Created
October 24, 2022 11:33
SimpleAKS
#!/bin/bash
## Creates an AKS cluster together with the identities, registry, log analytics
## workspace and vnet that were not supplied through env.sh.
## To enable app insights see https://github.com/microsoft/Application-Insights-K8s-Codeless-Attach
## Settings are read from ./env.sh relative to the CURRENT WORKING DIRECTORY, not the
## script location, so run the script from the directory that holds env.sh.
source ./env.sh
## Five-character random suffix (hex digits, 20 bits) appended to resource names so that
## reruns do not collide with resources from an earlier run.
uuid="$(
  openssl rand -hex 32 \
    | tr -dc 'a-zA-Z0-9' \
    | fold -w 5 \
    | head -n 1
)"
## First positional argument: base name of the cluster (checked by sanitycheck).
clusternameparam="${1}"
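#######################################
# Report whether a parameter value is empty, printing a coloured status line.
# Arguments: $1 - human-readable parameter name (only used in the message)
#            $2 - the value to test
# Outputs:   one line on stdout: red "Error" when empty, green "OK" otherwise
# Returns:   0 when the value is EMPTY, 1 when it is set — i.e. `if isempty ...; then`
#            runs its branch for a missing value
#######################################
function isempty () {
  # Both were globals in the original and leaked into the caller's scope.
  local paramname="$1"
  local paramvalue="$2"
  if [[ -z "$paramvalue" ]]; then
    printf ' \e[31mError\e[0m:%s is EMPTY, Please pass a parameter for the %s\n' "$paramname" "$paramname"
    return 0
  fi
  printf ' \e[32m OK\e[0m :%s=%s is set\n' "$paramname" "$paramvalue"
  return 1
}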
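#######################################
# Validate the script's inputs before any Azure resource is created.
# Globals (read): clusternameparam, SUBSCRIPTIONID, WORKSPACE_ID, ACR_REGISTRY,
#                 SUBNET_ID, AKS_IDENTITY_ID, AKS_KUBELET_IDENTITY_ID
# Outputs:   one status line per input (via isempty); a warning for every optional
#            input that will be created on the fly later in the script
# Exits:     1 when a required input (cluster name or subscription) is missing
#######################################
function sanitycheck () {
  local errors=0
  # Required inputs.
  if isempty "clusternameparam" "$clusternameparam"; then
    echo -e " \e[31mError\e[0m: No param passed to script. A cluster name is required to be passed to script"
    errors=$((errors + 1))
  fi
  if isempty "SUBSCRIPTIONID" "$SUBSCRIPTIONID"; then
    errors=$((errors + 1))
  fi
  # Optional inputs: an empty value means the resource is created by this script.
  if isempty "WORKSPACE_ID" "$WORKSPACE_ID"; then
    echo -e " \e[33mWarn\e[0m: WORKSPACE_ID not set. A new log analytics workspace will be created and used"
  fi
  if isempty "ACR_REGISTRY" "$ACR_REGISTRY"; then
    echo -e " \e[33mWarn\e[0m: ACR_REGISTRY not set. A new Azure Container Registry will be created and used"
  fi
  if isempty "SUBNET_ID" "$SUBNET_ID"; then
    echo -e " \e[33mWarn\e[0m: SUBNET_ID not set. A new virtual network and subnet will be created and used"
  fi
  if isempty "AKS_IDENTITY_ID" "$AKS_IDENTITY_ID"; then
    echo -e " \e[33mWarn\e[0m: AKS_IDENTITY_ID not set. A new user managed identity will be created and used"
  fi
  # Test the kubelet identity variable itself; the original passed AKS_IDENTITY_ID here,
  # so a missing kubelet identity was never reported.
  if isempty "AKS_KUBELET_IDENTITY_ID" "$AKS_KUBELET_IDENTITY_ID"; then
    echo -e " \e[33mWarn\e[0m: AKS_KUBELET_IDENTITY_ID not set. A new kubelet user managed identity will be created and used"
  fi
  if (( errors > 0 )); then
    echo -e " \e[31mEncountered $errors error(s) in parameters. Please fix before continuing. exiting \e[0m "
    exit 1
  fi
}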
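sanitycheck
## Derived names. The random suffix keeps reruns from colliding with earlier resources;
## the registry name has no dash because ACR names are alphanumeric only.
aksname="$clusternameparam-$uuid"
registryname="${clusternameparam}${uuid}reg"
echo "Creating cluster with name $aksname "
RESOURCE_GROUP="$aksname-rg"
AKS_CLUSTER="$aksname"
AKS_IDENTITY_NAME="${aksname}control"
AKS_KUBELET_IDENTITY_NAME="${aksname}kubelet"
INGRESS_SUBNET_ID=""
## Address plan, only used when the script creates the vnet itself.
## network_aks_system and network_aks_ingress are not referenced later in this script.
network_prefix='172.16.0.0/23'
network_aks_subnet='172.16.0.0/25'
network_aks_system='10.3.4.0/24'
network_aks_ingress='10.3.5.0/24'
## Not referenced later in this script.
LB_IDLE_TIMEOUT=10
OS_DISK_SIZE=50
## Some basic tags. Plain literals (the original ran them through `echo` in backticks).
## Kept as one space-separated string because the az calls below pass it unquoted
## (`--tags $tags`) to get one key=value argument per word.
tags='environment=stage project=pim department=pim'
pool_tags='environment=stage project=pim department=pim'
echo "tags $pool_tags"
## az acr show --name aksonazure --resource-group aksonazure --query "id" --output tsv
echo "$LOCATION"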
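#Create a RG. Everything below goes into it, so a failure here is fatal
#(the original printed "success" unconditionally and carried on).
# shellcheck disable=SC2086  # $tags is deliberately split into one key=value per word
az group create --name "$RESOURCE_GROUP" -l "$LOCATION" --subscription "$SUBSCRIPTIONID" --tags $tags \
  || { echo "failed to create resource group $RESOURCE_GROUP" >&2; exit 1; }
# Identity named after the resource group. NOTE(review): nothing later in this script
# references it (the control-plane and kubelet identities are created below under their
# own names), so it looks like a leftover — confirm before removing.
az identity create -g "$RESOURCE_GROUP" -n "$RESOURCE_GROUP" -l "$LOCATION" --subscription "$SUBSCRIPTIONID" \
  && echo "success"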
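#######################################
# Create a user-assigned managed identity and print its ARM resource id.
# Arguments: $1 - identity name
# Globals:   RESOURCE_GROUP, LOCATION, SUBSCRIPTIONID (read)
# Outputs:   the identity's resource id on stdout
# Returns:   non-zero when creation fails or the id comes back empty
#######################################
ensure_identity() {
  local name="$1"
  local id
  az identity create -n "$name" -g "$RESOURCE_GROUP" -l "$LOCATION" --subscription "$SUBSCRIPTIONID" >/dev/null || return 1
  id="$(az identity show -n "$name" -g "$RESOURCE_GROUP" --query id -o tsv --subscription "$SUBSCRIPTIONID")" || return 1
  [[ -n "$id" ]] || return 1
  printf '%s\n' "$id"
}
## Control-plane identity: create one unless the caller supplied a resource id.
## Abort when the id cannot be resolved — an empty AKS_IDENTITY_ID would otherwise
## reach the role assignments and `az aks create` further down.
if [[ -z "$AKS_IDENTITY_ID" ]]; then
  echo "AKS_IDENTITY_ID is empty, Gona create identity $AKS_IDENTITY_NAME in RG $RESOURCE_GROUP "
  AKS_IDENTITY_ID="$(ensure_identity "$AKS_IDENTITY_NAME")" \
    || { echo "failed to create managed identity $AKS_IDENTITY_NAME" >&2; exit 1; }
  echo "created USER managed identity with id $AKS_IDENTITY_ID"
else
  echo "AKS_IDENTITY_ID is NOT empty. using $AKS_IDENTITY_ID "
fi
## Kubelet identity, same pattern.
if [[ -z "$AKS_KUBELET_IDENTITY_ID" ]]; then
  echo "AKS_KUBELET_IDENTITY_ID is empty, Gona create identity with name $AKS_KUBELET_IDENTITY_NAME in RG $RESOURCE_GROUP "
  AKS_KUBELET_IDENTITY_ID="$(ensure_identity "$AKS_KUBELET_IDENTITY_NAME")" \
    || { echo "failed to create managed identity $AKS_KUBELET_IDENTITY_NAME" >&2; exit 1; }
  echo "created USER managed identity with id $AKS_KUBELET_IDENTITY_ID"
else
  echo "AKS_KUBELET_IDENTITY_ID is NOT empty. using $AKS_KUBELET_IDENTITY_ID "
fi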
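## Container registry: create one unless a registry resource id was supplied.
if [[ -z "$ACR_REGISTRY" ]]; then
  echo "ACR_REGISTRY is empty, Gona create a Registry $registryname in RG $RESOURCE_GROUP "
  az acr create -n "$registryname" -g "$RESOURCE_GROUP" -l "$LOCATION" --sku standard --subscription "$SUBSCRIPTIONID"
  ACR_REGISTRY="$(az acr show -n "$registryname" -g "$RESOURCE_GROUP" --query id -o tsv --subscription "$SUBSCRIPTIONID")"
  # An empty id would later be passed to --attach-acr; stop here instead.
  [[ -n "$ACR_REGISTRY" ]] || { echo "could not resolve id of registry $registryname" >&2; exit 1; }
  echo "created ACR with id $ACR_REGISTRY"
else
  echo "ACR_REGISTRY is NOT empty. using $ACR_REGISTRY "
fi
## Log analytics workspace (target of the monitoring addon): create one unless an id was supplied.
if [[ -z "$WORKSPACE_ID" ]]; then
  echo "WORKSPACE_ID is empty, Gona create a Log analytics workspace in RG $RESOURCE_GROUP "
  # shellcheck disable=SC2086  # $tags is deliberately split into one key=value per word
  az monitor log-analytics workspace create --workspace-name "$aksname-logs" -g "$RESOURCE_GROUP" -l "$LOCATION" --subscription "$SUBSCRIPTIONID" --tags $tags
  WORKSPACE_ID="$(az monitor log-analytics workspace show --workspace-name "$aksname-logs" -g "$RESOURCE_GROUP" --query id -o tsv --subscription "$SUBSCRIPTIONID")"
  [[ -n "$WORKSPACE_ID" ]] || { echo "could not resolve id of workspace $aksname-logs" >&2; exit 1; }
  echo "created log analytics workspace with id $WORKSPACE_ID"
else
  echo "WORKSPACE_ID is NOT empty. using $WORKSPACE_ID "
fi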
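#Create a VNET (only when no subnet was supplied; the subnet named "aks" is what the cluster uses)
if [[ -z "$SUBNET_ID" ]]; then
  echo "SUBNET_ID is empty, Gona create a custom vnet in RG $RESOURCE_GROUP "
  # shellcheck disable=SC2086  # $tags is deliberately split into one key=value per word
  az network vnet create -g "$RESOURCE_GROUP" -n "$aksname" --address-prefix "$network_prefix" --tags $tags \
    --subnet-name aks --subnet-prefix "$network_aks_subnet" -l "$LOCATION" --subscription "$SUBSCRIPTIONID"
  # Select the subnet by name in the query itself. The original used an unquoted `[].id`
  # (a shell glob that can match a file in the cwd) piped through `grep aks`, which also
  # matches any id that merely contains "aks" elsewhere in its path and may return
  # several lines.
  SUBNET_ID="$(az network vnet subnet list --resource-group "$RESOURCE_GROUP" --vnet-name "$aksname" \
    --query "[?name=='aks'].id" --output tsv --subscription "$SUBSCRIPTIONID")"
  [[ -n "$SUBNET_ID" ]] || { echo "could not find subnet 'aks' in vnet $aksname" >&2; exit 1; }
  # az network vnet subnet create -n ingress --vnet-name $aksname --address-prefix $network_aks_ingress -g $RESOURCE_GROUP --subscription $SUBSCRIPTIONID
  # INGRESS_SUBNET_ID="$(az network vnet subnet list --resource-group $RESOURCE_GROUP --vnet-name $aksname --query [].id --output tsv --subscription $SUBSCRIPTIONID | grep aks)"
else
  echo "SUBNET_ID is NOT empty. using $SUBNET_ID "
fi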
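#Create a AKS subnet. not needed. created above.
#az network vnet subnet create -g $RESOURCE_GROUP --vnet-name iotsuite -n $AKS_CLUSTER --address-prefix 10.0.1.0/24 --subscription $SUBSCRIPTIONID
#List Subnet belonging to VNET
echo "$SUBNET_ID"
## --service-principal $SP_ID \
## --client-secret $SP_PASS \
echo "managed identity $AKS_IDENTITY_ID"
#######################################
# Extract one '/'-separated field from an ARM resource id.
# Arguments: $1 - resource id, e.g.
#                 /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<name>
#            $2 - 1-based field number as used by cut(1); field 1 is the empty
#                 string in front of the leading '/'
# Outputs:   the field on stdout (empty when the id has fewer fields)
#######################################
resource_id_field() {
  printf '%s\n' "$1" | cut -d'/' -f "$2"
}
## Client id of the control-plane identity: the principal that receives the vnet role
## assignments. (The original looked it up twice, once without --subscription.)
USER_ASSIGNED_IDENTITY_CLIENTID="$(az identity show --ids "$AKS_IDENTITY_ID" --query clientId -o tsv --subscription "$SUBSCRIPTIONID")"
[[ -n "$USER_ASSIGNED_IDENTITY_CLIENTID" ]] || { echo "could not resolve clientId of $AKS_IDENTITY_ID" >&2; exit 1; }
## Resource group and vnet name are fields 5 and 9 of the subnet resource id.
AKS_VNET_RG="$(resource_id_field "$SUBNET_ID" 5)"
AKS_VNET="$(resource_id_field "$SUBNET_ID" 9)"
echo "$AKS_VNET_RG ..... $AKS_VNET .... $USER_ASSIGNED_IDENTITY_CLIENTID"
VNET_SCOPE="/subscriptions/$SUBSCRIPTIONID/resourceGroups/$AKS_VNET_RG/providers/Microsoft.Network/virtualNetworks/$AKS_VNET"
## Grant the control-plane identity rights on the vnet so the cluster can manage routes
## and load balancers in it. NOTE(review): "Network Contributor" is what a custom-vnet
## AKS cluster needs; the extra "Contributor" assignment is broader than that and is
## kept only because the original grants it — drop it if nothing else depends on it.
az role assignment create --assignee "$USER_ASSIGNED_IDENTITY_CLIENTID" --role "Contributor" --scope "$VNET_SCOPE"
az role assignment create --assignee "$USER_ASSIGNED_IDENTITY_CLIENTID" --role "Network Contributor" --scope "$VNET_SCOPE"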
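#Create AKS Cluster with managed identities (the --service-principal/--client-secret flags are obsolete)
## Resolve the AAD admin value before the long-running create so a failed lookup is
## caught here rather than silently passing an empty --aad-admin-group-object-ids.
## NOTE(review): that flag expects AAD *group* object ids; the original passes the
## signed-in user's object id, which is not a group. Point this at a real admin group
## if AAD-based cluster-admin access is expected to work.
AAD_ADMIN_GROUP_IDS="$(az ad signed-in-user show --query id --out tsv)"
[[ -n "$AAD_ADMIN_GROUP_IDS" ]] || { echo "could not resolve the signed-in user id for --aad-admin-group-object-ids" >&2; exit 1; }
## --network-plugin stays hard-coded to kubenet (NETWORK_PLUGIN from env.sh is not read
## here); --pod-cidr is given once — the original passed it twice.
# shellcheck disable=SC2086  # $tags and $pool_tags are deliberately split into one key=value per word
az aks create \
  --resource-group "$RESOURCE_GROUP" \
  --network-plugin kubenet \
  --pod-cidr "192.168.0.0/16" \
  --node-count 3 \
  --node-vm-size="$VM_SIZE" \
  --kubernetes-version="$KUBE_VERSION" \
  --name "$AKS_CLUSTER" \
  --dns-service-ip "172.10.0.10" \
  --service-cidr "172.10.0.0/16" \
  --location "$LOCATION" \
  --enable-addons monitoring,azure-keyvault-secrets-provider,azure-policy \
  --vm-set-type "VirtualMachineScaleSets" \
  --tags $tags \
  --nodepool-name="basepool" \
  --vnet-subnet-id "$SUBNET_ID" \
  --enable-cluster-autoscaler \
  --min-count "$MIN_NODE_COUNT" \
  --max-count "$MAX_NODE_COUNT" \
  --subscription "$SUBSCRIPTIONID" \
  --workspace-resource-id "$WORKSPACE_ID" \
  --nodepool-tags $pool_tags \
  --nodepool-labels $pool_tags \
  --generate-ssh-keys \
  --zones 3 \
  --node-resource-group "$RESOURCE_GROUP-managed" \
  --attach-acr "$ACR_REGISTRY" \
  --enable-managed-identity \
  --assign-identity "$AKS_IDENTITY_ID" \
  --auto-upgrade-channel stable \
  --assign-kubelet-identity "$AKS_KUBELET_IDENTITY_ID" \
  --enable-secret-rotation \
  --enable-aad --aad-admin-group-object-ids "$AAD_ADMIN_GROUP_IDS" \
  || { echo "az aks create failed for $AKS_CLUSTER" >&2; exit 1; }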
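## Fetch the kubeconfig once (the original repeated this call at the very end).
az aks get-credentials -n "$AKS_CLUSTER" -g "$RESOURCE_GROUP" --subscription "$SUBSCRIPTIONID"
## get the managed identity
#USER_ASSIGNED_IDENTITY_CLIENTID="$( az identity show --name $AKS_IDENTITY_NAME -g $RESOURCE_GROUP --query clientId -o tsv)"
#AKS_VNET_RG=$(echo $SUBNET_ID|cut -d'/' -f 5)
#AKS_VNET=$(echo $SUBNET_ID| cut -d'/' -f 9)
#az role assignment create --assignee $USER_ASSIGNED_IDENTITY_CLIENTID --role "Contributor" --scope /subscriptions/$SUBSCRIPTIONID/resourceGroups/$AKS_VNET_RG/providers/Microsoft.Network/virtualNetworks/$AKS_VNET
#az role assignment create --assignee $USER_ASSIGNED_IDENTITY_CLIENTID --role "Network Contributor" --scope /subscriptions/$SUBSCRIPTIONID/resourceGroups/$AKS_VNET_RG/providers/Microsoft.Network/virtualNetworks/$AKS_VNET
#helm repo add cilium https://helm.cilium.io/
## install helm
#helm install cilium cilium/cilium --version 1.11.3 \
# --namespace kube-system \
# --set hubble.relay.enabled=true --set hubble.ui.enabled=true --namespace kube-system
echo "adding system pool "
## Dedicated system pool, tainted so only critical add-ons are scheduled on it.
## Run it to completion: AKS does not accept a second operation on a cluster while one
## is still in progress, so with --no-wait here the app-pool add below can fail with an
## "operation in progress" conflict.
az aks nodepool add -g "$RESOURCE_GROUP" --scale-down-mode Deallocate --node-osdisk-type Managed --cluster-name "$AKS_CLUSTER" -n systemnodes --node-taints CriticalAddonsOnly=true:NoSchedule --mode system --node-count=2 --subscription "$SUBSCRIPTIONID" \
  || { echo "failed to add system node pool to $AKS_CLUSTER" >&2; exit 1; }
echo "adding app pool"
az aks nodepool add --scale-down-mode Deallocate --node-osdisk-type Managed --zones 1 2 3 --mode user -g "$RESOURCE_GROUP" --cluster-name "$AKS_CLUSTER" -n apppool --tags="Apps=true" --min-count "$MIN_NODE_COUNT" --max-count "$MAX_NODE_COUNT" --enable-cluster-autoscaler --subscription "$SUBSCRIPTIONID" \
  || { echo "failed to add app node pool to $AKS_CLUSTER" >&2; exit 1; }
## remove normal pool. Cos you cannot update the min to zero
## Only reached once 'systemnodes' exists, so the cluster keeps a system pool.
az aks nodepool delete -g "$RESOURCE_GROUP" --cluster-name "$AKS_CLUSTER" -n basepool --subscription "$SUBSCRIPTIONID" --no-wait
##
# security policy
# --enable-pod-security-policy \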
## env.sh — presumably the file the cluster script loads with `source ./env.sh`.
## It is plain shell: every line is a variable assignment evaluated by bash.
## Subscription where everything will be deployed (required; the script aborts when empty)
SUBSCRIPTIONID=""
## Service principal for AKS. known as APPID
## https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal#specify-a-service-principal-for-an-aks-cluster
## Both SP_* values are unused: the cluster is created with managed identities.
SP_ID="not needed. replaced with managed identity"
## Service principal password (unused, see above)
SP_PASS="not needed. replaced with managed identity "
## Optional Azure Container Registry resource ID. If empty a new one will be created
#ACR_REGISTRY=""
## Optional Azure log analytics Workspace resource ID. If empty a new one will be created
#WORKSPACE_ID=""
## Optional subnet resource ID. AKS will be deployed into this subnet. If empty a new vnet and subnet will be created
#SUBNET_ID=""
## Optional. A user-assigned identity for the AKS control plane (its resource ID). If empty one will be created
#AKS_IDENTITY_ID=""
## Optional. A user-assigned identity for the kubelet (its resource ID). If empty one will be created
#AKS_KUBELET_IDENTITY_ID=""
## Disk encryption set ID. NOTE(review): this comment says it is required and that the
## script aborts without it, but the cluster script never reads DISK_ENCRYPTION_SET_ID —
## confirm whether host-disk encryption is still intended.
#DISK_ENCRYPTION_SET_ID=""
VM_SIZE=Standard_D2s_v3
#VM_SIZE=Standard_B2s
## Autoscaler bounds for the default and app node pools
MIN_NODE_COUNT=3
MAX_NODE_COUNT=5
KUBE_VERSION="1.24.6"
LOCATION=westeurope
## kubenet or azure. NOTE(review): the cluster script hard-codes --network-plugin kubenet
## and does not read this variable.
#NETWORK_PLUGIN="kubenet"
NETWORK_PLUGIN="kubenet"
#AKS_IDENTITY_NAME="aksuseridentity"