-
Notifications
You must be signed in to change notification settings - Fork 12
/
demo-workshop.azcli
273 lines (220 loc) · 11.1 KB
/
demo-workshop.azcli
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
# === PREPARE ========================================================================
# Set some variables that we will use throughout this demo
# SUBSCRIPTION="Your Azure Subscription Name"
LOCATION="westeurope"
LOCATION2="northeurope"
RG="dotnet-cologne-l"
RGL=$RG-linux
REG="netcol19l"
SKU="premium"
SP="netcol19l-sp"
PASSWD="P@ssw0rd123"
WEB="netcol19l-web"
IMG="helloworldweb"
EVENT_SITE="netcol19l-events"
LINUX_PLAN="netcol19lcplan"
LINUX_WEB_APP="netcol19lcweb"
APP_ENDPOINT="https://$EVENT_SITE.azurewebsites.net/api/updates"
KV="netcol19lvault"
AKS="netcol19laks"
# WHTARGET="https://your-webhook-target.could-be-logic-app.com"
GHUSR="rstropek"
# GHPAT="your-github-personal-access-token"
GHREPO="https://github.com/rstropek/acr-image-refresh-demo"
TASK="ghhelloworldl"
STORAGE="netcol19lstore"
STORAGESHARE="akssharel"
# Log in and select correct account
az login
az account set --subscription "$SUBSCRIPTION"
# Create resource group if it does not exist yet
if [ $(az group exists --name "$RG") == 'false' ]
then
az group create --name "$RG" --location "$LOCATION"
fi
if [ $(az group exists --name "$RGL") == 'false' ]
then
az group create --name "$RGL" --location "$LOCATION"
fi
# Create Keyvault to store service principal's password
if ! az keyvault show --resource-group "$RG" --name "$KV"
then
az keyvault create --resource-group "$RG" --name "$KV"
# To delete: az keyvault delete --resource-group "$RG" --name "$KV"
fi
# === CREATE =========================================================================
# Create Azure Container Registry if it does not exist yet
if [ $(az acr check-name --name "$REG" --query nameAvailable) == 'true' ]
then
# Use premium to enable geo-replication
az acr create --resource-group "$RG" --name "$REG" --location $LOCATION \
--sku "premium" --admin-enabled
# Replication ACR to second data center
az acr replication create --resource-group "$RG" --registry "$REG" \
--location $LOCATION2
# NOTE that ACR in Azure VNets is currently in preview, we will
# not go into that in this demo. For details see
# https://docs.microsoft.com/de-de/azure/container-registry/container-registry-vnet
fi
# Get ID of ACR
ACRID=$(az acr show --name "$REG" --resource-group "$RG" --query "id" -o tsv)
# =================================================================================================
# AUTHORIZATION
# You could use the following command to get the password of the admin account
az acr credential show --name "$REG" --query "passwords[0].value"
# Prefer service principals (as shown below) for production scenarios
# Log in with individual account of developer (for e.g. pushing containers using docker cli)
az acr login --name "$REG"
# Create a service principal if it does not exist yet
if [ $(az ad sp list --display-name "$SP" | jq length) == '0' ]
then
# Put service principal's password in Azure KeyVault (contributor)
az keyvault secret set --vault-name $KV --name $REG-PWD \
--value $(az ad sp create-for-rbac --name "$SP" --query password -o tsv)
# You could use the following command to delete the service principal:
# az ad sp delete --id "$SPAPPID"
# Create service principal and store the generated password in Keyvault (reader)
az keyvault secret set --vault-name $KV --name $REG-pull-pwd \
--value $(az ad sp create-for-rbac --name $REG-pull --scopes $ACRID --role reader --query password --output tsv)
# az ad sp delete --id $(az ad sp list --display-name "$REG-pull" --query "[].appId" -o tsv)
# Store service principal's name in KeyVault
az keyvault secret set --vault-name $KV --name $REG-pull \
--value $(az ad sp show --id http://$REG-pull --query appId --output tsv)
fi
# Get ID of service principal
SPAPPID=$(az ad sp list --display-name "$SP" --query "[].appId" -o tsv)
# You could use the following command to delete the service principal
# az ad sp delete --id "$SPAPPID"
# Assign service principal the "Contributor" role so it can push images
if [ $(az role assignment list --assignee "$SPAPPID" --role Contributor --scope "$ACRID" | jq length) == '0' ]
then
az role assignment create --assignee "$SPAPPID" --role Contributor --scope "$ACRID"
fi
# Use usual "docker login" with service principal to authenticate at ACR
docker login -u $SPAPPID \
-p $(az keyvault secret show --vault-name $KV --name $REG-PWD --query value -o tsv) \
$REG.azurecr.io
# === PUSH AND BUILD =================================================================
# Push an image to ACR with docker cli
docker tag nginx:alpine $REG.azurecr.io/nginx:alpine
docker push $REG.azurecr.io/nginx:alpine
# Use ACR quick task to build an image in the cloud
cd ./simple-docker
az acr build --registry "$REG" --image $IMG .
# Inspect storage limits
az acr show-usage --resource-group "$RG" --name "$REG" --output table
# You could use the following statement to delete the image from ACR:
# az acr repository delete --name "$REG" --image $IMG
# Get a list of repositories and tags in the registry
az acr repository list --name $REG
az acr repository show-tags --repository nginx --name $REG
# === START CONTAINER ================================================================
# Start container from image in ACR if it does not already exist.
# Note that we use ACI here. Other options would be App Service or AKS (Kubernetes)
if ! az container show --resource-group "$RG" --name "$WEB"
then
# Note how we get service principal data from Keyvault
az container create --resource-group "$RG" --name "$WEB" --image $REG.azurecr.io/$IMG --cpu 1 --memory 1 --ip-address public --ports 80 \
--registry-login-server $REG.azurecr.io \
--registry-username $(az keyvault secret show --vault-name $KV --name $REG-pull --query value -o tsv) \
--registry-password $(az keyvault secret show --vault-name $KV --name $REG-pull-pwd --query value -o tsv)
# You could use the following statement to see logs
# az container attach --resource-group "$RG" --name "$WEB"
# You could use the following statement to delete the container
# az container delete --resource-group "$RG" --name "$WEB" --yes
fi
# === INTEGRATION ====================================================================
# Demo demo website that displays events happening in EventGrid
if output=$(az appservice plan show --resource-group "$RG" --name "$EVENT_SITE-plan") && [ -z "$output" ]
then
az group deployment create --resource-group "$RG" \
--template-uri "https://raw.githubusercontent.com/Azure-Samples/azure-event-grid-viewer/master/azuredeploy.json" \
--parameters siteName=$EVENT_SITE hostingPlanName=$EVENT_SITE-plan
fi
# Register EventGrid provider if not already registered
if [ $(az provider show --namespace Microsoft.EventGrid --query "registrationState" --output tsv) != "Registered" ]
then
az provider register --namespace Microsoft.EventGrid
fi
# Add EventGrid subscription if not already exists
if ! az eventgrid event-subscription show --name event-sub-acr --source-resource-id $ACRID
then
az eventgrid event-subscription create --name event-sub-acr --source-resource-id $ACRID --endpoint $APP_ENDPOINT
# az eventgrid event-subscription delete --name event-sub-acr --resource-id $ACRID
fi
# Create a webhook so we get notified about container pushes
if ! az acr webhook show --registry "$REG" --name "webhook1$REG"
then
az acr webhook create --registry "$REG" --name "webhook1$REG" --actions push --uri $WHTARGET
# After creating the webhook, trigger a push and see how the webhook is triggered
fi
# Create a task that listens to change in GitHub and rebuilds images if necessary
if ! az acr task show --registry "$REG" --name "$TASK"
then
az acr task create --registry "$REG" --name "$TASK" --image $TASK:{{.Run.ID}} \
--context $GHREPO --branch master --file Dockerfile --git-access-token $GHPAT
fi
# Use the following command to manually trigger the task
az acr task run --registry "$REG" --name "$TASK"
# Use the following command to see a list of task runs
az acr task list-runs --registry "$REG" --output table
# === APP SERVICE ====================================================================
# Create Linux app service plan if it does not exist
if output=$(az appservice plan show --resource-group "$RGL" --name "$LINUX_PLAN") && [ -z "$output" ]
then
az appservice plan create --name "$LINUX_PLAN" --resource-group "$RGL" --sku b1 --is-linux
fi
# Deploy container web app. Note that at the time of writing, Azure CLI does not support ACR.
# If you want to deploy images from ACR, use PowerShell or the Portal. Support for this feature
# is on Azure's roadmap.
# See https://github.com/Azure/azure-cli/issues/7261
if ! az webapp show --resource-group "$RGL" --name "$LINUX_WEB_APP"
then
az webapp create --resource-group "$RGL" --plan "$LINUX_PLAN" --name "$LINUX_WEB_APP" \
--deployment-container-image-name nginx:alpine
fi
# Switch to image from our ACR via portal, update it, and see updated web app
# === AKS ============================================================
# Register Kubernetes provider if not already registered
if [ $(az provider show --namespace Microsoft.ContainerService --query "registrationState" --output tsv) != "Registered" ]
then
az provider register --namespace Microsoft.ContainerService
fi
# Create Kubernetes cluster
if ! az aks show --resource-group "$RG" --name "$AKS"
then
az aks create --resource-group "$RG" --name "$AKS" --node-count 3 --generate-ssh-keys \
--location westeurope \
--client-secret $(az keyvault secret show --vault-name $KV --name $REG-pull-pwd --query value -o tsv) \
--service-principal $(az keyvault secret show --vault-name $KV --name $REG-pull --query value -o tsv)
fi
# Connect kubectl with AKS
az aks get-credentials --resource-group "$RG" --name "$AKS"
# Check connection to AKS
kubectl get nodes
# Create Kubernetes deployments and services
cd ./kube-deploy
kubectl apply -f .
kubectl get all
kubectl scale deploy web --replicas 10
kubectl get service web-svc --watch
# Try to reach web app via public IP
# Create service account with cluster-admin role
# (see https://helm.sh/docs/using_helm/#tiller-and-role-based-access-control)
kubectl create -f rbac-config.yaml
# Initialize helm
helm init --service-account tiller --history-max 200 --upgrade
# Install AKS ACI connector
az aks install-connector --resource-group $RG --name $AKS --connector-name aciconnector
# Get ACI connector pod
kubectl --namespace=default get pods -l "app=aciconnector-linux-westeurope-virtual-kubelet-for-aks"
# Create Kubernetes deployments and services
cd ./kube-aci-deploy
kubectl apply -f .
kubectl get all
kubectl get pod -o=custom-columns=NAME:.metadata.name,STATUS:.status.phase,NODE:.spec.nodeName --all-namespaces
kubectl scale deploy web-aci --replicas 5
# Create a ClusterRoleBinding which gives the role dashboard-admin to the ServiceAccount
kubectl create clusterrolebinding kubernetes-dashboard -n kube-system --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard
# Start Kubernetes dashboard (CMD, not bash as we need to start a local browser)
az aks browse --resource-group "$RG" --name "$AKS"