SimpleAKS
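#!/bin/bash
## Creates an AKS cluster from the settings in ./env.sh, creating the resource
## group, managed identities, ACR, Log Analytics workspace and VNet/subnet when
## env.sh does not supply existing ones.  Usage: <script> <cluster-name>
## enable app insights https://github.com/microsoft/Application-Insights-K8s-Codeless-Attach
# env.sh is executed as shell code, not parsed, and is looked up relative to the
# current directory; fail early when it is missing instead of sourcing nothing.
if [ ! -r ./env.sh ]; then
  printf 'env.sh not found or not readable in %s\n' "$PWD" >&2
  exit 1
fi
# shellcheck source=./env.sh
source ./env.sh
# Five random characters appended to every resource name so reruns do not
# collide. openssl -hex already yields [0-9a-f]; tr only guards against stray bytes.
uuid=$(openssl rand -hex 32 | tr -dc 'a-zA-Z0-9' | fold -w 5 | head -n 1)
# Cluster name prefix, the script's only positional argument (validated by sanitycheck).
clusternameparam="$1"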
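#######################################
# Report whether a parameter carries a value, printing a coloured status line.
# Arguments:
#   $1 - parameter name (only used in the message)
#   $2 - parameter value to test
# Outputs:
#   one Error/OK line on stdout
# Returns:
#   0 when the value is empty (so `if isempty ...` reads as "if empty"),
#   1 when the value is set
#######################################
function isempty ()
{
  # local: the previous version leaked paramname/paramvalue into the global scope.
  local paramname="$1"
  local paramvalue="$2"
  # printf %s prints the value verbatim; echo -e would interpret backslash
  # sequences found inside the value (resource ids, env vars).
  if [ -z "$paramvalue" ]; then
    printf ' \e[31mError\e[0m:%s is EMPTY, Please paas a parameter for the %s\n' "$paramname" "$paramname"
    return 0
  fi
  printf ' \e[32m OK\e[0m :%s=%s is set\n' "$paramname" "$paramvalue"
  return 1
}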
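#######################################
# Validate inputs before anything is created in Azure.
# Globals (read): clusternameparam, SUBSCRIPTIONID, WORKSPACE_ID, ACR_REGISTRY,
#   SUBNET_ID, AKS_IDENTITY_ID, AKS_KUBELET_IDENTITY_ID
# Outputs: one status line per value on stdout (via isempty), plus a warning
#   for each optional value the script will create itself
# Exits: 1 when a required value (cluster name or subscription) is missing
#######################################
function sanitycheck ()
{
  local errors=0
  # Required values: count every miss so all of them are reported before exiting.
  if isempty "clusternameparam" "$clusternameparam"; then
    printf ' \e[31mError\e[0m: No param passed to script. A cluster name is required to be passed to script\n'
    errors=$((errors+1))
  fi
  if isempty "SUBSCRIPTIONID" "$SUBSCRIPTIONID"; then
    errors=$((errors+1))
  fi
  # Optional values: a missing one is created later, so only warn.
  if isempty "WORKSPACE_ID" "$WORKSPACE_ID"; then
    printf ' \e[33mWarn\e[0m: WORKSPACE_ID not set. A new log analytics workspace will be created and used\n'
  fi
  if isempty "ACR_REGISTRY" "$ACR_REGISTRY"; then
    printf ' \e[33mWarn\e[0m: ACR_REGISTRY not set. A new Azure Container Registry will be created and used\n'
  fi
  if isempty "SUBNET_ID" "$SUBNET_ID"; then
    # The old message said "Azure Container Registry" here (copy/paste error).
    printf ' \e[33mWarn\e[0m: SUBNET_ID not set. A new virtual network and subnet will be created and used\n'
  fi
  if isempty "AKS_IDENTITY_ID" "$AKS_IDENTITY_ID"; then
    printf ' \e[33mWarn\e[0m: AKS_IDENTITY_ID not set. A new user managed identity will be created and used\n'
  fi
  # This check used to test $AKS_IDENTITY_ID, so a missing kubelet identity was
  # reported as set whenever the control-plane identity was supplied.
  if isempty "AKS_KUBELET_IDENTITY_ID" "$AKS_KUBELET_IDENTITY_ID"; then
    printf ' \e[33mWarn\e[0m: AKS_KUBELET_IDENTITY_ID not set. A new kubelet user managed identity will be created and used\n'
  fi
  if (( errors > 0 )); then
    printf ' \e[31mEncountered %s error(s) in parameters. Please fix before continuing. exiting \e[0m \n' "$errors"
    exit 1
  fi
}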
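sanitycheck
# The random suffix keeps resource names unique across reruns.
aksname="$clusternameparam-$uuid"
registryname="${clusternameparam}${uuid}reg"   # no '-': ACR names are alphanumeric only
echo "Creating cluster with name $aksname "
RESOURCE_GROUP="$aksname-rg"
AKS_CLUSTER="$aksname"
AKS_IDENTITY_NAME="${aksname}control"
AKS_KUBELET_IDENTITY_NAME="${aksname}kubelet"
INGRESS_SUBNET_ID=""
network_prefix='172.16.0.0/23'
network_aks_subnet='172.16.0.0/25'
network_aks_system='10.3.4.0/24'    # not used by any command below
network_aks_ingress='10.3.5.0/24'   # only used by the commented-out ingress subnet
LB_IDLE_TIMEOUT=10                  # not passed to az below
OS_DISK_SIZE=50                     # not passed to az below
## Some basic tags. Arrays keep each key=value a separate argument without
## relying on unquoted word-splitting.
tags=(environment=stage project=pim department=pim)
pool_tags=(environment=stage project=pim department=pim)
echo "tags ${pool_tags[*]}"

# Stop at the first failed provisioning step: every later step depends on the
# earlier resources existing, and the old flow kept going after failures.
die() { printf '%s\n' "$*" >&2; exit 1; }

## az acr show --name aksonazure --resource-group aksonazure --query "id" --output tsv
echo "$LOCATION"
#Create a RG
az group create --name "$RESOURCE_GROUP" -l "$LOCATION" --subscription "$SUBSCRIPTIONID" --tags "${tags[@]}" \
  || die "failed to create resource group $RESOURCE_GROUP"
# NOTE(review): this identity (named after the RG) is never referenced again
# below; it looks like a leftover — confirm before removing it.
az identity create -g "$RESOURCE_GROUP" -n "$RESOURCE_GROUP" -l "$LOCATION" --subscription "$SUBSCRIPTIONID"

# Control-plane identity: created unless env.sh supplied one. Every create now
# passes --subscription like the matching show, so both hit the same subscription.
if [ -z "$AKS_IDENTITY_ID" ]; then
  echo "AKS_IDENTITY_ID is empty, Gona create identity $AKS_IDENTITY_NAME in RG $RESOURCE_GROUP "
  az identity create -n "$AKS_IDENTITY_NAME" -g "$RESOURCE_GROUP" -l "$LOCATION" --subscription "$SUBSCRIPTIONID" \
    || die "failed to create identity $AKS_IDENTITY_NAME"
  AKS_IDENTITY_ID="$(az identity show -n "$AKS_IDENTITY_NAME" -g "$RESOURCE_GROUP" --query id -o tsv --subscription "$SUBSCRIPTIONID")" \
    || die "failed to read id of identity $AKS_IDENTITY_NAME"
  echo "created USER managed identity with id $AKS_IDENTITY_ID"
else
  echo "AKS_IDENTITY_ID is NOT empty. using $AKS_IDENTITY_ID "
fi

# Kubelet identity: the one the nodes use, e.g. to pull from the registry.
if [ -z "$AKS_KUBELET_IDENTITY_ID" ]; then
  echo "AKS_KUBELET_IDENTITY_ID is empty, Gona create identity with name $AKS_KUBELET_IDENTITY_NAME in RG $RESOURCE_GROUP "
  az identity create -n "$AKS_KUBELET_IDENTITY_NAME" -g "$RESOURCE_GROUP" -l "$LOCATION" --subscription "$SUBSCRIPTIONID" \
    || die "failed to create identity $AKS_KUBELET_IDENTITY_NAME"
  AKS_KUBELET_IDENTITY_ID="$(az identity show -n "$AKS_KUBELET_IDENTITY_NAME" -g "$RESOURCE_GROUP" --query id -o tsv --subscription "$SUBSCRIPTIONID")" \
    || die "failed to read id of identity $AKS_KUBELET_IDENTITY_NAME"
  echo "created USER managed identity with id $AKS_KUBELET_IDENTITY_ID"
else
  echo "AKS_KUBELET_IDENTITY_ID is NOT empty. using $AKS_KUBELET_IDENTITY_ID "
fi

# Container registry: created unless env.sh supplied one.
if [ -z "$ACR_REGISTRY" ]; then
  echo "ACR_REGISTRY is empty, Gona create a Registry in RG $RESOURCE_GROUP "
  az acr create -n "$registryname" -g "$RESOURCE_GROUP" -l "$LOCATION" --sku standard --subscription "$SUBSCRIPTIONID" \
    || die "failed to create registry $registryname"
  ACR_REGISTRY="$(az acr show -n "$registryname" -g "$RESOURCE_GROUP" --query id -o tsv --subscription "$SUBSCRIPTIONID")" \
    || die "failed to read id of registry $registryname"
  echo "created ACR with id $ACR_REGISTRY"
else
  echo "ACR_REGISTRY is NOT empty. using $ACR_REGISTRY "
fi

# Log Analytics workspace for the monitoring addon: created unless supplied.
if [ -z "$WORKSPACE_ID" ]; then
  echo "WORKSPACE_ID is empty, Gona create a Log analytics workspace in RG $RESOURCE_GROUP "
  az monitor log-analytics workspace create --workspace-name "$aksname-logs" -g "$RESOURCE_GROUP" -l "$LOCATION" \
    --subscription "$SUBSCRIPTIONID" --tags "${tags[@]}" \
    || die "failed to create workspace $aksname-logs"
  WORKSPACE_ID="$(az monitor log-analytics workspace show --workspace-name "$aksname-logs" -g "$RESOURCE_GROUP" --query id -o tsv --subscription "$SUBSCRIPTIONID")" \
    || die "failed to read id of workspace $aksname-logs"
  echo "created log analytics workspace with id $WORKSPACE_ID"
else
  echo "WORKSPACE_ID is NOT empty. using $WORKSPACE_ID "
fi

#Create a VNET (with its "aks" subnet) unless a subnet was supplied.
if [ -z "$SUBNET_ID" ]; then
  echo "SUBNET_ID is empty, Gona create a custom vnet in RG $RESOURCE_GROUP "
  az network vnet create -g "$RESOURCE_GROUP" -n "$aksname" --address-prefix "$network_prefix" --tags "${tags[@]}" \
    --subnet-name aks --subnet-prefix "$network_aks_subnet" -l "$LOCATION" --subscription "$SUBSCRIPTIONID" \
    || die "failed to create vnet $aksname"
  # Look the subnet up by name; grepping the subnet list for "aks" also matched
  # any subnet whose id merely contained "aks" elsewhere (e.g. in the vnet name).
  SUBNET_ID="$(az network vnet subnet show -g "$RESOURCE_GROUP" --vnet-name "$aksname" -n aks --query id -o tsv --subscription "$SUBSCRIPTIONID")" \
    || die "failed to read id of subnet aks in vnet $aksname"
  # Optional ingress subnet, kept for reference:
  # az network vnet subnet create -n ingress --vnet-name "$aksname" --address-prefix "$network_aks_ingress" -g "$RESOURCE_GROUP" --subscription "$SUBSCRIPTIONID"
  # INGRESS_SUBNET_ID="$(az network vnet subnet show -g "$RESOURCE_GROUP" --vnet-name "$aksname" -n ingress --query id -o tsv --subscription "$SUBSCRIPTIONID")"
else
  echo "SUBNET_ID is NOT empty. using $SUBNET_ID "
fi
#Create a AKS subnet. not needed. created above.
#az network vnet subnet create -g $RESOURCE_GROUP --vnet-name iotsuite -n $AKS_CLUSTER --address-prefix 10.0.1.0/24 --subscription $SUBSCRIPTIONID
echo "$SUBNET_ID"

## --service-principal $SP_ID \
## --client-secret $SP_PASS \
echo "managed identity $AKS_IDENTITY_ID"
# Client id of the control-plane identity, used as the role-assignment assignee.
# --ids carries the subscription already, so the old second lookup is gone.
USER_ASSIGNED_IDENTITY_CLIENTID="$(az identity show --ids "$AKS_IDENTITY_ID" --query clientId -o tsv --subscription "$SUBSCRIPTIONID")" \
  || die "failed to read client id of $AKS_IDENTITY_ID"
# Subnet id layout:
#   /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<name>
# cut counts the empty field before the leading '/', so the RG is field 5 and the VNet field 9.
AKS_VNET_RG="$(cut -d'/' -f5 <<<"$SUBNET_ID")"
AKS_VNET="$(cut -d'/' -f9 <<<"$SUBNET_ID")"
echo "$AKS_VNET_RG ..... $AKS_VNET .... $USER_ASSIGNED_IDENTITY_CLIENTID"
vnet_scope="/subscriptions/$SUBSCRIPTIONID/resourceGroups/$AKS_VNET_RG/providers/Microsoft.Network/virtualNetworks/$AKS_VNET"
# "Network Contributor" on the VNet is what the control-plane identity needs for
# a bring-your-own VNet (route table / load balancer management).
# NOTE(review): "Contributor" on the same scope is broader than that — confirm
# nothing depends on it and drop it to keep the identity least-privilege.
az role assignment create --assignee "$USER_ASSIGNED_IDENTITY_CLIENTID" --role "Contributor" --scope "$vnet_scope" \
  || die "failed to assign Contributor on $vnet_scope"
az role assignment create --assignee "$USER_ASSIGNED_IDENTITY_CLIENTID" --role "Network Contributor" --scope "$vnet_scope" \
  || die "failed to assign Network Contributor on $vnet_scope"

# Object id of the account running the script, granted cluster-admin through AAD.
# NOTE(review): --aad-admin-group-object-ids expects *group* object ids; a user's
# object id is passed here — confirm it is honoured, or reference an admin group.
admin_object_id="$(az ad signed-in-user show --query id --out tsv)" \
  || die "failed to resolve the signed-in user"
#Create AKS Cluster with the managed identities created above.
# Posture left to the operator: the API server is public (no
# --api-server-authorized-ip-ranges / --enable-private-cluster) and local
# accounts stay enabled next to AAD (no --disable-local-accounts).
# --attach-acr grants the kubelet identity pull rights on the registry.
# The duplicate --pod-cidr of the old command is folded into one flag.
az aks create \
  --resource-group "$RESOURCE_GROUP" \
  --network-plugin kubenet \
  --node-count 3 \
  --node-vm-size="$VM_SIZE" \
  --kubernetes-version="$KUBE_VERSION" \
  --name "$AKS_CLUSTER" \
  --dns-service-ip "172.10.0.10" \
  --service-cidr "172.10.0.0/16" \
  --pod-cidr "192.168.0.0/16" \
  --location "$LOCATION" \
  --enable-addons monitoring,azure-keyvault-secrets-provider,azure-policy \
  --vm-set-type "VirtualMachineScaleSets" \
  --tags "${tags[@]}" \
  --nodepool-name="basepool" \
  --vnet-subnet-id "$SUBNET_ID" \
  --enable-cluster-autoscaler \
  --min-count "$MIN_NODE_COUNT" \
  --max-count "$MAX_NODE_COUNT" \
  --subscription "$SUBSCRIPTIONID" \
  --workspace-resource-id "$WORKSPACE_ID" \
  --nodepool-tags "${pool_tags[@]}" \
  --nodepool-labels "${pool_tags[@]}" \
  --generate-ssh-keys \
  --zones 3 \
  --node-resource-group "$RESOURCE_GROUP-managed" \
  --attach-acr "$ACR_REGISTRY" \
  --enable-managed-identity \
  --assign-identity "$AKS_IDENTITY_ID" \
  --auto-upgrade-channel stable \
  --assign-kubelet-identity "$AKS_KUBELET_IDENTITY_ID" \
  --enable-secret-rotation \
  --enable-aad --aad-admin-group-object-ids "$admin_object_id" \
  || die "az aks create failed for $AKS_CLUSTER"
# Fetched once here; the old script repeated this call at the very end.
az aks get-credentials -n "$AKS_CLUSTER" -g "$RESOURCE_GROUP" --subscription "$SUBSCRIPTIONID"

## get the managed identity: older name-based lookup and role assignments,
## superseded by the --ids lookup above.
#helm repo add cilium https://helm.cilium.io/
## install helm
#helm install cilium cilium/cilium --version 1.11.3 \
# --namespace kube-system \
# --set hubble.relay.enabled=true --set hubble.ui.enabled=true --namespace kube-system
echo "adding system pool "
# NOTE(review): this add is --no-wait while the next one is not; AKS generally
# allows one operation per cluster at a time, so the app-pool add (and the
# basepool delete) may be rejected while the system pool is still provisioning.
az aks nodepool add -g "$RESOURCE_GROUP" --scale-down-mode Deallocate --node-osdisk-type Managed --cluster-name "$AKS_CLUSTER" \
  -n systemnodes --node-taints CriticalAddonsOnly=true:NoSchedule --mode system --node-count=2 --subscription "$SUBSCRIPTIONID" --no-wait
echo "adding app pool"
az aks nodepool add --scale-down-mode Deallocate --node-osdisk-type Managed --zones 1 2 3 --mode user -g "$RESOURCE_GROUP" \
  --cluster-name "$AKS_CLUSTER" -n apppool --tags="Apps=true" --min-count "$MIN_NODE_COUNT" --max-count "$MAX_NODE_COUNT" \
  --enable-cluster-autoscaler --subscription "$SUBSCRIPTIONID"
## remove normal pool. Cos you cannot update the min to zero
az aks nodepool delete -g "$RESOURCE_GROUP" --cluster-name "$AKS_CLUSTER" -n basepool --subscription "$SUBSCRIPTIONID" --no-wait
##
# security policy
# --enable-pod-security-policy \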
## Settings sourced by the cluster-creation script (env.sh).
## Required: SUBSCRIPTIONID. Every commented-out id is optional and the script
## creates the corresponding resource when the variable is empty.

## Subscription where everything will be deployed (sanitycheck aborts when empty)
SUBSCRIPTIONID=''
## Service principal for AKS (known as APPID) — unused, the script runs on
## user-assigned managed identities instead.
## https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal#specify-a-service-principal-for-an-aks-cluster
SP_ID="not needed. replaced with managed identity"
## Service principal password — likewise unused.
SP_PASS="not needed. replaced with managed identity "
## Optional: resource id of an existing Azure Container Registry.
#ACR_REGISTRY=''
## Optional: resource id of an existing Log Analytics workspace.
#WORKSPACE_ID=''
## Optional: id of the subnet AKS is deployed into; a VNet/subnet is created otherwise.
#SUBNET_ID=''
## Optional: resource id of a user-assigned identity for the AKS control plane.
#AKS_IDENTITY_ID=''
## Optional: resource id of a user-assigned identity for the kubelet (read by the script).
#AKS_KUBELET_IDENTITY_ID=''
## Disk encryption set id for host-disk encryption.
## NOTE(review): the create script does not read this variable, so leaving it
## unset does not abort the run despite the original comment saying so.
#DISK_ENCRYPTION_SET_ID=''

## Node sizing and autoscaler bounds
VM_SIZE='Standard_D2s_v3'
#VM_SIZE='Standard_B2s'   # smaller alternative
MIN_NODE_COUNT='3'
MAX_NODE_COUNT='5'

## Cluster version and region
KUBE_VERSION='1.24.6'
LOCATION='westeurope'
## kubenet or azure.
## NOTE(review): the create script hard-codes --network-plugin kubenet and does
## not read this value.
NETWORK_PLUGIN='kubenet'
#AKS_IDENTITY_NAME='aksuseridentity'