proceed
read -p "Are you sure you want to install external-dns [y/N]?"
if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
    exit
fi

# Create RG for DNS Zone.  If one already exists
# return the id for it.
DNS_RG_ID=$(
    az group create \
    --name $DNS_RG \
    --location $LOCATION \
    --query id -o tsv
)
# Create DNS Zone.  If one already exists
# return id for it.
DNS_ZONE_ID=$(
    az network dns zone create \
    -g $DNS_RG -n $DOMAIN_NAME \
    --query id -o tsv
)
# Create Service Principal
SP_TOKEN=$(az ad sp create-for-rbac -n $SP_NAME -o json)

# Grab info from the Service Principal
SP_APPID=$(echo $SP_TOKEN | jq -e -r 'select(.appId != null) | .appId')
SP_TENANTID=$(echo $SP_TOKEN | jq -e -r 'select(.tenant != null) | .tenant')
SP_PASSWORD=$(echo $SP_TOKEN | jq -e -r 'select(.password != null) | .password')
SUBSCRIPTION_ID=$(az account show --query id -o tsv)

# Assign Reader to SP for RG
az role assignment create \
    --role "Reader" \
    --assignee $SP_APPID \
    --scope $DNS_RG_ID 1>/dev/null

# Assign Contributor to SP for DNSZone
az role assignment create \
    --role "Contributor" \
    --assignee $SP_APPID \
    --scope $DNS_ZONE_ID 1>/dev/null

# Add bitnami repo for external-dns chart
helm repo add bitnami https://charts.bitnami.com/bitnami

# Create namespace for external-dns
kubectl create namespace external-dns

# Install external-dns chart
helm install external-dns bitnami/external-dns \
    --wait --namespace external-dns \
    --set provider=azure \
    --set azure.resourceGroup=AzureDNS \
    --set azure.tenantId=$SP_TENANTID \
    --set azure.subscriptionId=$SUBSCRIPTION_ID \
    --set azure.aadClientId=$SP_APPID \
    --set azure.aadClientSecret=$SP_PASSWORD \
    --set azure.cloud=$AZURE_CLOUD \
    --set policy=sync \
    --set domainFilters={$DOMAIN_NAME}

echo "=================================================="
echo "Current DNS Nameservers for $DOMAIN_NAME"
host -t ns $DOMAIN_NAME

echo "NOTE: ++++++++++++++++++++++++++++++++++++++++++++"
echo "      Ensure your domain registrar is using"
echo "      the following DNS nameservers for resolution"
echo "      before continuing."
echo "      +++++++++++++++++++++++++++++++++++++++++++++"
az network dns zone show \
    -g $DNS_RG -n $DOMAIN_NAME \
    -o tsv --query nameServers

## full-install.sh
#!/bin/bash
set -e

color()(set -o pipefail;"$@" 2>&1>&3|sed $'s,.*,\e[31m&\e[m,'>&2)3>&1

validateTools() {
    command -v az 2&> /dev/null
    if [ $? -ne 0 ]; then
        echo "ERROR: Requires Azure CLI (az).  Aborting..."
        exit 1
    fi

    command -v kubectl 2&> /dev/null
    if [ $? -ne 0 ]; then
        echo "ERROR: Requires Kubectl (kubectl). Aborting..."
        exit 1
    fi

    command -v jq 2&> /dev/null
    if [ $? -ne 0 ]; then
        echo "ERROR: Requires JQuery (jq). Aborting..."
        exit 1
    fi

    command -v helm 2&> /dev/null
    if [ $? -ne 0 ]; then
        echo "ERROR: Requires Helm v3.1.2_1+ (helm). Aborting..."
        exit 1
    fi
}

validateTools
# For Important Info
CRED='\033[1;40;41m'
CEND='\033[0m'

AKS_CREATE=${AKS_CREATE-true}
if [ "$AKS_CREATE" != "true" ]; then
    if [[ -z "$RG" || -z "$AKS_NAME" ]]; then
        echo "ERROR: Set RG and AKS_NAME as environment variables to continue."
        echo "Otherwise unset AKS_CREATE environment varialbe or set to 'true'."
        exit 1
    fi
fi
RND=$(echo $RANDOM | grep -o ..$)
RG=${RG-AKS-$RND-RG}
NODESIZE=${NODESIZE-Standard_DS2_v2}
NODECOUNT=${NODECOUNT-2}
LOCATION=${LOCATION-usgovvirginia}
AKS_NAME=${AKS_NAME-AKSCluster-$RND}
DNS_RG=${DNS_RG-AzureDNS}
DOMAIN_NAME=${DOMAIN_NAME-designingdevops.com}
SP_NAME=${SP_NAME-AKS_DNS_SP_$RANDOM}
AZURE_CLOUD=${AZURE_CLOUD-AzureUSGovernmentCloud}
K8S_CONTEXT=$(kubectl config current-context)

echo "RG:           $RG"
echo "AKS_NAME:     $AKS_NAME"
echo "NODESIZE:     $NODESIZE"
echo "LOCATION:     $LOCATION"
echo "DNS_RG:       $DNS_RG"
echo "DOMAIN_NAME:  $DOMAIN_NAME"
echo "AKS_CREATE:   $AKS_CREATE"
echo "NODECOUNT:    $NODECOUNT"
echo "AZURE_CLOUD:  $AZURE_CLOUD"
if [ "$AKS_CREATE" != "true" ]; then
    echo "K8S_CONTEXT:  $K8S_CONTEXT"
    if [ "$K8S_CONTEXT" != "$AKS_NAME" ]; then
        echo -e "\nERROR: Your existing K8S_CONTEXT should match your AKS_NAME\n"
        exit 1
    fi
    echo -e "\nNOTE: Will NOT Create AKS Cluster"
    echo -e "Will use $CRED $K8S_CONTEXT $CEND as target!\n"
else
    if [ "$K8S_CONTEXT" == "$AKS_NAME" ]; then
        echo "K8S_CONTEXT:  $K8S_CONTEXT"
        echo -e "\n$CRED ERROR: K8S_CONTEXT cannot match AKS_NAME for new clusters. $CEND"
        echo "You may have environment variables set."
        echo "During cluster create unset RG and AKS_NAME"
        echo "or set to something different."
        exit 1
    fi
fi

# Verify if we want to proceed
echo "NOTE: Override the above defaults with environment variables!"
read -p "Are you sure you want to Proceed [y/N]?"
if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
    exit
fi

if [ "$AKS_CREATE" == "true" ]; then
    ###############################################
    # CREATE AKS CLUSTER ==========================
    ###############################################
    echo "Creating AKS Cluster named=$AKS_NAME in $RG"
    az group create -l $LOCATION -n $RG 1>/dev/null

    az aks create \
        --resource-group $RG \
        --name $AKS_NAME \
        --vm-set-type VirtualMachineScaleSets \
        --node-count $NODECOUNT \
        --load-balancer-sku standard \
        --node-vm-size $NODESIZE \
        --generate-ssh-keys \
        --location $LOCATION 1>/dev/null

    az aks get-credentials \
        --name $AKS_NAME \
        --resource-group $RG 1>/dev/null
fi

###############################################
# CREATE NGINX INGRESS WITH STATIC IP =========
###############################################
# Get the Resource Group of our AKS Cluster
echo "Installing NGINX on $AKS_NAME!!"
AKS_CLUSTER_RG=$(
    az aks show \
    --resource-group $RG \
    --name $AKS_NAME \
    --query nodeResourceGroup -o tsv
)

# Create a Public IP and get the id of the address.  If one exists already
# in the RG with the same name.  The existing IP will be returned.
PUBLIC_IP=$(
    az network public-ip create \
    --resource-group $AKS_CLUSTER_RG \
    --name IP-PublicIP1 \
    --sku Standard \
    --allocation-method static \
    --query publicIp.ipAddress -o tsv
)
echo "Created/Retrieved Azure PublicIP=$PUBLIC_IP"

# Add stable chart repo
helm repo add stable https://kubernetes-charts.storage.googleapis.com

# Create namespace for Ingress
kubectl create namespace ingress || true

# Use Helm to deploy an NGINX ingress controller with static IP
helm install nginx-ingress stable/nginx-ingress  \
    --wait --namespace ingress \
    --set controller.replicaCount=2 \
    --set controller.service.loadBalancerIP="$PUBLIC_IP" \
    --set controller.publishService.enabled=true \
    --set controller.publishService.pathOverride=ingress/nginx-ingress-controller


###############################################
# CREATE EXTERNALDNS SERVICE ==================
###############################################
# Create RG for DNS Zone.  If one already exists
# return the id for it.
DNS_RG_ID=$(
    az group create \
    --name $DNS_RG \
    --location $LOCATION \
    --query id -o tsv
)

# Create DNS Zone.  If one already exists
# return id for it.
DNS_ZONE_ID=$(
    az network dns zone create \
    -g $DNS_RG -n $DOMAIN_NAME \
    --query id -o tsv
)

# Create Service Principal
SP_TOKEN=$(az ad sp create-for-rbac -n $SP_NAME -o json)

# Grab info from the Service Principal
SP_APPID=$(echo $SP_TOKEN | jq -e -r 'select(.appId != null) | .appId')
SP_TENANTID=$(echo $SP_TOKEN | jq -e -r 'select(.tenant != null) | .tenant')
SP_PASSWORD=$(echo $SP_TOKEN | jq -e -r 'select(.password != null) | .password')
SUBSCRIPTION_ID=$(az account show --query id -o tsv)

# Assign Reader to SP for RG
az role assignment create \
    --role "Reader" \
    --assignee $SP_APPID \
    --scope $DNS_RG_ID 1>/dev/null

# Assign Contributor to SP for DNSZone
az role assignment create \
    --role "Contributor" \
    --assignee $SP_APPID \
    --scope $DNS_ZONE_ID 1>/dev/null

# Add bitnami repo for external-dns chart
helm repo add bitnami https://charts.bitnami.com/bitnami

# Create namespace for external-dns
kubectl create namespace external-dns

# Install external-dns chart
helm install external-dns bitnami/external-dns \
    --wait --namespace external-dns \
    --set provider=azure \
    --set azure.resourceGroup=AzureDNS \
    --set azure.tenantId=$SP_TENANTID \
    --set azure.subscriptionId=$SUBSCRIPTION_ID \
    --set azure.aadClientId=$SP_APPID \
    --set azure.aadClientSecret=$SP_PASSWORD \
    --set azure.cloud=$AZURE_CLOUD \
    --set policy=sync \
    --set domainFilters={$DOMAIN_NAME}

echo "=================================================="
echo "Current DNS Nameservers for $DOMAIN_NAME"
host -t ns $DOMAIN_NAME

echo "NOTE: ++++++++++++++++++++++++++++++++++++++++++++"
echo "      Ensure your domain registrar is using"
echo "      the following DNS nameservers for resolution"
echo "      before continuing."
echo "      +++++++++++++++++++++++++++++++++++++++++++++"

az network dns zone show \
    -g $DNS_RG -n $DOMAIN_NAME \
    -o tsv --query nameServers

###############################################
# CREATE CERT-MANAGER SERVICE==================
###############################################
kubectl apply \
  --validate=false \
  -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.13/deploy/manifests/00-crds.yaml

# Create namespace
kubectl create namespace cert-manager

# Label the ingress namespace to disable resource validation
kubectl label namespace ingress cert-manager.io/disable-validation=true

# Label the cert-manager namespace to disable resource validation
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io

# Update your local Helm chart repository cache
helm repo update

# Install the cert-manager Helm chart
helm install cert-manager \
    --wait --namespace cert-manager \
    --version v0.13.0 \
    jetstack/cert-manager

# Setup ClusterIssuer
cat <<-EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: $LETS_ENCRYPT_EMAIL
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx
EOF

## k8s.sh
#!/bin/bash

set -e
validateTools() {
    command -v az 2&> /dev/null
    if [ $? -ne 0 ]; then
        echo "ERROR: Requires Azure CLI (az).  Aborting..."
        exit 1
    fi
    command -v az 2&> /dev/null
    if [ $? -ne 0 ]; then
        echo "ERROR: Requires Azure CLI (az).  Aborting..."
        exit 1
    fi
    command -v kubectl 2&> /dev/null
    if [ $? -ne 0 ]; then
        echo "ERROR: Requires Kubectl (kubectl). Aborting..."
        exit 1
    fi
    command -v helm 2&> /dev/null
    if [ $? -ne 0 ]; then
        echo "ERROR: Requires Helm v3.1.2_1+ (helm). Aborting..."
        exit 1
    fi
}
validateTools

RND=$(echo $RANDOM | grep -o ..$)
RG=${RG-AKS-$RND-RG}
NODESIZE=${NODESIZE-Standard_DS2_v2}
NODECOUNT=${NODECOUNT-2}
LOCATION=${LOCATION-usgovvirginia}
AKS_NAME=${AKS_NAME-AKSCluster-$RND}

echo "RND:          $RND"
echo "RG:           $RG"
echo "NODESIZE:     $NODESIZE"
echo "NODECOUNT:    $NODECOUNT"
echo "LOCATION:     $LOCATION"
echo "AKS_NAME:     $AKS_NAME"

# Verify if we want to proceed
read -p "Are you sure you wish to create an AKS Cluster [y/N]?"
if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
    exit
fi

az group create -l $LOCATION -n $RG

az aks create \
    --resource-group $RG \
    --name $AKS_NAME \
    --vm-set-type VirtualMachineScaleSets \
    --node-count $NODECOUNT \
    --load-balancer-sku standard \
    --node-vm-size $NODESIZE \
    --generate-ssh-keys \
    --location $LOCATION

az aks get-credentials \
    --name $AKS_NAME \
    --resource-group $RG


## nginx-ingress.yaml
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nginx
  annotations:
    nginx.ingress.kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  tls:
  - hosts:
    - nginx.designingdevops.com
    secretName: tls-secret
  rules:
  - host: nginx.designingdevops.com
    http:
      paths:
      - backend:
          serviceName: nginx-svc
          servicePort: 80
        path: /


## nginx.sh
#!/bin/bash
# This script creates an Azure Public IP and binds
# an the NGINX Ingress controller to it

set -e

if [[ -z "$RG" || -z "$AKS_NAME" ]]; then
    echo "ERROR: Some Environment variables are missing!"
    echo -e "ERROR: These are required:\n"
    echo "       RG: Resource Group"
    echo "       AKS_NAME: AKS.Cluster Name"
    echo "       LOCATION (optional): Azure region.  Default is usgovvirginia"
    exit 1
fi

LOCATION=${LOCATION-usgovvirginia}
K8S_CONTEXT=$(kubectl config current-context)

echo "AKS_NAME:             $AKS_NAME"
echo "RG:                   $RG"
echo "LOCATION:             $LOCATION"
echo -e "K8S_CONTEXT:          $K8S_CONTEXT\n"

# Verify if we want to proceed
read -p "Are you sure you want to install NGINX [y/N]?"
if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
    exit
fi

# Get the Resource Group of our AKS Cluster
AKS_CLUSTER_RG=$(
    az aks show \
    --resource-group $RG \
    --name $AKS_NAME \
    --query nodeResourceGroup -o tsv
)
# Create a Public IP and get the id of the address.  If one exists already
# in the RG with the same name.  The existing IP will be returned.
PUBLIC_IP=$(
    az network public-ip create \
    --resource-group $AKS_CLUSTER_RG \
    --name IP-PublicIP1 \
    --sku Standard \
    --allocation-method static \
    --query publicIp.ipAddress -o tsv
)
# Add stable chart repo
helm repo add stable https://kubernetes-charts.storage.googleapis.com

# Create namespace for Ingress
kubectl create namespace ingress

# Use Helm to deploy an NGINX ingress controller with static IP
helm install nginx-ingress stable/nginx-ingress  \
    --wait --namespace ingress \
    --set controller.replicaCount=2 \
    --set controller.service.loadBalancerIP="$PUBLIC_IP" \
    --set controller.publishService.enabled=true \
    --set controller.publishService.pathOverride=ingress/nginx-ingress-controller

## nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx
        name: nginx
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: ClusterIP

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nginx
  annotations:
    nginx.ingress.kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  tls:
  - hosts:
    - nginx.designingdevops.com
    secretName: tls-secret
  rules:
  - host: nginx.designingdevops.com
    http:
      paths:
      - backend:
          serviceName: nginx-svc
          servicePort: 80
        path: /
	#!/bin/bash
	set -e

	K8S_CONTEXT=$(kubectl config current-context)

	echo -e "K8S_CONTEXT: $K8S_CONTEXT\n"

	# Verify if we want to proceed
	read -p "Are you sure you want to install cert-manager [y/N]?"
	if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
	exit
	fi

	##################
	# Setup Cert-Manager #
	##################
	kubectl apply \
	--validate=false \
	-f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.13/deploy/manifests/00-crds.yaml

	# Create namespace
	kubectl create namespace cert-manager

	# Label the ingress namespace to disable resource validation
	kubectl label namespace ingress cert-manager.io/disable-validation=true

	# Label the cert-manager namespace to disable resource validation
	kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

	# Add the Jetstack Helm repository
	helm repo add jetstack https://charts.jetstack.io

	# Update your local Helm chart repository cache
	helm repo update

	# Install the cert-manager Helm chart
	helm install cert-manager \
	--wait --namespace cert-manager \
	--version v0.13.0 \
	jetstack/cert-manager

	# Setup ClusterIssuer
	cat <<-EOF \| kubectl apply -f -
	apiVersion: cert-manager.io/v1alpha2
	kind: ClusterIssuer
	metadata:
	name: letsencrypt
	spec:
	acme:
	server: https://acme-v02.api.letsencrypt.org/directory
	email: $LETS_ENCRYPT_EMAIL
	privateKeySecretRef:
	name: letsencrypt
	solvers:
	- http01:
	ingress:
	class: nginx
	EOF
	#!/bin/bash
	set -e

	AZURE_CLOUD=${AZURE_CLOUD-AzureUSGovernmentCloud}
	LOCATION=${LOCATION-usgovvirginia}
	SP_NAME=${SP_NAME-AKS_DNS_SP_$RANDOM}
	K8S_CONTEXT=$(kubectl config current-context)

	if [[ -z "$DOMAIN_NAME" \|\| -z "$DNS_RG" ]]; then
	echo "ERROR: Some Environment variables are missing!"
	echo -e "ERROR: The following are required:\n"
	echo " DNS_RG: Resource Group for DNS Zone"
	echo " DOMAIN_NAME: Domain Name (ie. example.com)"
	echo " LOCATION (optional): Azure region. Default is usgovvirginia"
	echo " AZURE_CLOUD (optional): Selected Azure Cloud. "
	echo " Default is AzureUSGovernmentCloud."
	echo " Use 'AzurePublicCloud' for Commercial"
	exit 1
	fi

	echo "DNS_RG: $DNS_RG"
	echo "DOMAIN_NAME: $DOMAIN_NAME"
	echo "LOCATION: $LOCATION"
	echo "AZURE_CLOUD: $AZURE_CLOUD"
	echo -e "K8S_CONTEXT: $K8S_CONTEXT\n"

	# Verify if we want to proceed
	read -p "Are you sure you want to install external-dns [y/N]?"
	if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
	exit
	fi

	# Create RG for DNS Zone. If one already exists
	# return the id for it.
	DNS_RG_ID=$(
	az group create \
	--name $DNS_RG \
	--location $LOCATION \
	--query id -o tsv
	)
	# Create DNS Zone. If one already exists
	# return id for it.
	DNS_ZONE_ID=$(
	az network dns zone create \
	-g $DNS_RG -n $DOMAIN_NAME \
	--query id -o tsv
	)
	# Create Service Principal
	SP_TOKEN=$(az ad sp create-for-rbac -n $SP_NAME -o json)

	# Grab info from the Service Principal
	SP_APPID=$(echo $SP_TOKEN \| jq -e -r 'select(.appId != null) \| .appId')
	SP_TENANTID=$(echo $SP_TOKEN \| jq -e -r 'select(.tenant != null) \| .tenant')
	SP_PASSWORD=$(echo $SP_TOKEN \| jq -e -r 'select(.password != null) \| .password')
	SUBSCRIPTION_ID=$(az account show --query id -o tsv)

	# Assign Reader to SP for RG
	az role assignment create \
	--role "Reader" \
	--assignee $SP_APPID \
	--scope $DNS_RG_ID 1>/dev/null

	# Assign Contributor to SP for DNSZone
	az role assignment create \
	--role "Contributor" \
	--assignee $SP_APPID \
	--scope $DNS_ZONE_ID 1>/dev/null

	# Add bitnami repo for external-dns chart
	helm repo add bitnami https://charts.bitnami.com/bitnami

	# Create namespace for external-dns
	kubectl create namespace external-dns

	# Install external-dns chart
	helm install external-dns bitnami/external-dns \
	--wait --namespace external-dns \
	--set provider=azure \
	--set azure.resourceGroup=AzureDNS \
	--set azure.tenantId=$SP_TENANTID \
	--set azure.subscriptionId=$SUBSCRIPTION_ID \
	--set azure.aadClientId=$SP_APPID \
	--set azure.aadClientSecret=$SP_PASSWORD \
	--set azure.cloud=$AZURE_CLOUD \
	--set policy=sync \
	--set domainFilters={$DOMAIN_NAME}

	echo "=================================================="
	echo "Current DNS Nameservers for $DOMAIN_NAME"
	host -t ns $DOMAIN_NAME

	echo "NOTE: ++++++++++++++++++++++++++++++++++++++++++++"
	echo " Ensure your domain registrar is using"
	echo " the following DNS nameservers for resolution"
	echo " before continuing."
	echo " +++++++++++++++++++++++++++++++++++++++++++++"
	az network dns zone show \
	-g $DNS_RG -n $DOMAIN_NAME \
	-o tsv --query nameServers
	#!/bin/bash
	set -e

	color()(set -o pipefail;"$@" 2>&1>&3\|sed $'s,.*,\e[31m&\e[m,'>&2)3>&1

	validateTools() {
	command -v az 2&> /dev/null
	if [ $? -ne 0 ]; then
	echo "ERROR: Requires Azure CLI (az). Aborting..."
	exit 1
	fi

	command -v kubectl 2&> /dev/null
	if [ $? -ne 0 ]; then
	echo "ERROR: Requires Kubectl (kubectl). Aborting..."
	exit 1
	fi

	command -v jq 2&> /dev/null
	if [ $? -ne 0 ]; then
	echo "ERROR: Requires JQuery (jq). Aborting..."
	exit 1
	fi

	command -v helm 2&> /dev/null
	if [ $? -ne 0 ]; then
	echo "ERROR: Requires Helm v3.1.2_1+ (helm). Aborting..."
	exit 1
	fi
	}

	validateTools
	# For Important Info
	CRED='\033[1;40;41m'
	CEND='\033[0m'

	AKS_CREATE=${AKS_CREATE-true}
	if [ "$AKS_CREATE" != "true" ]; then
	if [[ -z "$RG" \|\| -z "$AKS_NAME" ]]; then
	echo "ERROR: Set RG and AKS_NAME as environment variables to continue."
	echo "Otherwise unset AKS_CREATE environment varialbe or set to 'true'."
	exit 1
	fi
	fi
	RND=$(echo $RANDOM \| grep -o ..$)
	RG=${RG-AKS-$RND-RG}
	NODESIZE=${NODESIZE-Standard_DS2_v2}
	NODECOUNT=${NODECOUNT-2}
	LOCATION=${LOCATION-usgovvirginia}
	AKS_NAME=${AKS_NAME-AKSCluster-$RND}
	DNS_RG=${DNS_RG-AzureDNS}
	DOMAIN_NAME=${DOMAIN_NAME-designingdevops.com}
	SP_NAME=${SP_NAME-AKS_DNS_SP_$RANDOM}
	AZURE_CLOUD=${AZURE_CLOUD-AzureUSGovernmentCloud}
	K8S_CONTEXT=$(kubectl config current-context)

	echo "RG: $RG"
	echo "AKS_NAME: $AKS_NAME"
	echo "NODESIZE: $NODESIZE"
	echo "LOCATION: $LOCATION"
	echo "DNS_RG: $DNS_RG"
	echo "DOMAIN_NAME: $DOMAIN_NAME"
	echo "AKS_CREATE: $AKS_CREATE"
	echo "NODECOUNT: $NODECOUNT"
	echo "AZURE_CLOUD: $AZURE_CLOUD"
	if [ "$AKS_CREATE" != "true" ]; then
	echo "K8S_CONTEXT: $K8S_CONTEXT"
	if [ "$K8S_CONTEXT" != "$AKS_NAME" ]; then
	echo -e "\nERROR: Your existing K8S_CONTEXT should match your AKS_NAME\n"
	exit 1
	fi
	echo -e "\nNOTE: Will NOT Create AKS Cluster"
	echo -e "Will use $CRED $K8S_CONTEXT $CEND as target!\n"
	else
	if [ "$K8S_CONTEXT" == "$AKS_NAME" ]; then
	echo "K8S_CONTEXT: $K8S_CONTEXT"
	echo -e "\n$CRED ERROR: K8S_CONTEXT cannot match AKS_NAME for new clusters. $CEND"
	echo "You may have environment variables set."
	echo "During cluster create unset RG and AKS_NAME"
	echo "or set to something different."
	exit 1
	fi
	fi

	# Verify if we want to proceed
	echo "NOTE: Override the above defaults with environment variables!"
	read -p "Are you sure you want to Proceed [y/N]?"
	if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
	exit
	fi

	if [ "$AKS_CREATE" == "true" ]; then
	###############################################
	# CREATE AKS CLUSTER ==========================
	###############################################
	echo "Creating AKS Cluster named=$AKS_NAME in $RG"
	az group create -l $LOCATION -n $RG 1>/dev/null

	az aks create \
	--resource-group $RG \
	--name $AKS_NAME \
	--vm-set-type VirtualMachineScaleSets \
	--node-count $NODECOUNT \
	--load-balancer-sku standard \
	--node-vm-size $NODESIZE \
	--generate-ssh-keys \
	--location $LOCATION 1>/dev/null

	az aks get-credentials \
	--name $AKS_NAME \
	--resource-group $RG 1>/dev/null
	fi

	###############################################
	# CREATE NGINX INGRESS WITH STATIC IP =========
	###############################################
	# Get the Resource Group of our AKS Cluster
	echo "Installing NGINX on $AKS_NAME!!"
	AKS_CLUSTER_RG=$(
	az aks show \
	--resource-group $RG \
	--name $AKS_NAME \
	--query nodeResourceGroup -o tsv
	)

	# Create a Public IP and get the id of the address. If one exists already
	# in the RG with the same name. The existing IP will be returned.
	PUBLIC_IP=$(
	az network public-ip create \
	--resource-group $AKS_CLUSTER_RG \
	--name IP-PublicIP1 \
	--sku Standard \
	--allocation-method static \
	--query publicIp.ipAddress -o tsv
	)
	echo "Created/Retrieved Azure PublicIP=$PUBLIC_IP"

	# Add stable chart repo
	helm repo add stable https://kubernetes-charts.storage.googleapis.com

	# Create namespace for Ingress
	kubectl create namespace ingress \|\| true

	# Use Helm to deploy an NGINX ingress controller with static IP
	helm install nginx-ingress stable/nginx-ingress \
	--wait --namespace ingress \
	--set controller.replicaCount=2 \
	--set controller.service.loadBalancerIP="$PUBLIC_IP" \
	--set controller.publishService.enabled=true \
	--set controller.publishService.pathOverride=ingress/nginx-ingress-controller


	###############################################
	# CREATE EXTERNALDNS SERVICE ==================
	###############################################
	# Create RG for DNS Zone. If one already exists
	# return the id for it.
	DNS_RG_ID=$(
	az group create \
	--name $DNS_RG \
	--location $LOCATION \
	--query id -o tsv
	)

	# Create DNS Zone. If one already exists
	# return id for it.
	DNS_ZONE_ID=$(
	az network dns zone create \
	-g $DNS_RG -n $DOMAIN_NAME \
	--query id -o tsv
	)

	# Create Service Principal
	SP_TOKEN=$(az ad sp create-for-rbac -n $SP_NAME -o json)

	# Grab info from the Service Principal
	SP_APPID=$(echo $SP_TOKEN \| jq -e -r 'select(.appId != null) \| .appId')
	SP_TENANTID=$(echo $SP_TOKEN \| jq -e -r 'select(.tenant != null) \| .tenant')
	SP_PASSWORD=$(echo $SP_TOKEN \| jq -e -r 'select(.password != null) \| .password')
	SUBSCRIPTION_ID=$(az account show --query id -o tsv)

	# Assign Reader to SP for RG
	az role assignment create \
	--role "Reader" \
	--assignee $SP_APPID \
	--scope $DNS_RG_ID 1>/dev/null

	# Assign Contributor to SP for DNSZone
	az role assignment create \
	--role "Contributor" \
	--assignee $SP_APPID \
	--scope $DNS_ZONE_ID 1>/dev/null

	# Add bitnami repo for external-dns chart
	helm repo add bitnami https://charts.bitnami.com/bitnami

	# Create namespace for external-dns
	kubectl create namespace external-dns

	# Install external-dns chart
	helm install external-dns bitnami/external-dns \
	--wait --namespace external-dns \
	--set provider=azure \
	--set azure.resourceGroup=AzureDNS \
	--set azure.tenantId=$SP_TENANTID \
	--set azure.subscriptionId=$SUBSCRIPTION_ID \
	--set azure.aadClientId=$SP_APPID \
	--set azure.aadClientSecret=$SP_PASSWORD \
	--set azure.cloud=$AZURE_CLOUD \
	--set policy=sync \
	--set domainFilters={$DOMAIN_NAME}

	echo "=================================================="
	echo "Current DNS Nameservers for $DOMAIN_NAME"
	host -t ns $DOMAIN_NAME

	echo "NOTE: ++++++++++++++++++++++++++++++++++++++++++++"
	echo " Ensure your domain registrar is using"
	echo " the following DNS nameservers for resolution"
	echo " before continuing."
	echo " +++++++++++++++++++++++++++++++++++++++++++++"

	az network dns zone show \
	-g $DNS_RG -n $DOMAIN_NAME \
	-o tsv --query nameServers

	###############################################
	# CREATE CERT-MANAGER SERVICE==================
	###############################################
	kubectl apply \
	--validate=false \
	-f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.13/deploy/manifests/00-crds.yaml

	# Create namespace
	kubectl create namespace cert-manager

	# Label the ingress namespace to disable resource validation
	kubectl label namespace ingress cert-manager.io/disable-validation=true

	# Label the cert-manager namespace to disable resource validation
	kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

	# Add the Jetstack Helm repository
	helm repo add jetstack https://charts.jetstack.io

	# Update your local Helm chart repository cache
	helm repo update

	# Install the cert-manager Helm chart
	helm install cert-manager \
	--wait --namespace cert-manager \
	--version v0.13.0 \
	jetstack/cert-manager

	# Setup ClusterIssuer
	cat <<-EOF \| kubectl apply -f -
	apiVersion: cert-manager.io/v1alpha2
	kind: ClusterIssuer
	metadata:
	name: letsencrypt
	spec:
	acme:
	server: https://acme-v02.api.letsencrypt.org/directory
	email: $LETS_ENCRYPT_EMAIL
	privateKeySecretRef:
	name: letsencrypt
	solvers:
	- http01:
	ingress:
	class: nginx
	EOF
	---
	apiVersion: networking.k8s.io/v1beta1
	kind: Ingress
	metadata:
	name: nginx
	annotations:
	nginx.ingress.kubernetes.io/ingress.class: nginx
	cert-manager.io/cluster-issuer: letsencrypt
	spec:
	tls:
	- hosts:
	- nginx.designingdevops.com
	secretName: tls-secret
	rules:
	- host: nginx.designingdevops.com
	http:
	paths:
	- backend:
	serviceName: nginx-svc
	servicePort: 80
	path: /
	#!/bin/bash
	# This script creates an Azure Public IP and binds
	# an the NGINX Ingress controller to it

	set -e

	if [[ -z "$RG" \|\| -z "$AKS_NAME" ]]; then
	echo "ERROR: Some Environment variables are missing!"
	echo -e "ERROR: These are required:\n"
	echo " RG: Resource Group"
	echo " AKS_NAME: AKS.Cluster Name"
	echo " LOCATION (optional): Azure region. Default is usgovvirginia"
	exit 1
	fi

	LOCATION=${LOCATION-usgovvirginia}
	K8S_CONTEXT=$(kubectl config current-context)

	echo "AKS_NAME: $AKS_NAME"
	echo "RG: $RG"
	echo "LOCATION: $LOCATION"
	echo -e "K8S_CONTEXT: $K8S_CONTEXT\n"

	# Verify if we want to proceed
	read -p "Are you sure you want to install NGINX [y/N]?"
	if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
	exit
	fi

	# Get the Resource Group of our AKS Cluster
	AKS_CLUSTER_RG=$(
	az aks show \
	--resource-group $RG \
	--name $AKS_NAME \
	--query nodeResourceGroup -o tsv
	)
	# Create a Public IP and get the id of the address. If one exists already
	# in the RG with the same name. The existing IP will be returned.
	PUBLIC_IP=$(
	az network public-ip create \
	--resource-group $AKS_CLUSTER_RG \
	--name IP-PublicIP1 \
	--sku Standard \
	--allocation-method static \
	--query publicIp.ipAddress -o tsv
	)
	# Add stable chart repo
	helm repo add stable https://kubernetes-charts.storage.googleapis.com

	# Create namespace for Ingress
	kubectl create namespace ingress

	# Use Helm to deploy an NGINX ingress controller with static IP
	helm install nginx-ingress stable/nginx-ingress \
	--wait --namespace ingress \
	--set controller.replicaCount=2 \
	--set controller.service.loadBalancerIP="$PUBLIC_IP" \
	--set controller.publishService.enabled=true \
	--set controller.publishService.pathOverride=ingress/nginx-ingress-controller
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: nginx
	spec:
	selector:
	matchLabels:
	app: nginx
	template:
	metadata:
	labels:
	app: nginx
	spec:
	containers:
	- image: nginx
	name: nginx
	ports:
	- containerPort: 80
	---
	apiVersion: v1
	kind: Service
	metadata:
	name: nginx-svc
	spec:
	ports:
	- port: 80
	protocol: TCP
	targetPort: 80
	selector:
	app: nginx
	type: ClusterIP

	---
	apiVersion: networking.k8s.io/v1beta1
	kind: Ingress
	metadata:
	name: nginx
	annotations:
	nginx.ingress.kubernetes.io/ingress.class: nginx
	cert-manager.io/cluster-issuer: letsencrypt
	spec:
	tls:
	- hosts:
	- nginx.designingdevops.com
	secretName: tls-secret
	rules:
	- host: nginx.designingdevops.com
	http:
	paths:
	- backend:
	serviceName: nginx-svc
	servicePort: 80
	path: /