Listings Söldner/Wessendorf Azure-Tutorial, Teil 3


Listing 1: Istio über die Bash installieren
ISTIO_VERSION=1.4.0
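# Download the Istio release tarball for $ISTIO_VERSION (set above) and put
# istioctl on the PATH. Intended to run as a script: `set -e` would close an
# interactive shell on the first failing command.
set -euo pipefail

: "${ISTIO_VERSION:?ISTIO_VERSION must be set, e.g. 1.4.0}"
ISTIO_TARBALL="istio-${ISTIO_VERSION}-linux.tar.gz"

# -f makes curl fail on HTTP errors (e.g. a non-existent version) instead of
# piping an HTML error page into tar.
curl -fsSL -o "${ISTIO_TARBALL}" \
  "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/${ISTIO_TARBALL}"

# Supply-chain check: the download is otherwise trusted by URL alone. Export
# ISTIO_SHA256=<sha256 published for this release> to verify it before use.
if [ -n "${ISTIO_SHA256:-}" ]; then
  printf '%s  %s\n' "${ISTIO_SHA256}" "${ISTIO_TARBALL}" | sha256sum -c -
fi

tar xzf "${ISTIO_TARBALL}"
cd "istio-${ISTIO_VERSION}"

# install copies and sets the mode in one step (replaces cp + chmod +x).
sudo install -m 0755 ./bin/istioctl /usr/local/bin/istioctl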

---------

Listing 2: Passwort für Grafana erstellen
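# Create the Kubernetes Secret holding the Grafana login for the Istio addon.
# "PASSWORD" is a placeholder; set GRAFANA_PASSWORD in the environment to
# override it without editing (and committing) this listing.
#
# printf replaces `echo -n`, which is not portable (/bin/sh may print "-n").
# `tr -d '\n'` strips the line wrap GNU base64 inserts every 76 characters,
# which would otherwise corrupt the encoding of longer passphrases.
GRAFANA_USERNAME=$(printf '%s' "grafana" | base64 | tr -d '\n')
GRAFANA_PASSPHRASE=$(printf '%s' "${GRAFANA_PASSWORD:-PASSWORD}" | base64 | tr -d '\n')

# The values are quoted: a short base64 string can consist of digits only and
# would otherwise be parsed as an integer.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: grafana
  namespace: istio-system
  labels:
    app: grafana
type: Opaque
data:
  username: "${GRAFANA_USERNAME}"
  passphrase: "${GRAFANA_PASSPHRASE}"
EOF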

---------

Listing 3: Konfigurationsdatei zur Installation von Istio
# Istio control-plane spec (install.istio.io/v1alpha2 IstioControlPlane),
# presumably applied with istioctl — confirm against the tutorial text.
apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
    # Use the default profile as the base
    # More details at: https://istio.io/docs/setup/additional-setup/config-profiles/
    profile: default
    values:
      global:
        # Ensure that the Istio pods are only scheduled to run on Linux nodes
        # NOTE(review): beta.kubernetes.io/os is the older form of the node
        # label; newer clusters label nodes kubernetes.io/os — verify which
        # one your nodes carry
        defaultNodeSelector:
          beta.kubernetes.io/os: linux
        # Enable mutual TLS for the control plane
        controlPlaneSecurityEnabled: true
        mtls:
          # Mesh-wide mTLS enforcement is OFF here: services may still talk
          # plaintext. Set to true to require mTLS for all service-to-service
          # communication.
          enabled: false
      grafana:
        # Enable Grafana deployment for analytics and monitoring dashboards
        enabled: true
        security:
          # Enable authentication for Grafana; presumably backed by the
          # `grafana` Secret (username/passphrase) from Listing 2 — verify
          enabled: true
      kiali:
        # Enable the Kiali deployment for a service mesh observability dashboard
        enabled: true
      tracing:
        # Enable the Jaeger deployment for tracing
        enabled: true

---------

Listing 4: Istio Gateway konfigurieren
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: berechnungsservice-gateway
spec:
  # Bind to the default Istio ingress gateway deployment
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      # Wildcard host: accepts any Host header on plain HTTP (no TLS on this listener)
      hosts:
        - "*"

---------

Listing 5: Virtual Service einrichten
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: berechnungsservice
spec:
  # Any host; the rule is bound to the gateway below rather than the mesh default
  hosts:
    - "*"
  gateways:
    - berechnungsservice-gateway
  http:
    # Route the frontend entry point and its static assets to my-frontend:9080
    - match:
        - uri:
            exact: /my-frontend
        - uri:
            prefix: /static
      route:
        - destination:
            host: my-frontend
            port:
              number: 9080

---------


Listing 6: Azure-AD-Serverapplikation erzeugen
# Register the Azure AD application that represents the AKS API server and
# capture its appId for the service-principal and permission steps that follow.
serverApplicationId="$(az ad app create \
  --display-name "iXAzureADServer" \
  --identifier-uris "https://aksazurereadserver" \
  --query appId \
  --output tsv)"

---------

Listing 7: Service Principal anfertigen
# Create the service principal backing the server application.
az ad sp create --id "${serverApplicationId}"

# Reset the principal's credential and capture the new secret. It lives only in
# this shell variable; do not echo it or write it to a file.
serverApplicationSecret="$(az ad sp credential reset \
  --name "${serverApplicationId}" \
  --credential-description "AKSPassword" \
  --query password \
  --output tsv)"

---------

Listing 8: Berechtigungen in Azure Active Directory konfigurieren
# Grant the server application access to Microsoft Graph
# (00000003-0000-0000-c000-000000000000 is the well-known Graph resource id).
# The three permission ids are the ones the AKS Azure AD integration guide
# uses; they are believed to map to User.Read (delegated), Directory.Read.All
# (delegated) and Directory.Read.All (application) — confirm in the portal.
az ad app permission add \
  --id "${serverApplicationId}" \
  --api 00000003-0000-0000-c000-000000000000 \
  --api-permissions \
    e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope \
    06da0dbc-49e2-44d2-8312-53f166ab848a=Scope \
    7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role

# Application (=Role) permissions only take effect after tenant-wide admin
# consent, which requires a directory administrator to run the last command.
az ad app permission grant \
  --id "${serverApplicationId}" \
  --api 00000003-0000-0000-c000-000000000000
az ad app permission admin-consent --id "${serverApplicationId}"

---------

Listing 9: Azure-AD-Clientapplikation erzeugen
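# Register the native (public) client application that users authenticate
# with when accessing the cluster created in Listing 11. The original listing
# had a trailing space inside the reply URL ("https://aksazurereadclient "),
# which registers a URL that never matches; it is removed here.
clientApplicationId="$(az ad app create \
  --display-name "ixAzureADClient" \
  --native-app \
  --reply-urls "https://aksazurereadclient" \
  --query appId \
  --output tsv)"

# Service principal for the client application.
az ad sp create --id "${clientApplicationId}"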

---------

Listing 10: Berechtigungen an die Azure-AD-Applikationen zuweisen 
# First OAuth2 scope exposed by the server application (presumably the default
# user_impersonation scope; verify the index if the app exposes more than one).
oAuthPermissionId="$(az ad app show \
  --id "${serverApplicationId}" \
  --query "oauth2Permissions[0].id" \
  --output tsv)"

# Let the client application request that scope on behalf of the signed-in user.
az ad app permission add \
  --id "${clientApplicationId}" \
  --api "${serverApplicationId}" \
  --api-permissions "${oAuthPermissionId}=Scope"

az ad app permission grant \
  --id "${clientApplicationId}" \
  --api "${serverApplicationId}"

---------

Listing 11: Den Cluster erzeugen
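# Tenant of the signed-in account; AKS validates Azure AD tokens against it.
tenantId="$(az account show --query tenantId --output tsv)"

# aksname is not defined in these listings; fail early with a clear message
# instead of letting `az aks create` reject an empty --name.
: "${aksname:?set aksname to the desired cluster name before running this listing}"

# The server secret is passed on the command line, so it is visible in the
# process list and shell history of this machine while the command runs.
az aks create \
  --resource-group myResourceGroup \
  --name "${aksname}" \
  --node-count 1 \
  --generate-ssh-keys \
  --aad-server-app-id "${serverApplicationId}" \
  --aad-server-app-secret "${serverApplicationSecret}" \
  --aad-client-app-id "${clientApplicationId}" \
  --aad-tenant-id "${tenantId}"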

---------

Listing 12: Adminrechte zuweisen
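apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ix-cluster-admins
# Binds the built-in cluster-admin ClusterRole: unrestricted access to every
# resource in every namespace. Keep the subject list minimal and reviewed.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  # The original listing indented kind/name deeper than apiGroup, which makes
  # them a continuation of the apiGroup scalar and fails to parse; all three
  # keys must sit at the same indentation inside the list item.
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    # presumably the Azure AD user principal name — verify against the AKS AAD docs
    name: test-admin@soeldner-consult.de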


