added kube static egress TF

HoussemDellai · Nov 24, 2024 · 2b1cef1 · 2b1cef1
1 parent 9a46f45
commit 2b1cef1
Show file tree

Hide file tree

Showing 21 changed files with 637 additions and 1 deletion.
diff --git a/415_acr_oci_oras_app_artifacts/download/newtonsoft.json.13.0.3.nupkg b/415_acr_oci_oras_app_artifacts/download/newtonsoft.json.13.0.3.nupkg
diff --git a/415_acr_oci_oras_app_artifacts/download/readme.md b/415_acr_oci_oras_app_artifacts/download/readme.md
@@ -0,0 +1,93 @@
+# Deploying application artifacts in ACR
+
+## Introduction
+
+This is how you can use ACR to deploy app packages like `nuget`, `npm`, `maven`, `docker` etc.
+
+Azure container registry (ACR) helps you manage both the Open container initiative (OCI) artifacts and supply chain artifacts. This article guides you how to use ACR for managing OCI artifacts and supply chain artifacts effectively. Learn to store, manage, and retrieve both OCI artifacts and a graph of supply chain artifacts, including signatures, software bill of materials (SBOM), security scan results, and other types.
+
+![](images/architecture.png)
+
+Documentation: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-manage-artifact
+Oras project: https://oras.land/
+
+## Lab
+
+```sh
+winget install oras --version 1.2.0
+
+$RG="rg-acr-oci"
+$ACR_NAME="acrociregistry13"
+$REGISTRY="$ACR_NAME.azurecr.io"
+$REPO="net-monitor"
+$TAG="v1"
+$IMAGE="$REGISTRY/${REPO}:$TAG"
+
+az login
+az group create -n $RG -l swedencentral
+az acr create -n $ACR_NAME -g $RG --sku Standard
+az acr login -n $REGISTRY --expose-token
+
+$TOKEN=$(az acr login -n $REGISTRY --expose-token --output tsv --query accessToken)
+
+# Sign in with ORAS
+
+oras login $REGISTRY --username "00000000-0000-0000-0000-000000000000" --password $TOKEN
+# Login Succeeded
+# oras login $REGISTRY --username $USER_NAME --password $PASSWORD
+
+# Push and Pull OCI Artifacts with ORAS
+
+oras push $REGISTRY/samples/artifact:readme --artifact-type readme/example ./readme.md:application/markdown
+# ✓ Uploaded  readme.md                                                                                                                                                         589/589  B 100.00%  635ms
+#   └─ sha256:f132432a5cb35e8e34c9669cc4c72390ca93cfc24802882941cc82b5d05133bf
+# ✓ Uploaded  application/vnd.oci.empty.v1+json                                                                                                                                     2/2  B 100.00%  490ms
+#   └─ sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
+# ✓ Uploaded  application/vnd.oci.image.manifest.v1+json                                                                                                                        550/550  B 100.00%  287ms
+#   └─ sha256:370e076ad19b329536da11f27a7db4a34b7f367452f0b615e905525b122cc28b
+# Pushed [registry] acrociregistry13.azurecr.io/samples/artifact:readme
+# ArtifactType: readme/example
+# Digest: sha256:370e076ad19b329536da11f27a7db4a34b7f367452f0b615e905525b122cc28b
+
+# To view the manifest created as a result of oras push, use oras manifest fetch:
+
+oras manifest fetch --pretty $REGISTRY/samples/artifact:readme
+# {
+#   "schemaVersion": 2,
+#   "mediaType": "application/vnd.oci.image.manifest.v1+json",
+#   "artifactType": "readme/example",
+#   "config": {
+#     "mediaType": "application/vnd.oci.empty.v1+json",
+#     "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
+#     "size": 2,
+#     "data": "e30="
+#   },
+#   "layers": [
+#     {
+#       "mediaType": "application/markdown",
+#       "digest": "sha256:f132432a5cb35e8e34c9669cc4c72390ca93cfc24802882941cc82b5d05133bf",
+#       "size": 589,
+#       "annotations": {
+#         "org.opencontainers.image.title": "readme.md"
+#       }
+#     }
+#   ],
+#   "annotations": {
+#     "org.opencontainers.image.created": "2024-10-24T10:18:02Z"
+#   }
+# }
+
+# Pull an artifact
+
+mkdir ./download
+
+oras pull -o ./download $REGISTRY/samples/artifact:readme
+
+# Remove the artifact (optional)
+
+oras manifest delete $REGISTRY/samples/artifact:readme
+
+# push a nuget package
+
+oras push $REGISTRY/nuget/newtonsoft:13.0.3 --artifact-type package/nuget ./newtonsoft.json.13.0.3.nupkg
+```
diff --git a/68_kube_egress_gateway/commands.ps1 b/68_kube_egress_gateway/commands.ps1
@@ -54,4 +54,10 @@ kubectl apply -f nginx-deployment.yaml
 
 kubectl get pods
 
-kubectl exec <pod name> -it -- curl ifconfig.me
+kubectl exec <pod name> -it -- curl ifconfig.me
+
+# test private IP
+
+az aks nodepool add -g $AKS_RG --cluster-name $AKS_NAME --name npegresspr --mode gateway --node-count 2 --gateway-prefix-size $GW_PREFIX_SIZE --node-vm-size standard_d2pds_v6
+
+kubectl apply -f static_gateway_config_private.yaml
diff --git a/69_kube_egress_gateway_private/aks.tf b/69_kube_egress_gateway_private/aks.tf
@@ -0,0 +1,84 @@
+resource "azurerm_kubernetes_cluster" "aks" {
+  name                = "aks-cluster-swc"
+  location            = azurerm_resource_group.rg-spoke.location
+  resource_group_name = azurerm_resource_group.rg-spoke.name
+  dns_prefix          = "aks"
+  kubernetes_version  = "1.30.5"
+
+  network_profile {
+    network_plugin      = "azure"
+    network_plugin_mode = "overlay"
+    outbound_type       = "userDefinedRouting"
+  }
+
+  default_node_pool {
+    name                        = "systempool"
+    temporary_name_for_rotation = "syspool"
+    node_count                  = 3
+    vm_size                     = "standard_b2als_v2"
+    zones                       = [1, 2, 3]
+    vnet_subnet_id              = azurerm_subnet.snet-aks.id
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  lifecycle {
+    ignore_changes = [
+      default_node_pool.0.upgrade_settings
+    ]
+  }
+
+  depends_on = [
+    azurerm_subnet_route_table_association.association_route_table_subnet_spoke,
+    azurerm_route.route-to-nva-spoke,
+    azurerm_route.route-firewall-ip
+  ]
+}
+
+resource "azapi_resource" "nodepool-egress" {
+  type                      = "Microsoft.ContainerService/managedClusters/agentPools@2024-09-02-preview"
+  parent_id                 = azurerm_kubernetes_cluster.aks.id
+  name                      = "npegresspr"
+  schema_validation_enabled = false
+
+  body = {
+    properties = {
+      count  = 2
+      mode   = "Gateway"
+      vmSize = "standard_d2pds_v6"
+      nodeTaints = [
+        "kubernetes.azure.com/mode=gateway:NoSchedule"
+      ]
+    }
+  }
+
+  depends_on = [azapi_update_resource.enable-aks-static-egress-gateway]
+}
+
+resource "terraform_data" "aks-get-credentials" {
+  triggers_replace = [azurerm_kubernetes_cluster.aks.id]
+
+  provisioner "local-exec" {
+    command = "az aks get-credentials -n ${azurerm_kubernetes_cluster.aks.name} -g ${azurerm_kubernetes_cluster.aks.resource_group_name} --overwrite-existing"
+  }
+}
+
+resource "azurerm_role_assignment" "network-contributor" {
+  scope                = azurerm_resource_group.rg-spoke.id
+  role_definition_name = "Network Contributor"
+  principal_id         = azurerm_kubernetes_cluster.aks.identity.0.principal_id
+}
+
+resource "azurerm_role_assignment" "network-contributor-aks" {
+  scope                = azurerm_kubernetes_cluster.aks.node_resource_group_id
+  role_definition_name = "Network Contributor"
+  principal_id         = azurerm_kubernetes_cluster.aks.identity.0.principal_id
+}
+
+resource "azurerm_role_assignment" "virtual-machine-contributor" {
+  scope                = azurerm_kubernetes_cluster.aks.node_resource_group_id
+  role_definition_name = "Virtual Machine Contributor"
+  principal_id         = azurerm_kubernetes_cluster.aks.identity.0.principal_id
+}
diff --git a/69_kube_egress_gateway_private/enable-aks-kube-egress.tf b/69_kube_egress_gateway_private/enable-aks-kube-egress.tf
@@ -0,0 +1,38 @@
+resource "azapi_update_resource" "enable-aks-static-egress-gateway" {
+  type        = "Microsoft.ContainerService/ManagedClusters@2024-09-02-preview"
+  resource_id = azurerm_kubernetes_cluster.aks.id
+
+  body = {
+    properties = {
+      networkProfile = {
+        staticEgressGatewayProfile = {
+          enabled = true
+        }
+      }
+    }
+  }
+}
+
+# resource "terraform_data" "enable-aks-static-egress-gateway" {
+#   triggers_replace = [azurerm_kubernetes_cluster.aks.id]
+
+#   provisioner "local-exec" {
+#     command = "az aks update -n ${azurerm_kubernetes_cluster.aks.name} -g ${azurerm_kubernetes_cluster.aks.resource_group_name} --enable-static-egress-gateway"
+#   }
+# }
+
+# az aks nodepool add -g $AKS_RG --cluster-name $AKS_NAME --name $NODEPOOL_NAME --mode gateway --node-count 2 --gateway-prefix-size $GW_PREFIX_SIZE --node-vm-size standard_d2pds_v6
+
+# resource "terraform_data" "add-static-egress-gateway-nodepool" {
+#   triggers_replace = [
+#     azurerm_kubernetes_cluster.aks.id
+#   ]
+
+#   provisioner "local-exec" {
+#     command = "az aks nodepool add --cluster-name ${azurerm_kubernetes_cluster.aks.name} -g ${azurerm_kubernetes_cluster.aks.resource_group_name} --name npegresspr --mode gateway --node-count 2 --gateway-prefix-size 30 --node-vm-size standard_d2pds_v6"
+#   }
+
+#   depends_on = [
+#     terraform_data.enable-aks-static-egress-gateway
+#   ]
+# }
diff --git a/69_kube_egress_gateway_private/firewall-policy.tf b/69_kube_egress_gateway_private/firewall-policy.tf
@@ -0,0 +1,51 @@
+resource "azurerm_firewall_policy" "firewall-policy" {
+  name                = "firewall-policy"
+  resource_group_name = azurerm_resource_group.rg-hub.name
+  location            = azurerm_resource_group.rg-hub.location
+  sku                 = "Standard" # "Basic" # "Standard" # "Premium" #
+
+  dns {
+    proxy_enabled = true
+    servers       = ["168.63.129.16"]
+  }
+}
+
+resource "azurerm_firewall_policy_rule_collection_group" "policy-group-allow" {
+  name               = "policy-group-allow"
+  firewall_policy_id = azurerm_firewall_policy.firewall-policy.id
+  priority           = 1000
+
+  application_rule_collection {
+    name     = "allow-all-application"
+    priority = 100
+    action   = "Allow"
+
+    rule {
+      name              = "allow-all"
+      source_addresses  = azurerm_virtual_network.vnet-spoke.address_space
+      destination_fqdns = ["*"]
+      protocols {
+        type = "Http"
+        port = 80
+      }
+      protocols {
+        type = "Https"
+        port = 443
+      }
+    }
+  }
+
+  network_rule_collection {
+    name     = "allow-all-network"
+    priority = 200
+    action   = "Allow"
+
+    rule {
+      name                  = "allow-all"
+      protocols             = ["TCP", "UDP", "ICMP", "Any"]
+      source_addresses      = azurerm_virtual_network.vnet-spoke.address_space
+      destination_addresses = ["*"]
+      destination_ports     = ["*"]
+    }
+  }
+}
diff --git a/69_kube_egress_gateway_private/firewall.tf b/69_kube_egress_gateway_private/firewall.tf
@@ -0,0 +1,24 @@
+resource "azurerm_public_ip" "pip-firewall" {
+  name                = "pip-firewall"
+  location            = azurerm_resource_group.rg-hub.location
+  resource_group_name = azurerm_resource_group.rg-hub.name
+  allocation_method   = "Static"
+  sku                 = "Standard"
+  zones               = ["1"] # ["1", "2", "3"]
+}
+
+resource "azurerm_firewall" "firewall" {
+  name                = "firewall"
+  location            = azurerm_resource_group.rg-hub.location
+  resource_group_name = azurerm_resource_group.rg-hub.name
+  sku_name            = "AZFW_VNet"
+  sku_tier            = "Standard"
+  zones               = ["1"] # ["1", "2", "3"]
+  firewall_policy_id  = azurerm_firewall_policy.firewall-policy.id
+
+  ip_configuration {
+    name                 = "configuration"
+    subnet_id            = azurerm_subnet.snet-firewall.id
+    public_ip_address_id = azurerm_public_ip.pip-firewall.id
+  }
+}
diff --git a/69_kube_egress_gateway_private/log_analytics.tf b/69_kube_egress_gateway_private/log_analytics.tf
@@ -0,0 +1,44 @@
+resource "azurerm_log_analytics_workspace" "log_analytics" {
+  name                       = "log-analytics"
+  location                   = azurerm_resource_group.rg-hub.location
+  resource_group_name        = azurerm_resource_group.rg-hub.name
+  internet_ingestion_enabled = true
+  internet_query_enabled     = true
+  sku                        = "PerGB2018"
+  retention_in_days          = 30
+  daily_quota_gb             = -1
+}
+
+data "azurerm_monitor_diagnostic_categories" "categories" {
+  resource_id = azurerm_firewall.firewall.id
+}
+
+resource "azurerm_monitor_diagnostic_setting" "diagnostics_firewall" {
+  name                           = "diagnostics-firewall"
+  target_resource_id             = azurerm_firewall.firewall.id
+  log_analytics_workspace_id     = azurerm_log_analytics_workspace.log_analytics.id
+  log_analytics_destination_type = "Dedicated"
+
+
+  dynamic "enabled_log" {
+    for_each = data.azurerm_monitor_diagnostic_categories.categories.log_category_types
+
+    content {
+      category = enabled_log.key
+    }
+  }
+
+  dynamic "metric" {
+    for_each = data.azurerm_monitor_diagnostic_categories.categories.metrics
+
+    content {
+      category = metric.key
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [
+      log_analytics_destination_type
+    ]
+  }
+}
diff --git a/69_kube_egress_gateway_private/nginx-deployment-private.yaml b/69_kube_egress_gateway_private/nginx-deployment-private.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-private
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      annotations:
+        kubernetes.azure.com/static-gateway-configuration: my-static-egress-gateway-private
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest
+        ports:
+        - containerPort: 80