Last active
May 11, 2023 20:15
-
-
Save sabbour/e5299d32e89f312ad64584b4881754ea to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Define Environment Variables | |
| export RANDOM_STRING=$RANDOM | |
| export RESOURCE_GROUP_NAME=rg-${RANDOM_STRING} | |
| export RESOURCE_LOCATION=eastus | |
| export AKS_CLUSTER_NAME=aks-${RANDOM_STRING} | |
| export KEYVAULT_NAME=kv-${RANDOM_STRING} | |
| export KEYVAULT_CERTIFICATE_NAME=myKvCertificate | |
| export AZUREDNSZONE_NAME=contoso-${RANDOM_STRING}.com | |
| export HOSTNAME=hello.${AZUREDNSZONE_NAME} | |
| export CURRENTUSER=$(az account show --query user.name --output tsv) | |
| # Enable the Preview CLI | |
| az extension add --name aks-preview | |
| # Create a self-signed SSL certificate | |
| openssl req -new -x509 -nodes -out ${KEYVAULT_CERTIFICATE_NAME}.crt -keyout ${KEYVAULT_CERTIFICATE_NAME}.key -subj "/CN=${HOSTNAME}" -addext "subjectAltName=DNS:${HOSTNAME}" | |
| openssl pkcs12 -export -in ${KEYVAULT_CERTIFICATE_NAME}.crt -inkey ${KEYVAULT_CERTIFICATE_NAME}.key -out ${KEYVAULT_CERTIFICATE_NAME}.pfx -passout pass: | |
| # Create resource group | |
| az group create --name ${RESOURCE_GROUP_NAME} --location ${RESOURCE_LOCATION} | |
| # Create key vault | |
| az keyvault create -g ${RESOURCE_GROUP_NAME} -l ${RESOURCE_LOCATION} -n ${KEYVAULT_NAME} --enable-rbac-authorization true | |
| KEYVAULT_ID=$(az keyvault show --name ${KEYVAULT_NAME} --query "id" --output tsv) | |
| # Assign the current user permissions to upload certificates to the key vault using Azure RBAC | |
| az role assignment create --role "Key Vault Certificates Officer" --assignee $CURRENTUSER --scope $KEYVAULT_ID | |
| # Wait for role propagation | |
| echo "Waiting for role assignment to propagate" | |
| sleep 60 | |
| # Import certificate into Azure Key Vault | |
| az keyvault certificate import --vault-name ${KEYVAULT_NAME} -n ${KEYVAULT_CERTIFICATE_NAME} -f ${KEYVAULT_CERTIFICATE_NAME}.pfx | |
| # Create Azure DNS zone | |
| az network dns zone create -g ${RESOURCE_GROUP_NAME} -n ${AZUREDNSZONE_NAME} | |
| AZUREDNSZONE_ID=$(az network dns zone show -g ${RESOURCE_GROUP_NAME} -n ${AZUREDNSZONE_NAME} --query "id" --output tsv) | |
| # Create AKS cluster | |
| az aks create -g ${RESOURCE_GROUP_NAME} -n ${AKS_CLUSTER_NAME} -l ${RESOURCE_LOCATION} --enable-addons azure-keyvault-secrets-provider,web_application_routing --enable-secret-rotation --dns-zone-resource-id=${AZUREDNSZONE_ID} --generate-ssh-keys | |
| APPROUTING_MANAGEDIDENTITY_OBJECTID=$(az aks show -g ${RESOURCE_GROUP_NAME} -n ${AKS_CLUSTER_NAME} --query ingressProfile.webAppRouting.identity.objectId -o tsv) | |
| # Create role assignments for the add-on's managed identity | |
| az role assignment create --role "Key Vault Secrets User" --assignee $APPROUTING_MANAGEDIDENTITY_OBJECTID --scope $KEYVAULT_ID | |
| az role assignment create --role "DNS Zone Contributor" --assignee $APPROUTING_MANAGEDIDENTITY_OBJECTID --scope $AZUREDNSZONE_ID | |
| # Install kubectl | |
| # ignore error if already installed | |
| az aks install-cli || true | |
| # Get credentials | |
| az aks get-credentials -g ${RESOURCE_GROUP_NAME} --name ${AKS_CLUSTER_NAME} --overwrite-existing | |
| # Create namespace | |
| kubectl create namespace hello-web-app-routing | |
| # Create deployment | |
| cat <<EOF > deployment.yaml | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| name: aks-helloworld | |
| namespace: hello-web-app-routing | |
| spec: | |
| replicas: 1 | |
| selector: | |
| matchLabels: | |
| app: aks-helloworld | |
| template: | |
| metadata: | |
| labels: | |
| app: aks-helloworld | |
| spec: | |
| containers: | |
| - name: aks-helloworld | |
| image: mcr.microsoft.com/azuredocs/aks-helloworld:v1 | |
| ports: | |
| - containerPort: 80 | |
| env: | |
| - name: TITLE | |
| value: "Welcome to Azure Kubernetes Service (AKS)" | |
| EOF | |
| # Create service | |
| cat <<EOF > service.yaml | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| name: aks-helloworld | |
| namespace: hello-web-app-routing | |
| spec: | |
| type: ClusterIP | |
| ports: | |
| - port: 80 | |
| targetPort: 80 | |
| selector: | |
| app: aks-helloworld | |
| EOF | |
| # Get certificate from key vault | |
| KEYVAULT_CERTIFICATE_URI=$(az keyvault certificate show --vault-name ${KEYVAULT_NAME} -n ${KEYVAULT_CERTIFICATE_NAME} --query "id" --output tsv) | |
| # Create ingress | |
| cat <<EOF > ingress.yaml | |
| apiVersion: networking.k8s.io/v1 | |
| kind: Ingress | |
| metadata: | |
| annotations: | |
| kubernetes.azure.com/tls-cert-keyvault-uri: ${KEYVAULT_CERTIFICATE_URI} | |
| name: aks-helloworld | |
| namespace: hello-web-app-routing | |
| spec: | |
| ingressClassName: webapprouting.kubernetes.azure.com | |
| rules: | |
| - host: ${HOSTNAME} | |
| http: | |
| paths: | |
| - path: / | |
| pathType: Prefix | |
| backend: | |
| service: | |
| name: aks-helloworld | |
| port: | |
| number: 80 | |
| tls: | |
| - hosts: | |
| - ${HOSTNAME} | |
| secretName: keyvault-aks-helloworld | |
| EOF | |
| # Deploy application | |
| kubectl apply -f deployment.yaml -f service.yaml -f ingress.yaml -n hello-web-app-routing | |
| # Monitor the ingress | |
| timeout 60 kubectl get ingress aks-helloworld -n hello-web-app-routing --watch | |
| # Retrieve the ingress IP address | |
| INGRESS_IP=$(kubectl get ingress aks-helloworld -n hello-web-app-routing -o jsonpath='{.status.loadBalancer.ingress[0].ip}') | |
| # Use curl to test the application, passing the hostname | |
| curl -kL https://${INGRESS_IP} -H "Host: ${HOSTNAME}" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment