-
Notifications
You must be signed in to change notification settings - Fork 67
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add a module aks-manifest.bicep to manage resources on AKS clusters. this can be used to * create expected `Namespaces` * create exüected `ServiceAccounts` with MIWI annotations for cloud resource access via Entra * create expected `ConfigMaps` and `Secrets` holding configuration information for cloud resources, e.g. DB hostnames, ... An example usage can be seen in the aks-cluster-base.bicep template, where the namespace and serviceaccount are created for each federated managed identity. part of [SD-DDR-0030](https://docs.google.com/document/d/1sxnNGscIuEaLRjbILlQrb3sepa4ZVddvj1-COHwQvSQ/edit#heading=h.bupciudrwmna) Signed-off-by: Gerd Oberlechner <[email protected]>
- Loading branch information
Showing
2 changed files
with
113 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| param name string | ||
| param aksClusterName string | ||
| param location string | ||
| param aksManagedIdentityId string | ||
| param manifests array | ||
|
|
||
| var namespaces = [for manifest in manifests: manifest.metadata.namespace] | ||
| var uniqueNamespaces = union(namespaces, []) | ||
| var namespaceManifests = [ | ||
| for i in range(0, length(uniqueNamespaces)): { | ||
| apiVersion: 'v1' | ||
| kind: 'Namespace' | ||
| metadata: { | ||
| name: uniqueNamespaces[i] | ||
| } | ||
| } | ||
| ] | ||
| var namespaceManifestList = { | ||
| apiVersion: 'v1' | ||
| kind: 'List' | ||
| items: namespaceManifests | ||
| } | ||
|
|
||
| var mainfestList = { | ||
| apiVersion: 'v1' | ||
| kind: 'List' | ||
| items: manifests | ||
| } | ||
|
|
||
| resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = { | ||
| name: name | ||
| location: location | ||
| kind: 'AzureCLI' | ||
| identity: { | ||
| type: 'UserAssigned' | ||
| userAssignedIdentities: { | ||
| '${aksManagedIdentityId}': {} | ||
| } | ||
| } | ||
|
|
||
| properties: { | ||
| azCliVersion: '2.30.0' | ||
| cleanupPreference: 'OnSuccess' | ||
| retentionInterval: 'P1D' | ||
| scriptContent: ''' | ||
| az login --identity | ||
| az aks install-cli | ||
| az aks get-credentials --resource-group ${AKS_CLUSTER_RG} --name ${AKS_CLUSTER_NAME} --overwrite-existing -a | ||
| echo "${NAMESPACE_MANIFESTS}" | base64 -d | kubectl apply -f - | ||
| echo "${MANIFESTS}" | base64 -d | kubectl apply -f - | ||
| ''' | ||
| // todo figure out how to leverage az aks command invoke to | ||
| // * avoid installing kubectl | ||
| // * avoid the need for a network path to the cluster | ||
| // | ||
| // right now az aks command invoke fails with `MissingAADClusterToken` when run within a deploymentscript | ||
| environmentVariables: [ | ||
| { | ||
| name: 'AKS_CLUSTER_RG' | ||
| value: resourceGroup().name | ||
| } | ||
| { | ||
| name: 'AKS_CLUSTER_NAME' | ||
| value: aksClusterName | ||
| } | ||
| { | ||
| name: 'NAMESPACE_MANIFESTS' | ||
| value: base64(string(namespaceManifestList)) | ||
| } | ||
| { | ||
| name: 'MANIFESTS' | ||
| value: base64(string(mainfestList)) | ||
| } | ||
| ] | ||
| timeout: 'PT30M' | ||
| } | ||
| } |