AKS

Note: unless marked otherwise, all commands below are written for Windows PowerShell (multi-line commands use the backtick continuation; the two blocks marked bash are the exception).

Prerequisites

  1. install az (azure-cli)
  2. az login -> copy the device code, open the login URL in a local browser and paste the code in
  3. install the AKS CLI (kubectl)
# Install Azure AKS CLI
az aks install-cli
  4. create the AKS cluster, node pool, VNet, … (manually, in the portal)
  5. configure cluster credentials (kube config)
# Configure Cluster Creds (kube config)
az aks get-credentials --resource-group petlover-AKS --name Petlover-Prod
  6. faster typing in PowerShell: alias kubectl to k (see link below)

[Set Alias for Kubectl](https://www.techtarget.com/searchitoperations/tutorial/Manage-Kubernetes-clusters-with-PowerShell-and-kubectl)
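The prerequisite steps above, as one PowerShell session bootstrap. This is an added example, not part of the original notes: the resource group and cluster name are the ones used above, and the final check assumes the default kubeconfig context name that az aks get-credentials writes (the cluster name). The point of the script is the two guards a practitioner wants before typing anything else: which subscription is active, and which cluster the kubectl context points at.

```powershell
# Added example (not from the original notes): one-time session bootstrap for the cluster.
# Names are taken from the notes above; the context-name check assumes the default
# kubeconfig context name that az aks get-credentials writes (the cluster name).
$ResourceGroup = 'petlover-AKS'
$ClusterName   = 'Petlover-Prod'

# 1. Make sure we are logged in, and show which subscription is active before touching anything.
$account = az account show -o json 2>$null | ConvertFrom-Json
if (-not $account) {
    az login | Out-Null
    $account = az account show -o json | ConvertFrom-Json
}
Write-Host "Active subscription: $($account.name) ($($account.id))"

# 2. Fetch user credentials. Do NOT add --admin here: that returns a cluster-admin kubeconfig that
#    bypasses Azure AD / Kubernetes RBAC and cannot be revoked per person, so keep it for break-glass only.
az aks get-credentials --resource-group $ResourceGroup --name $ClusterName --overwrite-existing

# 3. Alias k -> kubectl and enable tab completion. Put these two lines in $PROFILE to make them permanent.
Set-Alias -Name k -Value kubectl
kubectl completion powershell | Out-String | Invoke-Expression

# 4. Guard against running commands against the wrong cluster: fail loudly if the context is not ours.
$ctx = kubectl config current-context
if ($ctx -ne $ClusterName) {
    throw "kubectl context is '$ctx', expected '$ClusterName'; run 'kubectl config use-context $ClusterName'"
}
k get nodes -o wide
```

Run it once per shell (or source it from $PROFILE); the throw in step 4 is deliberate so that a stale context from another cluster stops the session instead of silently receiving the commands that follow.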

Ingress Nginx Load Balancer Controller

  1. create a static IP address
# Get the node resource group of the AKS cluster (the MC_... group where the load balancer and its public IP must live)
az aks show --resource-group petlover-AKS --name Petlover-Prod --query nodeResourceGroup -o tsv

# record resource group name: MC_petlover-AKS_Petlover-Prod_eastus

# TEMPLATE - Create a public IP address with the static allocation (Standard SKU, as required by the AKS standard load balancer)
az network public-ip create --resource-group MC_petlover-AKS_Petlover-Prod_eastus `
                            --name myAKSPublicIPForIngress `
                            --sku Standard `
                            --allocation-method static `
                            --query publicIp.ipAddress `
                            -o tsv

# record public IP address
  2. install helm (in PowerShell) ⇒ it also needs to be installed on the Jenkins server

run PowerShell as admin → choco install kubernetes-helm

  3. add the official ingress-nginx Helm repo
# Create a namespace for your ingress resources
kubectl create namespace ingress-basic

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

# Inspect the chart's default values before installing (override them with --set or a values file)
helm show values ingress-nginx/ingress-nginx

# Use Helm to deploy an NGINX ingress controller
helm install ingress-nginx ingress-nginx/ingress-nginx `
    --namespace ingress-basic `
    --set controller.replicaCount=2 `
    --set controller.nodeSelector."kubernetes\.io/os"=linux `
    --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux `
    --set controller.service.externalTrafficPolicy=Local `
    --set controller.service.loadBalancerIP="20.124.104.64"
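The three ingress steps above as one script, added here as an example and not part of the original notes. It looks up the node resource group and captures the reserved IP into a variable instead of pasting the address into the helm command, pins the chart version, and verifies that the Service actually received the reserved address. Resource group, cluster, IP name and namespace are the ones used above; the chart version 4.4.0 is an assumption (pin whichever version you validated).

```powershell
# Added example (not from the original notes). Assumptions: resource group petlover-AKS, cluster Petlover-Prod,
# IP name myAKSPublicIPForIngress and namespace ingress-basic are from the notes; the chart version 4.4.0 is an
# assumption (pin the version you actually validated instead of floating on latest).
$ResourceGroup = 'petlover-AKS'
$ClusterName   = 'Petlover-Prod'
$IpName        = 'myAKSPublicIPForIngress'
$Namespace     = 'ingress-basic'
$ChartVersion  = '4.4.0'

# The load balancer and its IP must live in the node resource group (MC_...): look it up instead of hardcoding it.
$NodeRg = az aks show --resource-group $ResourceGroup --name $ClusterName --query nodeResourceGroup -o tsv
if (-not $NodeRg) { throw "Cluster $ClusterName not found in $ResourceGroup" }

# Reserve a Standard-SKU static IP (Standard is required by the AKS standard load balancer) and capture the address,
# so the helm command below never carries a pasted IP literal.
$IngressIp = az network public-ip create --resource-group $NodeRg --name $IpName `
    --sku Standard --allocation-method static --query publicIp.ipAddress -o tsv
if (-not $IngressIp) { throw "Could not create public IP $IpName in $NodeRg" }
Write-Host "Ingress IP: $IngressIp"

# Idempotent namespace creation and repo setup.
kubectl create namespace $Namespace --dry-run=client -o yaml | kubectl apply -f -
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

# externalTrafficPolicy=Local preserves the real client IP (needed for allow-lists and honest access logs);
# the trade-off is that only nodes hosting a controller pod pass the LB health probe, hence two replicas.
helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx `
    --namespace $Namespace `
    --version $ChartVersion `
    --set controller.replicaCount=2 `
    --set controller.nodeSelector."kubernetes\.io/os"=linux `
    --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux `
    --set controller.service.externalTrafficPolicy=Local `
    --set controller.service.loadBalancerIP=$IngressIp

# Verify the Service really got the reserved address. EXTERNAL-IP stays <pending> when the IP sits in another
# resource group (then the service.beta.kubernetes.io/azure-load-balancer-resource-group annotation is needed)
# or has the wrong SKU.
$svcIp = $null
foreach ($attempt in 1..24) {
    $svcIp = kubectl get service ingress-nginx-controller --namespace $Namespace -o "jsonpath={.status.loadBalancer.ingress[0].ip}"
    if ($svcIp) { break }
    Start-Sleep -Seconds 5
}
if ($svcIp -ne $IngressIp) {
    throw "Service has EXTERNAL-IP '$svcIp', expected '$IngressIp'; see: kubectl describe service ingress-nginx-controller -n $Namespace"
}
Write-Host "ingress-nginx is reachable on $IngressIp"
```

helm upgrade --install is used instead of helm install so the script can be re-run after changing a value; the polling loop gives the Azure load balancer about two minutes to program the frontend before the mismatch check fires.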

External DNS - By Managed Service Identity (MSI)

  1. get the tenant ID and subscription ID
# To get Azure Tenant ID
az account show --query "tenantId"
# To get Azure Subscription ID
az account show --query "id"
  2. Create MSI - Managed Service Identity for ExternalDNS to access Azure DNS Zones

record the user-assigned identity's client ID (it becomes userAssignedIdentityID below):

  3. create the azure.json file

    {
      "tenantId": "b985d900-a4c4-4ea6-9e09-8d1167bac273",
      "subscriptionId": "c4c2e681-0156-457e-b1f2-88020d2efe5c",
      "resourceGroup": "petlover-AKS",
      "useManagedIdentityExtension": true,
      "userAssignedIdentityID": "cc69d3df-0680-4e72-9a58-33bc57b09587"
    }
    
  4. associate the MSI with the AKS cluster's VMSS (node pool)

  5. create the Kubernetes secret and deploy ExternalDNS

kubectl create secret generic azure-config-file --from-file=azure.json

kubectl apply -f external-dns.yaml
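The notes reference an external-dns.yaml without showing it. The manifest below is an added example and not the notes' own file: it assumes the azure-config-file secret from the step above lives in the default namespace, that the DNS zone is example.com in resource group petlover-AKS (matching the resourceGroup in the azure.json above), and an image tag of v0.13.5; all three are assumptions. The identity itself needs DNS Zone Contributor on the zone (plus Reader on the zone's resource group), and --domain-filter limits what the controller will touch even if the identity can see more zones.

```yaml
# Added example, not the notes' own external-dns.yaml. Assumptions: secret azure-config-file in the
# default namespace, DNS zone example.com in resource group petlover-AKS, image tag v0.13.5.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns
rules:
# Read-only: ExternalDNS only needs to watch the objects it derives records from.
- apiGroups: [""]
  resources: ["services", "endpoints", "pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  namespace: default
spec:
  strategy:
    type: Recreate            # never run two copies that fight over the same zone
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        image: registry.k8s.io/external-dns/external-dns:v0.13.5   # assumed tag
        args:
        - --source=service
        - --source=ingress
        - --domain-filter=example.com            # assumed zone: only this zone is ever modified
        - --provider=azure
        - --azure-resource-group=petlover-AKS    # resource group that holds the DNS zone
        - --registry=txt
        - --txt-owner-id=petlover-prod           # TXT marker so this cluster only manages its own records
        - --txt-prefix=externaldns-
        - --policy=upsert-only                   # create/update only, never delete; switch to sync once trusted
        securityContext:
          runAsNonRoot: true
          runAsUser: 65532
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        volumeMounts:
        - name: azure-config-file
          mountPath: /etc/kubernetes
          readOnly: true
      volumes:
      - name: azure-config-file
        secret:
          secretName: azure-config-file
```

The azure.json mounted here carries no secret when useManagedIdentityExtension is true, only tenant, subscription and client IDs; the credential that matters is the identity attached to the VMSS in step 4, so removing it from the VMSS is how access is revoked. Check the controller with kubectl logs deploy/external-dns and confirm the TXT ownership records appear in the zone before switching --policy to sync.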

Ingress - SSL

  • Label the ingress-basic namespace to disable resource validation

    kubectl label namespace ingress-basic cert-manager.io/disable-validation=true
    
  • Add the Jetstack Helm repository

    helm repo add jetstack https://charts.jetstack.io
    
  • Update your local Helm chart repository cache

    helm repo update

  • Install the cert-manager Helm chart

    helm install cert-manager jetstack/cert-manager `
        --namespace ingress-basic `
        --version v1.8.2 `
        --set installCRDs=true
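Installing cert-manager alone issues nothing; a ClusterIssuer and a TLS-enabled Ingress are what actually produce a certificate. The manifest below is an added example, not part of the original notes: the contact e-mail, the hostname api.example.com, the backend Service petlover-back on port 80 and the secret names are assumptions. The http01 solver works with the ingress-nginx controller installed above because the ACME challenge is routed through the same nginx class.

```yaml
# Added example, not from the original notes. Assumptions: e-mail, hostname, backend Service name/port
# and secret names are placeholders to replace.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Use https://acme-staging-v02.api.letsencrypt.org/directory while testing; production has strict rate limits.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                      # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key        # ACME account key, created by cert-manager
    solvers:
    - http01:
        ingress:
          class: nginx                          # must match the ingress-nginx controller above
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: petlover-back
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"   # no plaintext fallback once the cert exists
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - api.example.com                           # assumed hostname; ExternalDNS publishes the A record for it
    secretName: petlover-back-tls               # cert-manager fills this Secret with the issued cert + key
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: petlover-back                 # assumed backend Service
            port:
              number: 80
```

After applying, watch kubectl get certificate -A until READY is True; if it stays False, kubectl describe order and kubectl describe challenge show whether the http01 challenge path is reachable from the internet on port 80 (it must be, which is why ssl-redirect is safe only because ingress-nginx exempts the /.well-known/acme-challenge/ path used by the solver).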
    

ACR Connection - By Service Principal

  1. create the ACR
  2. access keys → enable admin user
  3. log in to the ACR with this username and password and push the images (the admin user is a single shared push/pull credential, so use it only for this manual push; the cluster gets its own pull-only principal below)
# Export variables (bash)
export ACR_REGISTRY=acrdemo2ss.azurecr.io
export ACR_NAMESPACE=app2
export ACR_IMAGE_NAME=acr-app2
export ACR_IMAGE_TAG=v1
echo $ACR_REGISTRY, $ACR_NAMESPACE, $ACR_IMAGE_NAME, $ACR_IMAGE_TAG

# Login to ACR
docker login $ACR_REGISTRY

# Tag
docker tag acr-app2:v1  $ACR_REGISTRY/$ACR_NAMESPACE/$ACR_IMAGE_NAME:$ACR_IMAGE_TAG
which expands to:
docker tag acr-app2:v1 acrdemo2ss.azurecr.io/app2/acr-app2:v1

# List Docker Images to verify
docker images acr-app2:v1
docker images $ACR_REGISTRY/$ACR_NAMESPACE/$ACR_IMAGE_NAME:$ACR_IMAGE_TAG

# Push Docker Images
docker push $ACR_REGISTRY/$ACR_NAMESPACE/$ACR_IMAGE_NAME:$ACR_IMAGE_TAG
docker tag petlover-back:latest petloverprod.azurecr.io/back/petlover-back:latest
docker push petloverprod.azurecr.io/back/petlover-back:latest
  4. create the service principal (bash script)
#!/bin/bash
# This script requires Azure CLI version 2.25.0 or later. Check version with `az --version`.

# Modify for your environment.
# ACR_NAME: The name of your Azure Container Registry
# SERVICE_PRINCIPAL_NAME: Must be unique within your AD tenant
ACR_NAME=acrdemo2ss
SERVICE_PRINCIPAL_NAME=acr-sp-demo

# Obtain the full registry ID for subsequent command args
ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)

# Create the service principal with rights scoped to the registry.
# Default permissions are for docker pull access. Modify the '--role'
# argument value as desired:
# acrpull:     pull only
# acrpush:     push and pull
# owner:       push, pull, and assign roles
SP_PASSWD=$(az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role acrpull --query password --output tsv)
SP_APP_ID=$(az ad sp list --display-name $SERVICE_PRINCIPAL_NAME --query "[].appId" --output tsv)

# Output the service principal's credentials; use these in your services and
# applications to authenticate to the container registry.
echo "Service principal ID: $SP_APP_ID"
echo "Service principal password: $SP_PASSWD"

Or, the PowerShell equivalent:

$ACR_NAME='petloverprod'
$SERVICE_PRINCIPAL_NAME='acr-petlover-demo'
$ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)

$SP_PASSWD=$(az ad sp create-for-rbac --name http://$SERVICE_PRINCIPAL_NAME --scopes $ACR_REGISTRY_ID --role acrpull --query password --output tsv)

$SP_APP_ID=$(az ad app list --display-name http://$SERVICE_PRINCIPAL_NAME --query [].appId --output tsv)

PS (explanation only, nothing to run here):
az ad sp create-for-rbac --name <service_principal_name> --role Contributor --scopes /subscriptions/<subscription_id>
is roughly equivalent to the three steps below (create the principal, use it for the cluster, assign the role at a scope):
az ad sp create-for-rbac --name myAKSClusterServicePrincipal
az aks create `
    --resource-group myResourceGroup `
    --name myAKSCluster `
    --service-principal <appId> `
    --client-secret <password>
az role assignment create --assignee <appId> --scope <resourceScope> --role Contributor

1. create a service principal (identity)
2. create a resource group and let the cluster use that principal (normally done by Terraform)
3. assign the role to the principal scoped to that resource group; keep the scope as narrow as possible (the resource group or the registry, not the whole subscription as in the one-liner above)
  5. create the image pull secret
kubectl create secret docker-registry <named_secret> `
    --namespace default `
    --docker-server=acrdemo.azurecr.io `
    --docker-username=<$SP_APP_ID> `
    --docker-password=<$SP_PASSWD>
kubectl create secret docker-registry my-secret --namespace default --docker-server=$ACR_NAME.azurecr.io --docker-username=$SP_APP_ID --docker-password=$SP_PASSWD

note: kubectl delete secret my-secret removes the secret again
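Steps 4 and 5 together, as an added PowerShell example that is not part of the original notes. It scopes the service principal to the one registry with the acrpull role and a finite secret lifetime, creates the pull secret, attaches it to the namespace's default service account, and then proves both that the principal can read tags and that a pod can actually pull. The registry name petloverprod and repository back/petlover-back come from the push commands above; the principal name, namespace and secret name are assumptions. (If the cluster has a managed identity, az aks update --attach-acr grants the kubelet identity acrpull and needs no secret at all; the script below is for the service-principal route the notes follow.)

```powershell
# Added example (not from the original notes). Assumptions: registry petloverprod and repository
# back/petlover-back are from the notes; service principal name, namespace and secret name are placeholders.
$AcrName    = 'petloverprod'
$SpName     = 'acr-petlover-pull'
$Namespace  = 'default'
$SecretName = 'acr-pull-secret'
$Repository = 'back/petlover-back'

$AcrId       = az acr show --name $AcrName --query id -o tsv
$LoginServer = az acr show --name $AcrName --query loginServer -o tsv
if (-not $AcrId) { throw "Registry $AcrName not found" }

# Least privilege: scope the SP to this one registry with the acrpull role and give the secret a finite lifetime.
# create-for-rbac prints the secret exactly once; keep it in memory, never in a file under version control.
$sp = az ad sp create-for-rbac --name $SpName --scopes $AcrId --role acrpull --years 1 -o json | ConvertFrom-Json
if (-not $sp) { throw "Service principal creation failed" }
$AppId  = $sp.appId        # copied to plain variables: "$sp.appId" inside an argument would not expand the property
$Secret = $sp.password

# Image pull secret for the namespace. Recreate rather than apply, so the value never lands in a
# last-applied annotation. Rotate with: az ad sp credential reset --id $AppId, then rerun this block.
kubectl delete secret $SecretName --namespace $Namespace --ignore-not-found
kubectl create secret docker-registry $SecretName `
    --namespace $Namespace `
    --docker-server=$LoginServer `
    --docker-username=$AppId `
    --docker-password=$Secret

# Attach the secret to the namespace's default service account so every pod picks it up without
# per-Deployment imagePullSecrets. A patch file sidesteps PowerShell's quoting of inline JSON for -p.
$patchFile = New-TemporaryFile
Set-Content -Path $patchFile.FullName -NoNewline -Value ('{"imagePullSecrets":[{"name":"' + $SecretName + '"}]}')
kubectl patch serviceaccount default --namespace $Namespace --patch-file $patchFile.FullName
Remove-Item $patchFile.FullName

# Check 1: the principal can read tags (pull side of the registry API).
az acr repository show-tags --name $AcrName --repository $Repository --username $AppId --password $Secret -o tsv

# Check 2: a pod on the default service account can pull the image. ${Repository}: is written with braces
# because "$Repository:latest" would be parsed by PowerShell as a scoped variable named Repository:latest.
kubectl run acr-pull-check --namespace $Namespace --image="$LoginServer/${Repository}:latest" --restart=Never --command -- sleep 3600
kubectl wait pod/acr-pull-check --namespace $Namespace --for=condition=Ready --timeout=120s
if ($LASTEXITCODE -ne 0) { kubectl describe pod acr-pull-check --namespace $Namespace }
kubectl delete pod acr-pull-check --namespace $Namespace --ignore-not-found
```

Because the secret hangs off the default service account, any pod in that namespace can pull from the registry; that is acceptable for a pull-only principal, but do not reuse this principal (or the admin user from step 2) anywhere that pushes.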

About connecting to another server over SSH

  • Establishing the connection
    1. hand your public key to the other node (append it to ~/.ssh/authorized_keys there)
    2. on the first connection the two sides exchange public keys: the server presents its host key, which you verify and which is recorded in known_hosts, and the server checks your key against authorized_keys
    3. after that you can log in with your private key