A method of creating a private AKS cluster (API server reachable only over a private endpoint inside the virtual network) without egress filtering, i.e. outbound traffic from the cluster is not restricted, using Terraform and the Flux GitOps operator.
- Private AKS cluster with the Azure AD Pod Identity, Key Vault CSI driver and Open Service Mesh extensions
- Jumpbox VM
- Key Vault
- Private DNS zones for AKS and Key Vault
- Virtual Network with subnets:
  - kubernetes
  - private-endpoint
  - servers
  - AzureBastionSubnet
- Azure Container Registry
- Azure Blob Storage - Terraform state storage
- Azure Bastion - to access jumpbox VM
- Azure AD Group - for Administrator access to the cluster
- Update infrastructure/production.tfvars with the values for your environment
- az extension add --name aks-preview
- az extension update --name aks-preview
- az login
- az feature register --namespace "Microsoft.ContainerService" --name "AKS-AzureKeyVaultSecretsProvider"
- az feature register --namespace "Microsoft.ContainerService" --name "EnablePodIdentityPreview"
- az feature register --namespace "Microsoft.ContainerService" --name "AKS-OpenServiceMesh"
- az feature register --namespace "Microsoft.ContainerService" --name "DisableLocalAccountsPreview"
- az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService')].{Name:name,State:properties.state}"
- Wait until every feature listed above shows State = Registered (registration can take several minutes; the cluster will fail to create with the preview extensions enabled before then)
- az provider register --namespace Microsoft.ContainerService (re-registers the resource provider so the newly registered features take effect)
- terraform init -backend=true -backend-config="access_key=${access_key}" -backend-config="key=production.terraform.tfstate"
- terraform plan -out="production.plan" -var "resource_group_name=DevSub01_AKS_RG" -var-file="production.tfvars"
- terraform apply -auto-approve "production.plan"
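The feature-registration and Terraform steps above, as one script. This is an added example and not a script from the repository: it registers the four preview features, polls `az feature list` until each one reports Registered instead of relying on a manual wait, and then runs the same init/plan/apply sequence. The environment variables ACCESS_KEY (the state storage account key), RESOURCE_GROUP_NAME, TFVARS and RUN_DEPLOY are assumptions for this example, and the sample listing fed to the offline check is constructed.

```shell
#!/usr/bin/env sh
# Added example, not the repository's own script. Registers the AKS preview
# features, waits until all of them are Registered, then deploys with Terraform.
# Assumed environment: ACCESS_KEY, RESOURCE_GROUP_NAME, TFVARS, RUN_DEPLOY=1.
set -eu

NAMESPACE="Microsoft.ContainerService"
FEATURES="AKS-AzureKeyVaultSecretsProvider EnablePodIdentityPreview AKS-OpenServiceMesh DisableLocalAccountsPreview"
TAB=$(printf '\t')

# features_ready: reads "name<TAB>state" rows on stdin, the shape produced by
#   az feature list -o tsv --query "[?contains(name, 'Microsoft.ContainerService')].[name,properties.state]"
# and succeeds only when every feature in FEATURES is present in state Registered.
features_ready() {
  listing=$(cat)
  rc=0
  for f in $FEATURES; do
    state=$(printf '%s\n' "$listing" | awk -F"$TAB" -v n="$NAMESPACE/$f" '$1 == n { print $2 }')
    if [ "$state" != "Registered" ]; then
      echo "feature $f: ${state:-not found}" >&2
      rc=1
    fi
  done
  return $rc
}

# sample_feature_listing [STATE]: constructed az output for offline checks;
# STATE (default Registered) is used for the last feature.
sample_feature_listing() {
  printf '%s\t%s\n' \
    "$NAMESPACE/AKS-AzureKeyVaultSecretsProvider" Registered \
    "$NAMESPACE/EnablePodIdentityPreview" Registered \
    "$NAMESPACE/AKS-OpenServiceMesh" Registered \
    "$NAMESPACE/DisableLocalAccountsPreview" "${1:-Registered}"
}

# wait_for_features: polls az every 30 s, giving up after 30 minutes.
wait_for_features() {
  tries=0
  until az feature list -o tsv \
      --query "[?contains(name, '$NAMESPACE')].[name,properties.state]" \
      | features_ready; do
    tries=$((tries + 1))
    if [ "$tries" -ge 60 ]; then
      echo "timed out waiting for feature registration" >&2
      return 1
    fi
    sleep 30
  done
}

main() {
  az extension add --name aks-preview 2>/dev/null || az extension update --name aks-preview
  for f in $FEATURES; do
    az feature register --namespace "$NAMESPACE" --name "$f" >/dev/null
  done
  wait_for_features
  # Re-register the provider so the newly registered features take effect.
  az provider register --namespace "$NAMESPACE"
  terraform init -backend=true \
    -backend-config="access_key=${ACCESS_KEY:?set ACCESS_KEY to the state storage account key}" \
    -backend-config="key=production.terraform.tfstate"
  terraform plan -out=production.plan \
    -var "resource_group_name=${RESOURCE_GROUP_NAME:-DevSub01_AKS_RG}" \
    -var-file="${TFVARS:-infrastructure/production.tfvars}"
  terraform apply -auto-approve production.plan
}

# Guarded so the file can be sourced for the offline check without az or terraform.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  main
fi
```

Run it with `RUN_DEPLOY=1 ACCESS_KEY=... sh deploy.sh`; without RUN_DEPLOY it only defines the functions, so `sample_feature_listing | features_ready` can be used to exercise the readiness check on the constructed listing.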
- Access the jumpbox VM through Azure Bastion (the private cluster's API server is only reachable from inside the virtual network, so the remaining steps run on the jumpbox)
- curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
- wget https://github.com/Azure/kubelogin/releases/download/v0.0.10/kubelogin-linux-amd64.zip
- curl -s https://fluxcd.io/install.sh | sudo bash
- unzip kubelogin-linux-amd64.zip (extracts to bin/linux_amd64/kubelogin)
- mkdir -p bin (the unzip above already created bin/, so a plain mkdir would fail)
- mv kubectl bin/. (only if kubectl was downloaded to the working directory; otherwise `az aks install-cli` below installs it)
- mv bin/linux_amd64/kubelogin bin/.
- chmod 755 bin/*
- az login --identity (logs in as the jumpbox VM's managed identity)
- az aks install-cli
- az aks get-credentials -n ${CLUSTER_NAME} -g ${CLUSTER_RESOURCE_GROUP}
- kubelogin convert-kubeconfig -l msi (rewrites the kubeconfig so kubectl obtains Azure AD tokens through the VM's managed identity; because local accounts are disabled on the cluster, that identity must have cluster access, for example as a member of the Azure AD administrator group above)
- flux bootstrap git --url=ssh://[email protected]/${user}/kubernetes-cluster-setup --branch=master --path=./cluster-manifests/uat --private-key-file=/home/manager/.ssh/id_rsa
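The jumpbox steps above as one script, with the check a practitioner wants after `kubelogin convert-kubeconfig -l msi`: that the kubeconfig authenticates through the kubelogin exec plugin with the msi login and carries no client certificate, client key or bearer token that could be lifted from the shared jumpbox. This is an added example and not a script from the repository. The environment variables CLUSTER_NAME, CLUSTER_RESOURCE_GROUP, FLUX_REPO_URL, KUBELOGIN_SHA256 (expected digest of the release zip, verified only when set) and RUN_BOOTSTRAP are assumptions for this example, and the kubeconfig written by sample_kubeconfig is constructed for the offline check.

```shell
#!/usr/bin/env sh
# Added example, not the repository's own script. Installs the tooling into
# ~/bin, fetches cluster credentials via the VM's managed identity, verifies
# the kubeconfig uses kubelogin with the msi login, then bootstraps Flux.
# Assumed environment: CLUSTER_NAME, CLUSTER_RESOURCE_GROUP, FLUX_REPO_URL,
# optional KUBELOGIN_SHA256, and RUN_BOOTSTRAP=1 to actually run main.
set -eu

KUBELOGIN_VERSION="${KUBELOGIN_VERSION:-v0.0.10}"
BIN_DIR="${BIN_DIR:-$HOME/bin}"

# install_tools: Azure CLI, Flux CLI, kubectl and the pinned kubelogin release.
# A TLS download alone does not prove the zip is the one you vetted, so its
# digest is compared against KUBELOGIN_SHA256 when that is supplied.
install_tools() {
  zip="kubelogin-linux-amd64.zip"
  curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
  curl -s https://fluxcd.io/install.sh | sudo bash
  mkdir -p "$BIN_DIR" kubelogin-extract
  wget -q "https://github.com/Azure/kubelogin/releases/download/${KUBELOGIN_VERSION}/${zip}"
  if [ -n "${KUBELOGIN_SHA256:-}" ]; then
    echo "${KUBELOGIN_SHA256}  ${zip}" | sha256sum -c -
  fi
  unzip -qo "$zip" -d kubelogin-extract
  mv kubelogin-extract/bin/linux_amd64/kubelogin "$BIN_DIR/kubelogin"
  az aks install-cli --install-location "$BIN_DIR/kubectl"
  chmod 755 "$BIN_DIR"/*
}

# fetch_credentials: log in as the VM's managed identity and rewrite the
# kubeconfig so kubectl obtains Azure AD tokens from that identity.
fetch_credentials() {
  az login --identity >/dev/null
  az aks get-credentials -n "$CLUSTER_NAME" -g "$CLUSTER_RESOURCE_GROUP" --overwrite-existing
  kubelogin convert-kubeconfig -l msi
}

# kubeconfig_uses_msi FILE: succeeds only if FILE configures a kubelogin exec
# plugin with "--login msi" and holds no static client certificate, key or token.
kubeconfig_uses_msi() {
  f="$1"
  if ! grep -Eq '^[[:space:]]*command:[[:space:]]*(.*/)?kubelogin[[:space:]]*$' "$f"; then
    echo "$f: no kubelogin exec plugin" >&2; return 1
  fi
  # "--login" and "msi" are consecutive YAML list items (or one "--login=msi" item).
  if ! awk '
      /^[[:space:]]*-[[:space:]]*--login[[:space:]]*$/ { want = 1; next }
      want && /^[[:space:]]*-[[:space:]]*msi[[:space:]]*$/ { found = 1 }
      /--login=msi[[:space:]]*$/ { found = 1 }
      { want = 0 }
      END { exit found ? 0 : 1 }' "$f"; then
    echo "$f: kubelogin is not using the msi login" >&2; return 1
  fi
  if grep -Eq '^[[:space:]]*(client-certificate-data|client-key-data|token):' "$f"; then
    echo "$f: static credentials present" >&2; return 1
  fi
}

# sample_kubeconfig FILE [static]: writes a constructed kubeconfig for offline
# checks; "static" substitutes legacy certificate credentials for the exec plugin.
sample_kubeconfig() {
  {
    printf '%s\n' 'apiVersion: v1' 'clusters:' '- cluster:' \
      '    certificate-authority-data: LS0tQ0E=' \
      '    server: https://example-private.hcp.eastus.azmk8s.io:443' \
      '  name: example' 'users:' '- name: clusterUser_example_rg_example' '  user:'
    if [ "${2:-}" = "static" ]; then
      printf '%s\n' '    client-certificate-data: LS0tQ0VSVA==' '    client-key-data: LS0tS0VZ'
    else
      # 6dae42f8-... is the well-known AKS Azure AD server application id.
      printf '%s\n' '    exec:' '      apiVersion: client.authentication.k8s.io/v1beta1' \
        '      args:' '      - get-token' '      - --login' '      - msi' \
        '      - --server-id' '      - 6dae42f8-4368-4678-94ff-3960e28e3630' \
        '      command: kubelogin'
    fi
  } > "$1"
}

main() {
  install_tools
  PATH="$BIN_DIR:$PATH"
  fetch_credentials
  kubeconfig_uses_msi "${KUBECONFIG:-$HOME/.kube/config}"
  flux bootstrap git --url="$FLUX_REPO_URL" --branch=master \
    --path=./cluster-manifests/uat --private-key-file="$HOME/.ssh/id_rsa"
}

if [ "${RUN_BOOTSTRAP:-0}" = "1" ]; then
  main
fi
```

Run with `RUN_BOOTSTRAP=1 CLUSTER_NAME=... CLUSTER_RESOURCE_GROUP=... FLUX_REPO_URL=... sh jumpbox.sh` on the jumpbox; sourced without RUN_BOOTSTRAP it only defines the functions, and `kubeconfig_uses_msi ~/.kube/config` can be used on its own to audit an existing kubeconfig.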
- If you are using Azure DevOps, you can set up a pipeline using the multistage-pipeline.yaml file in the pipelines folder.
- The GitOps steps will eventually be incorporated into the pipeline.