diff --git a/content/containers/azure-kubernetes-service/aks-networking/assets/12-acr-private-ep.sh b/content/containers/azure-kubernetes-service/aks-networking/assets/12-acr-private-ep.sh index 1db2b393..32d57d37 100644 --- a/content/containers/azure-kubernetes-service/aks-networking/assets/12-acr-private-ep.sh +++ b/content/containers/azure-kubernetes-service/aks-networking/assets/12-acr-private-ep.sh @@ -4,44 +4,52 @@ LOCATION='australiaeast' RG_NAME='12-acr-cluster-rg' -ACR_NAME= +# create resource group az group create -n $RG_NAME --location $LOCATION +# create unique string from resource group fqdn +AFFIX=$(az group show -n $RG_NAME --query id | md5sum | head -c 10; echo) +VNET_NAME="$AFFIX-vnet" +ACR_NAME="acr$AFFIX" +CLUSTER_NAME="acr-cluster-$AFFIX" + +# creatwe vnet & subnets az network vnet create \ - -g $RG_NAME \ - -n 'acr-vnet' \ + --resource-group $RG_NAME \ + -n $VNET_NAME \ --address-prefixes '192.168.0.0/16' \ --subnet-name 'pe-subnet' \ --subnet-prefix '192.168.1.0/24' SUBNET_ID=$(az network vnet subnet show \ - -g $RG_NAME \ - --vnet-name 'acr-vnet' \ + --resource-group $RG_NAME \ + --vnet-name $VNET_NAME \ -n 'pe-subnet' \ --query id -o tsv) az network vnet subnet update \ --name 'pe-subnet' \ - --vnet-name 'acr-vnet' \ + --vnet-name $VNET_NAME \ --resource-group $RG_NAME \ --disable-private-endpoint-network-policies az network vnet subnet create \ - -g $RG_NAME \ - --vnet-name 'acr-vnet' \ - -n 'aks-subnet' \ + --resource-group $RG_NAME \ + --vnet-name $VNET_NAME \ + --name 'aks-subnet' \ --address-prefixes 192.168.2.0/24 AKS_SUBNET_ID=$(az network vnet subnet show \ - -g $RG_NAME \ - --vnet-name 'acr-vnet' \ - -n 'aks-subnet' \ - --query id -o tsv) + --resource-group $RG_NAME \ + --vnet-name $VNET_NAME \ + --name 'aks-subnet' \ + --query id -o tsv) # create ACR -az acr create -n $ACR_NAME -g $RG_NAME --sku premium +az acr create --name $ACR_NAME --resource-group $RG_NAME --sku premium +# create private DNS zone & link it to the vnet az network private-dns zone create \ --resource-group $RG_NAME \ --name "privatelink.azurecr.io" @@ -50,34 +58,35 @@ az network private-dns link vnet create \ --resource-group $RG_NAME \ --zone-name "privatelink.azurecr.io" \ --name 'acr-dns-link' \ - --virtual-network 'acr-vnet' \ + --virtual-network $VNET_NAME \ --registration-enabled false -REGISTRY_ID=$(az acr show -n $ACR_NAME -g $RG_NAME --query 'id' --output tsv) +# create private endpoint for ACR & required DNS records +REGISTRY_ID=$(az acr show -n $ACR_NAME --resource-group $RG_NAME --query 'id' --output tsv) az network private-endpoint create \ - --name 'acr-pe' \ - --resource-group $RG_NAME \ - --vnet-name 'acr-vnet' \ - --subnet 'pe-subnet' \ - --private-connection-resource-id $REGISTRY_ID \ - --group-ids registry \ - --connection-name 'acr-pe-cxn' + --name "acr-pe-$AFFIX" \ + --resource-group $RG_NAME \ + --vnet-name $VNET_NAME \ + --subnet 'pe-subnet' \ + --private-connection-resource-id $REGISTRY_ID \ + --group-ids registry \ + --connection-name "acr-pe-cxn-$AFFIX" NETWORK_INTERFACE_ID=$(az network private-endpoint show \ - --name 'acr-pe' \ + --name "acr-pe-$AFFIX" \ --resource-group $RG_NAME \ --query 'networkInterfaces[0].id' \ --output tsv) REGISTRY_PRIVATE_IP=$(az network nic show \ --ids $NETWORK_INTERFACE_ID \ - --query "ipConfigurations[?privateLinkConnectionProperties.requiredMemberName=='registry'].privateIpAddress" \ + --query "ipConfigurations[?privateLinkConnectionProperties.requiredMemberName=='registry'].privateIPAddress" \ --output tsv) DATA_ENDPOINT_PRIVATE_IP=$(az network nic show \ --ids $NETWORK_INTERFACE_ID \ - --query "ipConfigurations[?privateLinkConnectionProperties.requiredMemberName=='registry_data_$LOCATION'].privateIpAddress" \ + --query "ipConfigurations[?privateLinkConnectionProperties.requiredMemberName=='registry_data_$LOCATION'].privateIPAddress" \ --output tsv) # An FQDN is associated with each IP address in the IP configurations @@ -96,7 +105,6 @@ az network private-dns record-set a create \ --zone-name privatelink.azurecr.io \ --resource-group $RG_NAME -# Specify registry region in data endpoint name az network private-dns record-set a create \ --name ${ACR_NAME}.${LOCATION}.data \ --zone-name privatelink.azurecr.io \ @@ -108,38 +116,36 @@ az network private-dns record-set a add-record \ --resource-group $RG_NAME \ --ipv4-address $REGISTRY_PRIVATE_IP -# Specify registry region in data endpoint name az network private-dns record-set a add-record \ --record-set-name ${ACR_NAME}.${LOCATION}.data \ --zone-name privatelink.azurecr.io \ --resource-group $RG_NAME \ --ipv4-address $DATA_ENDPOINT_PRIVATE_IP -az aks create -n 'acr-cluster' \ +# create AKS cluster +az aks create -n $CLUSTER_NAME \ --vnet-subnet-id $AKS_SUBNET_ID \ --node-count 1 \ --network-plugin azure \ - -g $RG_NAME \ + --resource-group $RG_NAME \ --generate-ssh-keys \ --attach-acr $ACR_NAME -az aks update -n 'acr-cluster' -g $RG_NAME --attach-acr $ACR_NAME - -# get kube config -az aks get-credentials -g $RG_NAME -n 'acr-cluster' --admin --context '12-acr-cluster' -kubectl config use-context '12-acr-cluster-admin' +# add ACR auth to cluster +az aks update --name $CLUSTER_NAME --resource-group $RG_NAME --attach-acr $ACR_NAME # import container image from Dockerhub az acr import -n $ACR_NAME --source docker.io/stefanprodan/podinfo:latest -t podinfo:latest +# get kube config +az aks get-credentials --resource-group $RG_NAME --name $CLUSTER_NAME --admin --context '12-acr-cluster' +kubectl config use-context '12-acr-cluster-admin' + # start container -kubectl run podinfo +kubectl run podinfo --image=$ACR_NAME.azurecr.io/podinfo:latest +kubectl get pod az aks show --resource-group $RG_NAME \ - --name 'acr-cluster' \ + --name $CLUSTER_NAME \ --query servicePrincipalProfile.clientId \ --output tsv - -az acr update --name $ACR_NAME --anonymous-pull-enabled - -kubectl run -it testpod --image=mcr.microsoft.com/dotnet/runtime-deps:6.0