Skip to content
This repository was archived by the owner on Dec 6, 2024. It is now read-only.

Cbellee patch 1 #287

Open
cbellee wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Cbellee patch 1 #287

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
95cf6d0
added code to create deterministic hash of resource group id
cbellee Jun 18, 2024
fdd27f5
added code to create deterministic hash of resource group id
cbellee Jun 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
88 changes: 47 additions & 41 deletions content/containers/azure-kubernetes-service/aks-networking/assets/12-acr-private-ep.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,44 +4,52 @@

LOCATION='australiaeast'
RG_NAME='12-acr-cluster-rg'
ACR_NAME=<redacted>

# create resource group
az group create -n $RG_NAME --location $LOCATION

# create unique string from resource group fqdn
AFFIX=$(az group show -n $RG_NAME --query id | md5sum | head -c 10; echo)
VNET_NAME="$AFFIX-vnet"
ACR_NAME="acr$AFFIX"
CLUSTER_NAME="acr-cluster-$AFFIX"

# creatwe vnet & subnets
az network vnet create \
-g $RG_NAME \
-n 'acr-vnet' \
--resource-group $RG_NAME \
-n $VNET_NAME \
--address-prefixes '192.168.0.0/16' \
--subnet-name 'pe-subnet' \
--subnet-prefix '192.168.1.0/24'

SUBNET_ID=$(az network vnet subnet show \
-g $RG_NAME \
--vnet-name 'acr-vnet' \
--resource-group $RG_NAME \
--vnet-name $VNET_NAME \
-n 'pe-subnet' \
--query id -o tsv)

az network vnet subnet update \
--name 'pe-subnet' \
--vnet-name 'acr-vnet' \
--vnet-name $VNET_NAME \
--resource-group $RG_NAME \
--disable-private-endpoint-network-policies

az network vnet subnet create \
-g $RG_NAME \
--vnet-name 'acr-vnet' \
-n 'aks-subnet' \
--resource-group $RG_NAME \
--vnet-name $VNET_NAME \
--name 'aks-subnet' \
--address-prefixes 192.168.2.0/24

AKS_SUBNET_ID=$(az network vnet subnet show \
-g $RG_NAME \
--vnet-name 'acr-vnet' \
-n 'aks-subnet' \
--query id -o tsv)
--resource-group $RG_NAME \
--vnet-name $VNET_NAME \
--name 'aks-subnet' \
--query id -o tsv)

# create ACR
az acr create -n $ACR_NAME -g $RG_NAME --sku premium
az acr create --name $ACR_NAME --resource-group $RG_NAME --sku premium

# create private DNS zone & link it to the vnet
az network private-dns zone create \
--resource-group $RG_NAME \
--name "privatelink.azurecr.io"
Expand All @@ -50,34 +58,35 @@ az network private-dns link vnet create \
--resource-group $RG_NAME \
--zone-name "privatelink.azurecr.io" \
--name 'acr-dns-link' \
--virtual-network 'acr-vnet' \
--virtual-network $VNET_NAME \
--registration-enabled false

REGISTRY_ID=$(az acr show -n $ACR_NAME -g $RG_NAME --query 'id' --output tsv)
# create private endpoint for ACR & required DNS records
REGISTRY_ID=$(az acr show -n $ACR_NAME --resource-group $RG_NAME --query 'id' --output tsv)

az network private-endpoint create \
--name 'acr-pe' \
--resource-group $RG_NAME \
--vnet-name 'acr-vnet' \
--subnet 'pe-subnet' \
--private-connection-resource-id $REGISTRY_ID \
--group-ids registry \
--connection-name 'acr-pe-cxn'
--name "acr-pe-$AFFIX" \
--resource-group $RG_NAME \
--vnet-name $VNET_NAME \
--subnet 'pe-subnet' \
--private-connection-resource-id $REGISTRY_ID \
--group-ids registry \
--connection-name "acr-pe-cxn-$AFFIX"

NETWORK_INTERFACE_ID=$(az network private-endpoint show \
--name 'acr-pe' \
--name "acr-pe-$AFFIX" \
--resource-group $RG_NAME \
--query 'networkInterfaces[0].id' \
--output tsv)

REGISTRY_PRIVATE_IP=$(az network nic show \
--ids $NETWORK_INTERFACE_ID \
--query "ipConfigurations[?privateLinkConnectionProperties.requiredMemberName=='registry'].privateIpAddress" \
--query "ipConfigurations[?privateLinkConnectionProperties.requiredMemberName=='registry'].privateIPAddress" \
--output tsv)

DATA_ENDPOINT_PRIVATE_IP=$(az network nic show \
--ids $NETWORK_INTERFACE_ID \
--query "ipConfigurations[?privateLinkConnectionProperties.requiredMemberName=='registry_data_$LOCATION'].privateIpAddress" \
--query "ipConfigurations[?privateLinkConnectionProperties.requiredMemberName=='registry_data_$LOCATION'].privateIPAddress" \
--output tsv)

# An FQDN is associated with each IP address in the IP configurations
Expand All @@ -96,7 +105,6 @@ az network private-dns record-set a create \
--zone-name privatelink.azurecr.io \
--resource-group $RG_NAME

# Specify registry region in data endpoint name
az network private-dns record-set a create \
--name ${ACR_NAME}.${LOCATION}.data \
--zone-name privatelink.azurecr.io \
Expand All @@ -108,38 +116,36 @@ az network private-dns record-set a add-record \
--resource-group $RG_NAME \
--ipv4-address $REGISTRY_PRIVATE_IP

# Specify registry region in data endpoint name
az network private-dns record-set a add-record \
--record-set-name ${ACR_NAME}.${LOCATION}.data \
--zone-name privatelink.azurecr.io \
--resource-group $RG_NAME \
--ipv4-address $DATA_ENDPOINT_PRIVATE_IP

az aks create -n 'acr-cluster' \
# create AKS cluster
az aks create -n $CLUSTER_NAME \
--vnet-subnet-id $AKS_SUBNET_ID \
--node-count 1 \
--network-plugin azure \
-g $RG_NAME \
--resource-group $RG_NAME \
--generate-ssh-keys \
--attach-acr $ACR_NAME

az aks update -n 'acr-cluster' -g $RG_NAME --attach-acr $ACR_NAME

# get kube config
az aks get-credentials -g $RG_NAME -n 'acr-cluster' --admin --context '12-acr-cluster'
kubectl config use-context '12-acr-cluster-admin'
# add ACR auth to cluster
az aks update --name $CLUSTER_NAME --resource-group $RG_NAME --attach-acr $ACR_NAME

# import container image from Dockerhub
az acr import -n $ACR_NAME --source docker.io/stefanprodan/podinfo:latest -t podinfo:latest

# get kube config
az aks get-credentials --resource-group $RG_NAME --name $CLUSTER_NAME --admin --context '12-acr-cluster'
kubectl config use-context '12-acr-cluster-admin'

# start container
kubectl run podinfo <redacted>
kubectl run podinfo --image=$ACR_NAME.azurecr.io/podinfo:latest
kubectl get pod

az aks show --resource-group $RG_NAME \
--name 'acr-cluster' \
--name $CLUSTER_NAME \
--query servicePrincipalProfile.clientId \
--output tsv

az acr update --name $ACR_NAME --anonymous-pull-enabled

kubectl run -it testpod --image=mcr.microsoft.com/dotnet/runtime-deps:6.0