Let's do it without logMonitor

PoshCode · Sep 30, 2023 · e2f97a0 · e2f97a0
1 parent f1c8351
commit e2f97a0
Show file tree

Hide file tree

Showing 27 changed files with 1,491 additions and 78 deletions.
diff --git a/Initialize-Azure.ps1 b/Initialize-Azure.ps1
@@ -28,7 +28,7 @@ param(
 # "CiliumDataplanePreview" is not working as far as I can tell
 Get-AzProviderFeature -ProviderNamespace Microsoft.ContainerService -OutVariable enabledFeatures
 foreach ($feature in "AKS-KedaPreview", "AKSNetworkModePreview", "AzureOverlayPreview",
-    "EnableBlobCSIDriver", "EnableNetworkPolicy", "EnableWorkloadIdentityPreview",
+    "EnableBlobCSIDriver", "EnableNetworkPolicy", "EnableWorkloadIdentityPreview", "NRGLockdownPreview",
     "NodeOSUpgradeChannelPreview", "IPBasedLoadBalancerPreview") {
     if ($enabledFeatures.Name -notcontains $feature ) {
         Register-AzProviderFeature -FeatureName $feature -ProviderNamespace Microsoft.ContainerService
@@ -38,7 +38,7 @@ foreach ($feature in "AKS-KedaPreview", "AKSNetworkModePreview", "AzureOverlayPr
 Get-AzProviderFeature -ProviderNamespace Microsoft.KubernetesConfiguration -OutVariable enabledFeatures
 foreach ($feature in "FluxConfigurations") {
     if ($enabledFeatures.Name -notcontains $feature ) {
-        Register-AzProviderFeature -FeatureName $feature -ProviderNamespace Microsoft.ContainerService
+        Register-AzProviderFeature -FeatureName $feature -ProviderNamespace Microsoft.KubernetesConfiguration
     }
 }
 
@@ -69,7 +69,7 @@ gh secret set --repo https://github.com/$repo AZURE_RG -b $resourceGroupName
 # gh secret set --repo https://github.com/$repo USER_OBJECT_ID -b $spId
 
 # This stuff doesn't HAVE to be done...
-$admins = (Get-AzADGroup -Filter "DisplayName eq 'AksAdmins'") ??
+$admins   = (Get-AzADGroup -Filter "DisplayName eq 'AksAdmins'") ??
             (New-AzADGroup -DisplayName AksAdmins -MailNickname AksAdmins -Description "Kubernetes Admins")
 
 gh secret set --repo https://github.com/$repo ADMIN_GROUP_ID -b $admins.Id
diff --git a/apps/podinfo/deployment.yaml b/apps/podinfo/deployment.yaml
@@ -1,5 +1,5 @@
-apiVersion: apps/v1
 kind: Deployment
+apiVersion: apps/v1
 metadata:
   name: podinfo
 spec:

diff --git a/apps/podinfo/hpa.yaml b/apps/podinfo/hpa.yaml
@@ -1,5 +1,5 @@
-apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
+apiVersion: autoscaling/v2
 metadata:
   name: podinfo
 spec:

diff --git a/apps/podinfo/ingress.yaml b/apps/podinfo/ingress.yaml
@@ -15,8 +15,8 @@
 #               number: 9000
 #         pathType: Prefix
 # ---
-kind: Ingress
 apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
   name: podinfo
   namespace: podinfo
@@ -33,18 +33,18 @@ spec:
             name: podinfo
             port:
               name: http
----
-kind: IngressBackend
-apiVersion: policy.openservicemesh.io/v1alpha1
-metadata:
-  name: podinfo
-  namespace: podinfo
-spec:
-  backends:
-  - name: podinfo
-    port:
-      number: 80 # targetPort of podinfo service
-      protocol: http
-  sources:
-  - kind: IPRange
-    name: 10.0.0.0/8
+# ---
+# kind: IngressBackend
+# apiVersion: policy.openservicemesh.io/v1alpha1
+# metadata:
+#   name: podinfo
+#   namespace: podinfo
+# spec:
+#   backends:
+#   - name: podinfo
+#     port:
+#       number: 80 # targetPort of podinfo service
+#       protocol: http
+#   sources:
+#   - kind: IPRange
+#     name: 10.0.0.0/8
diff --git a/apps/podinfo/kustomization.yaml b/apps/podinfo/kustomization.yaml
@@ -1,5 +1,5 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
 namespace: podinfo
 resources:
   - namespace.yaml

diff --git a/apps/podinfo/namespace.yaml b/apps/podinfo/namespace.yaml
@@ -1,4 +1,4 @@
-apiVersion: v1
 kind: Namespace
+apiVersion: v1
 metadata:
   name: podinfo
diff --git a/apps/podinfo/service.yaml b/apps/podinfo/service.yaml
@@ -1,5 +1,5 @@
-apiVersion: v1
 kind: Service
+apiVersion: v1
 metadata:
   name: podinfo
 spec:

diff --git a/infrastructure/Cluster.bicep b/infrastructure/Cluster.bicep
@@ -43,6 +43,7 @@ param dnsServiceIP string = '10.100.0.10'
 @description('Optional. Pod CIDR for this cluster. Defaults to: 10.192.0.0/16')
 param podCidr string = '10.192.0.0/16'
 
+/*
 @description('The Log Analytics retention period')
 param logRetentionInDays int = 30
 
@@ -56,6 +57,7 @@ param diagnosticCategories array = [
   'kube-audit-admin'
   'guard'
 ]
+*/
 
 @description('Optional. The AKS AutoscaleProfile has complex defaults I expect to change in production.')
 param AutoscaleProfile object = {
@@ -167,6 +169,7 @@ var deploymentName = deployment().name
 //   ]
 // }
 
+// The actual cluster's identity does not need federation
 module uai 'modules/userAssignedIdentity.bicep' = {
   name: '${deploymentName}_uai'
   params: {
@@ -290,6 +293,6 @@ output userAssignedIdentityPrincipalId string = uai.outputs.principalId
 @description('User Assigned Identity Client ID, used for application config (so we can use this identity from code)')
 output userAssignedIdentityClientId string = uai.outputs.clientId
 
-output LogAnalyticsName string = logAnalytics.name
-output LogAnalyticsGuid string = logAnalytics.properties.customerId
-output LogAnalyticsId string = logAnalytics.id
+// output LogAnalyticsName string = logAnalytics.name
+// output LogAnalyticsGuid string = logAnalytics.properties.customerId
+// output LogAnalyticsId string = logAnalytics.id
diff --git a/infrastructure/modules/managedCluster.bicep b/infrastructure/modules/managedCluster.bicep
@@ -255,7 +255,8 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2023-05-02-preview'
     dnsPrefix: baseName
     enablePodSecurityPolicy: false
     enableRBAC: true
-    fqdnSubdomain: baseName
+    // For private clusters? Public clusters use dnsPrefix
+    //fqdnSubdomain: baseName
 
     kubernetesVersion: kubernetesVersion
     linuxProfile: {

diff --git a/infrastructure/modules/users.bicep b/infrastructure/modules/users.bicep
@@ -1,8 +1,14 @@
 // ATTENTION PERSON WHO COPIES THIS IN THE FUTURE:
-// baseName MUST be hard-coded here (change "Required" to "Optional" and uncomment the deffinition)
-// baseName MUST also match the name of your app in Kubernetes (do not leave it as an empty string!)
-@description('Required. The base name')
-param baseName string // = ''
+// namespace MUST be hard-coded here (change "Required" to "Optional" and uncomment the deffinition)
+// namespace MUST match the namespace of your app in Kubernetes (do not leave it as an empty string!)
+@description('Required. The kubernetes namespace for your user')
+param namespace string // = ''
+
+@description('Required. The name of the service account. E.g. namespace-workload-identity')
+param serviceAccountName string = '${namespace}-workload-identity'
+
+@description('Required. The OpenID Connect Issuerl URL. E.g. aks.oidcIssuerUrl')
+param oidcIssuerUrl string
 
 // 63 is our max deployment name, and the longest name in our sub-deployments is 12 characters, 63-12 = 51
 @description('Optional. Provide unique deployment name prefix for the module references. Defaults to take(deploymentName().name, 51)')
@@ -15,30 +21,15 @@ param location string = resourceGroup().location
 @description('Optional. Override default tagging with your own tags. Defaults to resourceGroup().tags')
 param tags object = resourceGroup().tags
 
-module names 'br/lookups:names:7' = {
-  name: '${deploymentNamePrefix}__names'
-  params: {
-    baseName: baseName
-    location: location
-  }
-}
-
-module cluster 'br/lookups:akscluster:1' = {
-  name: '${deploymentNamePrefix}__cluster'
-  params: {
-    location: location
-  }
-}
-
-module uai 'br/resources:userassignedidentity:2.1.0' = {
+module uai 'userAssignedIdentity.bicep' = {
   name: '${deploymentNamePrefix}_uai'
   params: {
-    name: names.outputs.userAssignedIdentityName
+    baseName: '${namespace}-${serviceAccountName}'
     location: location
     tags: tags
     // This is the part that makes it work with AKS -- but the right-hand-side value must be YOUR workload identity
     azureADTokenExchangeFederatedIdentityCredentials: {
-      '${cluster.outputs.oidcIssuerUrl}': 'system:serviceaccount:${baseName}:${baseName}-workload-identity'
+      '${oidcIssuerUrl}': 'system:serviceaccount:${namespace}:${serviceAccountName}'
     }
   }
 }
@@ -70,14 +61,14 @@ module keyvault_kubelet_iam 'br/resources:resourceroleassignment:1.0.2' = {
 // */
 
 @description('The ResourceId is sometimes used for deployment scripts')
-output userAssignedResourceId string = uai.outputs.userAssignedResourceID
+output userAssignedResourceId string = uai.outputs.id
 
 @description('The PrincipalId is used for Azure Resource Role Assignements')
-output userAssignedIdentityPrincipalId string = uai.outputs.userAssignedIdentityPrincipalId
+output userAssignedIdentityPrincipalId string = uai.outputs.principalId
 
 @description('''User Assigned Client ID, put this in your patch-ServiceAccount.yaml:
 metadata:
-  name: ${app_name}-workload-identity
+  name: serviceAccountName
   annotations:
     azure.workload.identity/client-id: HERE''')
-output userAssignedIdentityClientId string = uai.outputs.userAssignedIdentityClientId
+output userAssignedIdentityClientId string = uai.outputs.clientId
diff --git a/system/services/contour/kustomization.yaml b/system/services/contour/kustomization.yaml
diff --git a/system/services/traefik/kustomization.yaml b/system/services/traefik/kustomization.yaml
@@ -0,0 +1,18 @@
+resources:
+  - namespace.yaml
+  - repository.yaml
+  #- mesh-release.yaml
+  - traefik-release.yaml
+
+configMapGenerator:
+  - name: mesh-values
+    namespace: flux-system
+    files:
+      - values.yaml=traefik-mesh-4.1.1-values.yaml
+  - name: traefik-values
+    namespace: flux-system
+    files:
+      - values.yaml=traefik-24.0.0-values.yaml
+
+configurations:
+  - valuesfrom.yaml
diff --git a/system/services/contour/helm-release.yaml → system/services/traefik/mesh-release.yaml b/system/services/contour/helm-release.yaml → system/services/traefik/mesh-release.yaml
@@ -1,20 +1,19 @@
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
-  name: contour
+  name: traefik-mesh
   namespace: flux-system
 spec:
   interval: 30m
   timeout: 5m
-  releaseName: contour
-  targetNamespace: contour
+  targetNamespace: ingress
   chart:
     spec:
-      chart: contour
-      version: "13.1.x"
+      chart: traefik-mesh
+      version: "4.x"
       sourceRef:
         kind: HelmRepository
-        name: bitnami
+        name: traefik
         namespace: flux-system
       interval: 12h
   install:
@@ -27,4 +26,4 @@ spec:
     timeout: 5m
   valuesFrom:
   - kind: ConfigMap
-    name: contour-values
+    name: mesh-values
diff --git a/system/services/contour/namespace.yaml → system/services/traefik/namespace.yaml b/system/services/contour/namespace.yaml → system/services/traefik/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: contour
+  name: ingress
diff --git a/system/services/traefik/repository.yaml b/system/services/traefik/repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: traefik
+  namespace: flux-system
+spec:
+  interval: 24h
+  url: https://traefik.github.io/charts