From 6ec36bd8cd9ddbbc10477664da192d98fffe1054 Mon Sep 17 00:00:00 2001
From: Bryan Cox
Date: Tue, 5 Mar 2024 08:32:09 -0500
Subject: [PATCH] Add AKS setup docs to contrib
Signed-off-by: Bryan Cox
---
contrib/aks/pki-rbac.yaml | 13 ++++++
contrib/aks/setup_aks_cluster.sh | 32 +++++++++++++
contrib/aks/setup_external_dns.sh | 42 +++++++++++++++++
contrib/aks/setup_install_ho_on_aks.sh | 64 ++++++++++++++++++++++++++
4 files changed, 151 insertions(+)
create mode 100644 contrib/aks/pki-rbac.yaml
create mode 100644 contrib/aks/setup_aks_cluster.sh
create mode 100644 contrib/aks/setup_external_dns.sh
create mode 100644 contrib/aks/setup_install_ho_on_aks.sh
diff --git a/contrib/aks/pki-rbac.yaml b/contrib/aks/pki-rbac.yaml
new file mode 100644
index 00000000000..943571cb120
--- /dev/null
+++ b/contrib/aks/pki-rbac.yaml
@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: authentication-reader-for-authenticated-users
+ namespace: kube-system
+roleRef:
+ kind: Role
+ name: extension-apiserver-authentication-reader
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:authenticated
diff --git a/contrib/aks/setup_aks_cluster.sh b/contrib/aks/setup_aks_cluster.sh
new file mode 100644
index 00000000000..91b8ce1fd4b
--- /dev/null
+++ b/contrib/aks/setup_aks_cluster.sh
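Review bot: The `subjects` entry binds `extension-apiserver-authentication-reader` to the `system:authenticated` group, so every authenticated identity in the cluster gains read access to the kube-system ConfigMap that role covers (`extension-apiserver-authentication`, which carries the API server's client-CA and request-header CA material). If only one component needs this, a narrower subject is preferable, e.g. `kind: ServiceAccount` / `name: <component-sa>` / `namespace: <component-ns>`; which component that is cannot be told from the manifest alone, so the binding should at least say so. A header comment such as `# Grants read access to the extension-apiserver-authentication ConfigMap; needed on AKS because <reason> — scope the subject down once the consuming ServiceAccount is known` would give the next reader the rationale that is currently missing.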
@@ -0,0 +1,32 @@
+#!/bin/bash
+set -x
+
+# Constants
+RG="aks-test"
+LOCATION="eastus"
+AKS_CLUSTER_NAME="test"
+
+# Clear out existing Azure RG
+az group delete -n ${RG} --yes
+
+# Create Azure RG
+az group create \
+--name ${RG} \
+--location ${LOCATION}
+
+# Create AKS Cluster
+az aks create \
+--resource-group ${RG} \
+--name ${AKS_CLUSTER_NAME} \
+--node-count 2 \
+--generate-ssh-keys \
+--load-balancer-sku standard \
+--os-sku AzureLinux
+
+# Get kubeconfig access
+az aks get-credentials \
+--resource-group ${RG} \
+--name ${AKS_CLUSTER_NAME} \
+--overwrite-existing
+
+set +x
\ No newline at end of file
diff --git a/contrib/aks/setup_external_dns.sh b/contrib/aks/setup_external_dns.sh
new file mode 100644
index 00000000000..e30a72cf6e8
--- /dev/null
+++ b/contrib/aks/setup_external_dns.sh
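Review bot: `az group delete -n ${RG} --yes` unconditionally destroys whatever lives in the hard-coded resource group `aks-test`, and because the script enables only `set -x`, every later step runs even after a failure, so a failed `az aks create` still reaches `az aks get-credentials --overwrite-existing` and rewrites the caller's kubeconfig. Adding `set -euo pipefail` after the shebang and quoting the expansions (`"${RG}"`, `"${AKS_CLUSTER_NAME}"`, `"${LOCATION}"`) stops the script at the first failing command. Making the names overridable, `RG="${RG:-aks-test}"`, also makes the delete step safer for anyone who already has a group of that name in the same subscription.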
@@ -0,0 +1,42 @@
+#!/bin/bash
+set -x
+
+# Constants
+RG="external-dns"
+LOCATION="eastus"
+DNS_ZONE_NAME="blah-blah-blah.com"
+EXTERNAL_DNS_NEW_SP_NAME="ExternalDnsServicePrincipal"
+
+# Clear out existing Azure RG
+az group delete -n ${RG} --yes
+
+# Create Azure RG and DNS Zone
+az group create --name ${RG} --location ${LOCATION}
+az network dns zone create --resource-group ${RG} --name ${DNS_ZONE_NAME}
+
+# Creating a service principal
+DNS_SP=$(az ad sp create-for-rbac --name ${EXTERNAL_DNS_NEW_SP_NAME})
+EXTERNAL_DNS_SP_APP_ID=$(echo "$DNS_SP" | jq -r '.appId')
+EXTERNAL_DNS_SP_PASSWORD=$(echo "$DNS_SP" | jq -r '.password')
+
+# Assign the rights for the service principal
+DNS_ID=$(az network dns zone show --name ${DNS_ZONE_NAME} --resource-group ${RG} --query "id" --output tsv)
+az role assignment create --role "Reader" --assignee "${EXTERNAL_DNS_SP_APP_ID}" --scope "${DNS_ID}"
+az role assignment create --role "Contributor" --assignee "${EXTERNAL_DNS_SP_APP_ID}" --scope "${DNS_ID}"
+
+# Creating a configuration file for our service principal
+cat <<-EOF > /Users/myuser/azure.json
+{
+ "tenantId": "$(az account show --query tenantId -o tsv)",
+ "subscriptionId": "$(az account show --query id -o tsv)",
+ "resourceGroup": "$RG",
+ "aadClientId": "$EXTERNAL_DNS_SP_APP_ID",
+ "aadClientSecret": "$EXTERNAL_DNS_SP_PASSWORD"
+}
+EOF
+
+# Create needed secret with azure.json
+kubectl delete secret/azure-config-file --namespace "default"
+kubectl create secret generic azure-config-file --namespace "default" --from-file /Users/myuser/azure.json
+
+set +x
\ No newline at end of file
diff --git a/contrib/aks/setup_install_ho_on_aks.sh b/contrib/aks/setup_install_ho_on_aks.sh
new file mode 100644
index 00000000000..12c95d4bb35
--- /dev/null
+++ b/contrib/aks/setup_install_ho_on_aks.sh
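Review bot: With `set -x` active from the second line, the traces for `DNS_SP=$(az ad sp create-for-rbac …)` and `EXTERNAL_DNS_SP_PASSWORD=$(echo "$DNS_SP" | jq -r '.password')` print the expanded values to stderr, so the freshly minted client secret lands in whatever captures the script's output (CI logs, a shared terminal session). Bracket the service-principal block with `set +x` before `DNS_SP=` and `set -x` after `kubectl create secret …`, or drop the tracing altogether. The `cat <<-EOF > /Users/myuser/azure.json` redirect writes `aadClientSecret` in plaintext with the default umask and to a path tied to one macOS account; `umask 077` before the redirect (or `chmod 600` after) plus `"${HOME}/azure.json"` or a `mktemp` file removed after the secret is created would limit exposure. The duplicated ExternalDNS block in setup_install_ho_on_aks.sh in this patch has the same three issues. Separately, `Reader` is redundant once `Contributor` is granted on the same zone scope, and a narrower built-in role such as `DNS Zone Contributor` may be sufficient for ExternalDNS — worth confirming against the provider's documented requirements.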
@@ -0,0 +1,64 @@
+#!/bin/bash
+set -x
+
+# Constants
+LOCATION="eastus"
+RG="hc-test"
+DNS_ZONE_NAME="azure.blah.com"
+EXTERNAL_DNS_NEW_SP_NAME="ExternalDnsServicePrincipal"
+
+######################################## ExternalDNS Setup ########################################
+# Clear out existing Azure RG
+az group delete -n ${RG} --yes
+
+# Create Azure RG and DNS Zone
+az group create --name ${RG} --location ${LOCATION}
+az network dns zone create --resource-group ${RG} --name ${DNS_ZONE_NAME}
+
+# Creating a service principal
+DNS_SP=$(az ad sp create-for-rbac --name ${EXTERNAL_DNS_NEW_SP_NAME})
+EXTERNAL_DNS_SP_APP_ID=$(echo "$DNS_SP" | jq -r '.appId')
+EXTERNAL_DNS_SP_PASSWORD=$(echo "$DNS_SP" | jq -r '.password')
+
+# Assign the rights for the service principal
+DNS_ID=$(az network dns zone show --name ${DNS_ZONE_NAME} --resource-group ${RG} --query "id" --output tsv)
+az role assignment create --role "Reader" --assignee "${EXTERNAL_DNS_SP_APP_ID}" --scope "${DNS_ID}"
+az role assignment create --role "Contributor" --assignee "${EXTERNAL_DNS_SP_APP_ID}" --scope "${DNS_ID}"
+
+# Creating a configuration file for our service principal
+cat <<-EOF > /Users/myuser/azure.json
+{
+ "tenantId": "$(az account show --query tenantId -o tsv)",
+ "subscriptionId": "$(az account show --query id -o tsv)",
+ "resourceGroup": "$RG",
+ "aadClientId": "$EXTERNAL_DNS_SP_APP_ID",
+ "aadClientSecret": "$EXTERNAL_DNS_SP_PASSWORD"
+}
+EOF
+
+# Create needed secret with azure.json
+kubectl delete secret/azure-config-file --namespace "default"
+kubectl create secret generic azure-config-file --namespace "default" --from-file /Users/myuser/azure.json
+
+######################################## HyperShift Operator Install ########################################
+
+# Apply some CRDs that are missing
+oc apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml
+oc apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml
+oc apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml
+oc apply -f https://raw.githubusercontent.com/openshift/api/master/route/v1/route.crd.yaml
+
+# Install HO
+# 2024-03-01 it will fail if you have the conversion webhook enabled
+//bin/hypershift install \
+--enable-conversion-webhook=false \
+--external-dns-provider=azure \
+--external-dns-credentials /Users/myuser/azure.json \
+--external-dns-domain-filter ${DNS_ZONE_NAME} \
+
+######################################## Create Hosted Cluster ########################################
+
+oc apply -f pki_rbac.yaml
+# Add this annotation to the HC hypershift.openshift.io/pod-security-admission-label-override: baseline
+
+set +x
\ No newline at end of file
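Review bot: `//bin/hypershift install \` resolves to `/bin/hypershift` (Linux and macOS collapse a leading double slash to the root), which is unlikely to be where a locally built binary lives; `./bin/hypershift install \` looks intended. A few lines later, `oc apply -f pki_rbac.yaml` names a file that this patch does not add — the manifest is `contrib/aks/pki-rbac.yaml` — so the apply fails unless run from a directory holding a copy under the other name; `oc apply -f "$(dirname "$0")/pki-rbac.yaml"` would both fix the name and stop depending on the caller's working directory. The `--external-dns-domain-filter ${DNS_ZONE_NAME} \` line ends with a continuation backslash whose only follower is a blank line, which terminates the command by accident rather than design; the trailing backslash should go. The CRDs are pulled from floating `main`/`master` branches over HTTPS, so the install is not reproducible; pinning a tag or commit in those four URLs would make the script behave the same way next month.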