Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Bryan Cox <brcox@redhat.com>
- Loading branch information
Showing
4 changed files
with
151 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| kind: RoleBinding | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: authentication-reader-for-authenticated-users | ||
| namespace: kube-system | ||
| roleRef: | ||
| kind: Role | ||
| name: extension-apiserver-authentication-reader | ||
| apiGroup: rbac.authorization.k8s.io | ||
| subjects: | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Group | ||
| name: system:authenticated |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| #!/bin/bash | ||
| set -x | ||
|
|
||
| # Constants | ||
| RG="aks-test" | ||
| LOCATION="eastus" | ||
| AKS_CLUSTER_NAME="test" | ||
|
|
||
| # Clear out existing Azure RG | ||
| az group delete -n ${RG} --yes | ||
|
|
||
| # Create Azure RG | ||
| az group create \ | ||
| --name ${RG} \ | ||
| --location ${LOCATION} | ||
|
|
||
| # Create AKS Cluster | ||
| az aks create \ | ||
| --resource-group ${RG} \ | ||
| --name ${AKS_CLUSTER_NAME} \ | ||
| --node-count 2 \ | ||
| --generate-ssh-keys \ | ||
| --load-balancer-sku standard \ | ||
| --os-sku AzureLinux | ||
|
|
||
| # Get kubeconfig access | ||
| az aks get-credentials \ | ||
| --resource-group ${RG} \ | ||
| --name ${AKS_CLUSTER_NAME} \ | ||
| --overwrite-existing | ||
|
|
||
| set +x |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| #!/bin/bash | ||
| set -x | ||
|
|
||
| # Constants | ||
| RG="external-dns" | ||
| LOCATION="eastus" | ||
| DNS_ZONE_NAME="blah-blah-blah.com" | ||
| EXTERNAL_DNS_NEW_SP_NAME="ExternalDnsServicePrincipal" | ||
|
|
||
| # Clear out existing Azure RG | ||
| az group delete -n ${RG} --yes | ||
|
|
||
| # Create Azure RG and DNS Zone | ||
| az group create --name ${RG} --location ${LOCATION} | ||
| az network dns zone create --resource-group ${RG} --name ${DNS_ZONE_NAME} | ||
|
|
||
| # Creating a service principal | ||
| DNS_SP=$(az ad sp create-for-rbac --name ${EXTERNAL_DNS_NEW_SP_NAME}) | ||
| EXTERNAL_DNS_SP_APP_ID=$(echo "$DNS_SP" | jq -r '.appId') | ||
| EXTERNAL_DNS_SP_PASSWORD=$(echo "$DNS_SP" | jq -r '.password') | ||
|
|
||
| # Assign the rights for the service principal | ||
| DNS_ID=$(az network dns zone show --name ${DNS_ZONE_NAME} --resource-group ${RG} --query "id" --output tsv) | ||
| az role assignment create --role "Reader" --assignee "${EXTERNAL_DNS_SP_APP_ID}" --scope "${DNS_ID}" | ||
| az role assignment create --role "Contributor" --assignee "${EXTERNAL_DNS_SP_APP_ID}" --scope "${DNS_ID}" | ||
|
|
||
| # Creating a configuration file for our service principal | ||
| cat <<-EOF > /Users/myuser/azure.json | ||
| { | ||
| "tenantId": "$(az account show --query tenantId -o tsv)", | ||
| "subscriptionId": "$(az account show --query id -o tsv)", | ||
| "resourceGroup": "$RG", | ||
| "aadClientId": "$EXTERNAL_DNS_SP_APP_ID", | ||
| "aadClientSecret": "$EXTERNAL_DNS_SP_PASSWORD" | ||
| } | ||
| EOF | ||
|
|
||
| # Create needed secret with azure.json | ||
| kubectl delete secret/azure-config-file --namespace "default" | ||
| kubectl create secret generic azure-config-file --namespace "default" --from-file /Users/myuser/azure.json | ||
|
|
||
| set +x |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| #!/bin/bash | ||
| set -x | ||
|
|
||
| # Constants | ||
| LOCATION="eastus" | ||
| RG="hc-test" | ||
| DNS_ZONE_NAME="azure.blah.com" | ||
| EXTERNAL_DNS_NEW_SP_NAME="ExternalDnsServicePrincipal" | ||
|
|
||
| ######################################## ExternalDNS Setup ######################################## | ||
| # Clear out existing Azure RG | ||
| az group delete -n ${RG} --yes | ||
|
|
||
| # Create Azure RG and DNS Zone | ||
| az group create --name ${RG} --location ${LOCATION} | ||
| az network dns zone create --resource-group ${RG} --name ${DNS_ZONE_NAME} | ||
|
|
||
| # Creating a service principal | ||
| DNS_SP=$(az ad sp create-for-rbac --name ${EXTERNAL_DNS_NEW_SP_NAME}) | ||
| EXTERNAL_DNS_SP_APP_ID=$(echo "$DNS_SP" | jq -r '.appId') | ||
| EXTERNAL_DNS_SP_PASSWORD=$(echo "$DNS_SP" | jq -r '.password') | ||
|
|
||
| # Assign the rights for the service principal | ||
| DNS_ID=$(az network dns zone show --name ${DNS_ZONE_NAME} --resource-group ${RG} --query "id" --output tsv) | ||
| az role assignment create --role "Reader" --assignee "${EXTERNAL_DNS_SP_APP_ID}" --scope "${DNS_ID}" | ||
| az role assignment create --role "Contributor" --assignee "${EXTERNAL_DNS_SP_APP_ID}" --scope "${DNS_ID}" | ||
|
|
||
| # Creating a configuration file for our service principal | ||
| cat <<-EOF > /Users/myuser/azure.json | ||
| { | ||
| "tenantId": "$(az account show --query tenantId -o tsv)", | ||
| "subscriptionId": "$(az account show --query id -o tsv)", | ||
| "resourceGroup": "$RG", | ||
| "aadClientId": "$EXTERNAL_DNS_SP_APP_ID", | ||
| "aadClientSecret": "$EXTERNAL_DNS_SP_PASSWORD" | ||
| } | ||
| EOF | ||
|
|
||
| # Create needed secret with azure.json | ||
| kubectl delete secret/azure-config-file --namespace "default" | ||
| kubectl create secret generic azure-config-file --namespace "default" --from-file /Users/myuser/azure.json | ||
|
|
||
| ######################################## HyperShift Operator Install ######################################## | ||
|
|
||
| # Apply some CRDs that are missing | ||
| oc apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml | ||
| oc apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml | ||
| oc apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml | ||
| oc apply -f https://raw.githubusercontent.com/openshift/api/master/route/v1/route.crd.yaml | ||
|
|
||
| # Install HO | ||
| # 2024-03-01 it will fail if you have the conversion webhook enabled | ||
| /<path to hypershift binary>/bin/hypershift install \ | ||
| --enable-conversion-webhook=false \ | ||
| --external-dns-provider=azure \ | ||
| --external-dns-credentials /Users/myuser/azure.json \ | ||
| --external-dns-domain-filter ${DNS_ZONE_NAME} \ | ||
|
|
||
| ######################################## Create Hosted Cluster ######################################## | ||
|
|
||
| oc apply -f pki_rbac.yaml | ||
| # Add this annotation to the HC hypershift.openshift.io/pod-security-admission-label-override: baseline | ||
|
|
||
| set +x |