
briandenicola / kubernetes-cluster-setup


An opinionated method to create a private AKS cluster/app environment.

License: MIT License

HCL 82.75% Shell 16.14% Smarty 1.11%
azure azure-kubernetes-service terraform flux istio kubernetes

kubernetes-cluster-setup's Introduction

Introduction

This repository covers how to stand up a secure, private AKS/Kubernetes cluster. It is not intended to be an AKS 101 or to cover all possible secure AKS designs (for example, using an HTTP proxy instead of Azure Firewall). Azure has plenty of awesome documentation and guides that go into depth on the overall design and best practices.

This code is an opinionated method of applying those standards in an end-to-end solution using Terraform, GitHub Actions, Flux and Istio.

Detailed Deployment Guide

Follow this guide to stand up a cluster in your environment.

Resources Created

Every Kubernetes cluster has several moving parts, even those deployed in a managed cloud environment, and more so if the cluster is to be private with egress filtering. Several resources in Azure must be in place for the code to work properly. Typically these resources are stood up by an Enterprise Platform Team following Azure's Cloud Adoption Framework, so for more secure AKS builds they are out of scope here. There is an example Azure Firewall and Route Table ARM template that can help with some of the prerequisites.

Infrastructure

  • Log Analytics Workspace: Application Insights

  • KeyVault (Private endpoint): TLS Certificate *.bjdazure.tech; KeyVault Secret with the OpenTelemetry/Zipkin configuration

  • Managed User identities: AKS Cluster Identity, AKS Kubelet Identity, Istio Pod Identity

  • Private AKS cluster: Add-Ons: OMS, Policy Agent, KeyVault CSI Driver, Azure Pod Identity v1, FluxCDv2

  • Azure Internal Load Balancer

Diagram (image: resources)

Kubernetes Resources

Deployed by Flux:

  • Istio Operator

  • Istio Service Mesh

  • Open Telemetry Collector

  • Kured Reboot Daemon

  • Dapr Distributed Runtime

  • Keda Autoscaler

  • Azure Monitor configuration update for Prometheus

  • Istio Bookinfo

  • eShopOnDapr

Configured in Istio:

  • Ingress Gateway with TLS

  • Egress Gateway

  • Distributed Tracing forwarded to Zipkin/Otel Collector

  • Catch-all Virtual Service

Diagram (image: namespaces)

kubernetes-cluster-setup's People

Contributors

briandenicola


kubernetes-cluster-setup's Issues

Overlay Network and VNet Integration

The 3.40 provider for Terraform has support for Overlay networking and VNet Integration. This issue is to track the adoption of those technologies into this repo.

Migrate off Pod Identities to Workload Identities

Workload Identities is the direction forward for identity and authorization with AKS.

This repository currently uses Pod Identities to authenticate with Key Vault for the Istio Service Mesh. This needs to be ported to Workload Identities.

Updated resources include: Zipkin Key Vault CSI configuration, GitHub Actions workflows, Istio AAD Pod Label and

IstioOperator is not recognized during first run

null_resource.flux_setup_bf1e8068f: Still creating... [20s elapsed]
null_resource.flux_setup_bf1e8068f (local-exec): error: unable to recognize "/tmp/flux-bootstrap-2649416710/cluster-manifests/uat/flux-system": no matches for kind "IstioOperator" in version "install.istio.io/v1alpha1"

gitrepository/flux-system Falseauth secret error: Secret "flux-system" not found

Rename ingress identity to Service Mesh pod identity

Rename cluster as well.

grep -ir bjdk8s-istio *
apps/istio/ingress/deployment.yaml: aadpodidbinding: bjdk8s-istio-ingress-identity
apps/istio/ingress/ingress.yaml: keyvaultName: bjdk8s-istio-kv
infrastructure/istio.tfvars:cluster_name = "bjdk8s-istio"

grep -ir bjdk8s-osm *
apps/bookstore/tls.yaml: keyvaultName: bjdk8s-osm-kv
apps/bookstore/bookstore.yaml: aadpodidbinding: bjdk8s-osm-ingress-identity
apps/bookstore/identity.yaml: name: bjdk8s-osm-ingress-identity
apps/bookstore/identity.yaml: resourceID: /subscriptions/bfafbd89-a2a3-43a5-af72-fb4ef0c514c1/resourcegroups/DevSub02_K8S_OSM_RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/bjdk8s-osm-ingress-identity
apps/bookstore/identity.yaml: name: bjdk8s-osm-ingress-identity-binding
apps/bookstore/identity.yaml: azureIdentity: bjdk8s-osm-ingress-identity
apps/bookstore/identity.yaml: selector: bjdk8s-osm-ingress-identity
infrastructure/osm.tfvars:cluster_name = "bjdk8s-osm"
