Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
274 lines (220 sloc) 11.1 KB
# === PREPARE ========================================================================
# Set some variables that we will use throughout this demo
# SUBSCRIPTION="Your Azure Subscription Name"
LOCATION="westeurope"
LOCATION2="northeurope"
RG="dotnet-cologne-l"
RGL=$RG-linux
REG="netcol19l"
SKU="premium"
SP="netcol19l-sp"
PASSWD="P@ssw0rd123"
WEB="netcol19l-web"
IMG="helloworldweb"
EVENT_SITE="netcol19l-events"
LINUX_PLAN="netcol19lcplan"
LINUX_WEB_APP="netcol19lcweb"
APP_ENDPOINT="https://$EVENT_SITE.azurewebsites.net/api/updates"
KV="netcol19lvault"
AKS="netcol19laks"
# WHTARGET="https://your-webhook-target.could-be-logic-app.com"
GHUSR="rstropek"
# GHPAT="your-github-personal-access-token"
GHREPO="https://github.com/rstropek/acr-image-refresh-demo"
TASK="ghhelloworldl"
STORAGE="netcol19lstore"
STORAGESHARE="akssharel"
# Log in and select correct account
az login
az account set --subscription "$SUBSCRIPTION"
# Create resource group if it does not exist yet
if [ $(az group exists --name "$RG") == 'false' ]
then
az group create --name "$RG" --location "$LOCATION"
fi
if [ $(az group exists --name "$RGL") == 'false' ]
then
az group create --name "$RGL" --location "$LOCATION"
fi
# Create Keyvault to store service principal's password
if ! az keyvault show --resource-group "$RG" --name "$KV"
then
az keyvault create --resource-group "$RG" --name "$KV"
# To delete: az keyvault delete --resource-group "$RG" --name "$KV"
fi
# === CREATE =========================================================================
# Create Azure Container Registry if it does not exist yet
if [ $(az acr check-name --name "$REG" --query nameAvailable) == 'true' ]
then
# Use premium to enable geo-replication
az acr create --resource-group "$RG" --name "$REG" --location $LOCATION \
--sku "premium" --admin-enabled
# Replication ACR to second data center
az acr replication create --resource-group "$RG" --registry "$REG" \
--location $LOCATION2
# NOTE that ACR in Azure VNets is currently in preview, we will
# not go into that in this demo. For details see
# https://docs.microsoft.com/de-de/azure/container-registry/container-registry-vnet
fi
# Get ID of ACR
ACRID=$(az acr show --name "$REG" --resource-group "$RG" --query "id" -o tsv)
# =================================================================================================
# AUTHORIZATION
# You could use the following command to get the password of the admin account
az acr credential show --name "$REG" --query "passwords[0].value"
# Prefer service principals (as shown below) for production scenarios
# Log in with individual account of developer (for e.g. pushing containers using docker cli)
az acr login --name "$REG"
# Create a service principal if it does not exist yet
if [ $(az ad sp list --display-name "$SP" | jq length) == '0' ]
then
# Put service principal's password in Azure KeyVault (contributor)
az keyvault secret set --vault-name $KV --name $REG-PWD \
--value $(az ad sp create-for-rbac --name "$SP" --query password -o tsv)
# You could use the following command to delete the service principal:
# az ad sp delete --id "$SPAPPID"
# Create service principal and store the generated password in Keyvault (reader)
az keyvault secret set --vault-name $KV --name $REG-pull-pwd \
--value $(az ad sp create-for-rbac --name $REG-pull --scopes $ACRID --role reader --query password --output tsv)
# az ad sp delete --id $(az ad sp list --display-name "$REG-pull" --query "[].appId" -o tsv)
# Store service principal's name in KeyVault
az keyvault secret set --vault-name $KV --name $REG-pull \
--value $(az ad sp show --id http://$REG-pull --query appId --output tsv)
fi
# Get ID of service principal
SPAPPID=$(az ad sp list --display-name "$SP" --query "[].appId" -o tsv)
# You could use the following command to delete the service principal
# az ad sp delete --id "$SPAPPID"
# Assign service principal the "Contributor" role so it can push images
if [ $(az role assignment list --assignee "$SPAPPID" --role Contributor --scope "$ACRID" | jq length) == '0' ]
then
az role assignment create --assignee "$SPAPPID" --role Contributor --scope "$ACRID"
fi
# Use usual "docker login" with service principal to authenticate at ACR
docker login -u $SPAPPID \
-p $(az keyvault secret show --vault-name $KV --name $REG-PWD --query value -o tsv) \
$REG.azurecr.io
# === PUSH AND BUILD =================================================================
# Push an image to ACR with docker cli
docker tag nginx:alpine $REG.azurecr.io/nginx:alpine
docker push $REG.azurecr.io/nginx:alpine
# Use ACR quick task to build an image in the cloud
cd ./simple-docker
az acr build --registry "$REG" --image $IMG .
# Inspect storage limits
az acr show-usage --resource-group "$RG" --name "$REG" --output table
# You could use the following statement to delete the image from ACR:
# az acr repository delete --name "$REG" --image $IMG
# Get a list of repositories and tags in the registry
az acr repository list --name $REG
az acr repository show-tags --repository nginx --name $REG
# === START CONTAINER ================================================================
# Start container from image in ACR if it does not already exist.
# Note that we use ACI here. Other options would be App Service or AKS (Kubernetes)
if ! az container show --resource-group "$RG" --name "$WEB"
then
# Note how we get service principal data from Keyvault
az container create --resource-group "$RG" --name "$WEB" --image $REG.azurecr.io/$IMG --cpu 1 --memory 1 --ip-address public --ports 80 \
--registry-login-server $REG.azurecr.io \
--registry-username $(az keyvault secret show --vault-name $KV --name $REG-pull --query value -o tsv) \
--registry-password $(az keyvault secret show --vault-name $KV --name $REG-pull-pwd --query value -o tsv)
# You could use the following statement to see logs
# az container attach --resource-group "$RG" --name "$WEB"
# You could use the following statement to delete the container
# az container delete --resource-group "$RG" --name "$WEB" --yes
fi
# === INTEGRATION ====================================================================
# Demo demo website that displays events happening in EventGrid
if output=$(az appservice plan show --resource-group "$RG" --name "$EVENT_SITE-plan") && [ -z "$output" ]
then
az group deployment create --resource-group "$RG" \
--template-uri "https://raw.githubusercontent.com/Azure-Samples/azure-event-grid-viewer/master/azuredeploy.json" \
--parameters siteName=$EVENT_SITE hostingPlanName=$EVENT_SITE-plan
fi
# Register EventGrid provider if not already registered
if [ $(az provider show --namespace Microsoft.EventGrid --query "registrationState" --output tsv) != "Registered" ]
then
az provider register --namespace Microsoft.EventGrid
fi
# Add EventGrid subscription if not already exists
if ! az eventgrid event-subscription show --name event-sub-acr --source-resource-id $ACRID
then
az eventgrid event-subscription create --name event-sub-acr --source-resource-id $ACRID --endpoint $APP_ENDPOINT
# az eventgrid event-subscription delete --name event-sub-acr --resource-id $ACRID
fi
# Create a webhook so we get notified about container pushes
if ! az acr webhook show --registry "$REG" --name "webhook1$REG"
then
az acr webhook create --registry "$REG" --name "webhook1$REG" --actions push --uri $WHTARGET
# After creating the webhook, trigger a push and see how the webhook is triggered
fi
# Create a task that listens to change in GitHub and rebuilds images if necessary
if ! az acr task show --registry "$REG" --name "$TASK"
then
az acr task create --registry "$REG" --name "$TASK" --image $TASK:{{.Run.ID}} \
--context $GHREPO --branch master --file Dockerfile --git-access-token $GHPAT
fi
# Use the following command to manually trigger the task
az acr task run --registry "$REG" --name "$TASK"
# Use the following command to see a list of task runs
az acr task list-runs --registry "$REG" --output table
# === APP SERVICE ====================================================================
# Create Linux app service plan if it does not exist
if output=$(az appservice plan show --resource-group "$RGL" --name "$LINUX_PLAN") && [ -z "$output" ]
then
az appservice plan create --name "$LINUX_PLAN" --resource-group "$RGL" --sku b1 --is-linux
fi
# Deploy container web app. Note that at the time of writing, Azure CLI does not support ACR.
# If you want to deploy images from ACR, use PowerShell or the Portal. Support for this feature
# is on Azure's roadmap.
# See https://github.com/Azure/azure-cli/issues/7261
if ! az webapp show --resource-group "$RGL" --name "$LINUX_WEB_APP"
then
az webapp create --resource-group "$RGL" --plan "$LINUX_PLAN" --name "$LINUX_WEB_APP" \
--deployment-container-image-name nginx:alpine
fi
# Switch to image from our ACR via portal, update it, and see updated web app
# === AKS ============================================================
# Register Kubernetes provider if not already registered
if [ $(az provider show --namespace Microsoft.ContainerService --query "registrationState" --output tsv) != "Registered" ]
then
az provider register --namespace Microsoft.ContainerService
fi
# Create Kubernetes cluster
if ! az aks show --resource-group "$RG" --name "$AKS"
then
az aks create --resource-group "$RG" --name "$AKS" --node-count 3 --generate-ssh-keys \
--location westeurope \
--client-secret $(az keyvault secret show --vault-name $KV --name $REG-pull-pwd --query value -o tsv) \
--service-principal $(az keyvault secret show --vault-name $KV --name $REG-pull --query value -o tsv)
fi
# Connect kubectl with AKS
az aks get-credentials --resource-group "$RG" --name "$AKS"
# Check connection to AKS
kubectl get nodes
# Create Kubernetes deployments and services
cd ./kube-deploy
kubectl apply -f .
kubectl get all
kubectl scale deploy web --replicas 10
kubectl get service web-svc --watch
# Try to reach web app via public IP
# Create service account with cluster-admin role
# (see https://helm.sh/docs/using_helm/#tiller-and-role-based-access-control)
kubectl create -f rbac-config.yaml
# Initialize helm
helm init --service-account tiller --history-max 200 --upgrade
# Install AKS ACI connector
az aks install-connector --resource-group $RG --name $AKS --connector-name aciconnector
# Get ACI connector pod
kubectl --namespace=default get pods -l "app=aciconnector-linux-westeurope-virtual-kubelet-for-aks"
# Create Kubernetes deployments and services
cd ./kube-aci-deploy
kubectl apply -f .
kubectl get all
kubectl get pod -o=custom-columns=NAME:.metadata.name,STATUS:.status.phase,NODE:.spec.nodeName --all-namespaces
kubectl scale deploy web-aci --replicas 5
# Create a ClusterRoleBinding which gives the role dashboard-admin to the ServiceAccount
kubectl create clusterrolebinding kubernetes-dashboard -n kube-system --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard
# Start Kubernetes dashboard (CMD, not bash as we need to start a local browser)
az aks browse --resource-group "$RG" --name "$AKS"
You can’t perform that action at this time.