You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
244 lines
8.9 KiB
244 lines
8.9 KiB
# login in Ubuntu
|
|
az login az login --use-device-code /
|
|
az login --tenant 429950a6-2916-4b6f-8bd1-09b5071951d4
|
|
#Create a resource group
|
|
resourceGroup=DL-LEARNING-RG
|
|
az group create --name $resourceGroup --location southeastasia #/////canadacentral
|
|
|
|
#delete resouce group
|
|
az group delete --name $resourceGroup
|
|
|
|
# Vnet
|
|
#resourceGroup='DL-LEARNING-RG'
|
|
subscription='909efc0a-aa87-4bd2-884c-c93b75692357'
|
|
vnetName='aks-vnet-eshop'
|
|
|
|
az network vnet create -g $resourceGroup --subscription $subscription -n $vnetName -l southeastasia --address-prefix 10.10.0.0/17 --subnet-name eshopsubnet --subnet-prefix 10.10.0.0/18
|
|
|
|
subnetId=$(az network vnet subnet show --resource-group $resourceGroup --subscription $subscription --vnet-name $vnetName --name eshopsubnet --query id -o tsv)
|
|
|
|
# Create a private container registry
|
|
#######################################################################################
|
|
# Create a resource group for acr
|
|
acrrg=DL-PRIVATE-RG
|
|
az group create --name $acrrg --location southeastasia ///eastus
|
|
# Create a container registry
|
|
az acr create --resource-group $acrrg \
|
|
--name heigoo --sku Basic ###// Standard Premium
|
|
|
|
#Log in to registry
|
|
az acr login --name heigoo #geCqSifODg7Zs8KCni//P/f295oI8uUr
|
|
|
|
#Push image to registry
|
|
docker pull mcr.microsoft.com/hello-world
|
|
docker tag mcr.microsoft.com/hello-world heigoo.azurecr.io/hello-world:v1
|
|
docker push heigoo.azurecr.io/hello-world:v1
|
|
docker rmi heigoo.azurecr.io/hello-world:v1
|
|
|
|
#List container images
|
|
az acr repository list --name heigoo --output table
|
|
az acr repository show-tags --name heigoo --repository hello-world --output table
|
|
|
|
#Run image from registry
|
|
docker run heigoo.azurecr.io/hello-world:v1
|
|
#Clean up resources
|
|
az group delete --name DL-PRIVATE-RG
|
|
|
|
# crete aks Cluster
|
|
clusterName='eShop'
|
|
acr=$(az acr show --name heigoo --resource-group $acrrg --query "id" --output tsv)
|
|
|
|
az aks create -n $clusterName --resource-group $resourceGroup --subscription $subscription --kubernetes-version 1.21.1 --network-plugin azure --enable-managed-identity --generate-ssh-keys --attach-acr $acr --node-count 2 --vnet-subnet-id $subnetId
|
|
|
|
|
|
## if acr already created
|
|
az aks update --name myAKSCluster --resource-group myResourceGroup --subscription mySubscription --attach-acr <acr-resource-id>
|
|
az acr show --name acrName --resource-group myResourceGroup --subscription mySubscription --query "id"
|
|
|
|
|
|
## deploy
|
|
az account set --subscription 909efc0a-aa87-4bd2-884c-c93b75692357
|
|
az aks get-credentials --resource-group DL-LEARNING-RG --name eShop
|
|
kubectl get all -n cert-manager -o wide
|
|
|
|
|
|
|
|
|
|
# install ingress-nginx
|
|
#cd D:\temp\microservice\eShopOnContainers\deploy\k8s\nginx-ingress
|
|
kubectl apply -f mandatory.yaml
|
|
kubectl apply -f local-cm.yaml #(add large-client-header-buffers: "4 16k")
|
|
kubectl apply -f local-svc.yaml
|
|
|
|
|
|
#cd D:\temp\microservice\eShopOnContainers\deploy\k8s\helm
|
|
|
|
#.\deploy-all.ps1 -externalDns aks -aksName eShop -aksRg DL-LEARNING-RG -imageTag linux-latest -registry heigoo.azurecr.io -dockerUser heigoo -dockerPassword tuQbbDDaFxYPV6NMBpEylhw -useMesh $false
|
|
|
|
.\deploy-all.ps1 -externalDns eshop.anniedesign.xyz -imageTag linux-latest -registry heigoo.azurecr.io -dockerUser heigoo -dockerPassword geCqSifODg7Zs8KCni//P/f295oI8uUr -useMesh $false -sslSupport staging
|
|
.\deploy-all.ps1 -externalDns eshop.anniedesign.xyz -imageTag linux-latest -registry heigoo.azurecr.io -dockerUser heigoo -dockerPassword geCqSifODg7Zs8KCni//P/f295oI8uUr -useMesh $false -sslSupport prod
|
|
#.\deploy-all.ps1 -externalDns eshop.anniedesign.xyz -aksName eShop -aksRg DL-LEARNING-RG -imageTag linux-dev -useMesh $false
|
|
|
|
# enable tls-support
|
|
# https://github.com/dotnet-architecture/eShopOnContainers/wiki/AKS-TLS
|
|
# cd D:\temp\microservice\eShopOnContainers\deploy\k8s
|
|
#run .\enable-tls.ps1
|
|
# rename values-staging.yaml(values-prod.yaml) to values.yaml() and ingressClass to nginx
|
|
# cd D:\temp\microservice\eShopOnContainers\deploy\k8s\helm
|
|
|
|
#kubectl apply -f cert-manager.yaml(if no running .\enable-tls.ps1)
|
|
helm install eshop-tls-support tls-support
|
|
kubectl get issuer
|
|
kubectl get cert -o wide
|
|
helm uninstall eshop-tls-support #(change server and environment to pord server ) redeploy
|
|
|
|
# check deploy status
|
|
kubectl get deployment
|
|
kubectl get ingress #check external IP to bind it on Godaddy (or other DNS provider) with the DNS name
|
|
kubectl get cert # check certificate
|
|
|
|
kubectl get certificaterequest
|
|
kubectl get order
|
|
kubectl get challenges
|
|
|
|
kubectl get Issuers,ClusterIssuers,Certificates,CertificateRequests,Orders,Challenges --all-namespaces
|
|
|
|
# CD D:\temp\microservice\eShopOnContainers\deploy\k8s\nodeports to change sql-service.yaml from NodePort to LoadBalancer
|
|
kubectl apply -f sql-service1.yaml
|
|
#get db external IP(lb) to connect to DB to change all http to https (eg. 20.44.192.98:1433 sa/Pass@word)
|
|
|
|
# update clients set ClientUri= replace(clientUri,'http://eshop.','https://eshop.')
|
|
# update ClientRedirectUris set RedirectUri = replace(RedirectUri,'http://eshop.','https://eshop.') where clientid <>3
|
|
# update ClientPostLogoutRedirectUris set PostLogoutRedirectUri = replace(PostLogoutRedirectUri,'http://eshop.','https://eshop.') where clientid <>3
|
|
# webmvc unauthorized client issue (change back RedirectUri to http for temporary usage)
|
|
##uninstall
|
|
|
|
helm uninstall $(helm ls --filter eshop -q) --dry-run
|
|
|
|
#azure devops pipeline
|
|
# https://github.com/dotnet-architecture/eShopOnContainers/tree/main/build/azure-devops
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#############################################################################################
|
|
## This creates a working single node Azure Kubernetes Cluster
|
|
## and with an Azure Container Registry. Note, the ACR is in
|
|
## the same resource group as the AKS for demo purposes. For
|
|
## dev you should have ACR in separate resource group.
|
|
|
|
echo "Beginning AKS Setup for Demo"
|
|
date
|
|
|
|
AKS_RESOURCE_GROUP=aks-rg1
|
|
AKS_CLUSTER_NAME=aks-c1
|
|
ACR_RESOURCE_GROUP=MC_aks-rg1_aks-c1_centralus
|
|
ACR_NAME=aksacr122
|
|
SERVICE_PRINCIPAL_NAME=aks-sp-user
|
|
RG_LOCATION=CentralUS
|
|
DOCKER_USERNAME=$ACR_NAME
|
|
DOCKER_EMAIL={provide email address here} #does not have to be an account with docker hub
|
|
#DOCKER_PASSWORD is applied a value later
|
|
|
|
az group create --location $RG_LOCATION --name $AKS_RESOURCE_GROUP
|
|
|
|
az aks create -g $AKS_RESOURCE_GROUP -n $AKS_CLUSTER_NAME --generate-ssh-keys --node-count 1 --node-vm-size Standard_F1s
|
|
|
|
az acr create --resource-group $ACR_RESOURCE_GROUP --name $ACR_NAME --sku Basic --admin-enabled true
|
|
|
|
|
|
CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)
|
|
|
|
# Get the ACR registry resource id
|
|
ACR_ID=$(az acr show --name $ACR_NAME --resource-group $ACR_RESOURCE_GROUP --query "id" --output tsv)
|
|
|
|
# Create role assignment
|
|
az role assignment create --assignee $CLIENT_ID --role Reader --scope $ACR_ID
|
|
|
|
# Populate the ACR login server and resource id.
|
|
ACR_LOGIN_SERVER=$(az acr show --name $ACR_NAME --query loginServer --output tsv)
|
|
ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)
|
|
|
|
# Create a contributor role assignment with a scope of the ACR resource.
|
|
SP_PASSWD=$(az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME --role Reader --scopes $ACR_REGISTRY_ID --query password --output tsv)
|
|
|
|
# Get the service principle client id.
|
|
CLIENT_ID=$(az ad sp show --id http://$SERVICE_PRINCIPAL_NAME --query appId --output tsv)
|
|
|
|
# Output used when creating Kubernetes secret.
|
|
echo "Service principal ID: $CLIENT_ID"
|
|
echo "Service principal password: $SP_PASSWD"
|
|
|
|
#connect to the aks environment
|
|
az aks get-credentials --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME
|
|
|
|
ACR_HTTPS_LOGIN_SERVER="https://$ACR_LOGIN_SERVER"
|
|
|
|
### get password from ACR
|
|
DOCKER_PASSWORD=$(az acr credential show -n $ACR_NAME --query passwords[0].value -o tsv)
|
|
kubectl create secret docker-registry acrconnection --docker-server=$ACR_HTTPS_LOGIN_SERVER --docker-username=$DOCKER_USERNAME --docker-password=$DOCKER_PASSWORD --docker-email=$DOCKER_EMAIL
|
|
|
|
az acr login --name $ACR_NAME
|
|
|
|
echo "Completed AKS Setup"
|
|
date
|
|
#######################
|
|
# Post the following JSON payload to the endpoint, sending a valid Basic Access Token
|
|
# https://dev.azure.com/{organization}/{project}/_apis/serviceendpoint/endpoints?api-version=5.1-preview.2
|
|
|
|
{
|
|
"authorization": {
|
|
"scheme": "ServicePrincipal",
|
|
"parameters": {
|
|
"loginServer": "<ACRSERVER>.azurecr.io",
|
|
"servicePrincipalId": "<APPLICATIONid OF SPN>",
|
|
"tenantId": "<TENANTID>",
|
|
"serviceprincipalkey": "<SPN kEY>"
|
|
}
|
|
},
|
|
"description": "",
|
|
"name": "Name of Connection",
|
|
"type": "dockerregistry",
|
|
"url": "https://<ACRSERVER>.azurecr.io",
|
|
"isShared": false,
|
|
"owner": "library",
|
|
"data": {
|
|
"registryId": "/subscriptions/<SUBSCRIPTIONID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.ContainerRegistry/registries/<ACRSERVER>",
|
|
"registrytype": "ACR",
|
|
"spnObjectId": "",
|
|
"subscriptionId": "<SUBSCRIPTIONID>",
|
|
"subscriptionName": "<SUBSCRIPTIONNAME>"
|
|
}
|
|
}
|