ayan.poddar/eShopOnContainers
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

local update

Browse Source
This commit is contained in:
Deli Liu 2021-11-22 17:55:01 +08:00
parent 9e5cd835b4
commit 4bb7a854a2
17 changed files with 7713 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
deploy/k8s/enable-tls.ps1
View File

@ -16,5 +16,5 @@ if ($aksName -and $aksRg) {
} }
Write-Host "Installing cert-manager on current cluster" Write-Host "Installing cert-manager on current cluster"
#1.5.4
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml --validate=false kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml --validate=false

212
deploy/k8s/helm/allrelated.sh Normal file
View File

@ -0,0 +1,212 @@
# login in Ubuntu
az login az login --use-device-code /
az login --tenant 429950a6-2916-4b6f-8bd1-09b5071951d4
#Create a resource group
resourceGroup=DL-LEARNING-RG
az group create --name $resourceGroup --location southeastasia #/////canadacentral
#delete resouce group
az group delete --name $resourceGroup
# Vnet
#resourceGroup='DL-LEARNING-RG'
subscription='909efc0a-aa87-4bd2-884c-c93b75692357'
vnetName='aks-vnet-eshop'
az network vnet create -g $resourceGroup --subscription $subscription -n $vnetName -l southeastasia --address-prefix 10.10.0.0/17 --subnet-name eshopsubnet --subnet-prefix 10.10.0.0/18
subnetId=$(az network vnet subnet show --resource-group $resourceGroup --subscription $subscription --vnet-name $vnetName --name eshopsubnet --query id -o tsv)
# Create a private container registry
#######################################################################################
# Create a resource group for acr
acrrg=DL-PRIVATE-RG
az group create --name $acrrg --location southeastasia ///eastus
# Create a container registry
az acr create --resource-group $acrrg \
--name heigoo --sku Basic ###// Standard Premium
#Log in to registry
az acr login --name heigoo #geCqSifODg7Zs8KCni//P/f295oI8uUr
#Push image to registry
docker pull mcr.microsoft.com/hello-world
docker tag mcr.microsoft.com/hello-world heigoo.azurecr.io/hello-world:v1
docker push heigoo.azurecr.io/hello-world:v1
docker rmi heigoo.azurecr.io/hello-world:v1
#List container images
az acr repository list --name heigoo --output table
az acr repository show-tags --name heigoo --repository hello-world --output table
#Run image from registry
docker run heigoo.azurecr.io/hello-world:v1
#Clean up resources
az group delete --name DL-PRIVATE-RG
# crete aks Cluster
clusterName='eShop'
acr=$(az acr show --name heigoo --resource-group $acrrg --query "id" --output tsv)
az aks create -n $clusterName --resource-group $resourceGroup --subscription $subscription --kubernetes-version 1.21.1 --network-plugin azure --enable-managed-identity --generate-ssh-keys --attach-acr $acr --node-count 2 --vnet-subnet-id $subnetId
## if acr already created
az aks update --name myAKSCluster --resource-group myResourceGroup --subscription mySubscription --attach-acr <acr-resource-id>
az acr show --name acrName --resource-group myResourceGroup --subscription mySubscription --query "id"
## deploy
az account set --subscription 909efc0a-aa87-4bd2-884c-c93b75692357
az aks get-credentials --resource-group DL-LEARNING-RG --name eShop
kubectl get all -n cert-manager -o wide
# install ingress-nginx
#cd D:\temp\microservice\eShopOnContainers\deploy\k8s\nginx-ingress
kubectl apply -f mandatory.yaml
kubectl apply -f local-cm.yaml #(add large-client-header-buffers: "4 16k")
kubectl apply -f local-svc.yaml
#cd D:\temp\microservice\eShopOnContainers\deploy\k8s\helm
#.\deploy-all.ps1 -externalDns aks -aksName eShop -aksRg DL-LEARNING-RG -imageTag linux-latest -registry heigoo.azurecr.io -dockerUser heigoo -dockerPassword tuQbbDDaFxYPV6NMBpEylhw -useMesh $false
.\deploy-all.ps1 -externalDns eshop.anniedesign.xyz -imageTag linux-latest -registry heigoo.azurecr.io -dockerUser heigoo -dockerPassword geCqSifODg7Zs8KCni//P/f295oI8uUr -useMesh $false -sslSupport staging
.\deploy-all.ps1 -externalDns eshop.anniedesign.xyz -imageTag linux-latest -registry heigoo.azurecr.io -dockerUser heigoo -dockerPassword geCqSifODg7Zs8KCni//P/f295oI8uUr -useMesh $false -sslSupport prod
#.\deploy-all.ps1 -externalDns eshop.anniedesign.xyz -aksName eShop -aksRg DL-LEARNING-RG -imageTag linux-dev -useMesh $false
# enable tls-support
# cd D:\temp\microservice\eShopOnContainers\deploy\k8s
#run .\enable-tls.ps1
# rename values-staging.yaml(values-prod.yaml) to values.yaml() and ingressClass to nginx
# cd D:\temp\microservice\eShopOnContainers\deploy\k8s\helm
#kubectl apply -f cert-manager.yaml(if no running .\enable-tls.ps1)
helm install eshop-tls-support tls-support
kubectl get issuer
kubectl get cert -o wide
helm uninstall eshop-tls-support #(change server and environment to pord server ) redeploy
# check deploy status
kubectl get deployment
kubectl get ingress #check external IP to bind it on Godaddy (or other DNS provider) with the DNS name
kubectl get cert # check certificate
kubectl get certificaterequest
kubectl get order
kubectl get challenges
kubectl get Issuers,ClusterIssuers,Certificates,CertificateRequests,Orders,Challenges --all-namespaces
# CD D:\temp\microservice\eShopOnContainers\deploy\k8s\nodeports to change sql-service.yaml from NodePort to LoadBalancer
kubectl apply -f sql-service1.yaml
#get db external IP(lb) to connect to DB to change all http to https (eg. 20.44.192.98:1433 sa/Pass@word)
# update clients set ClientUri= replace(clientUri,'http://eshop.','https://eshop.')
# update ClientRedirectUris set RedirectUri = replace(RedirectUri,'http://eshop.','https://eshop.') where clientid <>3
# update ClientPostLogoutRedirectUris set PostLogoutRedirectUri = replace(PostLogoutRedirectUri,'http://eshop.','https://eshop.') where clientid <>3
# webmvc unauthorized client issue (change back RedirectUri to http for temporary usage)
##uninstall
helm uninstall $(helm ls --filter eshop -q) --dry-run
#############################################################################################
## This creates a working single node Azure Kubernetes Cluster
## and with an Azure Container Registry. Note, the ACR is in
## the same resource group as the AKS for demo purposes. For
## dev you should have ACR in separate resource group.
echo "Beginning AKS Setup for Demo"
date
AKS_RESOURCE_GROUP=aks-rg1
AKS_CLUSTER_NAME=aks-c1
ACR_RESOURCE_GROUP=MC_aks-rg1_aks-c1_centralus
ACR_NAME=aksacr122
SERVICE_PRINCIPAL_NAME=aks-sp-user
RG_LOCATION=CentralUS
DOCKER_USERNAME=$ACR_NAME
DOCKER_EMAIL={provide email address here} #does not have to be an account with docker hub
#DOCKER_PASSWORD is applied a value later
az group create --location $RG_LOCATION --name $AKS_RESOURCE_GROUP
az aks create -g $AKS_RESOURCE_GROUP -n $AKS_CLUSTER_NAME --generate-ssh-keys --node-count 1 --node-vm-size Standard_F1s
az acr create --resource-group $ACR_RESOURCE_GROUP --name $ACR_NAME --sku Basic --admin-enabled true
CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)
# Get the ACR registry resource id
ACR_ID=$(az acr show --name $ACR_NAME --resource-group $ACR_RESOURCE_GROUP --query "id" --output tsv)
# Create role assignment
az role assignment create --assignee $CLIENT_ID --role Reader --scope $ACR_ID
# Populate the ACR login server and resource id.
ACR_LOGIN_SERVER=$(az acr show --name $ACR_NAME --query loginServer --output tsv)
ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)
# Create a contributor role assignment with a scope of the ACR resource.
SP_PASSWD=$(az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME --role Reader --scopes $ACR_REGISTRY_ID --query password --output tsv)
# Get the service principle client id.
CLIENT_ID=$(az ad sp show --id http://$SERVICE_PRINCIPAL_NAME --query appId --output tsv)
# Output used when creating Kubernetes secret.
echo "Service principal ID: $CLIENT_ID"
echo "Service principal password: $SP_PASSWD"
#connect to the aks environment
az aks get-credentials --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME
ACR_HTTPS_LOGIN_SERVER="https://$ACR_LOGIN_SERVER"
### get password from ACR
DOCKER_PASSWORD=$(az acr credential show -n $ACR_NAME --query passwords[0].value -o tsv)
kubectl create secret docker-registry acrconnection --docker-server=$ACR_HTTPS_LOGIN_SERVER --docker-username=$DOCKER_USERNAME --docker-password=$DOCKER_PASSWORD --docker-email=$DOCKER_EMAIL
az acr login --name $ACR_NAME
echo "Completed AKS Setup"
date

6361
deploy/k8s/helm/cert-manager.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

56
deploy/k8s/helm/enablelargerheader.sh Normal file
View File

@ -0,0 +1,56 @@
# =======================
kubectl annotate --overwrite ingress eshop-webmvc nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-webmvc nginx.ingress.kubernetes.io/proxy-body-size=8M
kubectl annotate --overwrite ingress eshop-webmvc nginx.ingress.kubernetes.io/client-body-buffer-size=1M
kubectl annotate --overwrite ingress eshop-webspa nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-webspa nginx.ingress.kubernetes.io/proxy-body-size=8M
kubectl annotate --overwrite ingress eshop-webspa nginx.ingress.kubernetes.io/client-body-buffer-size=1M
kubectl annotate --overwrite ingress eshop-webstatus nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-webstatus nginx.ingress.kubernetes.io/proxy-body-size=8M
kubectl annotate --overwrite ingress eshop-webstatus nginx.ingress.kubernetes.io/client-body-buffer-size=1M
kubectl annotate --overwrite ingress eshop-apigwms nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-apigwms nginx.ingress.kubernetes.io/proxy-body-size=8M
kubectl annotate --overwrite ingress eshop-apigwms nginx.ingress.kubernetes.io/client-body-buffer-size=1M
kubectl annotate --overwrite ingress eshop-apigwws nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-apigwws nginx.ingress.kubernetes.io/proxy-body-size=8M
kubectl annotate --overwrite ingress eshop-apigwws nginx.ingress.kubernetes.io/client-body-buffer-size=1M
kubectl annotate --overwrite ingress eshop-identity-api nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-identity-api nginx.ingress.kubernetes.io/proxy-body-size=8M
kubectl annotate --overwrite ingress eshop-identity-api nginx.ingress.kubernetes.io/client-body-buffer-size=1M
kubectl annotate --overwrite ingress eshop-webhooks-web nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-webhooks-web nginx.ingress.kubernetes.io/proxy-body-size=8M
kubectl annotate --overwrite ingress eshop-webhooks-web nginx.ingress.kubernetes.io/client-body-buffer-size=1M
kubectl annotate --overwrite ingress eshop-webhooks-api nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-webhooks-api nginx.ingress.kubernetes.io/proxy-body-size=8M
kubectl annotate --overwrite ingress eshop-webhooks-api nginx.ingress.kubernetes.io/client-body-buffer-size=1M
kubectl annotate --overwrite ingress eshop-webhooks-web nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-webhooks-web nginx.ingress.kubernetes.io/proxy-body-size=8M
kubectl annotate --overwrite ingress eshop-webhooks-web nginx.ingress.kubernetes.io/client-body-buffer-size=1M
# -------------
kubectl annotate --overwrite ingress eshop-webmvc nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-webspa nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-webstatus nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-apigwms nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-apigwws nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-identity-api nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-webhooks-api nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
kubectl annotate --overwrite ingress eshop-webhooks-web nginx.ingress.kubernetes.io/proxy-buffer-size="16k"
# nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
# nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
# nginx.ingress.kubernetes.io/proxy-body-size: 8M
# nginx.ingress.kubernetes.io/client-body-buffer-size: 1M
# nginx.ingress.kubernetes.io/server-snippet: |
# http2_max_header_size 256k;
# http2_max_field_size 256k;

22
deploy/k8s/helm/importregistry.sh Normal file
View File

@ -0,0 +1,22 @@
REGISTRY_NAME=heigoo
CONTROLLER_REGISTRY=k8s.gcr.io
CONTROLLER_IMAGE=ingress-nginx/controller
CONTROLLER_TAG=v0.48.1
PATCH_REGISTRY=docker.io
PATCH_IMAGE=jettech/kube-webhook-certgen
PATCH_TAG=v1.5.1
DEFAULTBACKEND_REGISTRY=k8s.gcr.io
DEFAULTBACKEND_IMAGE=defaultbackend-amd64
DEFAULTBACKEND_TAG=1.5
CERT_MANAGER_REGISTRY=quay.io
CERT_MANAGER_TAG=v1.3.1
CERT_MANAGER_IMAGE_CONTROLLER=jetstack/cert-manager-controller
CERT_MANAGER_IMAGE_WEBHOOK=jetstack/cert-manager-webhook
CERT_MANAGER_IMAGE_CAINJECTOR=jetstack/cert-manager-cainjector
az acr import --name $REGISTRY_NAME --source $CONTROLLER_REGISTRY/$CONTROLLER_IMAGE:$CONTROLLER_TAG --image $CONTROLLER_IMAGE:$CONTROLLER_TAG
az acr import --name $REGISTRY_NAME --source $PATCH_REGISTRY/$PATCH_IMAGE:$PATCH_TAG --image $PATCH_IMAGE:$PATCH_TAG
az acr import --name $REGISTRY_NAME --source $DEFAULTBACKEND_REGISTRY/$DEFAULTBACKEND_IMAGE:$DEFAULTBACKEND_TAG --image $DEFAULTBACKEND_IMAGE:$DEFAULTBACKEND_TAG
az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_CONTROLLER:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_CONTROLLER:$CERT_MANAGER_TAG
az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_WEBHOOK:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_WEBHOOK:$CERT_MANAGER_TAG
az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_CAINJECTOR:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_CAINJECTOR:$CERT_MANAGER_TAG

7
deploy/k8s/helm/ingress_class.yaml Normal file
View File

@ -0,0 +1,7 @@
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: nginx
spec:
controller: k8s.io/ingress-nginx

676
deploy/k8s/helm/ingress_nginx_deploy103.yaml Normal file
View File

@ -0,0 +1,676 @@
apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx
namespace: ingress-nginx
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
data:
allow-snippet-annotations: 'true'
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
name: ingress-nginx
rules:
- apiGroups:
- ''
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ''
resources:
- nodes
verbs:
- get
- apiGroups:
- ''
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx
namespace: ingress-nginx
rules:
- apiGroups:
- ''
resources:
- namespaces
verbs:
- get
- apiGroups:
- ''
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
- configmaps
resourceNames:
- ingress-controller-leader
verbs:
- get
- update
- apiGroups:
- ''
resources:
- configmaps
verbs:
- create
- apiGroups:
- ''
resources:
- events
verbs:
- create
- patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
type: ClusterIP
ports:
- name: https-webhook
port: 443
targetPort: webhook
appProtocol: https
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
annotations:
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
type: LoadBalancer
externalTrafficPolicy: Local
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
appProtocol: http
- name: https
port: 443
protocol: TCP
targetPort: https
appProtocol: https
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
revisionHistoryLimit: 10
minReadySeconds: 0
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
spec:
dnsPolicy: ClusterFirst
containers:
- name: controller
image: k8s.gcr.io/ingress-nginx/controller:v1.0.3@sha256:4ade87838eb8256b094fbb5272d7dda9b6c7fa8b759e6af5383c1300996a7452
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
args:
- /nginx-ingress-controller
- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- --election-id=ingress-controller-leader
- --controller-class=k8s.io/ingress-nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsUser: 101
allowPrivilegeEscalation: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
ports:
- name: http
containerPort: 80
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
- name: webhook
containerPort: 8443
protocol: TCP
volumeMounts:
- name: webhook-cert
mountPath: /usr/local/certificates/
readOnly: true
resources:
requests:
cpu: 100m
memory: 90Mi
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
---
# Source: ingress-nginx/templates/controller-ingressclass.yaml
# We don't support namespaced ingressClass yet
# So a ClusterRole and a ClusterRoleBinding is required
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: controller
name: nginx
namespace: ingress-nginx
spec:
controller: k8s.io/ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
name: ingress-nginx-admission
webhooks:
- name: validate.nginx.ingress.kubernetes.io
matchPolicy: Equivalent
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
failurePolicy: Fail
sideEffects: None
admissionReviewVersions:
- v1
clientConfig:
service:
namespace: ingress-nginx
name: ingress-nginx-controller-admission
path: /networking/v1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: ingress-nginx-admission
namespace: ingress-nginx
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ingress-nginx-admission
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ingress-nginx-admission
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ingress-nginx-admission
namespace: ingress-nginx
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
- create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ingress-nginx-admission
namespace: ingress-nginx
annotations:
helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: ingress-nginx-admission-create
namespace: ingress-nginx
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
spec:
template:
metadata:
name: ingress-nginx-admission-create
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
spec:
containers:
- name: create
image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
imagePullPolicy: IfNotPresent
args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
restartPolicy: OnFailure
serviceAccountName: ingress-nginx-admission
nodeSelector:
kubernetes.io/os: linux
securityContext:
runAsNonRoot: true
runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: ingress-nginx-admission-patch
namespace: ingress-nginx
annotations:
helm.sh/hook: post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
spec:
template:
metadata:
name: ingress-nginx-admission-patch
labels:
helm.sh/chart: ingress-nginx-4.0.4
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.3
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: admission-webhook
spec:
containers:
- name: patch
image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
imagePullPolicy: IfNotPresent
args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
restartPolicy: OnFailure
serviceAccountName: ingress-nginx-admission
nodeSelector:
kubernetes.io/os: linux
securityContext:
runAsNonRoot: true
runAsUser: 2000

5
deploy/k8s/helm/ingress_values.yaml
View File

@ -2,7 +2,10 @@
ingress: ingress:
annotations: annotations:
kubernetes.io/ingress.class: addon-http-application-routing # kubernetes.io/ingress.class: addon-http-application-routing
ingress.kubernetes.io/ssl-redirect: "false" ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/ssl-redirect: "false" nginx.ingress.kubernetes.io/ssl-redirect: "false"
#kubernetes.io/ingress.class: nginx
#nginx.ingress.kubernetes.io/rewrite-target: /$1
#nginx.ingress.kubernetes.io/use-regex: "true"

92
deploy/k8s/helm/ingresscertmanager.sh Normal file
View File

@ -0,0 +1,92 @@
REGISTRY_NAME=heigoo
CONTROLLER_REGISTRY=k8s.gcr.io
CONTROLLER_IMAGE=ingress-nginx/controller
CONTROLLER_TAG=v0.48.1
PATCH_REGISTRY=docker.io
PATCH_IMAGE=jettech/kube-webhook-certgen
PATCH_TAG=v1.5.1
DEFAULTBACKEND_REGISTRY=k8s.gcr.io
DEFAULTBACKEND_IMAGE=defaultbackend-amd64
DEFAULTBACKEND_TAG=1.5
CERT_MANAGER_REGISTRY=quay.io
CERT_MANAGER_TAG=v1.3.1
CERT_MANAGER_IMAGE_CONTROLLER=jetstack/cert-manager-controller
CERT_MANAGER_IMAGE_WEBHOOK=jetstack/cert-manager-webhook
CERT_MANAGER_IMAGE_CAINJECTOR=jetstack/cert-manager-cainjector
az acr import --name $REGISTRY_NAME --source $CONTROLLER_REGISTRY/$CONTROLLER_IMAGE:$CONTROLLER_TAG --image $CONTROLLER_IMAGE:$CONTROLLER_TAG
az acr import --name $REGISTRY_NAME --source $PATCH_REGISTRY/$PATCH_IMAGE:$PATCH_TAG --image $PATCH_IMAGE:$PATCH_TAG
az acr import --name $REGISTRY_NAME --source $DEFAULTBACKEND_REGISTRY/$DEFAULTBACKEND_IMAGE:$DEFAULTBACKEND_TAG --image $DEFAULTBACKEND_IMAGE:$DEFAULTBACKEND_TAG
az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_CONTROLLER:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_CONTROLLER:$CERT_MANAGER_TAG
az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_WEBHOOK:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_WEBHOOK:$CERT_MANAGER_TAG
az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_CAINJECTOR:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_CAINJECTOR:$CERT_MANAGER_TAG
--------
# Create a namespace for your ingress resources
kubectl create namespace ingress-basic
# Add the ingress-nginx repository
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
# Set variable for ACR location to use for pulling images
ACR_URL=heigoo.azurecr.io
# Use Helm to deploy an NGINX ingress controller
helm install nginx-ingress ingress-nginx/ingress-nginx \
--namespace ingress-basic \
--set controller.replicaCount=2 \
--set controller.nodeSelector."kubernetes\.io/os"=linux \
--set controller.image.registry=$ACR_URL \
--set controller.image.image=$CONTROLLER_IMAGE \
--set controller.image.tag=$CONTROLLER_TAG \
--set controller.image.digest="" \
--set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux \
--set controller.admissionWebhooks.patch.image.registry=$ACR_URL \
--set controller.admissionWebhooks.patch.image.image=$PATCH_IMAGE \
--set controller.admissionWebhooks.patch.image.tag=$PATCH_TAG \
--set defaultBackend.nodeSelector."kubernetes\.io/os"=linux \
--set defaultBackend.image.registry=$ACR_URL \
--set defaultBackend.image.image=$DEFAULTBACKEND_IMAGE \
--set defaultBackend.image.tag=$DEFAULTBACKEND_TAG
# -----
kubectl --namespace ingress-basic get services -o wide
# ---- add a A reacord(and eshop.* subdomain cname) in Azure or DNS register(eg. GoDaddy) with load balancer ip
az network dns record-set a add-record \
--resource-group myResourceGroup \
--zone-name MY_CUSTOM_DOMAIN \
--record-set-name "*" \
--ipv4-address MY_EXTERNAL_IP
# ----
# install cert manager
# ------
# Label the ingress-basic namespace to disable resource validation
kubectl label namespace ingress-basic cert-manager.io/disable-validation=true
# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io
# Update your local Helm chart repository cache
helm repo update
# Install the cert-manager Helm chart
helm install cert-manager jetstack/cert-manager \
--namespace ingress-basic \
--version $CERT_MANAGER_TAG \
--set installCRDs=true \
--set nodeSelector."kubernetes\.io/os"=linux \
--set image.repository=$ACR_URL/$CERT_MANAGER_IMAGE_CONTROLLER \
--set image.tag=$CERT_MANAGER_TAG \
--set webhook.image.repository=$ACR_URL/$CERT_MANAGER_IMAGE_WEBHOOK \
--set webhook.image.tag=$CERT_MANAGER_TAG \
--set cainjector.image.repository=$ACR_URL/$CERT_MANAGER_IMAGE_CAINJECTOR \
--set cainjector.image.tag=$CERT_MANAGER_TAG
# ----
# create ca issuer
# run demo https://docs.microsoft.com/en-us/azure/aks/ingress-tls
# https://docs.microsoft.com/en-us/azure/aks/static-ip

37
deploy/k8s/helm/ingressfix.yaml Normal file
View File

@ -0,0 +1,37 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: addon-http-app-routing-fix
rules:
- apiGroups:
- "networking.k8s.io"
resources:
- "ingresses/status"
verbs:
- "update"
- apiGroups:
- "networking.k8s.io"
resources:
- "ingresses"
verbs:
- "get"
- "watch"
- "list"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: addon-http-app-routing-fix-clusterrolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: addon-http-app-routing-fix
subjects:
- kind: ServiceAccount
name: addon-http-application-routing-nginx-ingress-serviceaccount
namespace: kube-system
- kind: ServiceAccount
name: addon-http-application-routing-external-dns
namespace: kube-system
---

193
deploy/k8s/helm/publicipingressaks.sh Normal file
View File

@ -0,0 +1,193 @@
# 20.63.171.125
PUBLIC_IP_ID=$(az network public-ip list --query "[?ipAddress=='20.63.171.125'].id" -o tsv)
az network dns zone create --resource-group k8sstudy --name anniedesign.xyz
az network dns record-set a add-record --resource-group k8sstudy --record-set-name eshop --zone-name anniedesign.xyz --ipv4-address 1.1.1.1
az network dns record-set a update --name eshop --resource-group k8sstudy --zone-name anniedesign.xyz --target-resource /subscriptions/e25379c9-941e-4fe6-81ff-f0e62becf996/resourceGroups/mc_k8sstudy_eshop_japaneast/providers/Microsoft.Network/publicIPAddresses/kubernetes-ae87c596c80514b95839a76c3ed683df
az network dns zone show --resource-group k8sstudy --name anniedesign.xyz --query nameServers
# ns1-03.azure-dns.com.
# ns2-03.azure-dns.net.
# ns3-03.azure-dns.org.
# ns4-03.azure-dns.info.
# ---------------------------
REGISTRY_NAME=heigoo
CONTROLLER_REGISTRY=k8s.gcr.io
CONTROLLER_IMAGE=ingress-nginx/controller
CONTROLLER_TAG=v0.48.1
PATCH_REGISTRY=docker.io
PATCH_IMAGE=jettech/kube-webhook-certgen
PATCH_TAG=v1.5.1
DEFAULTBACKEND_REGISTRY=k8s.gcr.io
DEFAULTBACKEND_IMAGE=defaultbackend-amd64
DEFAULTBACKEND_TAG=1.5
CERT_MANAGER_REGISTRY=quay.io
CERT_MANAGER_TAG=v1.3.1
CERT_MANAGER_IMAGE_CONTROLLER=jetstack/cert-manager-controller
CERT_MANAGER_IMAGE_WEBHOOK=jetstack/cert-manager-webhook
CERT_MANAGER_IMAGE_CAINJECTOR=jetstack/cert-manager-cainjector
az acr import --name $REGISTRY_NAME --source $CONTROLLER_REGISTRY/$CONTROLLER_IMAGE:$CONTROLLER_TAG --image $CONTROLLER_IMAGE:$CONTROLLER_TAG
az acr import --name $REGISTRY_NAME --source $PATCH_REGISTRY/$PATCH_IMAGE:$PATCH_TAG --image $PATCH_IMAGE:$PATCH_TAG
az acr import --name $REGISTRY_NAME --source $DEFAULTBACKEND_REGISTRY/$DEFAULTBACKEND_IMAGE:$DEFAULTBACKEND_TAG --image $DEFAULTBACKEND_IMAGE:$DEFAULTBACKEND_TAG
az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_CONTROLLER:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_CONTROLLER:$CERT_MANAGER_TAG
az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_WEBHOOK:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_WEBHOOK:$CERT_MANAGER_TAG
az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_CAINJECTOR:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_CAINJECTOR:$CERT_MANAGER_TAG
az aks show --resource-group k8sstudy --name eshop --query nodeResourceGroup -o tsv --MC_k8sstudy_eShop_japaneast
az network public-ip create --resource-group MC_k8sstudy_eShop_japaneast --name myAKSPublicIP --sku Standard --allocation-method static --query publicIp.ipAddress -o tsv --20.194.219.173
-----
# Create a namespace for your ingress resources
kubectl create namespace ingress-basic
# Add the ingress-nginx repository
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
# Set variable for ACR location to use for pulling images
ACR_URL=heigoo.azurecr.io
STATIC_IP=20.194.219.173
DNS_LABEL=eshop
# Use Helm to deploy an NGINX ingress controller
kubectl --namespace ingress-basic get services -o wide -w nginx-ingress-ingress-nginx-controller
az network public-ip list --resource-group MC_myResourceGroup_myAKSCluster_eastus --query "[?name=='myAKSPublicIP'].[dnsSettings.fqdn]" -o tsv
# ===============
az network public-ip create \
--resource-group k8sstudy \
--name myAKSPublicIP \
--sku Standard \
--allocation-method static
az network public-ip list
az network public-ip show --resource-group k8sstudy --name myAKSPublicIP --query ipAddress --output tsv
az role assignment create \
--assignee eShop \
--role "Network Contributor" \
--scope /subscriptions/e25379c9-941e-4fe6-81ff-f0e62becf996/resourceGroups/k8sstudy
# ==================
az aks create --name myAKSCluster --resource-group myResourceGroup
service principle
az ad sp create-for-rbac --skip-assignment --name myAKSClusterServicePrincipal
Specify a service principal for an AKS cluster
az aks create \
--resource-group myResourceGroup \
--name myAKSCluster \
--service-principal <appId> \
--client-secret <password>
# Delegate access to other Azure resources
az role assignment create --assignee <appId> --scope <resourceScope> --role Contributor
# ===========================================
# Create a new AKS cluster with ACR integration
# set this to the name of your Azure Container Registry. It must be globally unique
MYACR=myContainerRegistry
# Run the following line to create an Azure Container Registry if you do not already have one
az acr create -n $MYACR -g myContainerRegistryResourceGroup --sku basic
# Create an AKS cluster with ACR integration
az aks create -n myAKSCluster -g myResourceGroup --generate-ssh-keys --attach-acr $MYACR
az aks create -n myAKSCluster -g myResourceGroup --generate-ssh-keys --attach-acr /subscriptions/<subscription-id>/resourceGroups/myContainerRegistryResourceGroup/providers/Microsoft.ContainerRegistry/registries/myContainerRegistry
# Configure ACR integration for existing AKS clusters
# =====
# =================managed identity==========================
az account show --query id -o tsv
az aks show -g k8sstudy -n eShop --query "servicePrincipalProfile"
# After verifying the cluster is using managed identities, you can find the control plane system-assigned identity's object ID with the following command:
az aks show -g k8sstudy -n eShop --query "identity"
az identity list --query "[].{Name:name, Id:id, Location:location}" -o table
# ==================inital aks==========
az group delete --name myResourceGroup --yes --no-wait
# ======= acr azure registry============
az aks check-acr --name MyManagedCluster --resource-group MyResourceGroup --acr myacr.azurecr.io
# set this to the name of your Azure Container Registry. It must be globally unique
MYACR=myContainerRegistry
# Run the following line to create an Azure Container Registry if you do not already have one
az acr create -n $MYACR -g myContainerRegistryResourceGroup --sku basic
# Create an AKS cluster with ACR integration
az aks create -n myAKSCluster -g myResourceGroup --generate-ssh-keys --attach-acr $MYACR
# -----------------
az aks update -n myAKSCluster -g myResourceGroup --attach-acr heigoo
# If you are using an ACR that is located in a different subscription from your AKS cluster, use the ACR resource ID when attaching or detaching from an AKS cluster.
az aks create -n myAKSCluster -g myResourceGroup --generate-ssh-keys --attach-acr /subscriptions/<subscription-id>/resourceGroups/myContainerRegistryResourceGroup/providers/Microsoft.ContainerRegistry/registries/myContainerRegistry
# -----
helm upgrade -i nginx-ingress ingress-nginx/ingress-nginx \
--version 3.36.0 \
--namespace ingress-basic \
--set controller.replicaCount=2 \
--set controller.nodeSelector."kubernetes\.io/os"=linux \
--set controller.image.registry=$ACR_URL \
--set controller.image.image=$CONTROLLER_IMAGE \
--set controller.image.tag=$CONTROLLER_TAG \
--set controller.image.digest="" \
--set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux \
--set controller.admissionWebhooks.patch.image.registry=$ACR_URL \
--set controller.admissionWebhooks.patch.image.image=$PATCH_IMAGE \
--set controller.admissionWebhooks.patch.image.tag=$PATCH_TAG \
--set defaultBackend.nodeSelector."kubernetes\.io/os"=linux \
--set defaultBackend.image.registry=$ACR_URL \
--set defaultBackend.image.image=$DEFAULTBACKEND_IMAGE \
--set defaultBackend.image.tag=$DEFAULTBACKEND_TAG
helm upgrade -i nginx-ingress ingress-nginx/ingress-nginx \
--version 3.36.0 \
--namespace ingress-basic \
--set controller.replicaCount=2 \
--set controller.nodeSelector."kubernetes\.io/os"=linux \
--set controller.image.registry=$ACR_URL \
--set controller.image.image=$CONTROLLER_IMAGE \
--set controller.image.tag=$CONTROLLER_TAG \
--set controller.image.digest="" \
--set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux \
--set controller.admissionWebhooks.patch.image.registry=$ACR_URL \
--set controller.admissionWebhooks.patch.image.image=$PATCH_IMAGE \
--set controller.admissionWebhooks.patch.image.tag=$PATCH_TAG \
--set defaultBackend.nodeSelector."kubernetes\.io/os"=linux \
--set defaultBackend.image.registry=$ACR_URL \
--set defaultBackend.image.image=$DEFAULTBACKEND_IMAGE \
--set defaultBackend.image.tag=$DEFAULTBACKEND_TAG \
--set controller.service.loadBalancerIP=$STATIC_IP \
--set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"=$DNS_LABEL
az network dns record-set a add-record \
--resource-group myResourceGroup \
--zone-name anniedesign.xyz \
--record-set-name "*" \
--ipv4-address 20.89.163.19
# ============clear resources========================
kubectl delete namespace ingress-basic
kubectl delete -f certificates.yaml
kubectl delete -f cluster-issuer.yaml
helm list --all-namespaces
helm uninstall nginx-ingress cert-manager -n ingress-basic
kubectl delete -f aks-helloworld.yaml --namespace ingress-basic
kubectl delete -f ingress-demo.yaml --namespace ingress-basic
kubectl delete namespace ingress-basic
az network public-ip delete --resource-group MC_myResourceGroup_myAKSCluster_japaneast --name myAKSPublicIP
az group delete --name myResourceGroup --yes --no-wait

14
deploy/k8s/helm/push.bat Normal file
View File

@ -0,0 +1,14 @@
docker push heigoo.azurecr.io/eshop/webspa:linux-latest
docker push heigoo.azurecr.io/eshop/webmvc:linux-latest
docker push heigoo.azurecr.io/eshop/webshoppingagg:linux-latest
docker push heigoo.azurecr.io/eshop/mobileshoppingagg:linux-latest
docker push heigoo.azurecr.io/eshop/ordering.signalrhub:linux-latest
docker push heigoo.azurecr.io/eshop/basket.api:linux-latest
docker push heigoo.azurecr.io/eshop/identity.api:linux-latest
docker push heigoo.azurecr.io/eshop/catalog.api:linux-latest
docker push heigoo.azurecr.io/eshop/ordering.api:linux-latest
docker push heigoo.azurecr.io/eshop/webhooks.client:linux-latest
docker push heigoo.azurecr.io/eshop/webhooks.api:linux-latest
docker push heigoo.azurecr.io/eshop/ordering.backgroundtasks:linux-latest
docker push heigoo.azurecr.io/eshop/payment.api:linux-latest
docker push heigoo.azurecr.io/eshop/webstatus:linux-latest

14
deploy/k8s/helm/tag.bat Normal file
View File

@ -0,0 +1,14 @@
docker tag eshop/webspa:linux-latest heigoo.azurecr.io/eshop/webspa:linux-latest
docker tag eshop/webmvc:linux-latest heigoo.azurecr.io/eshop/webmvc:linux-latest
docker tag eshop/webshoppingagg:linux-latest heigoo.azurecr.io/eshop/webshoppingagg:linux-latest
docker tag eshop/mobileshoppingagg:linux-latest heigoo.azurecr.io/eshop/mobileshoppingagg:linux-latest
docker tag eshop/ordering.signalrhub:linux-latest heigoo.azurecr.io/eshop/ordering.signalrhub:linux-latest
docker tag eshop/basket.api:linux-latest heigoo.azurecr.io/eshop/basket.api:linux-latest
docker tag eshop/identity.api:linux-latest heigoo.azurecr.io/eshop/identity.api:linux-latest
docker tag eshop/catalog.api:linux-latest heigoo.azurecr.io/eshop/catalog.api:linux-latest
docker tag eshop/ordering.api:linux-latest heigoo.azurecr.io/eshop/ordering.api:linux-latest
docker tag eshop/webhooks.client:linux-latest heigoo.azurecr.io/eshop/webhooks.client:linux-latest
docker tag eshop/webhooks.api:linux-latest heigoo.azurecr.io/eshop/webhooks.api:linux-latest
docker tag eshop/ordering.backgroundtasks:linux-latest heigoo.azurecr.io/eshop/ordering.backgroundtasks:linux-latest
docker tag eshop/eshop/payment.api:linux-latest heigoo.azurecr.io/eshop/payment.api:linux-latest
docker tag eshop/webstatus:linux-latest heigoo.azurecr.io/eshop/webstatus:linux-latest

2
deploy/k8s/helm/tls-support/templates/issuer.yaml
View File

@ -8,7 +8,7 @@ metadata:
spec: spec:
acme: acme:
server: {{ .Values.server }} server: {{ .Values.server }}
email: not@used.com email: ernie.liu@outlook.com
privateKeySecretRef: privateKeySecretRef:
name: {{ .Values.issuerSecretName }} name: {{ .Values.issuerSecretName }}
solvers: solvers:

8
deploy/k8s/helm/tls-support/values.yaml Normal file
View File

@ -0,0 +1,8 @@
applicationName: eshop
issuerName: letsencrypt-prod
certName: eshop-cert-prod
environment: prod
server: https://acme-v02.api.letsencrypt.org/directory
certSecretName: eshop-letsencrypt-prod
issuerSecretName: letsencrypt-prod
ingressClass: nginx

4
deploy/k8s/nginx-ingress/local-cm.yaml
View File

@ -8,4 +8,6 @@ metadata:
namespace: ingress-nginx namespace: ingress-nginx
data: data:
proxy-buffer-size: "128k" proxy-buffer-size: "128k"
proxy-buffers: "4 256k" proxy-buffers: "4 256k"
large-client-header-buffers: "4 16k"
##https://stackoverflow.com/questions/59274805/kubernetes-nginx-ingress-request-header-or-cookie-too-large

12
deploy/k8s/nodeports/sql-service1.yaml Normal file
View File

@ -0,0 +1,12 @@
kind: Service
apiVersion: v1
metadata:
name: sql-service
spec:
type: LoadBalancer
selector:
app: sql-data
ports:
- protocol: TCP
port: 1433
targetPort: 1433