├── .devcontainer ├── Dockerfile ├── devcontainer.json ├── post-create.sh └── post-start.sh ├── .gitattributes ├── .github └── workflows │ └── main.yaml ├── .gitignore ├── LICENSE ├── README.md ├── aca ├── authentication │ ├── README.md │ ├── Taskfile.yaml │ ├── apps │ │ └── httpbin.yaml │ ├── authConfig │ │ ├── azuredeploy.json │ │ └── azuredeploy.parameters.json │ ├── bastion.tf │ ├── cae.tf │ ├── dns.tf │ ├── logging.tf │ ├── main.tf │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ ├── random.tf │ ├── references.tf │ ├── variables.tf │ └── vm.tf ├── basic │ ├── Taskfile.yaml │ ├── ca-httpbin.tf │ ├── cae.tf │ ├── identities.tf │ ├── logging.tf │ ├── main.tf │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ └── variables.tf ├── ingress-labels │ ├── Taskfile.yaml │ ├── ca-httpbin.tf │ ├── cae.tf │ ├── identities.tf │ ├── logging.tf │ ├── main.tf │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ ├── revisions.tfvars │ └── variables.tf ├── jobs │ ├── Taskfile.yaml │ ├── ca-job.tf │ ├── ca-utils.tf │ ├── cae.tf │ ├── dns.tf │ ├── identities.tf │ ├── logging.tf │ ├── main.tf │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ └── variables.tf ├── nat │ ├── Taskfile.yaml │ ├── ca-httpbin.tf │ ├── cae.tf │ ├── dns.tf │ ├── identities.tf │ ├── logging.tf │ ├── main.tf │ ├── nat.tf │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ └── variables.tf ├── workloadprofile-consumptiononly │ ├── Taskfile.yaml │ ├── bastion.tf │ ├── ca-httpbin.tf │ ├── ca-utils.tf │ ├── cae.tf │ ├── dns.tf │ ├── identities.tf │ ├── linux.tf │ ├── logging.tf │ ├── main.tf │ ├── nat.tf │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ ├── random.tf │ ├── rg.tf │ └── variables.tf ├── workloadprofile-fw │ ├── Taskfile.yaml │ ├── ca-httpbin.tf │ ├── cae.tf │ ├── dns.tf │ ├── firewall.tf │ ├── identities.tf │ ├── logging.tf │ ├── main.tf │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ ├── routes.tf │ └── variables.tf ├── workloadprofile │ ├── Taskfile.yaml │ ├── 
ca-utils.tf │ ├── cae.tf │ ├── dns.tf │ ├── identities.tf │ ├── logging.tf │ ├── main.tf │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ └── variables.tf └── yaml-deployment │ ├── Taskfile.yaml │ ├── apps │ └── httpbin.yaml │ ├── cae.tf │ ├── logging.tf │ ├── main.tf │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ └── variables.tf ├── acr └── multi-region │ ├── Taskfile.yaml │ ├── acr.tf │ ├── assets │ └── private-acr-multi-regions.png │ ├── main.tf │ ├── monitoring.tf │ ├── outputs.tf │ ├── providers.tf │ ├── readme.md │ ├── references.tf │ ├── regional.tf │ ├── regional │ ├── acr.tf │ ├── bastion.tf │ ├── dns.tf │ ├── linux.tf │ ├── main.tf │ ├── monitoring.tf │ ├── network.tf │ ├── nsg.tf │ ├── outputs.tf │ ├── random.tf │ ├── references.tf │ ├── rg.tf │ └── variables.tf │ ├── roles.tf │ └── variables.tf ├── aks ├── aks-backups │ ├── Taskfile.yaml │ ├── cluster-extension.tf │ ├── cluster.tf │ ├── dataprotection.tf │ ├── main.tf │ ├── outputs.tf │ ├── providers.tf │ ├── references.tf │ ├── roles.tf │ ├── storage.tf │ └── variables.tf ├── app-gateway-4-containers │ ├── Taskfile.yaml │ ├── cluster-config │ │ ├── httpbin │ │ │ ├── backend.yaml │ │ │ ├── gateway.tmpl │ │ │ ├── gateway.yaml │ │ │ └── kustomization.yaml │ │ ├── hubble │ │ │ ├── hubble-dashboard.yaml │ │ │ └── kustomization.yaml │ │ ├── kustomization.yaml │ │ ├── prometheus │ │ │ ├── ama-metrics-settings-configmap.yaml │ │ │ ├── container-azm-ms-agentconfig.yaml │ │ │ ├── kustomization.yaml │ │ │ └── prometheus-config.yaml │ │ └── websocket │ │ │ ├── backend.yaml │ │ │ ├── gateway.tmpl │ │ │ ├── gateway.yaml │ │ │ └── kustomization.yaml │ ├── cluster.tf │ ├── flux.tf │ ├── gateway.tf │ ├── identity.tf │ ├── main.tf │ ├── observability.tf │ ├── outputs.tf │ ├── providers.tf │ ├── references.tf │ ├── rg.tf │ ├── roles.tf │ └── variables.tf ├── automatic │ ├── Taskfile.yaml │ ├── cluster.tf │ ├── grafana.tf │ ├── logging.tf │ ├── main.tf │ ├── outputs.tf │ ├── prometheus-recording-rules.tf │ 
├── prometheus.tf │ ├── providers.tf │ ├── references.tf │ ├── roles.tf │ └── variables.tf ├── azure-file │ ├── Readme.md │ ├── Taskfile.yaml │ ├── chart │ │ ├── Chart.yaml │ │ ├── templates │ │ │ ├── pod.yaml │ │ │ ├── pv.yaml │ │ │ └── sa.yaml │ │ └── values.yaml │ └── infrastructure │ │ ├── identities.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── providers.tf │ │ ├── references.tf │ │ ├── roles.tf │ │ ├── storage.tf │ │ └── variables.tf ├── azure-nfs │ ├── Readme.md │ ├── Taskfile.yaml │ ├── chart │ │ ├── Chart.yaml │ │ ├── templates │ │ │ ├── pod.yaml │ │ │ ├── pv.yaml │ │ │ ├── sa.yaml │ │ │ └── sc.yaml │ │ └── values.yaml │ └── infrastructure │ │ ├── identities.tf │ │ ├── main.tf │ │ ├── network.tf │ │ ├── outputs.tf │ │ ├── providers.tf │ │ ├── references.tf │ │ ├── roles.tf │ │ ├── storage.tf │ │ └── variables.tf ├── azureml-extension │ ├── README.md │ ├── Taskfile.yaml │ ├── acr.tf │ ├── cluster-extension.tf │ ├── cluster.tf │ ├── dns.tf │ ├── keyvault.tf │ ├── main.tf │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ ├── references.tf │ ├── roles.tf │ ├── storage.tf │ ├── variables.tf │ ├── workspace-compute.tf │ └── workspace.tf ├── basic │ ├── README.md │ ├── Taskfile.yaml │ ├── cluster.tf │ ├── main.tf │ ├── observability.tf │ ├── outputs.tf │ ├── providers.tf │ ├── references.tf │ └── variables.tf ├── blob-fuse │ ├── Readme.md │ ├── Taskfile.yaml │ ├── chart │ │ ├── Chart.yaml │ │ ├── templates │ │ │ ├── pod.yaml │ │ │ ├── pv.yaml │ │ │ ├── sa.yaml │ │ │ └── sc.yaml │ │ └── values.yaml │ └── infrastructure │ │ ├── cluster.tf │ │ ├── identities.tf │ │ ├── main.tf │ │ ├── observability.tf │ │ ├── outputs.tf │ │ ├── providers.tf │ │ ├── references.tf │ │ ├── rg.tf │ │ ├── roles.tf │ │ ├── storage.tf │ │ └── variables.tf ├── chaos-studio │ ├── README.md │ ├── Taskfile.yaml │ ├── azurechaos.experiment.json │ └── azuredeploy.deployment.json ├── cni-classic │ ├── README.md │ ├── Taskfile.yaml │ ├── cluster.tf │ ├── dns.tf │ ├── identities.tf │ ├── 
logging.tf │ ├── main.tf │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ ├── roles.tf │ └── variables.tf ├── cni-overlay │ ├── README.md │ ├── Taskfile.yaml │ ├── cluster.azapi_method │ ├── cluster.tf │ ├── dns.tf │ ├── flux.tf │ ├── identities.tf │ ├── logging.tf │ ├── main.tf │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ ├── roles.tf │ └── variables.tf ├── container-storage │ ├── Taskfile.yaml │ ├── azurecontainerstorage.tf │ ├── cluster-config │ │ ├── azuredisk-demo │ │ │ ├── kustomization.yaml │ │ │ ├── pod.yaml │ │ │ ├── pvc.yaml │ │ │ └── storagepool.yaml │ │ ├── esan-demo │ │ │ ├── kustomization.yaml │ │ │ ├── pod.yaml │ │ │ ├── pvc.yaml │ │ │ └── storagepool.yaml │ │ └── kustomization.yaml │ ├── cluster-post-config.tf │ ├── cluster.tf │ ├── flux.tf │ ├── main.tf │ ├── outputs.tf │ ├── providers.tf │ ├── references.tf │ ├── roles.tf │ └── variables.tf ├── dapr │ ├── Taskfile.yaml │ ├── cluster-config │ │ ├── kured.yaml │ │ └── kustomization.yaml │ ├── cluster.tf │ ├── dapr.tf │ ├── flux.tf │ ├── main.tf │ ├── outputs.tf │ ├── providers.tf │ ├── references.tf │ └── variables.tf ├── disk-encryption-set │ ├── Taskfile.yaml │ ├── bastion.tf │ ├── cluster-disk-encryption.tf │ ├── cluster-etcd-encryption.tf │ ├── cluster-logging.tf │ ├── cluster.tf │ ├── dns.tf │ ├── identities.tf │ ├── keyvault.tf │ ├── linux.tf │ ├── main.tf │ ├── nat.tf │ ├── network.tf │ ├── observability.tf │ ├── outputs.tf │ ├── providers.tf │ ├── random.tf │ ├── references.tf │ ├── rg.tf │ ├── roles.tf │ └── variables.tf ├── github-arc-runner-dind │ ├── setup.sh │ └── values.yaml ├── http-proxy │ ├── create_aks_cluster.sh │ ├── infrastructure │ │ ├── azurefirewall.template.json │ │ ├── identities.template.json │ │ └── squidproxy.template.json │ ├── install_squid.sh │ └── proxy.json ├── isolated │ ├── Taskfile.yaml │ ├── acr.tf │ ├── aks │ │ ├── cluster.azapi.tf │ │ ├── flux.tf │ │ ├── identities.tf │ │ ├── main.tf │ │ ├── network.tf │ │ ├── outputs.tf │ │ ├── providers.tf │ 
│ ├── references.tf │ │ ├── roles.tf │ │ └── variables.tf │ ├── azure.tfvars │ ├── bastion │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── references.tf │ │ └── variables.tf │ ├── dns.tf │ ├── jumpbox │ │ ├── main.tf │ │ ├── output.tf │ │ ├── references.tf │ │ └── variables.tf │ ├── logging.tf │ ├── main.tf │ ├── modules.tf │ ├── nat.tf │ ├── network.tf │ ├── nsg.tf │ ├── outputs.tf │ ├── providers.tf │ ├── random.tf │ ├── references.tf │ ├── rg.tf │ └── variables.tf ├── istio-san-certs │ ├── .gitignore │ ├── Taskfile.yaml │ ├── cluster.tf │ ├── identities.tf │ ├── keyvault.tf │ ├── main.tf │ ├── manifests │ │ ├── app1.yaml │ │ ├── app2.yaml │ │ └── gateway │ │ │ ├── istio-ingress-gateway.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── kustomize.sh │ │ │ ├── secretsprovider.tmpl │ │ │ ├── serviceaccount.tmpl │ │ │ └── volumeMount-ingress-gw-customization.yaml │ ├── outputs.tf │ ├── providers.tf │ ├── references.tf │ ├── roles.tf │ └── variables.tf ├── istio │ ├── Taskfile.yaml │ ├── cluster-config │ │ ├── bookstore │ │ │ ├── bookinfo-gateway.yaml │ │ │ ├── bookinfo.yaml │ │ │ ├── kustomization.yaml │ │ │ └── namespace.yaml │ │ ├── gateways │ │ │ ├── default-ingress.yaml │ │ │ ├── istio-ingress-gateway.yaml │ │ │ └── kustomization.yaml │ │ └── kustomization.yaml │ ├── cluster-nodepools.tf │ ├── cluster.tf │ ├── flux.tf │ ├── main.tf │ ├── observability.tf │ ├── outputs.tf │ ├── providers.tf │ ├── references.tf │ └── variables.tf ├── kata │ ├── README.md │ ├── Taskfile.yaml │ ├── cluster.tf │ ├── main.tf │ ├── manifests │ │ └── pods.yaml │ ├── outputs.tf │ ├── providers.tf │ ├── references.tf │ └── variables.tf ├── keyvault-csi-example │ ├── README.md │ ├── Taskfile.yaml │ ├── chart │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── templates │ │ │ └── deployment.yaml │ │ └── values.yaml │ ├── infrastructure │ │ ├── cluster-logging.tf │ │ ├── cluster.tf │ │ ├── identities.tf │ │ ├── keyvault.tf │ │ ├── logging.tf │ │ ├── main.tf │ │ ├── network.tf │ │ ├── outputs.tf │ │ ├── 
providers.tf │ │ ├── roles.tf │ │ └── variables.tf │ └── scripts │ │ └── setup-env.sh ├── keyvault-csi-traefik-demo │ ├── identityv2-creation.sh │ ├── pod.yaml │ ├── secrets-store.yaml │ ├── traefik-csi-example.yaml │ ├── traefik-csi-tls-readme.md │ └── traefik-values.yaml ├── managed-prometheus │ ├── Taskfile.yaml │ ├── cluster.tf │ ├── identities.tf │ ├── main.tf │ ├── manifests │ │ ├── ama-metrics-settings-configmap.yaml │ │ ├── container-azm-ms-agentconfig.yaml │ │ └── prometheus-config.yaml │ ├── observability.tf │ ├── outputs.tf │ ├── providers.tf │ ├── random.tf │ ├── references.tf │ └── variables.tf ├── modules │ ├── aks.cni │ │ ├── cluster-logging.tf │ │ ├── cluster.tf │ │ ├── identities.tf │ │ ├── main.tf │ │ ├── network.tf │ │ ├── outputs.tf │ │ ├── providers.tf │ │ ├── roles.tf │ │ └── variables.tf │ ├── aks.v3 │ │ ├── cluster-addons.tf │ │ ├── cluster-logging.tf │ │ ├── cluster.tf │ │ ├── identities.tf │ │ ├── main.tf │ │ ├── network.tf │ │ ├── observability.tf │ │ ├── outputs.tf │ │ ├── providers.tf │ │ ├── roles.tf │ │ └── variables.tf │ ├── aks.v4 │ │ ├── cluster-addons.tf │ │ ├── cluster-logging.tf │ │ ├── cluster.tf │ │ ├── identities.tf │ │ ├── main.tf │ │ ├── nat.tf │ │ ├── network.tf │ │ ├── outputs.tf │ │ ├── providers.tf │ │ ├── roles.tf │ │ └── variables.tf │ └── observability │ │ ├── data-collection-rules.tf │ │ ├── grafana.tf │ │ ├── logs.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── prometheus-kubernetes-rule-group.tf │ │ ├── prometheus-node-rule-group.tf │ │ ├── prometheus-ux-rule-group.tf │ │ ├── prometheus.tf │ │ ├── providers.tf │ │ ├── roles.tf │ │ └── variables.tf ├── multi-cluster │ ├── Readme.md │ ├── Taskfile.yaml │ ├── deploy │ │ ├── cluster-app-multi-cluster-service.yaml │ │ ├── fleet-app-deployment.yaml │ │ ├── fleet-app-export-service.yaml │ │ └── fleet-cluster-placement.yaml │ └── infrastructure │ │ ├── Taskfile.patches.yaml │ │ ├── Taskfile.regional.yaml │ │ ├── cluster │ │ ├── cluster-logging.tf │ │ ├── cluster.tf │ │ ├── 
dns.tf │ │ ├── identities.tf │ │ ├── logging.tf │ │ ├── main.tf │ │ ├── network.tf │ │ ├── outputs.tf │ │ ├── roles.tf │ │ └── variables.tf │ │ ├── multiregion-demo │ │ ├── clusters.tf │ │ ├── fleet.tf │ │ ├── identities.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── providers.tf │ │ ├── references.tf │ │ ├── regions.tfvars │ │ ├── rg.tf │ │ └── variables.tf │ │ └── patch-demo │ │ ├── clusters.tf │ │ ├── environments.tfvars │ │ ├── fleet.tf │ │ ├── identities.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── providers.tf │ │ ├── references.tf │ │ ├── rg.tf │ │ └── variables.tf ├── node-autoprovisioner │ ├── README.md │ ├── Taskfile.yaml │ ├── cluster-logging.tf │ ├── cluster.tf │ ├── identities.tf │ ├── logging.tf │ ├── main.tf │ ├── manifests │ │ └── nodepool-config.yaml │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ ├── roles.tf │ └── variables.tf ├── nsg-lockdown │ ├── Taskfile.yaml │ ├── bastion.tf │ ├── cluster-logging.tf │ ├── cluster.tf │ ├── dns.tf │ ├── firewall-policy.tf │ ├── firewall.tf │ ├── identities.tf │ ├── linux.tf │ ├── main.tf │ ├── network.tf │ ├── nsg.tf │ ├── observability.tf │ ├── outputs.tf │ ├── providers.tf │ ├── random.tf │ ├── references.tf │ ├── rg.tf │ ├── roles.tf │ ├── routing.tf │ └── variables.tf ├── premium │ ├── README.md │ ├── Taskfile.yaml │ ├── cluster-logging.tf │ ├── cluster.tf │ ├── identities.tf │ ├── logging.tf │ ├── main.tf │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ ├── roles.tf │ └── variables.tf ├── private │ ├── Taskfile.yaml │ ├── aks │ │ ├── acr.tf │ │ ├── cluster-disk-encryption.tf │ │ ├── cluster-etcd-encryption.tf │ │ ├── cluster-logging.tf │ │ ├── cluster-updates.tf │ │ ├── cluster.tf │ │ ├── dns.tf │ │ ├── identities.tf │ │ ├── keyvault.tf │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── providers.tf │ │ ├── random.tf │ │ ├── references.tf │ │ ├── roles.tf │ │ └── variables.tf │ ├── azure.tfvars │ ├── bastion │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── references.tf │ │ └── variables.tf │ ├── jumpbox │ 
│ ├── main.tf │ │ ├── output.tf │ │ ├── references.tf │ │ └── variables.tf │ ├── main.tf │ ├── modules.tf │ ├── nat.tf │ ├── network.tf │ ├── nsg.tf │ ├── outputs.tf │ ├── providers.tf │ ├── random.tf │ ├── references.tf │ ├── rg.tf │ └── variables.tf ├── proximity-groups │ ├── README.md │ ├── Taskfile.yaml │ ├── cluster-agentpools.tf │ ├── cluster-logging.tf │ ├── cluster-post-config.tf │ ├── cluster.tf │ ├── identities.tf │ ├── logging.tf │ ├── main.tf │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ ├── proximity-groups.tf │ ├── roles.tf │ └── variables.tf ├── scripts │ ├── aad-auth-demo.ps1 │ ├── aks-up.sh │ ├── aks-update-defender-workspace.sh │ └── update_storageaccount_secret.sh ├── spn-auth-example │ ├── client-pod.yaml │ ├── grant-spn-ns-access.tf │ ├── helm │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── templates │ │ │ └── deployment.yaml │ │ └── values.yaml │ └── kubectl-config ├── storageclass-removal │ ├── cluster-storageclass.tf │ ├── cluster.tf │ ├── identities.tf │ ├── kubernetes.tf │ ├── logging.tf │ ├── main.tf │ ├── network.tf │ ├── outputs.tf │ ├── providers.tf │ ├── roles.tf │ └── variables.tf ├── vnet-injection │ ├── README.md │ ├── Taskfile.yaml │ ├── cluster.tf │ ├── main.tf │ ├── observability.tf │ ├── outputs.tf │ ├── providers.tf │ ├── references.tf │ └── variables.tf └── windows2022 │ ├── README.md │ ├── Taskfile.yaml │ ├── cluster-nodepools.tf │ ├── cluster.tf │ ├── main.tf │ ├── manifests │ ├── ama-metrics-settings-configmap.yaml │ ├── kustomization.yaml │ └── windows-exporter-daemonset.yaml │ ├── observability.tf │ ├── outputs.tf │ ├── providers.tf │ ├── references.tf │ └── variables.tf ├── aro ├── basic │ ├── Taskfile.yaml │ ├── identities.tf │ ├── logging.tf │ ├── main.tf │ ├── network.tf │ ├── openshift.tf │ ├── outputs.tf │ ├── providers.tf │ ├── random.tf │ ├── references.tf │ ├── roles.tf │ └── variables.tf ├── private │ ├── Taskfile.yaml │ ├── identities.tf │ ├── logging.tf │ ├── main.tf │ ├── network.tf │ ├── 
openshift.tf │ ├── outputs.tf │ ├── providers.tf │ ├── random.tf │ ├── references.tf │ ├── roles.tf │ └── variables.tf └── workload-identity-support.md ├── demo-apps ├── httpbin │ ├── azure-pipeline-build.yaml │ ├── azure-pipeline-deploy.yaml │ ├── chart │ │ ├── Chart.yaml │ │ ├── templates │ │ │ └── deployment.yaml │ │ └── values.yaml │ ├── default-serviceaccount-rolebinding.yaml │ ├── deployment.yaml │ └── dockerfile ├── otel-prometheus │ ├── chart │ │ ├── Chart.yaml │ │ ├── templates │ │ │ ├── deployment.yaml │ │ │ ├── namespace.yaml │ │ │ └── serviceaccount.yaml │ │ └── values.yaml │ └── src │ │ ├── Dockerfile │ │ ├── Dockerfile.Windows │ │ ├── GlobalUsing.cs │ │ ├── Program.cs │ │ ├── Taskfile.yaml │ │ ├── WeatherForecast.cs │ │ ├── appsettings.json │ │ └── otel-prometheus.csproj └── todo │ ├── Taskfile.yaml │ ├── chart │ ├── .helmignore │ ├── Chart.yaml │ ├── templates │ │ └── deployment.yaml │ └── values.yaml │ └── infrastructure │ ├── identities.tf │ ├── keyvault.tf │ ├── main.tf │ ├── output.tf │ ├── providers.tf │ ├── references.tf │ ├── roles.tf │ ├── sql.tf │ └── variables.tf ├── dns └── nodelocaldns.yaml ├── gke └── basic │ ├── cluster.tf │ ├── network.tf │ ├── providers.tf │ └── variables.tf ├── jobs └── istio-sidecarcontainer-test-job.yaml ├── namespace ├── cpu-limits.yaml ├── memory-limits.yaml ├── namespace-taints-annotation.yaml └── quotas.yaml ├── network-observability ├── hubble-certs.sh └── hubble-dashboard.yaml ├── network-policies ├── allow-traffic-labels.yaml ├── allow-traffic-namespace.yaml ├── deny-all-traffic.yaml └── k8s-documentation-example.yaml ├── persistent-volumes ├── azfiles-pod.yaml ├── azfiles-storageclass.yaml ├── azfiles1tb-pod.yaml ├── aznfs-blobstorage-pod.yaml ├── aznfs-server-pod.yaml ├── fio-test-cmd.txt ├── keyvault-blob-csi-example.yaml ├── storage-disks.yaml ├── storage-files-dynamic.yaml ├── storage-files-static.yaml └── storage-localdisk.yaml ├── pods ├── busybox.yml ├── downwardapi.yml ├── init-container.yml ├── 
mongo-stateful.yaml ├── node-customizations.yaml ├── sleep.yaml └── topologyspreadconstraints.yaml ├── roles ├── aad-groups.yaml ├── aad-users.yaml ├── cluster-admin-role.yaml ├── istio.yaml └── rbac-for-deployer-role.yaml ├── scripts └── aks-preview-features.sh └── windows ├── dockerfile.iis.ssl ├── legacy ├── Register-Win2K22AksSupport.ps1 ├── assets │ ├── curl.png │ ├── nodes.png │ ├── pods.png │ ├── services.png │ └── windows.png ├── create_windows_cluster.sh ├── mssql │ ├── Readme.md │ ├── mssql2017-stateful.yml │ ├── mssql2019-stateful-alwayson-read-replica.yaml │ └── mssql2019-stateful.yaml ├── self-hosted-windows-cluster.md ├── windows-iis-ssl-win10.yaml └── windows-iis-win19-with-ssl.yaml ├── prometheus-servicemonitor.yaml ├── virtual-kubelet-windows.yaml ├── windows-aspnet-sample.yaml └── windows-iis-win22.yaml /.devcontainer/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG VARIANT="8.0-bullseye-slim" 2 | FROM mcr.microsoft.com/vscode/devcontainers/dotnet:${VARIANT} 3 | 4 | ARG NODE_VERSION="none" 5 | RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . 
/usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"; fi -------------------------------------------------------------------------------- /.devcontainer/post-start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # this runs each time the container starts 4 | 5 | echo "$(date) post-start start" >> ~/status 6 | sudo az aks install-cli 7 | sudo az extension add --name application-insights -y 8 | sudo az extension add --name aks-preview -y 9 | echo "$(date) post-start complete" >> ~/status 10 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /aca/authentication/apps/httpbin.yaml: -------------------------------------------------------------------------------- 1 | identity: 2 | type: SystemAssigned 3 | properties: 4 | workloadProfileName: Consumption 5 | configuration: 6 | ingress: 7 | external: true 8 | allowInsecure: false 9 | targetPort: 8080 10 | template: 11 | containers: 12 | - image: bjd145/httpbin:1088 13 | name: httpbin 14 | resources: 15 | cpu: 1 16 | memory: 2Gi 17 | scale: 18 | minReplicas: 1 19 | maxReplicas: 5 20 | rules: 21 | - name: httpscalingrule 22 | custom: 23 | type: http 24 | metadata: 25 | concurrentRequests: 50 -------------------------------------------------------------------------------- /aca/authentication/authConfig/azuredeploy.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "clientId": { 6 | "value": "REPLACE_ME with Container App Registration. 
Follow: https://learn.microsoft.com/en-us/azure/container-apps/authentication-entra" 7 | } 8 | } 9 | } -------------------------------------------------------------------------------- /aca/authentication/bastion.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_bastion_host" "this" { 2 | name = local.bastion_name 3 | location = azurerm_resource_group.this.location 4 | resource_group_name = azurerm_resource_group.this.name 5 | sku = "Developer" 6 | virtual_network_id = azurerm_virtual_network.this.id 7 | } 8 | -------------------------------------------------------------------------------- /aca/authentication/logging.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_log_analytics_workspace" "this" { 2 | name = "${local.resource_name}-logs" 3 | location = azurerm_resource_group.this.location 4 | resource_group_name = azurerm_resource_group.this.name 5 | sku = "PerGB2018" 6 | daily_quota_gb = 5 7 | } 8 | 9 | resource "azurerm_application_insights" "this" { 10 | name = "${local.resource_name}-appinsights" 11 | location = azurerm_resource_group.this.location 12 | resource_group_name = azurerm_resource_group.this.name 13 | workspace_id = azurerm_log_analytics_workspace.this.id 14 | application_type = "web" 15 | } 16 | -------------------------------------------------------------------------------- /aca/authentication/outputs.tf: -------------------------------------------------------------------------------- 1 | output "RESOURCE_GROUP" { 2 | value = azurerm_resource_group.this.name 3 | sensitive = false 4 | } 5 | 6 | output "APP_ENVIRONMENT" { 7 | value = azurerm_container_app_environment.this.name 8 | } 9 | 10 | output "APP_ENVIRONMENT_ID" { 11 | value = azurerm_container_app_environment.this.id 12 | } 13 | 14 | output "AAD_TENANT_ID" { 15 | value = data.azurerm_client_config.current.tenant_id 16 | } 17 | 18 | output "VM_CLIENT_ID" { 19 | value = 
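azurerm_user_assigned_identity.this.client_id
}
-------------------------------------------------------------------------------- /aca/authentication/providers.tf: --------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "~> 2"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "~> 4"
    }
    # random.tf and references.tf use the random and http providers; declare
    # them here so their source is explicit rather than inferred. No version
    # constraint is set yet — pin one (a "~> MAJOR" placeholder until chosen)
    # so a fresh `terraform init` without a lock file cannot pick up a new
    # major release unnoticed.
    random = {
      source = "hashicorp/random"
    }
    http = {
      source = "hashicorp/http"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Lets `terraform destroy` remove the resource group even while it still
      # contains resources.
      prevent_deletion_if_contains_resources = false
    }
  }
}

provider "azapi" {
}
-------------------------------------------------------------------------------- /aca/authentication/random.tf: --------------------------------------------------------------------------------
# Random values; presumably combined into resource names and the VNet address
# space elsewhere (main.tf / network.tf, not shown here) — confirm.
resource "random_id" "this" {
  byte_length = 2
}

resource "random_pet" "this" {
  length    = 1
  separator = ""
}

# Range 10..250 — looks like the second octet of the VNet CIDR; confirm in network.tf.
resource "random_integer" "vnet_cidr" {
  min = 10
  max = 250
}

# Range 1..3 — looks like the availability zone for the VM; confirm in vm.tf.
resource "random_integer" "vm_zone" {
  min = 1
  max = 3
}
-------------------------------------------------------------------------------- /aca/authentication/references.tf: --------------------------------------------------------------------------------
data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

# Public IP of the machine running terraform, fetched over TLS. The previous
# plain-http URL let anything on the network path rewrite the answer; if this
# value feeds an allow rule (presumably in network.tf — confirm), a tampered
# response would open that rule to an address the operator did not choose.
data "http" "myip" {
  url = "https://checkip.amazonaws.com/"
}
-------------------------------------------------------------------------------- /aca/authentication/variables.tf: --------------------------------------------------------------------------------
variable "region" {
  description = "Azure region to deploy to"
  default     = "canadaeast"
}

variable "tags" {
  # NOTE(review): this description looks copy-pasted from a node-pool variable;
  # the default (next line) is a free-text label, not a pool name. Confirm how
  # main.tf consumes the value and correct the text.
  description = "The name of the node pool"
  type        = string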
default = "Basic ACA Environment" 10 | } 11 | 12 | variable "zones" { 13 | description = "Enable Availability Zones for the Container Apps Environment" 14 | type = bool 15 | default = true 16 | } -------------------------------------------------------------------------------- /aca/basic/cae.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | zonal = var.region == "canadaeast" || var.region == "northcentralus" ? false : true 3 | } 4 | 5 | resource "azurerm_container_app_environment" "this" { 6 | name = local.aca_name 7 | location = azurerm_resource_group.this.location 8 | resource_group_name = azurerm_resource_group.this.name 9 | log_analytics_workspace_id = azurerm_log_analytics_workspace.this.id 10 | internal_load_balancer_enabled = false 11 | infrastructure_subnet_id = azurerm_subnet.nodes.id 12 | zone_redundancy_enabled = local.zonal 13 | } -------------------------------------------------------------------------------- /aca/basic/identities.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_user_assigned_identity" "aca_identity" { 2 | name = "${local.aca_name}-identity" 3 | resource_group_name = azurerm_resource_group.this.name 4 | location = azurerm_resource_group.this.location 5 | } 6 | -------------------------------------------------------------------------------- /aca/basic/logging.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_log_analytics_workspace" "this" { 2 | name = "${local.resource_name}-logs" 3 | location = azurerm_resource_group.this.location 4 | resource_group_name = azurerm_resource_group.this.name 5 | sku = "PerGB2018" 6 | daily_quota_gb = 0.5 7 | } 8 | 9 | resource "azurerm_application_insights" "this" { 10 | name = "${local.resource_name}-appinsights" 11 | location = azurerm_resource_group.this.location 12 | resource_group_name = azurerm_resource_group.this.name 13 | 
workspace_id = azurerm_log_analytics_workspace.this.id 14 | application_type = "web" 15 | } 16 | -------------------------------------------------------------------------------- /aca/basic/outputs.tf: -------------------------------------------------------------------------------- 1 | output "RESOURCE_GROUP" { 2 | value = azurerm_resource_group.this.name 3 | sensitive = false 4 | } 5 | 6 | /* FQDN of the httpbin container app's first ingress entry. */ output "APP_URL" { 7 | value = azurerm_container_app.httpbin.ingress[0].fqdn 8 | } 9 | -------------------------------------------------------------------------------- /aca/basic/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 4" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 2" 11 | } 12 | tls = { 13 | source = "hashicorp/tls" 14 | version = "~> 4" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | /* lets `terraform destroy` remove the resource group even while it still contains resources */ prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } 29 | -------------------------------------------------------------------------------- /aca/basic/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "Azure region to deploy to" 3 | default = "canadaeast" 4 | } 5 | 6 | variable "tags" { /* NOTE(review): this description looks copy-pasted from a node-pool variable; the default is a free-text label, not a pool name — confirm how main.tf consumes the value and correct the text. */ 7 | description = "The name of the node pool" 8 | type = string 9 | default = "Basic ACA Environment" 10 | } -------------------------------------------------------------------------------- /aca/ingress-labels/cae.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | zonal = var.region == "canadaeast" || var.region == "northcentralus" ? 
false : true 3 | } 4 | 5 | resource "azurerm_container_app_environment" "this" { 6 | name = local.aca_name 7 | location = azurerm_resource_group.this.location 8 | resource_group_name = azurerm_resource_group.this.name 9 | log_analytics_workspace_id = azurerm_log_analytics_workspace.this.id 10 | internal_load_balancer_enabled = false 11 | infrastructure_subnet_id = azurerm_subnet.nodes.id 12 | zone_redundancy_enabled = local.zonal 13 | } 14 | -------------------------------------------------------------------------------- /aca/ingress-labels/identities.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_user_assigned_identity" "aca_identity" { 2 | name = "${local.aca_name}-identity" 3 | resource_group_name = azurerm_resource_group.this.name 4 | location = azurerm_resource_group.this.location 5 | } 6 | -------------------------------------------------------------------------------- /aca/ingress-labels/logging.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_log_analytics_workspace" "this" { 2 | name = "${local.resource_name}-logs" 3 | location = azurerm_resource_group.this.location 4 | resource_group_name = azurerm_resource_group.this.name 5 | sku = "PerGB2018" 6 | daily_quota_gb = 0.5 7 | } 8 | 9 | resource "azurerm_application_insights" "this" { 10 | name = "${local.resource_name}-appinsights" 11 | location = azurerm_resource_group.this.location 12 | resource_group_name = azurerm_resource_group.this.name 13 | workspace_id = azurerm_log_analytics_workspace.this.id 14 | application_type = "web" 15 | } -------------------------------------------------------------------------------- /aca/ingress-labels/outputs.tf: -------------------------------------------------------------------------------- 1 | output "RESOURCE_GROUP" { 2 | value = azurerm_resource_group.this.name 3 | sensitive = false 4 | } 5 | 6 | output "APP_URL" { 7 | value = 
azurerm_container_app.httpbin.ingress[0].fqdn 8 | } 9 | -------------------------------------------------------------------------------- /aca/ingress-labels/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 4" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 2" 11 | } 12 | tls = { 13 | source = "hashicorp/tls" 14 | version = "~> 4" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | /* lets `terraform destroy` remove the resource group even while it still contains resources */ prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } 29 | -------------------------------------------------------------------------------- /aca/ingress-labels/revisions.tfvars: -------------------------------------------------------------------------------- 1 | /* Two labelled revisions splitting traffic 50/50: v1 pinned to an explicit revision suffix, v2 following the latest revision. */ ingress_labels = { 2 | v1 = { 3 | label = "v1" 4 | latest_revision = false 5 | traffic_weight = 50 6 | revision_suffix = "viu34fx" //The revision suffix is a unique identifier for the revision for example: httpbin--viu34fx 7 | } 8 | v2 = { 9 | label = "v2" 10 | latest_revision = true 11 | traffic_weight = 50 12 | revision_suffix = null 13 | } 14 | } 15 | 16 | # ingress_labels = { 17 | # v1 = { 18 | # label = "v1" 19 | # latest_revision = true 20 | # traffic_weight = 100 21 | # revision_suffix = null 22 | # } 23 | # } -------------------------------------------------------------------------------- /aca/ingress-labels/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "Azure region to deploy to" 3 | default = "canadaeast" 4 | } 5 | 6 | variable "tags" { /* NOTE(review): this description looks copy-pasted from a node-pool variable; the default is a free-text label, not a pool name — confirm how main.tf consumes the value and correct the text. */ 7 | description = "The name of the node pool" 8 | type = string 9 | default = "Basic ACA Environment" 10 | } 11 | variable "ingress_labels" { 12 | description = "Ingress labels for the app" 13 | type = 
map(object({ 14 | label = string 15 | latest_revision = bool 16 | traffic_weight = number 17 | revision_suffix = string 18 | })) 19 | } -------------------------------------------------------------------------------- /aca/jobs/identities.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_user_assigned_identity" "aca_identity" { 2 | name = "${local.resource_name}-app-identity" 3 | resource_group_name = azurerm_resource_group.this.name 4 | location = azurerm_resource_group.this.location 5 | } 6 | -------------------------------------------------------------------------------- /aca/jobs/logging.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_log_analytics_workspace" "this" { 2 | name = "${local.resource_name}-logs" 3 | location = azurerm_resource_group.this.location 4 | resource_group_name = azurerm_resource_group.this.name 5 | sku = "PerGB2018" 6 | daily_quota_gb = 5 7 | } 8 | 9 | resource "azurerm_application_insights" "this" { 10 | name = "${local.resource_name}-appinsights" 11 | location = azurerm_resource_group.this.location 12 | resource_group_name = azurerm_resource_group.this.name 13 | workspace_id = azurerm_log_analytics_workspace.this.id 14 | application_type = "web" 15 | } -------------------------------------------------------------------------------- /aca/jobs/outputs.tf: -------------------------------------------------------------------------------- 1 | output "RESOURCE_GROUP" { 2 | value = azurerm_resource_group.this.name 3 | sensitive = false 4 | } 5 | 6 | output "JOB_NAME" { 7 | value = local.app_name 8 | } -------------------------------------------------------------------------------- /aca/jobs/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 4" 7 | } 8 
| azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 2" 11 | } 12 | tls = { 13 | source = "hashicorp/tls" 14 | version = "~> 4" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } 29 | -------------------------------------------------------------------------------- /aca/jobs/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "Azure region to deploy to" 3 | default = "canadaeast" 4 | } 5 | 6 | variable "tags" { 7 | description = "The name of the node pool" 8 | type = string 9 | default = "Basic ACA Environment" 10 | } -------------------------------------------------------------------------------- /aca/nat/identities.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_user_assigned_identity" "aca_identity" { 2 | name = "${local.resource_name}-${local.app_name}-app-identity" 3 | resource_group_name = azurerm_resource_group.this.name 4 | location = azurerm_resource_group.this.location 5 | } 6 | -------------------------------------------------------------------------------- /aca/nat/logging.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_log_analytics_workspace" "this" { 2 | name = "${local.resource_name}-logs" 3 | location = azurerm_resource_group.this.location 4 | resource_group_name = azurerm_resource_group.this.name 5 | sku = "PerGB2018" 6 | daily_quota_gb = 0.5 7 | } 8 | 9 | resource "azurerm_application_insights" "this" { 10 | name = "${local.resource_name}-appinsights" 11 | location = azurerm_resource_group.this.location 12 | resource_group_name = azurerm_resource_group.this.name 13 | workspace_id = azurerm_log_analytics_workspace.this.id 14 | application_type = "web" 15 | } 
-------------------------------------------------------------------------------- /aca/nat/outputs.tf: -------------------------------------------------------------------------------- 1 | output "RESOURCE_GROUP" { 2 | value = azurerm_resource_group.this.name 3 | sensitive = false 4 | } 5 | 6 | output "APP_URL" { 7 | value = data.azurerm_container_app.httpbin.ingress[0].fqdn 8 | } -------------------------------------------------------------------------------- /aca/nat/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 4" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 2" 11 | } 12 | tls = { 13 | source = "hashicorp/tls" 14 | version = "~> 4" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } 29 | -------------------------------------------------------------------------------- /aca/nat/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "Azure region to deploy to" 3 | default = "canadaeast" 4 | } 5 | 6 | variable "tags" { 7 | description = "The name of the node pool" 8 | type = string 9 | default = "Basic ACA Environment" 10 | } -------------------------------------------------------------------------------- /aca/workloadprofile-consumptiononly/identities.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_user_assigned_identity" "aca_identity" { 2 | name = "${local.resource_name}-app-identity" 3 | resource_group_name = azurerm_resource_group.this["aca"].name 4 | location = azurerm_resource_group.this["aca"].location 5 | } 6 | 
-------------------------------------------------------------------------------- /aca/workloadprofile-consumptiononly/logging.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_log_analytics_workspace" "this" { 2 | name = "${local.resource_name}-logs" 3 | location = azurerm_resource_group.this["monitor"].location 4 | resource_group_name = azurerm_resource_group.this["monitor"].name 5 | sku = "PerGB2018" 6 | daily_quota_gb = 0.5 7 | } 8 | 9 | resource "azurerm_application_insights" "this" { 10 | name = "${local.resource_name}-appinsights" 11 | location = azurerm_resource_group.this["monitor"].location 12 | resource_group_name = azurerm_resource_group.this["monitor"].name 13 | workspace_id = azurerm_log_analytics_workspace.this.id 14 | application_type = "web" 15 | } -------------------------------------------------------------------------------- /aca/workloadprofile-consumptiononly/outputs.tf: -------------------------------------------------------------------------------- 1 | output "RESOURCE_GROUP" { 2 | value = azurerm_resource_group.this["aca"].name 3 | sensitive = false 4 | } 5 | 6 | output "VM_IP" { 7 | value = azurerm_network_interface.this.private_ip_address 8 | sensitive = false 9 | } 10 | -------------------------------------------------------------------------------- /aca/workloadprofile-consumptiononly/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 4" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 2" 11 | } 12 | tls = { 13 | source = "hashicorp/tls" 14 | version = "~> 4" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } 29 | 
-------------------------------------------------------------------------------- /aca/workloadprofile-consumptiononly/random.tf: -------------------------------------------------------------------------------- 1 | resource "random_id" "this" { 2 | byte_length = 2 3 | } 4 | 5 | resource "random_pet" "this" { 6 | length = 1 7 | separator = "" 8 | } 9 | 10 | resource "random_integer" "vnet_cidr" { 11 | min = 10 12 | max = 250 13 | } 14 | 15 | resource "random_integer" "services_cidr" { 16 | min = 64 17 | max = 99 18 | } 19 | 20 | resource "random_integer" "pod_cidr" { 21 | min = 100 22 | max = 127 23 | } 24 | 25 | resource "random_integer" "vm_zone" { 26 | min = 1 27 | max = 3 28 | } -------------------------------------------------------------------------------- /aca/workloadprofile-consumptiononly/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "Azure region to deploy to" 3 | default = "canadaeast" 4 | } 5 | 6 | variable "tags" { 7 | description = "The name of the node pool" 8 | type = string 9 | default = "Basic ACA Environment" 10 | } -------------------------------------------------------------------------------- /aca/workloadprofile-fw/identities.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_user_assigned_identity" "aca_identity" { 2 | name = "${local.resource_name}-${local.app_name}-app-identity" 3 | resource_group_name = azurerm_resource_group.this.name 4 | location = azurerm_resource_group.this.location 5 | } 6 | -------------------------------------------------------------------------------- /aca/workloadprofile-fw/logging.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_log_analytics_workspace" "this" { 2 | name = "${local.resource_name}-logs" 3 | location = azurerm_resource_group.this.location 4 | resource_group_name = azurerm_resource_group.this.name 
5 | sku = "PerGB2018" 6 | daily_quota_gb = 5 7 | } 8 | 9 | resource "azurerm_application_insights" "this" { 10 | name = "${local.resource_name}-appinsights" 11 | location = azurerm_resource_group.this.location 12 | resource_group_name = azurerm_resource_group.this.name 13 | workspace_id = azurerm_log_analytics_workspace.this.id 14 | application_type = "web" 15 | } -------------------------------------------------------------------------------- /aca/workloadprofile-fw/outputs.tf: -------------------------------------------------------------------------------- 1 | output "RESOURCE_GROUP" { 2 | value = azurerm_resource_group.this.name 3 | sensitive = false 4 | } 5 | 6 | # output "APP_URL" { 7 | # value = azurerm_container_app.httpbin.ingress[0].fqdn 8 | # } 9 | -------------------------------------------------------------------------------- /aca/workloadprofile-fw/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 4" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 2" 11 | } 12 | tls = { 13 | source = "hashicorp/tls" 14 | version = "~> 4" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } 29 | -------------------------------------------------------------------------------- /aca/workloadprofile-fw/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "Azure region to deploy to" 3 | default = "canadaeast" 4 | } 5 | 6 | variable "tags" { 7 | description = "The name of the node pool" 8 | type = string 9 | default = "Basic ACA Environment" 10 | } -------------------------------------------------------------------------------- 
/aca/workloadprofile/identities.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_user_assigned_identity" "aca_identity" { 2 | name = "${local.resource_name}-app-identity" 3 | resource_group_name = azurerm_resource_group.this.name 4 | location = azurerm_resource_group.this.location 5 | } 6 | -------------------------------------------------------------------------------- /aca/workloadprofile/logging.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_log_analytics_workspace" "this" { 2 | name = "${local.resource_name}-logs" 3 | location = azurerm_resource_group.this.location 4 | resource_group_name = azurerm_resource_group.this.name 5 | sku = "PerGB2018" 6 | daily_quota_gb = 5 7 | } 8 | 9 | resource "azurerm_application_insights" "this" { 10 | name = "${local.resource_name}-appinsights" 11 | location = azurerm_resource_group.this.location 12 | resource_group_name = azurerm_resource_group.this.name 13 | workspace_id = azurerm_log_analytics_workspace.this.id 14 | application_type = "web" 15 | } -------------------------------------------------------------------------------- /aca/workloadprofile/outputs.tf: -------------------------------------------------------------------------------- 1 | output "RESOURCE_GROUP" { 2 | value = azurerm_resource_group.this.name 3 | sensitive = false 4 | } -------------------------------------------------------------------------------- /aca/workloadprofile/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 4" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 2" 11 | } 12 | tls = { 13 | source = "hashicorp/tls" 14 | version = "~> 4" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | 
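prevent_deletion_if_contains_resources = false
    }
  }
}

provider "azapi" {
}
--------------------------------------------------------------------------------
/aca/workloadprofile/variables.tf:
--------------------------------------------------------------------------------
variable "region" {
  description = "Azure region to deploy to"
  type        = string
  default     = "canadaeast"
}

variable "tags" {
  # The previous description ("The name of the node pool") was copied from an
  # AKS module and did not describe this value.
  description = "Descriptive value for the tags applied to the deployed resources"
  type        = string
  default     = "Basic ACA Environment"
}
--------------------------------------------------------------------------------
/aca/yaml-deployment/apps/httpbin.yaml:
--------------------------------------------------------------------------------
# Container App definition applied as YAML (see Taskfile.yaml in this folder).
identity:
  type: SystemAssigned
properties:
  workloadProfileName: Consumption
  configuration:
    ingress:
      # Internet-facing endpoint. No ipSecurityRestrictions are declared, so
      # the app is reachable by anyone; add a restriction list or set
      # external: false if that is not intended.
      external: true
      # Plain-HTTP requests are not served as-is; only TLS is accepted.
      allowInsecure: false
      targetPort: 8080
  template:
    containers:
      # NOTE(review): mutable tag. Pinning to a digest (image@sha256:...)
      # prevents a re-pushed tag from silently changing what runs here.
      - image: bjd145/httpbin:1088
        name: httpbin
        resources:
          cpu: 1
          memory: 2Gi
    scale:
      minReplicas: 1
      maxReplicas: 5
      rules:
        - name: httpscalingrule
          custom:
            type: http
            metadata:
              concurrentRequests: 50
--------------------------------------------------------------------------------
/aca/yaml-deployment/logging.tf:
--------------------------------------------------------------------------------
resource "azurerm_log_analytics_workspace" "this" {
  name                = "${local.resource_name}-logs"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  sku                 = "PerGB2018"
  # Lab cost cap. Once the daily cap is hit the workspace stops ingesting for
  # the rest of the day, which also drops the container/system logs the
  # environment sends here; raise or remove it where these logs are relied on
  # for detection. retention_in_days is left at the provider default.
  daily_quota_gb = 0.5
}

resource "azurerm_application_insights" "this" {
  name                = "${local.resource_name}-appinsights"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  workspace_id        = azurerm_log_analytics_workspace.this.id
  application_type    = "web"
}
--------------------------------------------------------------------------------
/aca/yaml-deployment/outputs.tf:
--------------------------------------------------------------------------------
output "RESOURCE_GROUP" {
  value     = azurerm_resource_group.this.name
  sensitive = false
}

# The environment is read back through a data source after creation; these
# outputs are what the YAML deployment step needs to target it.
output "APP_ENVIRONMENT" {
  value = data.azurerm_container_app_environment.this.name
}

output "APP_ENVIRONMENT_ID" {
  value = data.azurerm_container_app_environment.this.id
}
--------------------------------------------------------------------------------
/aca/yaml-deployment/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "~> 2"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "~> 4"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Lab setting: allows `terraform destroy` to delete a resource group that
      # still contains resources not tracked in this state. Keep the default
      # (true) for shared environments.
      prevent_deletion_if_contains_resources = false
    }
  }
}

provider "azapi" {
}
--------------------------------------------------------------------------------
/aca/yaml-deployment/variables.tf:
--------------------------------------------------------------------------------
variable "region" {
  description = "Azure region to deploy to"
  type        = string
  default     = "canadaeast"
}

variable "tags" {
  # The previous description ("The name of the node pool") was copied from an
  # AKS module and did not describe this value.
  description = "Descriptive value for the tags applied to the deployed resources"
  type        = string
  default     = "Basic ACA Environment"
}
--------------------------------------------------------------------------------
/acr/multi-region/assets/private-acr-multi-regions.png:
--------------------------------------------------------------------------------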
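https://raw.githubusercontent.com/briandenicola/kubernetes/58bd50cc72d8f7f5a6166c00ed29cda9076991a6/acr/multi-region/assets/private-acr-multi-regions.png
--------------------------------------------------------------------------------
/acr/multi-region/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/briandenicola/kubernetes/58bd50cc72d8f7f5a6166c00ed29cda9076991a6/acr/multi-region/outputs.tf
--------------------------------------------------------------------------------
/acr/multi-region/providers.tf:
--------------------------------------------------------------------------------
# Provider pins for the multi-region ACR root module. The ./regional child has
# no providers.tf of its own and inherits these.
#
# NOTE(review): references.tf uses hashicorp/http and ./regional uses
# hashicorp/random, neither of which is listed here, so Terraform resolves
# them implicitly to whatever the newest release is at init time. Pin both
# here so the lock file, not the registry, decides which code runs.
terraform {
  required_version = ">= 1.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4"
    }
    # The aca/* modules are on azapi "~> 2"; this tree is still on "~> 1".
    # A major bump is breaking for azapi_resource bodies, so move them together.
    azapi = {
      source  = "Azure/azapi"
      version = "~> 1"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "~> 4"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Lab setting: allows `terraform destroy` to delete a resource group that
      # still contains resources not tracked in this state. Keep the default
      # (true) for shared environments.
      prevent_deletion_if_contains_resources = false
    }
  }
}

provider "azapi" {
}
--------------------------------------------------------------------------------
/acr/multi-region/readme.md:
--------------------------------------------------------------------------------
# Design a private Azure Container Registry (ACR) with multi-regions
![](./assets/private-acr-multi-regions.png)
--------------------------------------------------------------------------------
/acr/multi-region/references.tf:
--------------------------------------------------------------------------------
data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

# The caller's public IP, presumably the source of local.authorized_ip_ranges
# that regional.tf passes to each region as its allow-list. Because the reply
# becomes an allow-list entry, it is fetched over TLS: a plaintext HTTP reply
# could be rewritten on the path and an attacker-chosen address would end up
# authorized. On Terraform >= 1.2 a lifecycle postcondition such as
#   can(regex("^\\d{1,3}(\\.\\d{1,3}){3}\\s*$", self.response_body))
# would additionally reject any reply that is not a bare IPv4 address.
data "http" "myip" {
  url = "https://checkip.amazonaws.com/"
}
--------------------------------------------------------------------------------
/acr/multi-region/regional.tf: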
-------------------------------------------------------------------------------- 1 | module "regional_resources" { 2 | depends_on = [azurerm_container_registry.this] 3 | for_each = toset(var.regions) 4 | source = "./regional" 5 | location = each.value 6 | primary_location = element(var.regions, 0) 7 | app_name = local.resource_name 8 | authorized_ip_ranges = local.authorized_ip_ranges 9 | tags = var.tags 10 | } 11 | -------------------------------------------------------------------------------- /acr/multi-region/regional/bastion.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_bastion_host" "this" { 2 | name = local.bastion_name 3 | location = azurerm_resource_group.regional_rg.location 4 | resource_group_name = azurerm_resource_group.regional_rg.name 5 | virtual_network_id = azurerm_virtual_network.regional_rg.id 6 | sku = "Developer" 7 | } 8 | -------------------------------------------------------------------------------- /acr/multi-region/regional/dns.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_private_dns_zone" "privatelink_azurecr_io" { 2 | name = "privatelink.azurecr.io" 3 | resource_group_name = azurerm_resource_group.regional_rg.name 4 | } 5 | 6 | resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_azurecr_io" { 7 | name = "${azurerm_virtual_network.regional_rg.name}-link" 8 | private_dns_zone_name = azurerm_private_dns_zone.privatelink_azurecr_io.name 9 | resource_group_name = azurerm_resource_group.regional_rg.name 10 | virtual_network_id = azurerm_virtual_network.regional_rg.id 11 | } -------------------------------------------------------------------------------- /acr/multi-region/regional/monitoring.tf: -------------------------------------------------------------------------------- 1 | data "azurerm_log_analytics_workspace" "this" { 2 | name = local.la_name 3 | resource_group_name = local.global_rg_name 4 | } 5 | 
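data "azurerm_application_insights" "this" {
  name                = local.ai_name
  resource_group_name = local.global_rg_name
}
--------------------------------------------------------------------------------
/acr/multi-region/regional/nsg.tf:
--------------------------------------------------------------------------------
# One NSG shared by the node subnet and the private-endpoint subnet. No
# security_rule blocks are declared, so only the platform default rules apply;
# add explicit rules here if either subnet needs more than that.
resource "azurerm_network_security_group" "this" {
  name                = "${var.app_name}-default-nsg"
  location            = azurerm_resource_group.regional_rg.location
  resource_group_name = azurerm_resource_group.regional_rg.name
}

resource "azurerm_subnet_network_security_group_association" "compute" {
  subnet_id                 = azurerm_subnet.nodes.id
  network_security_group_id = azurerm_network_security_group.this.id
}

resource "azurerm_subnet_network_security_group_association" "pe" {
  subnet_id                 = azurerm_subnet.private_endpoints.id
  network_security_group_id = azurerm_network_security_group.this.id
}
--------------------------------------------------------------------------------
/acr/multi-region/regional/outputs.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/briandenicola/kubernetes/58bd50cc72d8f7f5a6166c00ed29cda9076991a6/acr/multi-region/regional/outputs.tf
--------------------------------------------------------------------------------
/acr/multi-region/regional/random.tf:
--------------------------------------------------------------------------------
# Availability zone chosen once at create time and kept in state thereafter.
resource "random_integer" "zone" {
  min = 1
  max = 3
}
--------------------------------------------------------------------------------
/acr/multi-region/regional/references.tf:
--------------------------------------------------------------------------------
data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

# Caller's public IP. var.authorized_ip_ranges is "the IP ranges that are
# allowed to access the Azure resources", so this value is allow-list input
# and is fetched over TLS: a plaintext reply could be rewritten in transit
# into an attacker-chosen address.
data "http" "myip" {
  url = "https://checkip.amazonaws.com/"
}

# SSH key pair for the regional jump VM (linux.tf). The private key is stored
# in Terraform state in clear text, so the state backend has to be handled as
# a secret store: encrypted, access-controlled, never committed.
resource "tls_private_key" "rsa" {
  algorithm = "RSA"
  rsa_bits  = 4096
}
--------------------------------------------------------------------------------
/acr/multi-region/regional/rg.tf:
--------------------------------------------------------------------------------
resource "azurerm_resource_group" "regional_rg" {
  name     = local.apps_rg_name
  location = var.location
  tags = {
    Application = var.tags
    AppName     = var.app_name
    Components  = "Azure Virtual Network, Azure Container Registry"
    DeployedOn  = timestamp()
  }

  # timestamp() is re-evaluated on every plan, which otherwise produces a
  # tag update on every apply; keep the value recorded at first deployment.
  lifecycle {
    ignore_changes = [tags["DeployedOn"]]
  }
}
--------------------------------------------------------------------------------
/acr/multi-region/regional/variables.tf:
--------------------------------------------------------------------------------
variable "location" {
  description = "The location for this application deployment"
  type        = string
}

variable "tags" {
  description = "The value for the tags applied to the resource group"
  type        = string
}

variable "primary_location" {
  description = "The primary location for this application deployment"
  type        = string
}

variable "app_name" {
  description = "The root name for this application deployment"
  type        = string
}

# Shape intentionally left untyped: the root passes local.authorized_ip_ranges
# whose definition is outside this module.
variable "authorized_ip_ranges" {
  description = "The IP ranges that are allowed to access the Azure resources"
}
--------------------------------------------------------------------------------
/acr/multi-region/roles.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/briandenicola/kubernetes/58bd50cc72d8f7f5a6166c00ed29cda9076991a6/acr/multi-region/roles.tf
--------------------------------------------------------------------------------
/acr/multi-region/variables.tf:
--------------------------------------------------------------------------------
variable "regions" {
  # regional.tf deploys one ./regional module per entry and treats the first
  # entry as the primary location.
  description = "Azure regions to deploy to; the first entry is the primary region"
  type        = list(string)
  default     = ["westus3", "canadaeast"]
}

variable "tags" {
  description = "The value for the tags applied to the resource group"
  type        = string
}
--------------------------------------------------------------------------------
/aks/aks-backups/outputs.tf:
--------------------------------------------------------------------------------
output "AKS_RESOURCE_GROUP" {
  value     = module.cluster.AKS_RESOURCE_GROUP
  sensitive = false
}

output "AKS_CLUSTER_NAME" {
  value     = module.cluster.AKS_CLUSTER_NAME
  sensitive = false
}

output "AKS_CLUSTER_ID" {
  value     = module.cluster.AKS_CLUSTER_ID
  sensitive = false
}
--------------------------------------------------------------------------------
/aks/aks-backups/providers.tf:
--------------------------------------------------------------------------------
# This module is still on azurerm 3.x. storage.tf uses the 3.x attribute name
# enable_https_traffic_only, which 4.x renamed, so bump both together.
terraform {
  required_version = ">= 1.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "~> 1"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "4.0.4"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Lab setting: allows `terraform destroy` to delete a resource group that
      # still contains resources not tracked in this state.
      prevent_deletion_if_contains_resources = false
    }
  }
}

provider "azapi" {
}
--------------------------------------------------------------------------------
/aks/aks-backups/storage.tf:
--------------------------------------------------------------------------------
# Storage account holding the cluster backups configured elsewhere in this
# module (dataprotection.tf / cluster-extension.tf).
resource "azurerm_storage_account" "this" {
  name                     = local.storage_account_name
  resource_group_name      = azurerm_resource_group.this.name
  location                 = var.region
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"
  # Transport hardening: refuse plain HTTP and anything below TLS 1.2.
  enable_https_traffic_only = true
  min_tls_version           = "TLS1_2"
  # Backup data must never be reachable anonymously: forbid containers and
  # blobs from being switched to public access at all (azurerm 3.x defaults
  # this to true). Shared-key and public-network-access settings are left at
  # their defaults; tighten them once it is confirmed which access path the
  # backup extension identity relies on.
  allow_nested_items_to_be_public = false
}

resource "azurerm_storage_container" "this" {
  name                  = local.container_name
  storage_account_name  = azurerm_storage_account.this.name
  container_access_type = "private" # explicit; also the provider default
}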
-------------------------------------------------------------------------------- /aks/aks-backups/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "Azure region to deploy to" 3 | default = "southcentralus" 4 | } 5 | 6 | variable "vm_size" { 7 | description = "The SKU for the default node pool" 8 | default = "Standard_B4ms" 9 | } 10 | 11 | variable "node_count" { 12 | description = "The default number of nodes to scale the cluster to" 13 | default = 1 14 | } 15 | 16 | variable "nodepool_name" { 17 | description = "The name of the node pool" 18 | type = string 19 | default = "system" 20 | } 21 | 22 | variable "tags" { 23 | description = "The name of the node pool" 24 | type = string 25 | default = "Basic AKS Cluster" 26 | } 27 | -------------------------------------------------------------------------------- /aks/app-gateway-4-containers/cluster-config/httpbin/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - backend.yaml 5 | - gateway.yaml -------------------------------------------------------------------------------- /aks/app-gateway-4-containers/cluster-config/hubble/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - hubble-dashboard.yaml -------------------------------------------------------------------------------- /aks/app-gateway-4-containers/cluster-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ./prometheus 5 | - ./httpbin 6 | - ./websocket 7 | #- ./hubble 8 | 
-------------------------------------------------------------------------------- /aks/app-gateway-4-containers/cluster-config/prometheus/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - container-azm-ms-agentconfig.yaml 5 | - ama-metrics-settings-configmap.yaml 6 | - prometheus-config.yaml -------------------------------------------------------------------------------- /aks/app-gateway-4-containers/cluster-config/websocket/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - backend.yaml 5 | - gateway.yaml -------------------------------------------------------------------------------- /aks/app-gateway-4-containers/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 4" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 1" 11 | } 12 | tls = { 13 | source = "hashicorp/tls" 14 | version = "~> 4" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } 29 | -------------------------------------------------------------------------------- /aks/app-gateway-4-containers/references.tf: -------------------------------------------------------------------------------- 1 | data "http" "myip" { 2 | url = "http://checkip.amazonaws.com/" 3 | } 4 | 5 | data "azurerm_client_config" "current" {} 6 | data "azurerm_subscription" "current" {} 7 | 8 | resource "tls_private_key" "rsa" { 9 | algorithm = "RSA" 10 | rsa_bits = 4096 11 | } 
-------------------------------------------------------------------------------- /aks/app-gateway-4-containers/rg.tf: -------------------------------------------------------------------------------- 1 | data "azurerm_resource_group" "this" { 2 | depends_on = [ 3 | module.azure_monitor, 4 | module.cluster 5 | ] 6 | name = module.cluster.AKS_RESOURCE_GROUP 7 | } 8 | -------------------------------------------------------------------------------- /aks/app-gateway-4-containers/roles.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_role_assignment" "alb_identity_network_contributor" { 2 | scope = module.cluster.VNET_ID 3 | role_definition_name = "Network Contributor" 4 | principal_id = azurerm_user_assigned_identity.alb_identity.principal_id 5 | skip_service_principal_aad_check = true 6 | } 7 | 8 | resource "azurerm_role_assignment" "alb_identity_appgw_config_manager" { 9 | scope = data.azurerm_resource_group.this.id 10 | role_definition_name = "AppGw for Containers Configuration Manager" 11 | principal_id = azurerm_user_assigned_identity.alb_identity.principal_id 12 | skip_service_principal_aad_check = true 13 | } -------------------------------------------------------------------------------- /aks/automatic/outputs.tf: -------------------------------------------------------------------------------- 1 | output "RESOURCE_GROUP" { 2 | value = azurerm_resource_group.this.name 3 | sensitive = false 4 | } 5 | 6 | output "AKS_CLUSTER_NAME" { 7 | value = local.aks_name 8 | sensitive = false 9 | } 10 | 11 | output "AKS_CLUSTER_ID" { 12 | value = azapi_resource.aks.id 13 | sensitive = false 14 | } 15 | -------------------------------------------------------------------------------- /aks/automatic/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version 
= "~> 3" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 1" 11 | } 12 | } 13 | } 14 | 15 | provider "azurerm" { 16 | features { 17 | resource_group { 18 | prevent_deletion_if_contains_resources = false 19 | } 20 | } 21 | } 22 | 23 | provider "azapi" { 24 | } 25 | -------------------------------------------------------------------------------- /aks/automatic/references.tf: -------------------------------------------------------------------------------- 1 | data "azurerm_client_config" "current" {} 2 | data "azurerm_subscription" "current" {} 3 | -------------------------------------------------------------------------------- /aks/automatic/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "Azure region to deploy to" 3 | default = "westus3" 4 | } 5 | 6 | variable "tags" { 7 | description = "Tags to apply to Resource Group" 8 | } -------------------------------------------------------------------------------- /aks/azure-file/Readme.md: -------------------------------------------------------------------------------- 1 | # Overview 2 | 3 | * https://github.com/kubernetes-sigs/azurefile-csi-driver/issues/1763 4 | * https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/master/docs/workload-identity-static-pv-mount.md 5 | 6 | ## Environment 7 | ```bash 8 | az login --scope https://graph.microsoft.com/.default 9 | task up 10 | task deploy 11 | ``` 12 | 13 | ## Clean up 14 | ```bash 15 | task down 16 | ``` 17 | 18 | # Validate 19 | ``` 20 | kubectl describe pod azurefiles01 21 | kubectl -n default exec -it azurefiles01 -- cat hello world >> /mnt/files/sample.txt 22 | ```~~ -------------------------------------------------------------------------------- /aks/azure-file/chart/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: azure-file-workloadid 3 | description: A Helm chart for Kubernetes 4 | 
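type: application
version: 0.1.0
appVersion: "1.16.0"

--------------------------------------------------------------------------------
/aks/azure-file/chart/templates/sa.yaml:
--------------------------------------------------------------------------------
# ServiceAccount annotated for Azure workload identity with the application's
# client id and tenant id; APP_NAME, NAMESPACE and the ARM_* values come from
# chart values at install time.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ print .Values.APP_NAME "-app-identity" }}
  namespace: {{ .Values.NAMESPACE }}
  annotations:
    azure.workload.identity/client-id: {{ .Values.ARM_WORKLOAD_APP_ID }}
    azure.workload.identity/tenant-id: {{ .Values.ARM_TENANT_ID }}
  labels:
    azure.workload.identity/use: "true"
--------------------------------------------------------------------------------
/aks/azure-file/chart/values.yaml:
--------------------------------------------------------------------------------
NAMESPACE: 'default'
--------------------------------------------------------------------------------
/aks/azure-file/infrastructure/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3"
    }
    azapi = {
      source  = "azure/azapi"
      version = "~> 1"
    }
  }
}

provider "azurerm" {
  # Storage data-plane calls from Terraform use Entra ID tokens rather than
  # account keys.
  storage_use_azuread = true
  features {
    resource_group {
      # Demo convenience: destroy removes the RG even if it still contains
      # resources created outside this configuration.
      prevent_deletion_if_contains_resources = false
    }
  }
}
--------------------------------------------------------------------------------
/aks/azure-file/infrastructure/references.tf:
--------------------------------------------------------------------------------
# Caller's public IP; the sibling examples feed it into the AKS API server
# authorized_ip_ranges, and this one presumably does the same. Fetched over
# TLS so an on-path party cannot substitute an address that then gets
# allow-listed (the previous http:// URL offered no integrity).
data "http" "myip" {
  url = "https://checkip.amazonaws.com/"
}

data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

# Key pair whose public half the sibling examples hand to the cluster module
# for node SSH access. The private half is stored in Terraform state, so the
# state backend must be protected accordingly.
resource "tls_private_key" "rsa" {
  algorithm = "RSA"
  rsa_bits  = 4096
}
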
--------------------------------------------------------------------------------
/aks/azure-file/infrastructure/storage.tf:
--------------------------------------------------------------------------------
# Premium, locally-redundant FileStorage account that backs the Azure Files
# share used by the example.
resource "azurerm_storage_account" "this" {
  name                     = local.storage_name
  resource_group_name      = azurerm_resource_group.this.name
  location                 = azurerm_resource_group.this.location
  account_tier             = "Premium"
  account_replication_type = "LRS"
  account_kind             = "FileStorage"
  # NOTE(review): account keys stay enabled even though Terraform itself talks
  # to storage with Entra ID (storage_use_azuread in providers.tf). Keep this
  # true only if the CSI static-mount path still depends on listKeys; otherwise
  # set it to false so the share is reachable through identity alone.
  shared_access_key_enabled = true
}

# The share itself; quota is the size cap in GB (provider unit).
resource "azurerm_storage_share" "this" {
  name                 = local.storage_container_name
  storage_account_name = azurerm_storage_account.this.name
  quota                = 1024
}

--------------------------------------------------------------------------------
/aks/azure-file/infrastructure/variables.tf:
--------------------------------------------------------------------------------
variable "region" {
  description = "Azure region to deploy to"
  default     = "southcentralus"
}

variable "tags" {
  description = "The value for RG tag"
}

variable "namespace" {
  default     = "default"
  description = "The namespace to deploy to"
}
--------------------------------------------------------------------------------
/aks/azure-nfs/Readme.md:
--------------------------------------------------------------------------------
# Overview
This is a simple example of how to use Azure Files with Kubernetes.
3 | 4 | 5 | ## Environment 6 | ```bash 7 | az login 8 | task up 9 | task deploy 10 | ``` 11 | 12 | ## Clean up 13 | ```bash 14 | task down 15 | ``` 16 | 17 | # Validate 18 | ``` 19 | kubectl describe pod azurenfsfiles01 20 | kubectl -n default exec -it azurenfsfiles01 -- echo hello world >> /mnt/files/sample.txt 21 | kubectl -n default exec -it azurenfsfiles02 -- cat /mnt/files/sample.txt 22 | ```~~ -------------------------------------------------------------------------------- /aks/azure-nfs/chart/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: nfs-demo 3 | description: A Helm chart for Kubernetes 4 | type: application 5 | version: 0.1.0 6 | appVersion: "1.16.0" 7 | -------------------------------------------------------------------------------- /aks/azure-nfs/chart/templates/pv.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: persistent-storage 6 | spec: 7 | storageClassName: azurefile-csi-nfs 8 | accessModes: [ "ReadWriteMany" ] 9 | resources: 10 | requests: 11 | storage: 100Gi -------------------------------------------------------------------------------- /aks/azure-nfs/chart/templates/sa.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: {{ print .Values.APP_NAME "-app-identity" }} 5 | namespace: {{ .Values.NAMESPACE }} 6 | annotations: 7 | azure.workload.identity/client-id: {{ .Values.ARM_WORKLOAD_APP_ID }} 8 | azure.workload.identity/tenant-id: {{ .Values.ARM_TENANT_ID }} 9 | labels: 10 | azure.workload.identity/use: "true" -------------------------------------------------------------------------------- /aks/azure-nfs/chart/templates/sc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1 2 | 
kind: StorageClass 3 | metadata: 4 | name: azurefile-csi-nfs 5 | provisioner: file.csi.azure.com 6 | allowVolumeExpansion: true 7 | parameters: 8 | protocol: nfs 9 | mountOptions: 10 | - nconnect=4 11 | - noresvport 12 | - actimeo=30 -------------------------------------------------------------------------------- /aks/azure-nfs/chart/values.yaml: -------------------------------------------------------------------------------- 1 | NAMESPACE: 'default' -------------------------------------------------------------------------------- /aks/azure-nfs/infrastructure/network.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_private_dns_zone" "privatelink_file_core_windows_net" { 2 | name = "privatelink.file.core.windows.net" 3 | resource_group_name = azurerm_resource_group.this.name 4 | } 5 | 6 | resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_file_core_windows_net" { 7 | name = "${local.vnet_name}-link" 8 | private_dns_zone_name = azurerm_private_dns_zone.privatelink_file_core_windows_net.name 9 | resource_group_name = azurerm_resource_group.this.name 10 | virtual_network_id = data.azurerm_virtual_network.cluster_vnet.id 11 | } -------------------------------------------------------------------------------- /aks/azure-nfs/infrastructure/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 3" 7 | } 8 | azapi = { 9 | source = "azure/azapi" 10 | version = "~> 1" 11 | } 12 | } 13 | } 14 | 15 | provider "azurerm" { 16 | storage_use_azuread = true 17 | features { 18 | resource_group { 19 | prevent_deletion_if_contains_resources = false 20 | } 21 | } 22 | } -------------------------------------------------------------------------------- /aks/azure-nfs/infrastructure/variables.tf: 
-------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "Azure region to deploy to" 3 | default = "southcentralus" 4 | } 5 | 6 | variable "tags" { 7 | description = "The value for RG tag" 8 | } 9 | 10 | variable "namespace" { 11 | default = "default" 12 | description = "The namespace to deploy to" 13 | } -------------------------------------------------------------------------------- /aks/azureml-extension/cluster.tf: -------------------------------------------------------------------------------- 1 | module "cluster" { 2 | source = "../modules/aks.v3" 3 | region = var.region 4 | resource_name = local.resource_name 5 | public_key_openssh = tls_private_key.rsa.public_key_openssh 6 | tags = var.tags 7 | kubernetes_version = "1.32" 8 | sdlc_environment = "dev" 9 | vm_sku = var.vm_size 10 | vm_os = "Ubuntu" 11 | node_count = var.node_count 12 | enable_mesh = false 13 | } -------------------------------------------------------------------------------- /aks/azureml-extension/outputs.tf: -------------------------------------------------------------------------------- 1 | output "AKS_RESOURCE_GROUP" { 2 | value = module.cluster.AKS_RESOURCE_GROUP 3 | sensitive = false 4 | } 5 | 6 | output "AKS_CLUSTER_NAME" { 7 | value = module.cluster.AKS_CLUSTER_NAME 8 | sensitive = false 9 | } 10 | 11 | output "AKS_CLUSTER_ID" { 12 | value = module.cluster.AKS_CLUSTER_ID 13 | sensitive = false 14 | } 15 | 16 | output "ML_WORKSPACE_NAME" { 17 | value = azurerm_machine_learning_workspace.this.name 18 | sensitive = false 19 | } -------------------------------------------------------------------------------- /aks/azureml-extension/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 3" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = 
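"~> 1"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "4.0.4"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Demo convenience: destroy removes the RG even if it still contains
      # resources created outside this configuration.
      prevent_deletion_if_contains_resources = false
    }
  }
}

provider "azapi" {
}

--------------------------------------------------------------------------------
/aks/azureml-extension/roles.tf:
--------------------------------------------------------------------------------
# Gives the ML workspace's system-assigned identity full Kubernetes RBAC on the
# cluster, presumably so the workspace can use it as compute (see
# workspace-compute.tf). NOTE(review): "RBAC Cluster Admin" is the broadest
# AKS data-plane role; if the extension only manages its own namespace, a
# namespace-scoped "Azure Kubernetes Service RBAC Admin" or "RBAC Writer"
# assignment would be the least-privilege choice — confirm against the
# extension's documented requirements before narrowing.
resource "azurerm_role_assignment" "aks_cluster_access" {
  scope                = data.azurerm_kubernetes_cluster.this.id
  role_definition_name = "Azure Kubernetes Service RBAC Cluster Admin"
  principal_id         = azurerm_machine_learning_workspace.this.identity[0].principal_id
  # The principal is created in this same configuration; skip the Entra ID
  # lookup that can fail before it replicates.
  skip_service_principal_aad_check = true
}
--------------------------------------------------------------------------------
/aks/azureml-extension/variables.tf:
--------------------------------------------------------------------------------
variable "region" {
  description = "Azure region to deploy to"
  default     = "southcentralus"
}

variable "vm_size" {
  description = "The SKU for the default node pool"
  default     = "Standard_B4ms"
}

variable "node_count" {
  description = "The default number of nodes to scale the cluster to"
  default     = 1
}

variable "nodepool_name" {
  description = "The name of the node pool"
  type        = string
  default     = "system"
}

# Passed straight through to the cluster module's tags input (cluster.tf); the
# description previously duplicated nodepool_name's by mistake.
variable "tags" {
  description = "Tag value applied to the resources the cluster module creates"
  type        = string
}

--------------------------------------------------------------------------------
/aks/azureml-extension/workspace-compute.tf:
--------------------------------------------------------------------------------
# Commented out: attaches the AKS cluster to the workspace as an inference
# cluster (definition continues below).
# resource "azurerm_machine_learning_inference_cluster" "this" {
#   depends_on = [
#     azurerm_kubernetes_cluster_extension.azureml,
#     azurerm_machine_learning_workspace.this
#   ]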
6 | 7 | # name = "k8s-compute" 8 | # location = local.location 9 | # cluster_purpose = "DevTest" 10 | # kubernetes_cluster_id = data.azurerm_kubernetes_cluster.this.id 11 | # machine_learning_workspace_id = azurerm_machine_learning_workspace.this.id 12 | 13 | # identity { 14 | # type = "SystemAssigned" 15 | # } 16 | # } 17 | -------------------------------------------------------------------------------- /aks/basic/README.md: -------------------------------------------------------------------------------- 1 | # Quicksteps 2 | ## Complete Environment 3 | ```bash 4 | az login --scope https://graph.microsoft.com/.default 5 | task up 6 | ``` 7 | 8 | ## Clean up 9 | ```bash 10 | task down 11 | ``` 12 | # Validate 13 | ``` 14 | kubectl get pods -A 15 | ``` 16 | 17 | # Notes 18 | # Backlog -------------------------------------------------------------------------------- /aks/basic/main.tf: -------------------------------------------------------------------------------- 1 | resource "random_id" "this" { 2 | byte_length = 2 3 | } 4 | 5 | resource "random_pet" "this" { 6 | length = 1 7 | separator = "" 8 | } 9 | 10 | locals { 11 | location = var.region 12 | resource_name = "${random_pet.this.id}-${random_id.this.dec}" 13 | authorized_ip_ranges = ["${chomp(data.http.myip.response_body)}/32"] 14 | environment_type = "dev" 15 | k8s_version = "1.32" 16 | } 17 | -------------------------------------------------------------------------------- /aks/basic/outputs.tf: -------------------------------------------------------------------------------- 1 | output "AKS_RESOURCE_GROUP" { 2 | value = module.cluster.AKS_RESOURCE_GROUP 3 | sensitive = false 4 | } 5 | 6 | output "AKS_CLUSTER_NAME" { 7 | value = module.cluster.AKS_CLUSTER_NAME 8 | sensitive = false 9 | } 10 | 11 | output "AKS_CLUSTER_ID" { 12 | value = module.cluster.AKS_CLUSTER_ID 13 | sensitive = false 14 | } -------------------------------------------------------------------------------- /aks/basic/providers.tf: 
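--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "~> 2"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "~> 4"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Demo convenience: destroy removes the RG even if it still contains
      # resources created outside this configuration.
      prevent_deletion_if_contains_resources = false
    }
  }
}

provider "azapi" {
}

--------------------------------------------------------------------------------
/aks/basic/references.tf:
--------------------------------------------------------------------------------
# Caller's public IP; main.tf turns it into the /32 entry of the AKS API server
# authorized_ip_ranges. Fetched over TLS so an on-path party cannot substitute
# an address that then gets allow-listed (the previous http:// URL offered no
# integrity).
data "http" "myip" {
  url = "https://checkip.amazonaws.com/"
}

data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

# Node SSH key pair. The private half is stored in Terraform state, so the
# state backend must be protected accordingly.
resource "tls_private_key" "rsa" {
  algorithm = "RSA"
  rsa_bits  = 4096
}
--------------------------------------------------------------------------------
/aks/blob-fuse/chart/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: blob-fuse-workloadid
description: A Helm chart for Kubernetes
type: application
version: 0.1.0
appVersion: "1.16.0"

--------------------------------------------------------------------------------
/aks/blob-fuse/chart/templates/sa.yaml:
--------------------------------------------------------------------------------
# ServiceAccount annotated for Azure workload identity with the application's
# client id and tenant id; values are supplied at install time.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ print .Values.APP_NAME "-app-identity" }}
  namespace: {{ .Values.NAMESPACE }}
  annotations:
    azure.workload.identity/client-id: {{ .Values.ARM_WORKLOAD_APP_ID }}
    azure.workload.identity/tenant-id: {{ .Values.ARM_TENANT_ID }}
  labels:
    azure.workload.identity/use: "true"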
-------------------------------------------------------------------------------- /aks/blob-fuse/chart/values.yaml: -------------------------------------------------------------------------------- 1 | NAMESPACE: 'default' 2 | KUBE_IDENTITY_OBJECT_ID: "" 3 | RESOURCE_GROUP: "" 4 | STORAGE_ACCOUNT_NAME: "" 5 | STORAGE_CONTAINER_NAME: "" 6 | SUBSCRIPTION_ID: "" 7 | APP_NAME: "" -------------------------------------------------------------------------------- /aks/blob-fuse/infrastructure/main.tf: -------------------------------------------------------------------------------- 1 | resource "random_id" "this" { 2 | byte_length = 2 3 | } 4 | 5 | resource "random_pet" "this" { 6 | length = 1 7 | separator = "" 8 | } 9 | 10 | locals { 11 | resource_name = "${random_pet.this.id}-${random_id.this.dec}" 12 | authorized_ip_ranges = ["${chomp(data.http.myip.response_body)}/32"] 13 | workload_identity = "${local.resource_name}-app-identity" 14 | storage_name = "${replace(local.resource_name, "-", "")}sa" 15 | storage_container_name = "test" 16 | tags = "Blob Fuse with Workload Identity" 17 | k8s_version = "1.31" 18 | environment_type = "dev" 19 | } -------------------------------------------------------------------------------- /aks/blob-fuse/infrastructure/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 4" 7 | } 8 | azapi = { 9 | source = "azure/azapi" 10 | version = "~> 1" 11 | } 12 | } 13 | } 14 | 15 | provider "azurerm" { 16 | storage_use_azuread = true 17 | features { 18 | resource_group { 19 | prevent_deletion_if_contains_resources = false 20 | } 21 | } 22 | } -------------------------------------------------------------------------------- /aks/blob-fuse/infrastructure/references.tf: -------------------------------------------------------------------------------- 1 | data "http" "myip" { 2 | 
url = "http://checkip.amazonaws.com/" 3 | } 4 | 5 | data "azurerm_client_config" "current" {} 6 | data "azurerm_subscription" "current" {} 7 | 8 | resource "tls_private_key" "rsa" { 9 | algorithm = "RSA" 10 | rsa_bits = 4096 11 | } 12 | 13 | data "azurerm_kubernetes_cluster" "this" { 14 | name = module.aks_cluster.AKS_CLUSTER_NAME 15 | resource_group_name = module.aks_cluster.AKS_RESOURCE_GROUP 16 | } -------------------------------------------------------------------------------- /aks/blob-fuse/infrastructure/rg.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_resource_group" "this" { 2 | name = "${local.resource_name}_rg" 3 | location = var.region 4 | 5 | tags = { 6 | Application = local.tags 7 | Components = "AKS; Storage; Workload Identity" 8 | DeployedOn = timestamp() 9 | } 10 | } -------------------------------------------------------------------------------- /aks/blob-fuse/infrastructure/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "Azure region to deploy to" 3 | default = "southcentralus" 4 | } 5 | 6 | variable "namespace" { 7 | default = "default" 8 | description = "The namespace to deploy to" 9 | } 10 | 11 | variable "enable_managed_offerings" { 12 | description = "Deploy with Managed Prometheus and Managed Grafana" 13 | default = true 14 | } -------------------------------------------------------------------------------- /aks/chaos-studio/README.md: -------------------------------------------------------------------------------- 1 | # Quicksteps 2 | ## Complete Environment 3 | ```bash 4 | az login --scope https://graph.microsoft.com/.default 5 | task up 6 | ``` 7 | 8 | ## Clean up 9 | _TBD_ 10 | 11 | # Validate 12 | _TBD_ 13 | 14 | # Notes 15 | # Backlog -------------------------------------------------------------------------------- /aks/cni-classic/README.md: 
-------------------------------------------------------------------------------- 1 | # Quicksteps 2 | ## Complete Environment 3 | ```bash 4 | az login --scope https://graph.microsoft.com/.default 5 | task up 6 | ``` 7 | 8 | ## Clean up 9 | ```bash 10 | task down 11 | ``` 12 | 13 | # Validate 14 | ``` 15 | kubectl get pods -A 16 | ``` 17 | 18 | # Notes 19 | # Backlog -------------------------------------------------------------------------------- /aks/cni-classic/dns.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_private_dns_zone" "aks_private_zone" { 2 | name = "privatelink.${local.location}.azmk8s.io" 3 | resource_group_name = azurerm_resource_group.this.name 4 | } 5 | 6 | resource "azurerm_private_dns_zone_virtual_network_link" "aks_private_zone" { 7 | name = "${azurerm_virtual_network.this.name}-link" 8 | private_dns_zone_name = azurerm_private_dns_zone.aks_private_zone.name 9 | resource_group_name = azurerm_resource_group.this.name 10 | virtual_network_id = azurerm_virtual_network.this.id 11 | } -------------------------------------------------------------------------------- /aks/cni-classic/identities.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_user_assigned_identity" "aks_identity" { 2 | name = "${local.aks_name}-cluster-identity" 3 | resource_group_name = azurerm_resource_group.this.name 4 | location = azurerm_resource_group.this.location 5 | } 6 | 7 | resource "azurerm_user_assigned_identity" "aks_kubelet_identity" { 8 | name = "${local.aks_name}-kubelet-identity" 9 | resource_group_name = azurerm_resource_group.this.name 10 | location = azurerm_resource_group.this.location 11 | } -------------------------------------------------------------------------------- /aks/cni-classic/outputs.tf: -------------------------------------------------------------------------------- 1 | output "AKS_RESOURCE_GROUP" { 2 | value = 
azurerm_resource_group.this.name 3 | sensitive = false 4 | } 5 | 6 | output "AKS_CLUSTER_NAME" { 7 | value = local.aks_name 8 | sensitive = false 9 | } 10 | -------------------------------------------------------------------------------- /aks/cni-classic/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "3.40.0" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "1.0.0" 11 | } 12 | } 13 | } 14 | 15 | provider "azurerm" { 16 | features { 17 | resource_group { 18 | prevent_deletion_if_contains_resources = false 19 | } 20 | } 21 | } 22 | 23 | provider "azapi" { 24 | } 25 | -------------------------------------------------------------------------------- /aks/cni-classic/variables.tf: -------------------------------------------------------------------------------- 1 | variable "namespace" { 2 | description = "The namespace for the workload identity" 3 | type = string 4 | default = "default" 5 | } 6 | 7 | variable "region" { 8 | description = "Region to deploy in Azure" 9 | default = "northcentralus" 10 | } -------------------------------------------------------------------------------- /aks/cni-overlay/README.md: -------------------------------------------------------------------------------- 1 | # Quicksteps 2 | ## Complete Environment 3 | ```bash 4 | az login --scope https://graph.microsoft.com/.default 5 | task up 6 | ``` 7 | 8 | ## Clean up 9 | ```bash 10 | task down 11 | ``` 12 | 13 | # Validate 14 | ``` 15 | kubectl get pods -A 16 | ``` 17 | 18 | # Notes 19 | # Backlog -------------------------------------------------------------------------------- /aks/cni-overlay/dns.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_private_dns_zone" "aks_private_zone" { 2 | name = "privatelink.${local.location}.azmk8s.io" 3 | 
resource_group_name = azurerm_resource_group.this.name 4 | } 5 | 6 | resource "azurerm_private_dns_zone_virtual_network_link" "aks_private_zone" { 7 | name = "${azurerm_virtual_network.this.name}-link" 8 | private_dns_zone_name = azurerm_private_dns_zone.aks_private_zone.name 9 | resource_group_name = azurerm_resource_group.this.name 10 | virtual_network_id = azurerm_virtual_network.this.id 11 | } -------------------------------------------------------------------------------- /aks/cni-overlay/identities.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_user_assigned_identity" "aks_identity" { 2 | name = "${local.aks_name}-cluster-identity" 3 | resource_group_name = azurerm_resource_group.this.name 4 | location = azurerm_resource_group.this.location 5 | } 6 | 7 | resource "azurerm_user_assigned_identity" "aks_kubelet_identity" { 8 | name = "${local.aks_name}-kubelet-identity" 9 | resource_group_name = azurerm_resource_group.this.name 10 | location = azurerm_resource_group.this.location 11 | } -------------------------------------------------------------------------------- /aks/cni-overlay/outputs.tf: -------------------------------------------------------------------------------- 1 | output "AKS_RESOURCE_GROUP" { 2 | value = azurerm_resource_group.this.name 3 | sensitive = false 4 | } 5 | 6 | output "AKS_CLUSTER_NAME" { 7 | value = local.aks_name 8 | sensitive = false 9 | } 10 | -------------------------------------------------------------------------------- /aks/cni-overlay/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "3.40.0" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "1.0.0" 11 | } 12 | } 13 | } 14 | 15 | provider "azurerm" { 16 | features { 17 | resource_group { 18 | 
prevent_deletion_if_contains_resources = false 19 | } 20 | } 21 | } 22 | 23 | provider "azapi" { 24 | } 25 | -------------------------------------------------------------------------------- /aks/cni-overlay/variables.tf: -------------------------------------------------------------------------------- 1 | variable "namespace" { 2 | description = "The namespace for the workload identity" 3 | type = string 4 | default = "default" 5 | } 6 | 7 | variable "region" { 8 | description = "Region to deploy in Azure" 9 | default = "northcentralus" 10 | } -------------------------------------------------------------------------------- /aks/container-storage/azurecontainerstorage.tf: -------------------------------------------------------------------------------- 1 | data "azurerm_kubernetes_cluster" "this" { 2 | depends_on = [ 3 | module.cluster 4 | ] 5 | name = module.cluster.AKS_CLUSTER_NAME 6 | resource_group_name = module.cluster.AKS_RESOURCE_GROUP 7 | } 8 | 9 | resource "azurerm_kubernetes_cluster_extension" "storage" { 10 | depends_on = [ 11 | data.azurerm_kubernetes_cluster.this 12 | ] 13 | 14 | name = "azurecontainerstorage" 15 | cluster_id = data.azurerm_kubernetes_cluster.this.id 16 | extension_type = "microsoft.azurecontainerstorage" 17 | release_train = "stable" 18 | release_namespace = "acstor" 19 | } 20 | 21 | -------------------------------------------------------------------------------- /aks/container-storage/cluster-config/azuredisk-demo/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - storagepool.yaml 5 | - pvc.yaml 6 | - pod.yaml -------------------------------------------------------------------------------- /aks/container-storage/cluster-config/azuredisk-demo/pod.yaml: -------------------------------------------------------------------------------- 1 | kind: Pod 2 | apiVersion: v1 3 | metadata: 4 | name: fiopod 5 
| namespace: default 6 | spec: 7 | nodeSelector: 8 | acstor.azure.com/io-engine: acstor 9 | volumes: 10 | - name: azurediskpv 11 | persistentVolumeClaim: 12 | claimName: azurediskpvc 13 | containers: 14 | - name: fio 15 | image: nixery.dev/shell/fio 16 | args: 17 | - sleep 18 | - "1000000" 19 | resources: 20 | requests: 21 | cpu: "0.5" 22 | memory: ".5Gi" 23 | limits: 24 | cpu: "1" 25 | memory: "1Gi" 26 | volumeMounts: 27 | - mountPath: "/volume" 28 | name: azurediskpv -------------------------------------------------------------------------------- /aks/container-storage/cluster-config/azuredisk-demo/pvc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: azurediskpvc 5 | namespace: default 6 | spec: 7 | accessModes: 8 | - ReadWriteOnce 9 | storageClassName: acstor-azuredisk 10 | resources: 11 | requests: 12 | storage: 100Gi -------------------------------------------------------------------------------- /aks/container-storage/cluster-config/azuredisk-demo/storagepool.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: containerstorage.azure.com/v1beta1 2 | kind: StoragePool 3 | metadata: 4 | name: azuredisk 5 | namespace: acstor 6 | spec: 7 | poolType: 8 | azureDisk: 9 | skuName: Premium_LRS 10 | resources: 11 | requests: 12 | storage: 1Ti -------------------------------------------------------------------------------- /aks/container-storage/cluster-config/esan-demo/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - storagepool.yaml 5 | - pvc.yaml 6 | - pod.yaml -------------------------------------------------------------------------------- /aks/container-storage/cluster-config/esan-demo/pod.yaml: 
-------------------------------------------------------------------------------- 1 | kind: Pod 2 | apiVersion: v1 3 | metadata: 4 | name: fiopodsan 5 | namespace: default 6 | spec: 7 | nodeSelector: 8 | acstor.azure.com/io-engine: acstor 9 | volumes: 10 | - name: managedpv 11 | persistentVolumeClaim: 12 | claimName: managedpvc 13 | containers: 14 | - name: fio 15 | image: nixery.dev/shell/fio 16 | args: 17 | - sleep 18 | - "1000000" 19 | volumeMounts: 20 | - mountPath: "/volume" 21 | name: managedpv 22 | resources: 23 | requests: 24 | cpu: "0.5" 25 | memory: ".5Gi" 26 | limits: 27 | cpu: "1" 28 | memory: "1Gi" -------------------------------------------------------------------------------- /aks/container-storage/cluster-config/esan-demo/pvc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: managedpvc 5 | namespace: default 6 | spec: 7 | accessModes: 8 | - ReadWriteOnce 9 | storageClassName: acstor-esan 10 | resources: 11 | requests: 12 | storage: 100Gi -------------------------------------------------------------------------------- /aks/container-storage/cluster-config/esan-demo/storagepool.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: containerstorage.azure.com/v1alpha1 2 | kind: StoragePool 3 | metadata: 4 | name: esan 5 | namespace: acstor 6 | spec: 7 | poolType: 8 | elasticSan: {} 9 | resources: 10 | requests: {"storage": 1Ti} 11 | 12 | # This will create an Elastic SAN resource in the AKS Nodepool RG. 
13 | # Currently, it will fail on volume group creation because Storage Container require the virtual network to also be in the AKS Nodepool RG 14 | # The volume group (named: acstor) can be manually created and associated with AKS's virtual network 15 | -------------------------------------------------------------------------------- /aks/container-storage/cluster-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ./azuredisk-demo 5 | #- ./esan-demo 6 | -------------------------------------------------------------------------------- /aks/container-storage/cluster-post-config.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/briandenicola/kubernetes/58bd50cc72d8f7f5a6166c00ed29cda9076991a6/aks/container-storage/cluster-post-config.tf -------------------------------------------------------------------------------- /aks/container-storage/cluster.tf: -------------------------------------------------------------------------------- 1 | module "cluster" { 2 | source = "../modules/aks.v3" 3 | region = var.region 4 | authorized_ip_ranges = local.authorized_ip_ranges 5 | resource_name = local.resource_name 6 | public_key_openssh = tls_private_key.rsa.public_key_openssh 7 | tags = local.tags 8 | kubernetes_version = "1.31" 9 | sdlc_environment = "dev" 10 | vm_sku = var.vm_size 11 | vm_os = "Ubuntu" 12 | node_count = var.node_count 13 | node_labels = { 14 | "acstor.azure.com/io-engine" = "acstor" 15 | "acstor.azure.com/accept-ephemeral-storage" = true 16 | } 17 | } -------------------------------------------------------------------------------- /aks/container-storage/main.tf: -------------------------------------------------------------------------------- 1 | resource "random_id" "this" { 2 | byte_length = 2 3 | } 4 | 5 | resource "random_pet" "this" { 6 | 
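# (continues resource "random_pet" "this", opened on the previous line)
  length    = 1
  separator = ""
}

locals {
  location             = var.region
  resource_name        = "${random_pet.this.id}-${random_id.this.dec}"
  # The deployer's current public IP is the only range allowed to reach the AKS
  # API server; references.tf is where that IP is obtained.
  authorized_ip_ranges = ["${chomp(data.http.myip.response_body)}/32"]
  app_path             = "./aks/container-storage/cluster-config"
  flux_repository      = "https://github.com/briandenicola/kubernetes"
  tags                 = "Azure Container Storage Demo"
}

-------------------------------------------------------------------------------- /aks/container-storage/outputs.tf: --------------------------------------------------------------------------------
output "AKS_RESOURCE_GROUP" {
  value     = module.cluster.AKS_RESOURCE_GROUP
  sensitive = false
}

output "AKS_CLUSTER_NAME" {
  value     = module.cluster.AKS_CLUSTER_NAME
  sensitive = false
}

output "AKS_CLUSTER_ID" {
  value     = module.cluster.AKS_CLUSTER_ID
  sensitive = false
}
-------------------------------------------------------------------------------- /aks/container-storage/providers.tf: --------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3"
    }
    azapi = {
      source  = "azure/azapi"
      version = "~> 1"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Lab convenience so `terraform destroy` can remove resource groups that
      # still hold resources; keep the provider default for anything not disposable.
      prevent_deletion_if_contains_resources = false
    }
  }
}

provider "azapi" {
}
-------------------------------------------------------------------------------- /aks/container-storage/references.tf: --------------------------------------------------------------------------------
# Public IP of the machine running Terraform; main.tf turns it into the API
# server allow-list. Fetched over TLS so the value that ends up in
# authorized_ip_ranges cannot be altered in transit.
data "http" "myip" {
  url = "https://checkip.amazonaws.com/"
}

data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

# SSH key pair for the AKS nodes; cluster.tf passes the public half to the module.
# The tls provider keeps the private key in Terraform state, so protect the state backend.
resource "tls_private_key" "rsa" {
  algorithm = "RSA"
  rsa_bits  = 4096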
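}
-------------------------------------------------------------------------------- /aks/container-storage/roles.tf: --------------------------------------------------------------------------------
# The node resource group is created by AKS itself, so it can only be looked up
# once module.cluster has finished.
data "azurerm_resource_group" "aks_nodepool_rg" {
  depends_on = [
    module.cluster
  ]
  name = module.cluster.AKS_NODE_RG_NAME
}

# Grants the kubelet identity Contributor, scoped to the node resource group only
# (presumably because Azure Container Storage manages its disks there — confirm
# against the ACStor prerequisites). Keep the scope at the node RG; do not widen
# it to the subscription. data.azurerm_kubernetes_cluster.this is not declared in
# the files shown on this page (cluster-post-config.tf is the likely place) —
# verify before reusing this file elsewhere.
resource "azurerm_role_assignment" "container_storage_role" {
  depends_on = [
    data.azurerm_resource_group.aks_nodepool_rg
  ]
  scope                = data.azurerm_resource_group.aks_nodepool_rg.id
  role_definition_name = "Contributor"
  principal_id         = data.azurerm_kubernetes_cluster.this.kubelet_identity[0].object_id
  # A freshly created kubelet identity may not have replicated in Entra ID yet;
  # skipping the directory check avoids a spurious failure on the first apply.
  skip_service_principal_aad_check = true
}
-------------------------------------------------------------------------------- /aks/container-storage/variables.tf: --------------------------------------------------------------------------------
variable "nodepool_name" {
  description = "The name of the node pool"
  type        = string
  default     = "system"
}

variable "region" {
  description = "Azure region to deploy to"
  type        = string
  default     = "southcentralus"
}

# No default: must be supplied (tfvars or -var), as in the existing file.
variable "vm_size" {
  description = "The value for the VM SKU"
  type        = string
}

# No default: must be supplied (tfvars or -var), as in the existing file.
variable "node_count" {
  description = "The node count for the default node pool"
  type        = number
}
-------------------------------------------------------------------------------- /aks/dapr/cluster-config/kustomization.yaml: --------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./kured.yaml
-------------------------------------------------------------------------------- /aks/dapr/cluster.tf: --------------------------------------------------------------------------------
module "cluster" {
  source               = "../modules/aks.v3"
  region               = var.region
  # Only the deployer's current public IP (see main.tf) may reach the API server.
  authorized_ip_ranges = local.authorized_ip_ranges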
resource_name = local.resource_name 6 | public_key_openssh = tls_private_key.rsa.public_key_openssh 7 | tags = var.tags 8 | kubernetes_version = "1.32" 9 | sdlc_environment = "dev" 10 | vm_sku = var.vm_size 11 | vm_os = "Ubuntu" 12 | node_count = var.node_count 13 | enable_mesh = true 14 | } -------------------------------------------------------------------------------- /aks/dapr/dapr.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_kubernetes_cluster_extension" "dapr" { 2 | depends_on = [ 3 | azurerm_kubernetes_cluster_extension.flux, 4 | ] 5 | name = "dapr" 6 | cluster_id = module.cluster.AKS_CLUSTER_ID 7 | extension_type = "microsoft.dapr" 8 | release_namespace = "dapr-system" 9 | } 10 | -------------------------------------------------------------------------------- /aks/dapr/main.tf: -------------------------------------------------------------------------------- 1 | resource "random_id" "this" { 2 | byte_length = 2 3 | } 4 | 5 | resource "random_pet" "this" { 6 | length = 1 7 | separator = "" 8 | } 9 | 10 | locals { 11 | location = var.region 12 | resource_name = "${random_pet.this.id}-${random_id.this.dec}" 13 | authorized_ip_ranges = [ "${chomp(data.http.myip.response_body)}/32" ] 14 | app_path = "./aks/dapr/cluster-config" 15 | flux_repository = "https://github.com/briandenicola/kubernetes" 16 | } 17 | -------------------------------------------------------------------------------- /aks/dapr/outputs.tf: -------------------------------------------------------------------------------- 1 | output "AKS_RESOURCE_GROUP" { 2 | value = module.cluster.AKS_RESOURCE_GROUP 3 | sensitive = false 4 | } 5 | 6 | output "AKS_CLUSTER_NAME" { 7 | value = module.cluster.AKS_CLUSTER_NAME 8 | sensitive = false 9 | } 10 | 11 | output "AKS_CLUSTER_ID" { 12 | value = module.cluster.AKS_CLUSTER_ID 13 | sensitive = false 14 | } -------------------------------------------------------------------------------- 
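/aks/dapr/providers.tf: --------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "~> 1"
    }
    tls = {
      source  = "hashicorp/tls"
      # Exact pin, unlike the "~> 4" used by the sibling deployments on this page.
      version = "4.0.4"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Lab convenience so `terraform destroy` can remove resource groups that
      # still hold resources; keep the provider default for anything not disposable.
      prevent_deletion_if_contains_resources = false
    }
  }
}

provider "azapi" {
}
-------------------------------------------------------------------------------- /aks/dapr/references.tf: --------------------------------------------------------------------------------
# Public IP of the machine running Terraform; main.tf turns it into the AKS API
# server allow-list. Fetched over TLS so the value cannot be altered in transit.
data "http" "myip" {
  url = "https://checkip.amazonaws.com/"
}

data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

# SSH key pair for the AKS nodes; cluster.tf passes the public half to the module.
# The tls provider keeps the private key in Terraform state, so protect the state backend.
resource "tls_private_key" "rsa" {
  algorithm = "RSA"
  rsa_bits  = 4096
}
-------------------------------------------------------------------------------- /aks/dapr/variables.tf: --------------------------------------------------------------------------------
variable "region" {
  description = "Azure region to deploy to"
  type        = string
  default     = "southcentralus"
}

variable "vm_size" {
  description = "The SKU for the default node pool"
  type        = string
  default     = "Standard_B4ms"
}

variable "node_count" {
  description = "The default number of nodes to scale the cluster to"
  type        = number
  default     = 1
}

variable "nodepool_name" {
  description = "The name of the node pool"
  type        = string
  default     = "system"
}

# Passed straight through to module.cluster as its `tags` input (see cluster.tf).
# The description previously read "The name of the node pool" (copy-paste error).
variable "tags" {
  description = "Tags to apply for this resource"
  type        = string
  default     = "Basic AKS Cluster"
}
-------------------------------------------------------------------------------- /aks/disk-encryption-set/identities.tf: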
-------------------------------------------------------------------------------- 1 | resource "azurerm_user_assigned_identity" "aks_identity" { 2 | name = "${local.aks_name}-cluster-identity" 3 | resource_group_name = azurerm_resource_group.this["aks"].name 4 | location = azurerm_resource_group.this["aks"].location 5 | } 6 | 7 | resource "azurerm_user_assigned_identity" "aks_kubelet_identity" { 8 | name = "${local.aks_name}-kubelet-identity" 9 | resource_group_name = azurerm_resource_group.this["aks"].name 10 | location = azurerm_resource_group.this["aks"].location 11 | } 12 | -------------------------------------------------------------------------------- /aks/disk-encryption-set/observability.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_log_analytics_workspace" "this" { 2 | name = local.log_analytics_workspace_name 3 | location = azurerm_resource_group.this["monitor"].location 4 | resource_group_name = azurerm_resource_group.this["monitor"].name 5 | sku = "PerGB2018" 6 | daily_quota_gb = 5 7 | } 8 | 9 | resource "azurerm_application_insights" "this" { 10 | name = local.app_insights_name 11 | location = azurerm_resource_group.this["monitor"].location 12 | resource_group_name = azurerm_resource_group.this["monitor"].name 13 | workspace_id = azurerm_log_analytics_workspace.this.id 14 | application_type = "web" 15 | } -------------------------------------------------------------------------------- /aks/disk-encryption-set/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 3" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 1" 11 | } 12 | tls = { 13 | source = "hashicorp/tls" 14 | version = "~> 4" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | 
prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } 29 | -------------------------------------------------------------------------------- /aks/disk-encryption-set/random.tf: -------------------------------------------------------------------------------- 1 | resource "random_id" "this" { 2 | byte_length = 2 3 | } 4 | 5 | resource "random_pet" "this" { 6 | length = 1 7 | separator = "" 8 | } 9 | 10 | resource "random_integer" "vnet_cidr" { 11 | min = 10 12 | max = 250 13 | } 14 | 15 | resource "random_integer" "services_cidr" { 16 | min = 64 17 | max = 99 18 | } 19 | 20 | resource "random_integer" "pod_cidr" { 21 | min = 100 22 | max = 127 23 | } 24 | 25 | resource "random_integer" "zone" { 26 | min = 1 27 | max = 3 28 | } -------------------------------------------------------------------------------- /aks/disk-encryption-set/references.tf: -------------------------------------------------------------------------------- 1 | data "azurerm_client_config" "current" {} 2 | data "azurerm_subscription" "current" {} 3 | 4 | data "http" "myip" { 5 | url = "http://checkip.amazonaws.com/" 6 | } 7 | 8 | data "azurerm_kubernetes_service_versions" "current" { 9 | location = local.location 10 | } 11 | 12 | resource "tls_private_key" "rsa" { 13 | algorithm = "RSA" 14 | rsa_bits = 4096 15 | } -------------------------------------------------------------------------------- /aks/disk-encryption-set/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "Azure region to deploy to" 3 | default = "southcentralus" 4 | } 5 | 6 | variable "vm_size" { 7 | description = "The value for the VM SKU" 8 | default = "Standard_D4ads_v5" 9 | } 10 | 11 | variable "vm_os" { 12 | description = "The value for the VM OS" 13 | default = "AzureLinux" 14 | } 15 | 16 | variable "tags" { 17 | description = "Tags to apply for this resource" 18 | } 19 | 20 | variable 
"node_count" { 21 | description = "The node count for the default node pool" 22 | default = 1 23 | } -------------------------------------------------------------------------------- /aks/isolated/aks/flux.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_kubernetes_cluster_extension" "flux" { 2 | depends_on = [ 3 | azapi_resource.aks 4 | ] 5 | 6 | count = var.aks_cluster.flux.enabled ? 1 : 0 7 | name = "flux" 8 | cluster_id = azapi_resource.aks.id 9 | extension_type = "microsoft.flux" 10 | } -------------------------------------------------------------------------------- /aks/isolated/aks/identities.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_user_assigned_identity" "aks_identity" { 2 | name = "${local.aks_name}-cluster-identity" 3 | resource_group_name = var.aks_cluster.resource_group.name 4 | location = var.aks_cluster.location 5 | } 6 | 7 | resource "azurerm_user_assigned_identity" "aks_kubelet_identity" { 8 | name = "${local.aks_name}-kubelet-identity" 9 | resource_group_name = var.aks_cluster.resource_group.name 10 | location = var.aks_cluster.location 11 | 12 | } -------------------------------------------------------------------------------- /aks/isolated/aks/main.tf: -------------------------------------------------------------------------------- 1 | resource "random_integer" "pod_cidr" { 2 | min = 100 3 | max = 127 4 | } 5 | 6 | resource "random_integer" "services_cidr" { 7 | min = 64 8 | max = 99 9 | } 10 | 11 | locals { 12 | aks_name = var.aks_cluster.name 13 | non_az_regions = ["northcentralus", "canadaeast", "westcentralus", "westus"] 14 | aks_node_rg_name = "${local.aks_name}_nodes_rg" 15 | location = var.aks_cluster.location 16 | istio_version = [var.aks_cluster.istio.version] 17 | kubernetes_version = var.aks_cluster.version 18 | aks_zones = ["3"] #contains(local.non_az_regions, local.location) ? 
null : var.zones 19 | } 20 | -------------------------------------------------------------------------------- /aks/isolated/aks/network.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_private_dns_zone" "aks_private_zone" { 2 | name = "privatelink.${local.location}.azmk8s.io" 3 | resource_group_name = var.aks_cluster.resource_group.name 4 | } 5 | 6 | resource "azurerm_private_dns_zone_virtual_network_link" "aks_private_zone" { 7 | name = "${var.aks_cluster.name}-link" 8 | private_dns_zone_name = azurerm_private_dns_zone.aks_private_zone.name 9 | resource_group_name = var.aks_cluster.resource_group.name 10 | virtual_network_id = var.aks_cluster.vnet.id #aks_vnet_id 11 | } 12 | -------------------------------------------------------------------------------- /aks/isolated/aks/outputs.tf: -------------------------------------------------------------------------------- 1 | output "AKS_RESOURCE_GROUP" { 2 | value = var.aks_cluster.resource_group.name 3 | sensitive = false 4 | } 5 | 6 | output "AKS_CLUSTER_NAME" { 7 | value = local.aks_name 8 | sensitive = false 9 | } 10 | 11 | output "AKS_NODE_RESOURCE_GROUP" { 12 | value = local.aks_node_rg_name 13 | sensitive = false 14 | } -------------------------------------------------------------------------------- /aks/isolated/aks/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | azapi = { 4 | source = "Azure/azapi" 5 | version = "~> 1" 6 | } 7 | tls = { 8 | source = "hashicorp/tls" 9 | version = "4.0.4" 10 | } 11 | } 12 | } -------------------------------------------------------------------------------- /aks/isolated/aks/references.tf: -------------------------------------------------------------------------------- 1 | data "azurerm_client_config" "current" {} 2 | data "azurerm_subscription" "current" {} 3 | 4 | resource "tls_private_key" "rsa" { 5 | algorithm = "RSA" 6 | rsa_bits = 
4096 7 | } -------------------------------------------------------------------------------- /aks/isolated/azure.tfvars: -------------------------------------------------------------------------------- 1 | deploy_jumpbox = true 2 | deploy_flux_extension = false 3 | node_count = 3 4 | node_sku = "Standard_D4s_v5" 5 | -------------------------------------------------------------------------------- /aks/isolated/bastion/main.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_bastion_host" "this" { 2 | name = var.bastion_host.name 3 | location = var.bastion_host.location 4 | resource_group_name = var.bastion_host.resource_group_name 5 | sku = "Developer" 6 | virtual_network_id = var.bastion_host.vnet.id 7 | } 8 | -------------------------------------------------------------------------------- /aks/isolated/bastion/outputs.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/briandenicola/kubernetes/58bd50cc72d8f7f5a6166c00ed29cda9076991a6/aks/isolated/bastion/outputs.tf -------------------------------------------------------------------------------- /aks/isolated/bastion/references.tf: -------------------------------------------------------------------------------- 1 | data "azurerm_client_config" "current" {} 2 | data "azurerm_subscription" "current" {} -------------------------------------------------------------------------------- /aks/isolated/bastion/variables.tf: -------------------------------------------------------------------------------- 1 | variable "bastion_host" { 2 | type = object({ 3 | name = string 4 | location = string 5 | resource_group_name = string 6 | vnet = object({ 7 | id = string 8 | }) 9 | }) 10 | } -------------------------------------------------------------------------------- /aks/isolated/dns.tf: -------------------------------------------------------------------------------- 1 | 2 | resource "azurerm_private_dns_zone" 
"privatelink_azurecr_io" { 3 | name = "privatelink.azurecr.io" 4 | resource_group_name = azurerm_resource_group.this["network"].name 5 | } 6 | 7 | resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_azurecr_io" { 8 | name = "${azurerm_virtual_network.this.name}-acr-link" 9 | private_dns_zone_name = azurerm_private_dns_zone.privatelink_azurecr_io.name 10 | resource_group_name = azurerm_resource_group.this["network"].name 11 | virtual_network_id = azurerm_virtual_network.this.id 12 | } 13 | -------------------------------------------------------------------------------- /aks/isolated/jumpbox/output.tf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/briandenicola/kubernetes/58bd50cc72d8f7f5a6166c00ed29cda9076991a6/aks/isolated/jumpbox/output.tf -------------------------------------------------------------------------------- /aks/isolated/jumpbox/references.tf: -------------------------------------------------------------------------------- 1 | data "azurerm_client_config" "current" {} 2 | data "azurerm_subscription" "current" {} 3 | -------------------------------------------------------------------------------- /aks/isolated/jumpbox/variables.tf: -------------------------------------------------------------------------------- 1 | variable "vm" { 2 | type = object({ 3 | name = string 4 | location = string 5 | zone = number 6 | resource_group_name = string 7 | sku = string 8 | admin = object({ 9 | username = string 10 | ssh_key_path = string 11 | }) 12 | vnet = object({ 13 | subnet_id = string 14 | }) 15 | }) 16 | } 17 | -------------------------------------------------------------------------------- /aks/isolated/logging.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_log_analytics_workspace" "this" { 2 | name = "${local.resource_name}-logs" 3 | location = azurerm_resource_group.this["monitor"].location 4 | 
resource_group_name = azurerm_resource_group.this["monitor"].name 5 | sku = "PerGB2018" 6 | daily_quota_gb = 5 7 | } 8 | 9 | resource "azurerm_application_insights" "this" { 10 | name = "${local.resource_name}-appinsights" 11 | location = azurerm_resource_group.this["monitor"].location 12 | resource_group_name = azurerm_resource_group.this["monitor"].name 13 | workspace_id = azurerm_log_analytics_workspace.this.id 14 | application_type = "web" 15 | } 16 | -------------------------------------------------------------------------------- /aks/isolated/outputs.tf: -------------------------------------------------------------------------------- 1 | output "AKS_RESOURCE_GROUP" { 2 | value = azurerm_resource_group.this["aks"].name 3 | sensitive = false 4 | } 5 | 6 | output "AKS_CLUSTER_NAME" { 7 | value = local.aks_name 8 | sensitive = false 9 | } 10 | 11 | output "ACR_ID" { 12 | value = azurerm_container_registry.this.id 13 | sensitive = false 14 | } 15 | 16 | output "ACR_NAME" { 17 | value = azurerm_container_registry.this.name 18 | sensitive = false 19 | } 20 | -------------------------------------------------------------------------------- /aks/isolated/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 4" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 1" 11 | } 12 | tls = { 13 | source = "hashicorp/tls" 14 | version = "~> 4" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } -------------------------------------------------------------------------------- /aks/isolated/random.tf: -------------------------------------------------------------------------------- 1 | resource "random_id" "this" { 2 | byte_length = 2 3 | } 4 | 5 
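resource "random_pet" "this" {
  length    = 1
  separator = ""
}

# Presumably feeds the VNet address space; the isolated network file is not
# shown on this page, so confirm where this value is consumed.
resource "random_integer" "vnet_cidr" {
  min = 10
  max = 250
}

# Presumably the availability zone handed to the jumpbox module (its `vm`
# variable takes a numeric `zone`); confirm against the caller.
resource "random_integer" "vm_zone" {
  min = 1
  max = 3
}
-------------------------------------------------------------------------------- /aks/isolated/references.tf: --------------------------------------------------------------------------------
# Public IP of the machine running Terraform, presumably used for the AKS API
# server allow-list as in the sibling deployments. Fetched over TLS so the value
# cannot be altered in transit.
data "http" "myip" {
  url = "https://checkip.amazonaws.com/"
}

data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

data "azurerm_kubernetes_service_versions" "current" {
  location = local.location
}
-------------------------------------------------------------------------------- /aks/istio-san-certs/main.tf: --------------------------------------------------------------------------------
resource "random_id" "this" {
  byte_length = 2
}

resource "random_pet" "this" {
  length    = 1
  separator = ""
}

locals {
  location                  = var.region
  resource_name             = "${random_pet.this.id}-${random_id.this.dec}"
  aks_name                  = module.cluster.AKS_CLUSTER_NAME
  keyvault_name             = "${local.resource_name}-vault"
  # Only the deployer's current public IP may reach the AKS API server.
  authorized_ip_ranges      = ["${chomp(data.http.myip.response_body)}/32"]
  # Name of the user-assigned identity the istio ingress gateway uses to read the
  # SAN certificate from Key Vault (granted "Key Vault Secrets User" in roles.tf;
  # its client id is exported as INGRESS_CLIENT_ID in outputs.tf).
  aks_service_mesh_identity = "${local.aks_name}-${var.service_mesh_type}-pod-identity"
}
-------------------------------------------------------------------------------- /aks/istio-san-certs/manifests/gateway/kustomization.yaml: --------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - base.yaml
  - secretsprovider.yaml
  - serviceaccount.yaml
  - istio-ingress-gateway.yaml
patches:
  - path: volumeMount-ingress-gw-customization.yaml
--------------------------------------------------------------------------------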
/aks/istio-san-certs/manifests/gateway/kustomize.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | cat > base.yaml -------------------------------------------------------------------------------- /aks/istio-san-certs/manifests/gateway/secretsprovider.tmpl: -------------------------------------------------------------------------------- 1 | apiVersion: secrets-store.csi.x-k8s.io/v1 2 | kind: SecretProviderClass 3 | metadata: 4 | name: istio-tls 5 | namespace: istio-ingress 6 | spec: 7 | provider: azure 8 | parameters: 9 | usePodIdentity: "false" 10 | useVMManagedIdentity: "false" 11 | keyvaultName: ${KEYVAULT_NAME} 12 | clientID: ${INGRESS_CLIENT_ID} 13 | cloudName: "" 14 | objects: | 15 | array: 16 | - | 17 | objectName: san-certificate 18 | objectType: secret 19 | objectVersion: "" # [OPTIONAL] object versions, default to latest if empty 20 | tenantId: 16b3c013-d300-468d-ac64-7eda0820b6d3 -------------------------------------------------------------------------------- /aks/istio-san-certs/manifests/gateway/serviceaccount.tmpl: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: istio-ingress-sa-identity 5 | namespace: istio-ingress 6 | annotations: 7 | azure.workload.identity/client-id: ${INGRESS_CLIENT_ID} 8 | azure.workload.identity/tenant-id: 16b3c013-d300-468d-ac64-7eda0820b6d3 9 | labels: 10 | azure.workload.identity/use: "true" -------------------------------------------------------------------------------- /aks/istio-san-certs/manifests/gateway/volumeMount-ingress-gw-customization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: istio-ingress 5 | namespace: istio-ingress 6 | spec: 7 | template: 8 | spec: 9 | serviceAccountName: istio-ingress-sa-identity 10 | volumes: 11 | - name: tls-mount 12 | csi: 13 | 
driver: secrets-store.csi.k8s.io 14 | readOnly: true 15 | volumeAttributes: 16 | secretProviderClass: "istio-tls" 17 | containers: 18 | - name: istio-proxy 19 | volumeMounts: 20 | - name: tls-mount 21 | mountPath: "/mnt/secrets-store" 22 | readOnly: true 23 | -------------------------------------------------------------------------------- /aks/istio-san-certs/outputs.tf: -------------------------------------------------------------------------------- 1 | output "AKS_RESOURCE_GROUP" { 2 | value = module.cluster.AKS_RESOURCE_GROUP 3 | sensitive = false 4 | } 5 | 6 | output "AKS_CLUSTER_NAME" { 7 | value = module.cluster.AKS_CLUSTER_NAME 8 | sensitive = false 9 | } 10 | 11 | output "AKS_CLUSTER_ID" { 12 | value = module.cluster.AKS_CLUSTER_ID 13 | sensitive = false 14 | } 15 | 16 | output KEYVAULT_NAME { 17 | value = azurerm_key_vault.this.name 18 | sensitive = false 19 | } 20 | 21 | output INGRESS_CLIENT_ID { 22 | value = azurerm_user_assigned_identity.aks_service_mesh_identity.client_id 23 | sensitive = false 24 | } -------------------------------------------------------------------------------- /aks/istio-san-certs/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 3" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 1" 11 | } 12 | tls = { 13 | source = "hashicorp/tls" 14 | version = "~> 4" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } 29 | -------------------------------------------------------------------------------- /aks/istio-san-certs/references.tf: -------------------------------------------------------------------------------- 1 | data "http" "myip" { 2 | url = "http://checkip.amazonaws.com/" 3 | } 4 | 5 | data 
"azurerm_client_config" "current" {} 6 | data "azurerm_subscription" "current" {} 7 | 8 | resource "tls_private_key" "rsa" { 9 | algorithm = "RSA" 10 | rsa_bits = 4096 11 | } 12 | 13 | data "azurerm_resource_group" "this" { 14 | depends_on = [module.cluster] 15 | name = module.cluster.AKS_RESOURCE_GROUP 16 | } 17 | 18 | data "azurerm_kubernetes_cluster" "this" { 19 | depends_on = [module.cluster] 20 | name = module.cluster.AKS_CLUSTER_NAME 21 | resource_group_name = module.cluster.AKS_RESOURCE_GROUP 22 | } 23 | -------------------------------------------------------------------------------- /aks/istio-san-certs/roles.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_role_assignment" "deployer_kv_access" { 2 | scope = azurerm_key_vault.this.id 3 | role_definition_name = "Key Vault Administrator" 4 | principal_id = data.azurerm_client_config.current.object_id 5 | } 6 | 7 | resource "azurerm_role_assignment" "istio_ingress_secret_access" { 8 | scope = azurerm_key_vault.this.id 9 | role_definition_name = "Key Vault Secrets User" 10 | principal_id = azurerm_user_assigned_identity.aks_service_mesh_identity.principal_id 11 | skip_service_principal_aad_check = true 12 | } -------------------------------------------------------------------------------- /aks/istio/cluster-config/bookstore/bookinfo-gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: VirtualService 3 | metadata: 4 | name: bookinfo 5 | namespace: bookstore 6 | spec: 7 | hosts: 8 | - bookstore.bjdazure.tech 9 | gateways: 10 | - aks-istio-ingress/default-bjdazure-tech-gw 11 | http: 12 | - match: 13 | - uri: 14 | exact: /productpage 15 | - uri: 16 | prefix: /static 17 | - uri: 18 | exact: /login 19 | - uri: 20 | exact: /logout 21 | - uri: 22 | prefix: /api/v1/products 23 | route: 24 | - destination: 25 | host: productpage.bookstore.svc.cluster.local 26 | port: 27 
| number: 9080 -------------------------------------------------------------------------------- /aks/istio/cluster-config/bookstore/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - namespace.yaml 5 | - bookinfo.yaml 6 | - bookinfo-gateway.yaml -------------------------------------------------------------------------------- /aks/istio/cluster-config/bookstore/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: bookstore 6 | labels: 7 | istio.io/rev: asm-1-24 8 | -------------------------------------------------------------------------------- /aks/istio/cluster-config/gateways/istio-ingress-gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Gateway 3 | metadata: 4 | name: default-bjdazure-tech-gw 5 | namespace: aks-istio-ingress 6 | spec: 7 | selector: 8 | istio: aks-istio-ingressgateway-internal 9 | servers: 10 | - port: 11 | number: 80 12 | name: http 13 | protocol: HTTP 14 | hosts: 15 | - "*.bjdazure.tech" 16 | - port: 17 | number: 443 18 | name: https 19 | protocol: HTTPS 20 | tls: 21 | mode: SIMPLE 22 | credentialName: istio-ingress-tls 23 | hosts: 24 | - "*.bjdazure.tech" 25 | 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /aks/istio/cluster-config/gateways/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - default-ingress.yaml 5 | - istio-ingress-gateway.yaml -------------------------------------------------------------------------------- /aks/istio/cluster-config/kustomization.yaml: 
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./gateways
- ./bookstore
--------------------------------------------------------------------------------
/aks/istio/main.tf:
--------------------------------------------------------------------------------
# Short random suffixes so resource names are unique per deployment.
resource "random_id" "this" {
  byte_length = 2
}

resource "random_pet" "this" {
  length    = 1
  separator = ""
}

locals {
  location      = var.region
  resource_name = "${random_pet.this.id}-${random_id.this.dec}"
  # Public egress IP of the machine running `terraform apply` (data.http.myip
  # in references.tf), as a /32 -- presumably the API-server allowlist handed to
  # the cluster module. Re-apply if that address changes.
  authorized_ip_ranges = ["${chomp(data.http.myip.response_body)}/32"]
  grafana_name         = "${local.resource_name}-grafana"
  prometheus_name      = "${local.resource_name}-prometheus"
  # Path inside flux_repository holding the Kustomizations above.
  app_path             = "./aks/istio/cluster-config"
  flux_repository      = "https://github.com/briandenicola/kubernetes"
  os_sku               = "AzureLinux"
  environment_type     = "dev"
  k8s_version          = "1.31"
  # Must match the istio.io/rev label in cluster-config/bookstore/namespace.yaml.
  istio_version        = "asm-1-24"
}
--------------------------------------------------------------------------------
/aks/istio/outputs.tf:
--------------------------------------------------------------------------------
output "AKS_RESOURCE_GROUP" {
  value     = module.cluster.AKS_RESOURCE_GROUP
  sensitive = false
}

output "AKS_CLUSTER_NAME" {
  value     = module.cluster.AKS_CLUSTER_NAME
  sensitive = false
}

output "AKS_CLUSTER_ID" {
  value     = module.cluster.AKS_CLUSTER_ID
  sensitive = false
}
--------------------------------------------------------------------------------
/aks/istio/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "~> 1"
    }
    tls = {
| source = "hashicorp/tls" 14 | version = "~> 4" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } 29 | -------------------------------------------------------------------------------- /aks/istio/references.tf: -------------------------------------------------------------------------------- 1 | data "http" "myip" { 2 | url = "http://checkip.amazonaws.com/" 3 | } 4 | 5 | data "azurerm_client_config" "current" {} 6 | data "azurerm_subscription" "current" {} 7 | 8 | resource "tls_private_key" "rsa" { 9 | algorithm = "RSA" 10 | rsa_bits = 4096 11 | } 12 | 13 | data "azurerm_resource_group" "this" { 14 | depends_on = [module.cluster] 15 | name = module.cluster.AKS_RESOURCE_GROUP 16 | } 17 | 18 | data "azurerm_kubernetes_cluster" "this" { 19 | depends_on = [module.cluster] 20 | name = module.cluster.AKS_CLUSTER_NAME 21 | resource_group_name = module.cluster.AKS_RESOURCE_GROUP 22 | } 23 | -------------------------------------------------------------------------------- /aks/istio/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "Azure region to deploy to" 3 | default = "southcentralus" 4 | } 5 | 6 | variable "vm_size" { 7 | description = "The SKU for the default node pool" 8 | default = "Standard_B4ms" 9 | } 10 | 11 | variable "node_count" { 12 | description = "The default number of nodes to scale the cluster to" 13 | default = 2 14 | } 15 | 16 | variable "nodepool_name" { 17 | description = "The name of the node pool" 18 | type = string 19 | default = "system" 20 | } 21 | 22 | variable "tags" { 23 | description = "The name of the node pool" 24 | type = string 25 | default = "Basic AKS Cluster" 26 | } 27 | -------------------------------------------------------------------------------- /aks/kata/README.md: 
--------------------------------------------------------------------------------
# Quicksteps
## Complete Environment
```bash
az login --scope https://graph.microsoft.com/.default
task up
```

## Clean up
```bash
task down
```

# Validate
```
kubectl get pods -A
```

# Notes
# Backlog
--------------------------------------------------------------------------------
/aks/kata/main.tf:
--------------------------------------------------------------------------------
# Short random suffixes so resource names are unique per deployment.
resource "random_id" "this" {
  byte_length = 2
}

resource "random_pet" "this" {
  length    = 1
  separator = ""
}

locals {
  location      = var.region
  resource_name = "${random_pet.this.id}-${random_id.this.dec}"
  # Public egress IP of the deployer (data.http.myip in references.tf) as a
  # /32 -- presumably the API-server allowlist passed to the cluster module.
  authorized_ip_ranges = [ "${chomp(data.http.myip.response_body)}/32" ]
}
--------------------------------------------------------------------------------
/aks/kata/manifests/pods.yaml:
--------------------------------------------------------------------------------
# Two otherwise identical pods: the first runs under the Kata VM-isolated
# RuntimeClass, the second under the node's default runtime, so the isolation
# boundary can be compared side by side.
kind: Pod
apiVersion: v1
metadata:
  name: kata-isolation
  labels:
    app: kata-demo
spec:
  # AKS Pod Sandboxing: the container runs inside a lightweight VM instead of
  # sharing the node kernel.
  runtimeClassName: kata-mshv-vm-isolation
  containers:
  - name: untrusted
    image: mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11
    # Keep-alive loop so the pod stays Running for inspection.
    command: ["/bin/sh", "-ec", "while :; do echo '.'; sleep 5 ; done"]
---
kind: Pod
apiVersion: v1
metadata:
  name: default-isolation
  labels:
    app: kata-demo
spec:
  # No runtimeClassName: default container runtime, shared node kernel.
  containers:
  - name: regular
    image: mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11
    command: ["/bin/sh", "-ec", "while :; do echo '.'; sleep 5 ; done"]
--------------------------------------------------------------------------------
/aks/kata/outputs.tf:
--------------------------------------------------------------------------------
output "AKS_RESOURCE_GROUP" {
  value     = module.cluster.AKS_RESOURCE_GROUP
sensitive = false 4 | } 5 | 6 | output "AKS_CLUSTER_NAME" { 7 | value = module.cluster.AKS_CLUSTER_NAME 8 | sensitive = false 9 | } 10 | 11 | output "AKS_CLUSTER_ID" { 12 | value = module.cluster.AKS_CLUSTER_ID 13 | sensitive = false 14 | } -------------------------------------------------------------------------------- /aks/kata/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 3" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 1" 11 | } 12 | tls = { 13 | source = "hashicorp/tls" 14 | version = "4.0.4" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } 29 | -------------------------------------------------------------------------------- /aks/kata/references.tf: -------------------------------------------------------------------------------- 1 | data "http" "myip" { 2 | url = "http://checkip.amazonaws.com/" 3 | } 4 | 5 | data "azurerm_client_config" "current" {} 6 | data "azurerm_subscription" "current" {} 7 | 8 | resource "tls_private_key" "rsa" { 9 | algorithm = "RSA" 10 | rsa_bits = 4096 11 | } 12 | 13 | data "azurerm_kubernetes_cluster" "this" { 14 | depends_on = [ 15 | module.cluster 16 | ] 17 | name = module.cluster.AKS_CLUSTER_NAME 18 | resource_group_name = module.cluster.AKS_RESOURCE_GROUP 19 | } -------------------------------------------------------------------------------- /aks/kata/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "Azure region to deploy to" 3 | default = "southcentralus" 4 | } 5 | 6 | variable "vm_size" { 7 | description = "The SKU for the default node pool" 8 | default = "Standard_B4ms" 9 | } 10 | 11 | 
variable "node_count" { 12 | description = "The default number of nodes to scale the cluster to" 13 | default = 1 14 | } 15 | 16 | variable "nodepool_name" { 17 | description = "The name of the node pool" 18 | type = string 19 | default = "system" 20 | } 21 | 22 | variable "tags" { 23 | description = "The name of the node pool" 24 | type = string 25 | } 26 | -------------------------------------------------------------------------------- /aks/keyvault-csi-example/README.md: -------------------------------------------------------------------------------- 1 | # Quicksteps 2 | ## Complete Environment 3 | ```bash 4 | az login --scope https://graph.microsoft.com/.default 5 | echo update ENV section of Taskfile.yaml with proper files 6 | task up 7 | ``` 8 | 9 | ## Clean up 10 | ```bash 11 | task down 12 | ``` 13 | 14 | # Validate 15 | ``` 16 | kubectl get pods -A 17 | ``` 18 | 19 | # Notes 20 | # Backlog -------------------------------------------------------------------------------- /aks/keyvault-csi-example/chart/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
--------------------------------------------------------------------------------
/aks/keyvault-csi-example/chart/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: KeyVaultCSI-with-Workload-Identities
# typo in description: "utlizies" -> "utilizes"
description: A demo application that utlizies Azure Workload Identities for KeyVault CSI Driver
type: application
version: 0.0.1
appVersion: "1.0.0"
--------------------------------------------------------------------------------
/aks/keyvault-csi-example/chart/values.yaml:
--------------------------------------------------------------------------------
NAMESPACE: 'default'
--------------------------------------------------------------------------------
/aks/keyvault-csi-example/infrastructure/outputs.tf:
--------------------------------------------------------------------------------
# Values consumed by scripts/setup-env.sh and exported into the shell.
output "APP_NAME" {
  value     = local.resource_name
  sensitive = false
}

output "AKS_RESOURCE_GROUP" {
  value     = azurerm_kubernetes_cluster.this.resource_group_name
  sensitive = false
}

output "AKS_CLUSTER_NAME" {
  value     = azurerm_kubernetes_cluster.this.name
  sensitive = false
}

# Client (application) ID of the workload's managed identity -- an identifier,
# not a credential; presumably used for the workload-identity annotation.
output "ARM_WORKLOAD_APP_ID" {
  value     = azurerm_user_assigned_identity.app_identity.client_id
  sensitive = false
}

output "ARM_TENANT_ID" {
  value     = azurerm_user_assigned_identity.app_identity.tenant_id
  sensitive = false
}

output "KEYVAULT_NAME" {
  value     = azurerm_key_vault.this.name
  sensitive = false
}
--------------------------------------------------------------------------------
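/aks/keyvault-csi-example/infrastructure/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    # NOTE(review): exact pins on old provider releases; sibling examples
    # track "~> 4" / "~> 1". Review before reuse.
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.38.0"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "1.0.0"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Lets `terraform destroy` remove the RG even with out-of-band resources
      # in it. Demo convenience; keep the default elsewhere.
      prevent_deletion_if_contains_resources = false
    }
  }
}

provider "azapi" {
}
--------------------------------------------------------------------------------
/aks/keyvault-csi-example/infrastructure/variables.tf:
--------------------------------------------------------------------------------
variable "namespace" {
  description = "The namespace for the workload"
  type        = string
  default     = "default"
}

variable "region" {
  description = "Region to deploy resources to"
  default     = "southcentralus"
}
--------------------------------------------------------------------------------
/aks/keyvault-csi-example/scripts/setup-env.sh:
--------------------------------------------------------------------------------
# Exports the Terraform outputs of ../infrastructure into the current shell.
# This file has no shebang and only exports variables, so it is presumably
# sourced; under `source`, $0 is the invoking shell, not this file, which is
# why BASH_SOURCE is preferred and $0 kept only as a fallback.
SCRIPT_DIR=$(dirname "$(readlink -f "${BASH_SOURCE[0]:-$0}")")
INFRA_PATH=$(realpath "${SCRIPT_DIR}/../infrastructure")

# Quoted so a path containing spaces does not split the -chdir argument.
export RG=$(terraform -chdir="${INFRA_PATH}" output -raw AKS_RESOURCE_GROUP)
export AKS=$(terraform -chdir="${INFRA_PATH}" output -raw AKS_CLUSTER_NAME)
export APP_NAME=$(terraform -chdir="${INFRA_PATH}" output -raw APP_NAME)
export ARM_WORKLOAD_APP_ID=$(terraform -chdir="${INFRA_PATH}" output -raw ARM_WORKLOAD_APP_ID)
export ARM_TENANT_ID=$(terraform -chdir="${INFRA_PATH}" output -raw ARM_TENANT_ID)
--------------------------------------------------------------------------------
/aks/keyvault-csi-traefik-demo/identityv2-creation.sh:
--------------------------------------------------------------------------------
#!/bin/bash

export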
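IDENTITY=$1
export RGNAME=$2
export AKSNAME=$3

# Abort on any failure so the binding below is never attempted with an empty
# RESOURCEID; `$(...)` replaces the legacy backtick form and every expansion
# is quoted.
set -euo pipefail

RESOURCEID=$(az identity show --name "$IDENTITY" --resource-group "$RGNAME" --query id -o tsv)
# NOTE(review): `az aks pod-identity` is the AAD Pod Identity add-on, which is
# deprecated in favour of workload identity; see the keyvault-csi-example
# directory for the workload-identity based flow.
az aks pod-identity add --resource-group "$RGNAME" --cluster-name "$AKSNAME" --namespace default --name "$IDENTITY" --identity-resource-id "$RESOURCEID"
--------------------------------------------------------------------------------
/aks/keyvault-csi-traefik-demo/pod.yaml:
--------------------------------------------------------------------------------
kind: Pod
apiVersion: v1
metadata:
  name: busybox-secrets-store-inline-podid
  labels:
    # Binds the pod to an AAD Pod Identity (AzureIdentityBinding selector).
    aadpodidbinding: csi-identity
spec:
  containers:
  - name: busybox
    # NOTE(review): k8s.gcr.io is the legacy, frozen registry; prefer
    # registry.k8s.io and pin the image by digest.
    image: k8s.gcr.io/e2e-test-images/busybox:1.29
    command:
    - "/bin/sleep"
    - "10000"
    volumeMounts:
    - name: secrets-store01-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
  volumes:
  - name: secrets-store01-inline
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        # Resolved by secrets-store.yaml below.
        secretProviderClass: azure-kvname-podid
--------------------------------------------------------------------------------
/aks/keyvault-csi-traefik-demo/secrets-store.yaml:
--------------------------------------------------------------------------------
# NOTE(review): v1alpha1 is a pre-GA API version; the driver now serves v1.
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kvname-podid
spec:
  provider: azure
  parameters:
    # Authenticates to Key Vault with the pod's AAD Pod Identity (deprecated
    # mechanism; see identityv2-creation.sh).
    usePodIdentity: "true"
    keyvaultName: "bjdkv-b25e5d"
    # Mounts only the single secret named "psql" -- nothing else in the vault
    # is exposed to the pod.
    objects: |
      array:
        - |
          objectName: psql
          objectType: secret
    tenantId: "72f988bf-86f1-41af-91ab-2d7cd011db47"
--------------------------------------------------------------------------------
/aks/keyvault-csi-traefik-demo/traefik-values.yaml:
--------------------------------------------------------------------------------
deployment:
  # Binds the Traefik pods to their own AAD Pod Identity.
  podLabels: {
    aadpodidbinding: bjdtraefik-identity
  }

ports: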
  websecure:
    tls:
      # NOTE(review): quoted string rather than a YAML boolean; confirm the
      # chart's values schema accepts "true" here.
      enabled: "true"
--------------------------------------------------------------------------------
/aks/managed-prometheus/identities.tf:
--------------------------------------------------------------------------------
# Workload identity for the application (name built in main.tf locals).
resource "azurerm_user_assigned_identity" "app_identity" {
  name                = local.app_identity_name
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}
--------------------------------------------------------------------------------
/aks/managed-prometheus/main.tf:
--------------------------------------------------------------------------------


locals {
  location           = var.region
  tags               = var.tags
  resource_name      = "${random_pet.this.id}-${random_id.this.dec}"
  app_identity_name  = "${local.resource_name}-identity"
  kubernetes_version = "1.31"
  # Deployer's public IP as a /32; references.tf fetches it over HTTPS from
  # ipify as JSON, hence the jsondecode(...).ip.
  authorized_ip_ranges = ["${jsondecode(data.http.myip.response_body).ip}/32"]
  sdlc_environment     = "Production"
}

resource "azurerm_resource_group" "this" {
  name     = "${local.resource_name}_rg"
  location = local.location

  tags = {
    Application = local.tags
    Components  = "AKS; Managed Prometheus; Azure Monitor; Azure Grafana"
    # NOTE(review): timestamp() is re-evaluated on every plan, so this tag
    # produces a perpetual diff; consider lifecycle { ignore_changes = [tags] }.
    DeployedOn  = timestamp()
  }
}
--------------------------------------------------------------------------------
/aks/managed-prometheus/providers.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 1.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "~> 1"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Lets `terraform destroy` remove the RG even with out-of-band resources
      # in it. Demo convenience; keep the default elsewhere.
      prevent_deletion_if_contains_resources = false
    }
  }
}

provider "azapi" {
}
--------------------------------------------------------------------------------
/aks/managed-prometheus/random.tf:
--------------------------------------------------------------------------------
# Short random suffixes so resource names are unique per deployment.
resource "random_id" "this" {
  byte_length = 2
}

resource "random_pet" "this" {
  length    = 1
  separator = ""
}
--------------------------------------------------------------------------------
/aks/managed-prometheus/references.tf:
--------------------------------------------------------------------------------
# RSA key pair (presumably the node SSH key). NOTE(review): the private half is
# stored in plaintext in Terraform state; protect the state backend.
resource "tls_private_key" "rsa" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

data "azurerm_kubernetes_service_versions" "current" {
  location = azurerm_resource_group.this.location
}

data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

# Deployer's public egress IP over HTTPS (JSON body; main.tf reads `.ip`).
# Feeds the API-server allowlist, so the transport is TLS-protected.
data "http" "myip" {
  url = "https://api64.ipify.org?format=json"

  request_headers = {
    Accept = "application/json"
  }
}
--------------------------------------------------------------------------------
/aks/modules/aks.cni/identities.tf:
--------------------------------------------------------------------------------
# Separate control-plane and kubelet identities so each can be granted only
# the roles it needs (see roles.tf).
resource "azurerm_user_assigned_identity" "aks_identity" {
  name                = "${local.aks_name}-cluster-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}

resource "azurerm_user_assigned_identity" "aks_kubelet_identity" {
  name                = "${local.aks_name}-kubelet-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}
--------------------------------------------------------------------------------
/aks/modules/aks.cni/providers.tf:
--------------------------------------------------------------------------------
# Module only declares the provider requirement; configuration is inherited
# from the root module.
terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
      version = "~> 1"
    }
  }
}

# provider "azapi" {
# }

--------------------------------------------------------------------------------
/aks/modules/aks.cni/roles.tf:
--------------------------------------------------------------------------------
# Control-plane identity needs Network Contributor on the VNet to manage
# load balancers/routes; scoped to this VNet only.
# skip_service_principal_aad_check avoids the directory replication race for
# identities created in the same apply.
resource "azurerm_role_assignment" "aks_role_assignment_network" {
  scope                            = azurerm_virtual_network.this.id
  role_definition_name             = "Network Contributor"
  principal_id                     = azurerm_user_assigned_identity.aks_identity.principal_id
  skip_service_principal_aad_check = true
}

# Lets the control-plane identity assign the kubelet identity to node VMSS;
# scoped to that single identity resource.
resource "azurerm_role_assignment" "aks_role_assignment_msi" {
  scope                            = azurerm_user_assigned_identity.aks_kubelet_identity.id
  role_definition_name             = "Managed Identity Operator"
  principal_id                     = azurerm_user_assigned_identity.aks_identity.principal_id
  skip_service_principal_aad_check = true
}
--------------------------------------------------------------------------------
/aks/modules/aks.v3/cluster-addons.tf:
--------------------------------------------------------------------------------
# Post-create PATCH via azapi for a property the azurerm resource does not
# expose. NOTE(review): targets a *preview* API version, which Azure may
# change or retire without notice.
resource "azapi_update_resource" "cluster_updates" {
  depends_on = [
    azurerm_kubernetes_cluster.this
  ]

  type        = "Microsoft.ContainerService/managedClusters@2024-03-02-preview"
  resource_id = azurerm_kubernetes_cluster.this.id

  # Enables advanced-networking observability (network flow telemetry).
  body = jsonencode({
    properties = {
      networkProfile = {
        advancedNetworking = {
          observability = {
            enabled = true
          }
        }
      }
    }
  })
}
--------------------------------------------------------------------------------
/aks/modules/aks.v3/identities.tf:
--------------------------------------------------------------------------------
# Separate control-plane and kubelet identities so each can be granted only
# the roles it needs (see roles.tf).
resource "azurerm_user_assigned_identity" "aks_identity" {
  name                = "${local.aks_name}-cluster-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}

resource "azurerm_user_assigned_identity" "aks_kubelet_identity" {
  name                = "${local.aks_name}-kubelet-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}
--------------------------------------------------------------------------------
/aks/modules/aks.v3/outputs.tf:
--------------------------------------------------------------------------------
output "AKS_RESOURCE_GROUP" {
  value     = azurerm_kubernetes_cluster.this.resource_group_name
  sensitive = false
}

# NOTE(review): only output marked sensitive; a resource-group name is not a
# secret, and this hides it from plan/apply output unlike its siblings.
output "AKS_NODE_RG_NAME" {
  value     = local.aks_node_rg_name
  sensitive = true
}

output "AKS_CLUSTER_NAME" {
  value     = azurerm_kubernetes_cluster.this.name
  sensitive = false
}

output "AKS_CLUSTER_ID" {
  value     = azurerm_kubernetes_cluster.this.id
  sensitive = false
}

# Issuer URL needed to create federated credentials for workload identity.
output "AKS_OIDC_ISSUER_URL" {
  value     = azurerm_kubernetes_cluster.this.oidc_issuer_url
  sensitive = false
}
--------------------------------------------------------------------------------
/aks/modules/aks.v3/providers.tf:
--------------------------------------------------------------------------------
# Module only declares the provider requirement; configuration is inherited
# from the root module.
terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
      version = "~> 1"
    }
  }
}

# provider "azapi" {
# }

--------------------------------------------------------------------------------
/aks/modules/aks.v3/roles.tf:
--------------------------------------------------------------------------------
# Control-plane identity needs Network Contributor on the VNet; scoped to this
# VNet only. NOTE(review): label typo "assignemnt" is left as-is -- renaming
# changes the state address and would recreate the assignment without a
# `moved` block.
resource "azurerm_role_assignment" "aks_role_assignemnt_network" {
  scope                            = azurerm_virtual_network.this.id
  role_definition_name             = "Network Contributor"
  principal_id                     = azurerm_user_assigned_identity.aks_identity.principal_id
  skip_service_principal_aad_check = true
}

# Lets the control-plane identity assign the kubelet identity to node VMSS;
# scoped to that single identity resource.
resource "azurerm_role_assignment" "aks_role_assignemnt_msi" {
  scope                            = azurerm_user_assigned_identity.aks_kubelet_identity.id
  role_definition_name             = "Managed Identity Operator"
  principal_id                     =
azurerm_user_assigned_identity.aks_identity.principal_id
  skip_service_principal_aad_check = true
}
--------------------------------------------------------------------------------
/aks/modules/aks.v4/identities.tf:
--------------------------------------------------------------------------------
# Separate control-plane and kubelet identities so each can be granted only
# the roles it needs (see roles.tf).
resource "azurerm_user_assigned_identity" "aks_identity" {
  name                = "${local.aks_name}-cluster-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}

resource "azurerm_user_assigned_identity" "aks_kubelet_identity" {
  name                = "${local.aks_name}-kubelet-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}
--------------------------------------------------------------------------------
/aks/modules/aks.v4/providers.tf:
--------------------------------------------------------------------------------
# Module only declares the provider requirement (azapi 2.x here, vs 1.x in
# aks.v3); configuration is inherited from the root module.
terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
      version = "~> 2"
    }
  }
}

# provider "azapi" {
# }

--------------------------------------------------------------------------------
/aks/modules/aks.v4/roles.tf:
--------------------------------------------------------------------------------
# Control-plane identity needs Network Contributor on the VNet; scoped to this
# VNet only. NOTE(review): label typo "assignemnt" is left as-is -- renaming
# changes the state address and would recreate the assignment without a
# `moved` block.
resource "azurerm_role_assignment" "aks_role_assignemnt_network" {
  scope                            = azurerm_virtual_network.this.id
  role_definition_name             = "Network Contributor"
  principal_id                     = azurerm_user_assigned_identity.aks_identity.principal_id
  skip_service_principal_aad_check = true
}

# Lets the control-plane identity assign the kubelet identity to node VMSS;
# scoped to that single identity resource.
resource "azurerm_role_assignment" "aks_role_assignemnt_msi" {
  scope                            = azurerm_user_assigned_identity.aks_kubelet_identity.id
  role_definition_name             = "Managed Identity Operator"
  principal_id                     = azurerm_user_assigned_identity.aks_identity.principal_id
  skip_service_principal_aad_check = true
}
--------------------------------------------------------------------------------
/aks/modules/observability/logs.tf:
--------------------------------------------------------------------------------
resource "azurerm_log_analytics_workspace" "this" {
  name                = "${var.resource_name}-logs"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  sku                 = "PerGB2018"
  # NOTE(review): once 5 GB/day is reached ingestion stops for the rest of the
  # day, so audit/diagnostic logs can be silently dropped; size for the
  # cluster's real volume.
  daily_quota_gb      = 5
}

# Workspace-based Application Insights (classic mode is retired).
resource "azurerm_application_insights" "this" {
  name                = "${var.resource_name}-appinsights"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  workspace_id        = azurerm_log_analytics_workspace.this.id
  application_type    = "web"
}
--------------------------------------------------------------------------------
/aks/modules/observability/providers.tf:
--------------------------------------------------------------------------------
# terraform {
#   required_providers {
#     azapi = {
#       source  = "Azure/azapi"
#       version = "~> 2"
#     }
#   }
# }
--------------------------------------------------------------------------------
/aks/multi-cluster/Taskfile.yaml:
--------------------------------------------------------------------------------
version: '3'

# Root Taskfile only aggregates the two infrastructure Taskfiles.
includes:
  patch:
    taskfile: ./infrastructure/Taskfile.patches.yaml
    internal: false

  multiregion:
    taskfile: ./infrastructure/Taskfile.regional.yaml
    internal: false
--------------------------------------------------------------------------------
/aks/multi-cluster/deploy/cluster-app-multi-cluster-service.yaml:
--------------------------------------------------------------------------------
# Fleet networking: exposes the imported "httpbin" service across member
# clusters (pairs with fleet-app-export-service.yaml).
apiVersion: networking.fleet.azure.com/v1alpha1
kind: MultiClusterService
metadata:
  name: httpbin
  namespace: app
spec:
  serviceImport:
    name: httpbin
--------------------------------------------------------------------------------
/aks/multi-cluster/deploy/fleet-app-export-service.yaml:
--------------------------------------------------------------------------------
# Marks the "httpbin" Service in namespace "app" for export to the fleet.
apiVersion: networking.fleet.azure.com/v1alpha1
kind: ServiceExport
metadata:
  name: httpbin
  namespace: app
--------------------------------------------------------------------------------
/aks/multi-cluster/infrastructure/cluster/dns.tf:
--------------------------------------------------------------------------------
# Private DNS zone for a private AKS API server endpoint in this region,
# linked to the cluster VNet so nodes/clients in it resolve the private name.
resource "azurerm_private_dns_zone" "aks_private_zone" {
  name                = "privatelink.${local.location}.azmk8s.io"
  resource_group_name = azurerm_resource_group.this.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "aks_private_zone" {
  name                  = "${azurerm_virtual_network.this.name}-link"
  private_dns_zone_name = azurerm_private_dns_zone.aks_private_zone.name
  resource_group_name   = azurerm_resource_group.this.name
  virtual_network_id    = azurerm_virtual_network.this.id
}
--------------------------------------------------------------------------------
/aks/multi-cluster/infrastructure/cluster/identities.tf:
--------------------------------------------------------------------------------
# Separate control-plane and kubelet identities so each can be granted only
# the roles it needs.
resource "azurerm_user_assigned_identity" "aks_identity" {
  name                = "${local.aks_name}-cluster-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}

resource "azurerm_user_assigned_identity" "aks_kubelet_identity" {
  name                = "${local.aks_name}-kubelet-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}
--------------------------------------------------------------------------------
/aks/multi-cluster/infrastructure/cluster/logging.tf:
--------------------------------------------------------------------------------
resource "azurerm_log_analytics_workspace" "this" { 2 | name = "${var.resource_name}-logs" 3 | location = azurerm_resource_group.this.location 4 | resource_group_name = azurerm_resource_group.this.name 5 | sku = "PerGB2018" 6 | daily_quota_gb = 5 7 | } 8 | 9 | resource "azurerm_application_insights" "this" { 10 | name = "${var.resource_name}-appinsights" 11 | location = azurerm_resource_group.this.location 12 | resource_group_name = azurerm_resource_group.this.name 13 | workspace_id = azurerm_log_analytics_workspace.this.id 14 | application_type = "web" 15 | } -------------------------------------------------------------------------------- /aks/multi-cluster/infrastructure/cluster/outputs.tf: -------------------------------------------------------------------------------- 1 | output "AKS_RESOURCE_GROUP" { 2 | value = azurerm_kubernetes_cluster.this.resource_group_name 3 | sensitive = false 4 | } 5 | 6 | output "AKS_CLUSTER_NAME" { 7 | value = azurerm_kubernetes_cluster.this.name 8 | sensitive = false 9 | } 10 | 11 | output "AKS_CLUSTER_ID" { 12 | value = azurerm_kubernetes_cluster.this.id 13 | sensitive = false 14 | } -------------------------------------------------------------------------------- /aks/multi-cluster/infrastructure/multiregion-demo/clusters.tf: -------------------------------------------------------------------------------- 1 | module "cluster_resources" { 2 | for_each = toset(var.regions) 3 | source = "../cluster" 4 | region = each.value 5 | authorized_ip_ranges = local.authorized_ip_ranges 6 | resource_name = "${local.resource_name}-${each.value}" 7 | public_key_openssh = tls_private_key.rsa.public_key_openssh 8 | sdlc_environment = local.sdlc_environment 9 | kubernetes_version = local.kubernetes_version 10 | tags = var.tags 11 | } -------------------------------------------------------------------------------- /aks/multi-cluster/infrastructure/multiregion-demo/fleet.tf: 
--------------------------------------------------------------------------------
resource "azurerm_kubernetes_fleet_manager" "this" {
  location            = azurerm_resource_group.this.location
  name                = local.fleet_name
  resource_group_name = azurerm_resource_group.this.name
}

# Joins every regional cluster to the fleet; `group` is the region so fleet
# placement can target regions individually.
resource "azurerm_kubernetes_fleet_member" "this" {
  depends_on = [
    azurerm_kubernetes_fleet_manager.this,
    module.cluster_resources
  ]
  for_each              = toset(var.regions)
  kubernetes_fleet_id   = azurerm_kubernetes_fleet_manager.this.id
  name                  = "${module.cluster_resources[each.key].AKS_CLUSTER_NAME}-member"
  kubernetes_cluster_id = module.cluster_resources[each.key].AKS_CLUSTER_ID
  group                 = each.key
}
--------------------------------------------------------------------------------
/aks/multi-cluster/infrastructure/multiregion-demo/identities.tf:
--------------------------------------------------------------------------------
resource "azurerm_user_assigned_identity" "fleet_identity" {
  name                = "${local.fleet_name}-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}
--------------------------------------------------------------------------------
/aks/multi-cluster/infrastructure/multiregion-demo/main.tf:
--------------------------------------------------------------------------------
# Short random suffixes so resource names are unique per deployment.
resource "random_id" "this" {
  byte_length = 2
}

resource "random_pet" "this" {
  length    = 1
  separator = ""
}

locals {
  resource_name = "${random_pet.this.id}-${random_id.this.dec}"
  # Deployer's public egress IP (data.http.myip in references.tf) as a /32;
  # passed to every regional cluster as its API-server allowlist.
  authorized_ip_ranges = [ "${chomp(data.http.myip.response_body)}/32" ]
  fleet_name           = "${local.resource_name}-fleet"
  sdlc_environment     = "Production"
  kubernetes_version   = "1.31"
}
--------------------------------------------------------------------------------
/aks/multi-cluster/infrastructure/multiregion-demo/outputs.tf:
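# Aggregated cluster/fleet coordinates for the Taskfile (no secrets here).
output "AKS_NAMES" {
  value = [ for aks in module.cluster_resources : aks.AKS_CLUSTER_NAME ]
}

output "AKS_CLUSTER_IDS" {
  value = [ for aks in module.cluster_resources : aks.AKS_CLUSTER_ID ]
}

output "AKS_RESOURCE_GROUPS" {
  value = [ for aks in module.cluster_resources : aks.AKS_RESOURCE_GROUP ]
}

output "FLEET_NAME" {
  value = local.fleet_name
}

output "FLEET_RESOURCE_GROUP" {
  value = azurerm_resource_group.this.name
}

# --- /aks/multi-cluster/infrastructure/multiregion-demo/providers.tf ---
terraform {
  # 1.2+ is needed for the lifecycle postcondition on data.http.myip (references.tf).
  required_version = ">= 1.2"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4"
    }
    azapi = {
      source  = "azure/azapi"
      version = "~> 1"
    }
    # Declared explicitly so the provider sources used by this root are pinned to the
    # HashiCorp namespace instead of being resolved implicitly at init time.
    http = {
      source  = "hashicorp/http"
      version = "~> 3"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "~> 4"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Demo setting: `terraform destroy` removes the RG even if it still holds resources.
      prevent_deletion_if_contains_resources = false
    }
  }
}

# --- /aks/multi-cluster/infrastructure/multiregion-demo/references.tf ---
# Deployer's public IP; main.tf turns it into the AKS API-server authorized_ip_ranges.
data "http" "myip" {
  # HTTPS: over plain HTTP an on-path attacker could substitute their own address
  # into the control-plane allow-list.
  url = "https://checkip.amazonaws.com/"

  lifecycle {
    postcondition {
      # Refuse to build an allow-list from anything that is not a single IPv4 literal.
      condition     = self.status_code == 200 && can(regex("^[0-9]{1,3}(\\.[0-9]{1,3}){3}$", chomp(self.response_body)))
      error_message = "checkip.amazonaws.com did not return a single IPv4 address; not using it for authorized_ip_ranges."
    }
  }
}

data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

# SSH key for the cluster nodes. The private half is stored in plaintext in Terraform
# state; treat the state backend as holding a credential (encrypted, access-controlled).
resource "tls_private_key" "rsa" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

# --- /aks/multi-cluster/infrastructure/multiregion-demo/regions.tfvars ---
regions    = ["canadacentral", "westus3"]
hub_region = "canadacentral"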
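# Hub resource group for Fleet Manager (the regional clusters live in their own RGs).
resource "azurerm_resource_group" "this" {
  name     = "${local.resource_name}_rg"
  location = var.hub_region

  tags = {
    Application = var.tags
    Components  = "Azure Fleet Manager"
    # NOTE: timestamp() is re-evaluated on every plan, so this tag produces a perpetual diff.
    DeployedOn  = timestamp()
  }
}

# --- /aks/multi-cluster/infrastructure/multiregion-demo/variables.tf ---
variable "regions" {
  description = "The location for this application deployment"
  type        = list(string)

  validation {
    condition     = length(var.regions) > 0
    error_message = "regions must contain at least one Azure region."
  }
}

variable "hub_region" {
  description = "Azure region to deploy Fleet Manager to"
  type        = string
}

# Used as a single tag value (tags = { Application = var.tags }), hence a string.
variable "tags" {
  description = "The tags to apply to the resources"
  type        = string
}

# --- /aks/multi-cluster/infrastructure/patch-demo/clusters.tf ---
# One cluster per SDLC environment in a single region, all sharing one SSH key and one
# API-server allow-list (local.authorized_ip_ranges).
module "cluster_resources" {
  for_each                  = toset(var.sdlc_environments)
  source                    = "../cluster"
  region                    = var.region
  authorized_ip_ranges      = local.authorized_ip_ranges
  resource_name             = "${local.resource_name}-${each.value}"
  public_key_openssh        = tls_private_key.rsa.public_key_openssh
  sdlc_environment          = each.value
  kubernetes_version        = local.kubernetes_version
  automatic_channel_upgrade = var.automatic_channel_upgrade
  node_os_channel_upgrade   = var.node_os_channel_upgrade
  tags                      = var.tags
}

# --- /aks/multi-cluster/infrastructure/patch-demo/environments.tfvars ---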
sdlc_environments         = ["development", "production"]
# "patch": control plane auto-upgrades within the minor; "NodeImage": nodes pick up new
# (patched) OS images automatically.
automatic_channel_upgrade = "patch"
node_os_channel_upgrade   = "NodeImage"

# --- /aks/multi-cluster/infrastructure/patch-demo/identities.tf ---
# NOTE(review): not referenced elsewhere in this listing; remove if it stays unused.
resource "azurerm_user_assigned_identity" "fleet_identity" {
  name                = "${local.fleet_name}-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}

# --- /aks/multi-cluster/infrastructure/patch-demo/main.tf ---
resource "random_id" "this" {
  byte_length = 2
}

resource "random_pet" "this" {
  length    = 1
  separator = ""
}

locals {
  resource_name        = "${random_pet.this.id}-${random_id.this.dec}"
  # SECURITY: control-plane allow-list = the deployer's public IP as seen by an external
  # lookup (data.http.myip). Keep that lookup on HTTPS and validated; this is the only
  # address allowed to reach the API server of every cluster in this root.
  authorized_ip_ranges = ["${chomp(data.http.myip.response_body)}/32"]
  fleet_name           = "${local.resource_name}-fleet"
  kubernetes_version   = "1.31"
}

# --- /aks/multi-cluster/infrastructure/patch-demo/outputs.tf ---
output "AKS_NAMES" {
  value = [ for aks in module.cluster_resources : aks.AKS_CLUSTER_NAME ]
}

output "AKS_CLUSTER_IDS" {
  value = [ for aks in module.cluster_resources : aks.AKS_CLUSTER_ID ]
}

output "FLEET_NAME" {
  value = local.fleet_name
}

output "FLEET_RESOURCE_GROUP" {
  value = azurerm_resource_group.this.name
}

# --- /aks/multi-cluster/infrastructure/patch-demo/providers.tf ---
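terraform {
  # 1.2+ is needed for the lifecycle postcondition on data.http.myip (references.tf).
  required_version = ">= 1.2"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4"
    }
    azapi = {
      source  = "azure/azapi"
      version = "~> 1"
    }
    # Pin the implicitly used providers to the HashiCorp namespace.
    http = {
      source  = "hashicorp/http"
      version = "~> 3"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "~> 4"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Demo setting: destroy removes the RG even when it still holds resources.
      prevent_deletion_if_contains_resources = false
    }
  }
}

# --- /aks/multi-cluster/infrastructure/patch-demo/references.tf ---
# Deployer's public IP; main.tf turns it into the AKS API-server authorized_ip_ranges.
data "http" "myip" {
  # HTTPS: over plain HTTP an on-path attacker could inject their own address into
  # the control-plane allow-list.
  url = "https://checkip.amazonaws.com/"

  lifecycle {
    postcondition {
      condition     = self.status_code == 200 && can(regex("^[0-9]{1,3}(\\.[0-9]{1,3}){3}$", chomp(self.response_body)))
      error_message = "checkip.amazonaws.com did not return a single IPv4 address; not using it for authorized_ip_ranges."
    }
  }
}

data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

# Node SSH key; the private half lives in Terraform state, so protect the state backend.
resource "tls_private_key" "rsa" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

# --- /aks/multi-cluster/infrastructure/patch-demo/rg.tf ---
resource "azurerm_resource_group" "this" {
  name     = "${local.resource_name}_rg"
  location = var.region

  tags = {
    Application = var.tags
    Components  = "Azure Fleet Manager"
    # NOTE: timestamp() changes every plan -> perpetual tag diff.
    DeployedOn  = timestamp()
  }
}

# --- /aks/multi-cluster/infrastructure/patch-demo/variables.tf ---
variable "sdlc_environments" {
  description = "The sdlc environments for this application deployment"
  type        = list(string)
  default     = ["development","staging","production"]
}

variable "region" {
  description = "Azure region to deploy to"
}

variable "automatic_channel_upgrade" {
  description = "The value for the automatic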
channel upgrade"
}

variable "node_os_channel_upgrade" {
  description = "The value for the node OS channel upgrade"
}

variable "tags" {
  description = "The tags to apply to the resources"
}

# --- /aks/node-autoprovisioner/README.md ---
# Quicksteps
## Complete Environment
```bash
az login --scope https://graph.microsoft.com/.default
task up
```

## Clean up
```bash
task down
```
# Validate
```
kubectl get pods -A
```

# Notes
# Backlog

# --- /aks/node-autoprovisioner/identities.tf ---
# Separate control-plane and kubelet identities, so node-level (kubelet) permissions can
# be kept narrower than the cluster identity's (see roles.tf).
resource "azurerm_user_assigned_identity" "aks_identity" {
  name                = "${local.aks_name}-cluster-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}

resource "azurerm_user_assigned_identity" "aks_kubelet_identity" {
  name                = "${local.aks_name}-kubelet-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}

# --- /aks/node-autoprovisioner/outputs.tf ---
output "AKS_RESOURCE_GROUP" {
  value     = local.rg_name
  sensitive = false
}

output "AKS_CLUSTER_NAME" {
  value     = local.aks_name
  sensitive = false
}

output "AKS_CLUSTER_ID" {
  value     = data.azurerm_kubernetes_cluster.this.id
  sensitive = false
}
# --- /aks/node-autoprovisioner/providers.tf ---
terraform {
  required_version = ">= 1.0"
  required_providers {
    # NOTE(review): this root still tracks azurerm 3.x while sibling roots use ~> 4;
    # keep the major in step so provider security fixes land everywhere.
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "~> 1"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "4.0.4"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Demo setting: destroy removes the RG even when it still holds resources.
      prevent_deletion_if_contains_resources = false
    }
  }
}

provider "azapi" {
}

# --- /aks/node-autoprovisioner/roles.tf ---
# Control-plane identity needs to manage networking in the VNet (load balancers, routes).
# NOTE(review): Network Contributor at VNet scope covers every subnet in the VNet; if the
# cluster subnet is its own resource, scoping the assignment to that subnet is tighter.
resource "azurerm_role_assignment" "aks_role_assignemnt_network" {
  scope                            = azurerm_virtual_network.this.id
  role_definition_name             = "Network Contributor"
  principal_id                     = azurerm_user_assigned_identity.aks_identity.principal_id
  # Skips the Entra principal lookup; commonly set because a just-created identity may
  # not be visible yet - verify this is the reason here.
  skip_service_principal_aad_check = true
}

# Least-privilege: the cluster identity may operate only the kubelet identity it assigns
# to nodes, not every managed identity in the subscription.
resource "azurerm_role_assignment" "aks_role_assignemnt_msi" {
  scope                            = azurerm_user_assigned_identity.aks_kubelet_identity.id
  role_definition_name             = "Managed Identity Operator"
  principal_id                     = azurerm_user_assigned_identity.aks_identity.principal_id
  skip_service_principal_aad_check = true
}

# --- /aks/nsg-lockdown/identities.tf ---
resource "azurerm_user_assigned_identity" "aks_identity" {
  name                = "${local.aks_name}-cluster-identity"
  resource_group_name = azurerm_resource_group.this["aks"].name
  location            = azurerm_resource_group.this["aks"].location
}

resource "azurerm_user_assigned_identity" "aks_kubelet_identity" {
  name                = "${local.aks_name}-kubelet-identity"
  resource_group_name = azurerm_resource_group.this["aks"].name
  location            = azurerm_resource_group.this["aks"].location
}

# --- /aks/nsg-lockdown/observability.tf ---
resource "azurerm_log_analytics_workspace" "this" {
  name                = local.log_analytics_workspace_name
  location            = azurerm_resource_group.this["monitor"].location
  resource_group_name = azurerm_resource_group.this["monitor"].name
  sku                 = "PerGB2018"
  # NOTE(review): once the daily cap is hit, ingestion stops for the rest of the day and
  # any audit/NSG-flow data sent here is silently dropped. Size for detection needs.
  daily_quota_gb      = 5
}

resource "azurerm_application_insights" "this" {
  name                = local.app_insights_name
  location            = azurerm_resource_group.this["monitor"].location
  resource_group_name = azurerm_resource_group.this["monitor"].name
  workspace_id        = azurerm_log_analytics_workspace.this.id
  application_type    = "web"
}

# --- /aks/nsg-lockdown/providers.tf ---
terraform {
  required_version = ">= 1.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "~> 1"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "~> 4"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Demo setting: destroy removes the RG even when it still holds resources.
      prevent_deletion_if_contains_resources = false
    }
  }
}

provider "azapi" {
}

# --- /aks/nsg-lockdown/random.tf ---
resource "random_id" "this" {
  byte_length = 2
}

resource "random_pet" "this" {
  length    = 1
  separator = ""
}

# Random second octets for the VNet / service / pod CIDRs (ranges chosen so the three
# address spaces cannot overlap: 10-250, 64-99, 100-127 — TODO confirm the prefixes used).
resource "random_integer"
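"vnet_cidr" {
  min = 10
  max = 250
}

resource "random_integer" "services_cidr" {
  min = 64
  max = 99
}

resource "random_integer" "pod_cidr" {
  min = 100
  max = 127
}

resource "random_integer" "vm_zone" {
  min = 1
  max = 3
}

# --- /aks/nsg-lockdown/references.tf ---
data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

# Deployer's public IP, used downstream as the API-server allow-list entry.
data "http" "myip" {
  # HTTPS: over plain HTTP an on-path attacker could inject their own address into
  # the control-plane allow-list.
  url = "https://checkip.amazonaws.com/"

  # Requires Terraform >= 1.2 (data-source postconditions).
  lifecycle {
    postcondition {
      condition     = self.status_code == 200 && can(regex("^[0-9]{1,3}(\\.[0-9]{1,3}){3}$", chomp(self.response_body)))
      error_message = "checkip.amazonaws.com did not return a single IPv4 address; not using it for authorized IP ranges."
    }
  }
}

data "azurerm_kubernetes_service_versions" "current" {
  location = local.location
}

# Node/VM SSH key; the private half lives in Terraform state, so protect the state backend.
resource "tls_private_key" "rsa" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

# --- /aks/nsg-lockdown/variables.tf ---
variable "region" {
  description = "Azure region to deploy to"
  default     = "southcentralus"
}

variable "vm_size" {
  description = "The value for the VM SKU"
  default     = "Standard_D4ads_v5"
}

variable "vm_os" {
  description = "The value for the VM OS"
  default     = "AzureLinux"
}

variable "tags" {
  description = "Tags to apply for this resource"
}

variable "node_count" {
  description = "The node count for the default node pool"
  default     = 1
}

variable "zones" {
  description = "The zones to deploy the cluster to"
  type        = list(string)
  default     = ["1", "2", "3"]
}

# --- /aks/premium/README.md ---
# Quicksteps
## Complete Environment
```bash
az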
login --scope https://graph.microsoft.com/.default
task up
```

## Clean up
```bash
task down
```
# Validate
```
kubectl get pods -A
```

# Backlog
- [X] - Wait for support to come to the API

# --- /aks/premium/identities.tf ---
# Separate control-plane and kubelet identities (kubelet gets only what roles.tf grants).
resource "azurerm_user_assigned_identity" "aks_identity" {
  name                = "${local.aks_name}-cluster-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}

resource "azurerm_user_assigned_identity" "aks_kubelet_identity" {
  name                = "${local.aks_name}-kubelet-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}

# --- /aks/premium/outputs.tf ---
output "AKS_RESOURCE_GROUP" {
  value     = data.azurerm_kubernetes_cluster.this.resource_group_name
  sensitive = false
}

output "AKS_CLUSTER_NAME" {
  value     = data.azurerm_kubernetes_cluster.this.name
  sensitive = false
}

# --- /aks/premium/providers.tf ---
terraform {
  required_version = ">= 1.0"
  required_providers {
    # Exact pins are reproducible, but these are old majors relative to the ~> 4 / ~> 2
    # used by sibling roots; bump deliberately so provider fixes are picked up.
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.66.0"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "1.8.0"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "4.0.4"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Demo setting: destroy removes the RG even when it still holds resources.
      prevent_deletion_if_contains_resources = false
    }
  }
}
provider "azapi" {
}

# --- /aks/premium/roles.tf ---
# Control-plane identity manages networking in the VNet. NOTE(review): VNet scope covers
# every subnet; a subnet-scoped assignment is tighter if the AKS subnet is its own resource.
resource "azurerm_role_assignment" "aks_role_assignemnt_network" {
  scope                            = azurerm_virtual_network.this.id
  role_definition_name             = "Network Contributor"
  principal_id                     = azurerm_user_assigned_identity.aks_identity.principal_id
  skip_service_principal_aad_check = true
}

# Least-privilege: the cluster identity may only operate the kubelet identity it hands
# to nodes, not arbitrary managed identities.
resource "azurerm_role_assignment" "aks_role_assignemnt_msi" {
  scope                            = azurerm_user_assigned_identity.aks_kubelet_identity.id
  role_definition_name             = "Managed Identity Operator"
  principal_id                     = azurerm_user_assigned_identity.aks_identity.principal_id
  skip_service_principal_aad_check = true
}

# --- /aks/premium/variables.tf ---
variable "region" {
  description = "Azure region to deploy to"
  default     = "southcentralus"
}

variable "vm_size" {
  description = "The SKU for the default node pool"
  default     = "Standard_B4ms"
}

variable "node_count" {
  description = "The default number of nodes to scale the cluster to"
  default     = 1
}

# --- /aks/private/aks/cluster-updates.tf ---
# Disabled: would enable API-server VNet integration through a preview API version.
# Left commented out; if re-enabled, track the preview API version deliberately.
# resource "azapi_update_resource" "vnet_injection" {
#
#   type        = "Microsoft.ContainerService/managedClusters@2025-03-02-preview"
#   resource_id = azurerm_kubernetes_cluster.this.id
#
#   body = {
#     properties = {
#       apiServerAccessProfile = {
#         enableVnetIntegration = true
#         subnetId              = data.azurerm_subnet.api.id
#       }
#     }
#   }
# }
# --- /aks/private/aks/identities.tf ---
# Separate control-plane and kubelet identities.
resource "azurerm_user_assigned_identity" "aks_identity" {
  name                = "${local.aks_name}-cluster-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}

resource "azurerm_user_assigned_identity" "aks_kubelet_identity" {
  name                = "${local.aks_name}-kubelet-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}

# --- /aks/private/aks/outputs.tf ---
output "AKS_RESOURCE_GROUP" {
  value     = azurerm_kubernetes_cluster.this.resource_group_name
  sensitive = false
}

# Marked sensitive, so it is redacted from `terraform output`/plan text; it is still
# stored in plaintext in state like every output.
output "AKS_NODE_RG_NAME" {
  value     = local.aks_node_rg_name
  sensitive = true
}

output "AKS_CLUSTER_NAME" {
  value     = azurerm_kubernetes_cluster.this.name
  sensitive = false
}

output "AKS_CLUSTER_ID" {
  value     = azurerm_kubernetes_cluster.this.id
  sensitive = false
}

# Issuer URL for workload identity federation (trust is established against this issuer).
output "AKS_OIDC_ISSUER_URL" {
  value     = azurerm_kubernetes_cluster.this.oidc_issuer_url
  sensitive = false
}

# --- /aks/private/aks/providers.tf ---
# Child module: only declares the providers it needs; azurerm comes from the root.
terraform {
  required_version = ">= 1.0"
  required_providers {
    azapi = {
      source  = "Azure/azapi"
      version = "~> 2"
    }
  }
}

# --- /aks/private/aks/random.tf ---
# Random second octets for the service / pod CIDRs (64-99 vs 100-127, so they do not overlap).
resource "random_integer" "services_cidr" {
  min = 64
  max = 99
}

resource "random_integer" "pod_cidr" {
  min = 100
  max = 127
}

# --- /aks/private/azure.tfvars ---
deploy_jumpbox = true
node_count     = 3
node_sku       = "Standard_D4s_v5"

# --- /aks/private/bastion/main.tf ---
# Bastion is the intended entry point to the private cluster's jumpbox (no public SSH).
resource "azurerm_bastion_host" "this" {
  name                = var.bastion_host.name
  location            = var.bastion_host.location
  resource_group_name = var.bastion_host.resource_group_name
  sku                 = "Developer"
  virtual_network_id  = var.bastion_host.vnet.id
}

# --- /aks/private/bastion/outputs.tf ---
# (content not inlined in this listing)
# https://raw.githubusercontent.com/briandenicola/kubernetes/58bd50cc72d8f7f5a6166c00ed29cda9076991a6/aks/private/bastion/outputs.tf

# --- /aks/private/bastion/references.tf ---
data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

# --- /aks/private/bastion/variables.tf ---
variable "bastion_host" {
  type = object({
    name                = string
    location            = string
    resource_group_name = string
    vnet = object({
      id = string
    })
  })
}

# --- /aks/private/jumpbox/output.tf ---
# (content not inlined in this listing)
# https://raw.githubusercontent.com/briandenicola/kubernetes/58bd50cc72d8f7f5a6166c00ed29cda9076991a6/aks/private/jumpbox/output.tf

# --- /aks/private/jumpbox/references.tf ---
data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

# --- /aks/private/jumpbox/variables.tf ---
variable "vm" {
  type = object({
    name                = string
    location            = string
    zone                = number
    resource_group_name = string
    sku                 = string
    admin = object({
      username     = string
      # Path to the SSH public key installed for the admin user (key-based login only).
      ssh_key_path = string
    })
    vnet = object({
      subnet_id = string
    })
  })
}

# --- /aks/private/outputs.tf ---
output "AKS_RESOURCE_GROUP" {
  value     = module.aks.AKS_RESOURCE_GROUP
  sensitive = false
}

output "AKS_CLUSTER_NAME" {
  value     = module.aks.AKS_CLUSTER_NAME
  sensitive = false
}

# --- /aks/private/providers.tf ---
terraform {
  required_version = ">= 1.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "~> 2"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "~> 4"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } -------------------------------------------------------------------------------- /aks/private/random.tf: -------------------------------------------------------------------------------- 1 | resource "random_id" "this" { 2 | byte_length = 2 3 | } 4 | 5 | resource "random_pet" "this" { 6 | length = 1 7 | separator = "" 8 | } 9 | 10 | resource "random_integer" "vnet_cidr" { 11 | min = 10 12 | max = 250 13 | } 14 | 15 | resource "random_integer" "vm_zone" { 16 | min = 1 17 | max = 3 18 | } 19 | 20 | resource "tls_private_key" "rsa" { 21 | algorithm = "RSA" 22 | rsa_bits = 4096 23 | } -------------------------------------------------------------------------------- /aks/private/references.tf: -------------------------------------------------------------------------------- 1 | data "http" "myip" { 2 | url = "http://checkip.amazonaws.com/" 3 | } 4 | 5 | data "azurerm_client_config" "current" {} 6 | data "azurerm_subscription" "current" {} 7 | 8 | data "azurerm_kubernetes_service_versions" "current" { 9 | location = local.location 10 | } 11 | -------------------------------------------------------------------------------- /aks/proximity-groups/README.md: -------------------------------------------------------------------------------- 1 | # Quicksteps 2 | ## Complete Environment 3 | ```bash 4 | az login --scope https://graph.microsoft.com/.default 5 | task up 6 | ``` 7 | 8 | ## Clean up 9 | ```bash 10 | task down 11 | ``` 12 | 13 | # Validate 14 | ``` 15 | kubectl get pods -A 16 | ``` 17 | 18 | # Notes 19 | # Backlog -------------------------------------------------------------------------------- /aks/proximity-groups/cluster-post-config.tf: -------------------------------------------------------------------------------- 1 | # resource "azapi_update_resource" "this" { 2 | # depends_on = [ 3 | # azurerm_kubernetes_cluster.this 4 | # ] 5 | 6 | # type = 
#   "Microsoft.ContainerService/managedClusters@2023-01-02-preview"
#   resource_id = azurerm_kubernetes_cluster.this.id
#
#   body = jsonencode({
#     properties = {
#       autoUpgradeProfile = {
#         nodeOSUpgradeChannel = "NodeImage"
#       }
#     }
#   })
# }

# --- /aks/proximity-groups/identities.tf ---
# Separate control-plane and kubelet identities.
resource "azurerm_user_assigned_identity" "aks_identity" {
  name                = "${local.aks_name}-cluster-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}

resource "azurerm_user_assigned_identity" "aks_kubelet_identity" {
  name                = "${local.aks_name}-kubelet-identity"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
}

# --- /aks/proximity-groups/outputs.tf ---
output "AKS_RESOURCE_GROUP" {
  value     = azurerm_kubernetes_cluster.this.resource_group_name
  sensitive = false
}

output "AKS_CLUSTER_NAME" {
  value     = azurerm_kubernetes_cluster.this.name
  sensitive = false
}

output "AKS_CLUSTER_ID" {
  value     = azurerm_kubernetes_cluster.this.id
  sensitive = false
}

# --- /aks/proximity-groups/providers.tf ---
terraform {
  required_version = ">= 1.0"
  required_providers {
    # NOTE(review): exact pins on old releases (azurerm 3.66.0, azapi 1.0.0); sibling
    # roots are on ~> 4 / ~> 2. Bump deliberately so provider fixes are picked up.
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.66.0"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "1.0.0"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "4.0.4"
    }
  }
}

provider "azurerm" {
  features {
    resource_group {
      # Demo setting: destroy removes the RG even when it still holds resources.
      prevent_deletion_if_contains_resources = false
    }
  }
}

provider "azapi" {
}

# --- /aks/proximity-groups/proximity-groups.tf ---
# One proximity placement group per zone-pinned node pool (availability-aware placement;
# no security impact by itself).
resource "azurerm_proximity_placement_group" "zone1" {
  name                = "${local.aks_name}-nodepool1-zone1"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name

  tags = {
    AZone = "Zone1"
  }
}

resource "azurerm_proximity_placement_group" "zone2" {
  name                = "${local.aks_name}-nodepool2-zone2"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name

  tags = {
    AZone = "Zone2"
  }
}

# --- /aks/proximity-groups/roles.tf ---
# Control-plane identity manages networking in the VNet. NOTE(review): VNet scope covers
# every subnet; a subnet-scoped assignment is tighter if the AKS subnet is its own resource.
resource "azurerm_role_assignment" "aks_role_assignemnt_network" {
  scope                            = azurerm_virtual_network.this.id
  role_definition_name             = "Network Contributor"
  principal_id                     = azurerm_user_assigned_identity.aks_identity.principal_id
  skip_service_principal_aad_check = true
}

# Least-privilege: the cluster identity may only operate the kubelet identity it hands
# to nodes, not arbitrary managed identities.
resource "azurerm_role_assignment" "aks_role_assignemnt_msi" {
  scope                            = azurerm_user_assigned_identity.aks_kubelet_identity.id
  role_definition_name             = "Managed Identity Operator"
  principal_id                     = azurerm_user_assigned_identity.aks_identity.principal_id
  skip_service_principal_aad_check = true
}

# --- /aks/proximity-groups/variables.tf ---
variable "region" {
  description = "Azure
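region to deploy to"
  default     = "southcentralus"
}

variable "vm_size" {
  description = "The SKU for the default node pool"
  default     = "Standard_B4ms"
}

variable "node_count" {
  description = "The default number of nodes to scale the cluster to"
  default     = 1
}

# --- /aks/scripts/update_storageaccount_secret.sh ---
#!/bin/bash
# Refresh the Kubernetes secret that holds an Azure Storage account key.
#
# Usage: update_storageaccount_secret.sh <aks-cluster-name> <resource-group> <storage-account>
#
# Looks up the cluster's node resource group, reads the storage account's primary key and
# rewrites the secret (in the current kubectl namespace) whose name contains the storage
# account name, with keys `azurestorageaccountname` and `azurestorageaccountkey`.
#
# Changes vs. the original: fail-fast shell options, quoted variables, exactly-one-match
# check on the secret name (the `contains` filter can match several secrets), an in-place
# replace instead of delete+create (no window where the secret is missing), and the key is
# passed via --from-file from a process substitution so it never appears in argv / `ps`.
set -euo pipefail

if [[ $# -ne 3 ]]; then
  echo "usage: $0 <aks-cluster-name> <resource-group> <storage-account>" >&2
  exit 2
fi

k8s="$1"
rg="$2"
storageacct="$3"

# Reuse an existing Azure CLI session; only prompt for login when there is none.
az account show >/dev/null 2>&1 || az login

nrg=$(az aks show --resource-group "$rg" --name "$k8s" --query nodeResourceGroup -o tsv)
key=$(az storage account keys list -n "$storageacct" -g "$nrg" --query "[0].value" -o tsv)

# Resolve the target secret; refuse to guess when zero or several names match.
mapfile -t matches < <(kubectl get secret -o json \
  | jq -r --arg sa "$storageacct" '.items[] | select(.metadata.name | contains($sa)) | .metadata.name')
if [[ ${#matches[@]} -ne 1 ]]; then
  echo "expected exactly one secret whose name contains '$storageacct', found ${#matches[@]}" >&2
  exit 1
fi
secret_name="${matches[0]}"

# Build the new secret client-side and replace the existing object atomically.
kubectl create secret generic "$secret_name" \
  --from-literal=azurestorageaccountname="$storageacct" \
  --from-file=azurestorageaccountkey=<(printf '%s' "$key") \
  --dry-run=client -o yaml \
  | kubectl replace -f -

# --- /aks/spn-auth-example/client-pod.yaml ---
---
# Example only: the values below are truncated placeholders, not real credentials.
# A service-principal client secret in a manifest is a long-lived credential that ends
# up in git, etcd and anyone with `get secret`; prefer AKS workload identity (federated
# credentials, no secret to store) for in-cluster Azure access.
apiVersion: v1
kind: Secret
metadata:
  name: spn
type: Opaque
data:
  clientID: NjlmOG.......
  clientSecret: S09tN1F+..............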
10 | --- 11 | apiVersion: v1 12 | kind: Pod 13 | metadata: 14 | name: spn-example 15 | spec: 16 | containers: 17 | - image: bjd145/utils:3.6 18 | imagePullPolicy: Always 19 | name: spn 20 | env: 21 | - name: AAD_SERVICE_PRINCIPAL_CLIENT_ID 22 | valueFrom: 23 | secretKeyRef: 24 | name: spn 25 | key: clientID 26 | - name: AAD_SERVICE_PRINCIPAL_CLIENT_SECRET 27 | valueFrom: 28 | secretKeyRef: 29 | name: spn 30 | key: clientSecret 31 | restartPolicy: Always 32 | -------------------------------------------------------------------------------- /aks/spn-auth-example/helm/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /aks/spn-auth-example/helm/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: util-example-demployment 3 | description: A Helm chart for Kubernetes 4 | type: application 5 | version: 1.0.1 6 | appVersion: "1.1.0" 7 | -------------------------------------------------------------------------------- /aks/spn-auth-example/helm/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Pod 4 | metadata: 5 | name: utils 6 | spec: 7 | containers: 8 | - image: {{ print .Values.acr_name "/utils:" .Values.build_version | nospace }} 9 | imagePullPolicy: Always 10 | name: utils 11 | restartPolicy: Always 12 | 
-------------------------------------------------------------------------------- /aks/spn-auth-example/helm/values.yaml: -------------------------------------------------------------------------------- 1 | acr_name: "bjd145" 2 | build_version: "3.6" 3 | 4 | -------------------------------------------------------------------------------- /aks/storageclass-removal/cluster-storageclass.tf: -------------------------------------------------------------------------------- 1 | resource "azapi_update_resource" "storageclass" { 2 | depends_on = [ 3 | azurerm_kubernetes_cluster.this 4 | ] 5 | 6 | type = "Microsoft.ContainerService/managedClusters@2022-08-01" 7 | resource_id = azurerm_kubernetes_cluster.this.id 8 | 9 | body = jsonencode({ 10 | properties = { 11 | storageProfile = { 12 | diskCSIDriver = { 13 | enabled = false 14 | }, 15 | fileCSIDriver = { 16 | enabled = false 17 | }, 18 | snapshotController = { 19 | enabled = false 20 | } 21 | } 22 | } 23 | }) 24 | } 25 | -------------------------------------------------------------------------------- /aks/storageclass-removal/kubernetes.tf: -------------------------------------------------------------------------------- 1 | resource "kubernetes_secret" "http-credentials" { 2 | depends_on = [ 3 | azurerm_kubernetes_cluster.this 4 | ] 5 | metadata { 6 | name = "http-credentials" 7 | namespace = "flux-system" 8 | } 9 | 10 | data = { 11 | username = "admin" 12 | password = var.flux_secret_value 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /aks/storageclass-removal/outputs.tf: -------------------------------------------------------------------------------- 1 | output "AKS_RESOURCE_GROUP" { 2 | value = azurerm_kubernetes_cluster.this.resource_group_name 3 | sensitive = false 4 | } 5 | 6 | output "AKS_CLUSTER_NAME" { 7 | value = azurerm_kubernetes_cluster.this.name 8 | sensitive = false 9 | } -------------------------------------------------------------------------------- 
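/aks/storageclass-removal/variables.tf: --------------------------------------------------------------------------------
variable "namespace" {
  description = "The namespace for the workload identity"
  type        = string
  default     = "default"
}

variable "service_mesh_type" {
  description = "Type of Service Mesh for cluster"
  default     = "istio"
}

# Consumed by kubernetes_secret.http-credentials (kubernetes.tf). Marked
# sensitive so the value is redacted from plan/apply output. The default is a
# placeholder only: supply the real value through TF_VAR_flux_secret_value or a
# tfvars file kept out of version control instead of editing it here.
variable "flux_secret_value" {
  description = "The secret value for http-credentials"
  type        = string
  sensitive   = true
  default     = "Super secret value. Never check into github"
}
-------------------------------------------------------------------------------- /aks/vnet-injection/README.md: --------------------------------------------------------------------------------
# Quicksteps
## Complete Environment
```bash
az login --scope https://graph.microsoft.com/.default
task up
```

## Clean up
```bash
task down
```
# Validate
```
kubectl get pods -A
```

# Notes
# Backlog
-------------------------------------------------------------------------------- /aks/vnet-injection/main.tf: --------------------------------------------------------------------------------
resource "random_id" "this" {
  byte_length = 2
}

resource "random_pet" "this" {
  length    = 1
  separator = ""
}

locals {
  location      = var.region
  resource_name = "${random_pet.this.id}-${random_id.this.dec}"
  # API-server allow list: the public egress address of the machine running
  # terraform, as reported by data.http.myip (references.tf) at plan time. An
  # apply from a different network rewrites this list and locks the earlier
  # address out; pass an explicit range through a variable if that is not the
  # intended behaviour.
  authorized_ip_ranges = ["${chomp(data.http.myip.response_body)}/32"]
  environment_type     = "dev"
  k8s_version          = "1.32"
}
-------------------------------------------------------------------------------- /aks/vnet-injection/outputs.tf: --------------------------------------------------------------------------------
output "AKS_RESOURCE_GROUP" {
  value     = module.cluster.AKS_RESOURCE_GROUP
  sensitive = false
}

output "AKS_CLUSTER_NAME" {
  value     = module.cluster.AKS_CLUSTER_NAME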
| sensitive = false 9 | } 10 | 11 | output "AKS_CLUSTER_ID" { 12 | value = module.cluster.AKS_CLUSTER_ID 13 | sensitive = false 14 | } -------------------------------------------------------------------------------- /aks/vnet-injection/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 4" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 2" 11 | } 12 | tls = { 13 | source = "hashicorp/tls" 14 | version = "~> 4" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } 29 | -------------------------------------------------------------------------------- /aks/vnet-injection/references.tf: -------------------------------------------------------------------------------- 1 | data "http" "myip" { 2 | url = "http://checkip.amazonaws.com/" 3 | } 4 | 5 | data "azurerm_client_config" "current" {} 6 | data "azurerm_subscription" "current" {} 7 | 8 | resource "tls_private_key" "rsa" { 9 | algorithm = "RSA" 10 | rsa_bits = 4096 11 | } -------------------------------------------------------------------------------- /aks/windows2022/README.md: -------------------------------------------------------------------------------- 1 | # Quicksteps 2 | ## Complete Environment 3 | ```bash 4 | az login --scope https://graph.microsoft.com/.default 5 | task up 6 | ``` 7 | 8 | ## Clean up 9 | ```bash 10 | task down 11 | ``` 12 | 13 | # Validate 14 | ``` 15 | kubectl get pods -A 16 | ``` 17 | 18 | # Notes 19 | # Backlog -------------------------------------------------------------------------------- /aks/windows2022/manifests/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ama-metrics-settings-configmap.yaml 5 | - windows-exporter-daemonset.yaml 6 | -------------------------------------------------------------------------------- /aks/windows2022/outputs.tf: -------------------------------------------------------------------------------- 1 | output "AKS_RESOURCE_GROUP" { 2 | value = module.aks_cluster.AKS_RESOURCE_GROUP 3 | sensitive = false 4 | } 5 | 6 | output "AKS_CLUSTER_NAME" { 7 | value = module.aks_cluster.AKS_CLUSTER_NAME 8 | sensitive = false 9 | } 10 | 11 | output "AKS_CLUSTER_ID" { 12 | value = module.aks_cluster.AKS_CLUSTER_ID 13 | sensitive = false 14 | } -------------------------------------------------------------------------------- /aks/windows2022/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 4" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 1" 11 | } 12 | } 13 | } 14 | 15 | provider "azurerm" { 16 | features {} 17 | } 18 | 19 | provider "azapi" { 20 | } 21 | -------------------------------------------------------------------------------- /aks/windows2022/references.tf: -------------------------------------------------------------------------------- 1 | data "http" "myip" { 2 | url = "http://checkip.amazonaws.com/" 3 | } 4 | 5 | data "azurerm_client_config" "current" {} 6 | data "azurerm_subscription" "current" {} 7 | 8 | resource "tls_private_key" "rsa" { 9 | algorithm = "RSA" 10 | rsa_bits = 4096 11 | } 12 | 13 | data "azurerm_resource_group" "this" { 14 | depends_on = [module.aks_cluster] 15 | name = module.aks_cluster.AKS_RESOURCE_GROUP 16 | } 17 | 18 | data "azurerm_kubernetes_cluster" "this" { 19 | depends_on = [module.aks_cluster] 20 | name = module.aks_cluster.AKS_CLUSTER_NAME 21 | resource_group_name = 
module.aks_cluster.AKS_RESOURCE_GROUP
22 | }
-------------------------------------------------------------------------------- /aro/basic/identities.tf: --------------------------------------------------------------------------------
# Entra ID application, service principal and client secret for the ARO
# cluster, owned by the identity running terraform.
#
# NOTE(review): time_rotating.ninety_days is declared but never referenced, so
# azuread_application_password.this is never rotated and sets no
# end_date/end_date_relative. To make the 90-day intent effective, add
#   rotate_when_changed = { rotation = time_rotating.ninety_days.id }
# to the password resource, and confirm the consumer of the secret picks up
# the replacement on apply. aro/private/identities.tf has the same shape.
1 | resource "time_rotating" "ninety_days" {
2 | rotation_days = 90
3 | }
4 |
5 | resource "azuread_application" "this" {
6 | display_name = "${local.aro_name}-identity"
7 | owners = [data.azurerm_client_config.current.object_id]
8 | }
9 |
10 | resource "azuread_service_principal" "this" {
11 | client_id = azuread_application.this.client_id
12 | app_role_assignment_required = false
13 | owners = [data.azurerm_client_config.current.object_id]
14 | }
15 |
# NOTE(review): the generated secret value lives in the Terraform state;
# protect the state backend accordingly.
16 | resource "azuread_application_password" "this" {
17 | application_id = azuread_application.this.id
18 | }
19 |
-------------------------------------------------------------------------------- /aro/basic/outputs.tf: --------------------------------------------------------------------------------
1 | output "RESOURCE_GROUP" {
2 | value = azurerm_resource_group.this.name
3 | sensitive = false
4 | }
5 |
6 | output "ARO_NAME" {
7 | value = local.aro_name
8 | sensitive = false
9 | }
10 |
11 | output "ARO_CONSOLE_URL" {
12 | value = azurerm_redhat_openshift_cluster.this.console_url
13 | sensitive = false
14 | }
15 |
16 | output "ARO_API_SERVER_IP" {
17 | value = azurerm_redhat_openshift_cluster.this.api_server_profile[0].ip_address
18 | sensitive = false
19 | }
20 |
21 | output "ARO_INGRESS_IP" {
22 | value = azurerm_redhat_openshift_cluster.this.ingress_profile[0].ip_address
23 | sensitive = false
24 | }
-------------------------------------------------------------------------------- /aro/basic/providers.tf: --------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 1.0"
3 | required_providers {
4 | azurerm = {
5 | source = "hashicorp/azurerm"
6 | version = "~> 4"
7 | }
8 | azapi = {
9 | source = "Azure/azapi"
10 | version =
"~> 1" 11 | } 12 | azuread = { 13 | source = "hashicorp/azuread" 14 | version = "~> 2" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } 29 | -------------------------------------------------------------------------------- /aro/basic/random.tf: -------------------------------------------------------------------------------- 1 | resource "random_id" "this" { 2 | byte_length = 2 3 | } 4 | 5 | resource "random_pet" "this" { 6 | length = 1 7 | separator = "" 8 | } 9 | 10 | resource "random_integer" "vnet_cidr" { 11 | min = 10 12 | max = 250 13 | } 14 | 15 | resource "random_integer" "services_cidr" { 16 | min = 64 17 | max = 90 18 | } 19 | 20 | resource "random_integer" "pod_cidr" { 21 | min = 91 22 | max = 127 23 | } 24 | -------------------------------------------------------------------------------- /aro/basic/references.tf: -------------------------------------------------------------------------------- 1 | data "azurerm_client_config" "current" {} 2 | data "azurerm_subscription" "current" {} 3 | 4 | data "http" "myip" { 5 | url = "http://checkip.amazonaws.com/" 6 | } 7 | -------------------------------------------------------------------------------- /aro/basic/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "Region to deploy resources to" 3 | } 4 | 5 | variable "aro_rp_aad_sp_object_id" { 6 | description = "Azure Red Hat OpenShift RP" 7 | type = string 8 | } 9 | 10 | variable "tags" { 11 | description = "Tags to apply to all resources" 12 | } 13 | 14 | variable "domain" { 15 | description = "Domain name" 16 | type = string 17 | } 18 | -------------------------------------------------------------------------------- /aro/private/identities.tf: -------------------------------------------------------------------------------- 1 | 
resource "time_rotating" "ninety_days" { 2 | rotation_days = 90 3 | } 4 | 5 | resource "azuread_application" "this" { 6 | display_name = "${local.aro_name}-identity" 7 | owners = [data.azurerm_client_config.current.object_id] 8 | } 9 | 10 | resource "azuread_service_principal" "this" { 11 | client_id = azuread_application.this.client_id 12 | app_role_assignment_required = false 13 | owners = [data.azurerm_client_config.current.object_id] 14 | } 15 | 16 | resource "azuread_application_password" "this" { 17 | application_id = azuread_application.this.id 18 | } 19 | -------------------------------------------------------------------------------- /aro/private/outputs.tf: -------------------------------------------------------------------------------- 1 | output "RESOURCE_GROUP" { 2 | value = azurerm_resource_group.this.name 3 | sensitive = false 4 | } 5 | 6 | output "ARO_NAME" { 7 | value = local.aro_name 8 | sensitive = false 9 | } 10 | 11 | output "ARO_CONSOLE_URL" { 12 | value = azurerm_redhat_openshift_cluster.this.console_url 13 | } -------------------------------------------------------------------------------- /aro/private/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "~> 4" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "~> 1" 11 | } 12 | azuread = { 13 | source = "hashicorp/azuread" 14 | version = "~> 2" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azapi" { 28 | } 29 | -------------------------------------------------------------------------------- /aro/private/random.tf: -------------------------------------------------------------------------------- 1 | resource "random_id" "this" { 2 | byte_length = 2 3 | } 4 | 5 | resource 
"random_pet" "this" { 6 | length = 1 7 | separator = "" 8 | } 9 | 10 | resource "random_integer" "vnet_cidr" { 11 | min = 10 12 | max = 250 13 | } 14 | 15 | resource "random_integer" "services_cidr" { 16 | min = 64 17 | max = 90 18 | } 19 | 20 | resource "random_integer" "pod_cidr" { 21 | min = 91 22 | max = 127 23 | } 24 | 25 | resource "random_password" "password" { 26 | length = 30 27 | special = true 28 | override_special = "!@#^&*()_+" 29 | min_lower = 1 30 | min_numeric = 2 31 | min_special = 1 32 | min_upper = 1 33 | } 34 | -------------------------------------------------------------------------------- /aro/private/references.tf: -------------------------------------------------------------------------------- 1 | data "azurerm_client_config" "current" {} 2 | data "azurerm_subscription" "current" {} 3 | 4 | data "http" "myip" { 5 | url = "http://checkip.amazonaws.com/" 6 | } 7 | -------------------------------------------------------------------------------- /aro/private/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | description = "Region to deploy resources to" 3 | } 4 | 5 | variable "aro_rp_aad_sp_object_id" { 6 | description = "Azure Red Hat OpenShift RP" 7 | type = string 8 | } 9 | 10 | variable "tags" { 11 | description = "Tags to apply to all resources" 12 | } 13 | 14 | variable "domain" { 15 | description = "Domain name" 16 | type = string 17 | } 18 | -------------------------------------------------------------------------------- /aro/workload-identity-support.md: -------------------------------------------------------------------------------- 1 | # Reference 2 | 3 | - [ARO Support Workload Identity](https://access.redhat.com/solutions/7044926) -------------------------------------------------------------------------------- /demo-apps/httpbin/azure-pipeline-build.yaml: -------------------------------------------------------------------------------- 1 | pool: 2 | vmImage: 
'Ubuntu 20.04'
3 |
4 | variables:
5 | dockerid: 'bjdcsa'
# NOTE(review): imageName is not referenced by the steps below; the push goes
# to repository "httpdemo" on the registry named in the login task.
6 | imageName: 'bjdcsa.azurecr.io/httpbin:latest'
7 |
8 | steps:
9 | - task: Docker@2
10 | displayName: Login to ACR
11 | inputs:
12 | command: login
13 | containerRegistry: bjdcsa.azurecr.io
14 | - task: Docker@2
15 | displayName: Build and Push
16 | inputs:
17 | command: buildAndPush
18 | repository: httpdemo
19 | buildContext: example-python
20 | Dockerfile: example-python/dockerfile
21 | addPipelineData: false
# A mutable "latest" tag and an immutable per-build tag are both pushed;
# deployments should reference the build-id tag (or the digest) so that what
# runs is traceable to one specific build.
22 | tags: |
23 | latest
24 | $(Build.BuildId)
25 |
-------------------------------------------------------------------------------- /demo-apps/httpbin/chart/Chart.yaml: --------------------------------------------------------------------------------
1 | apiVersion: v2
2 | name: httpbin
3 | description: A Helm chart for Kubernetes to deploy the sample httpbin application
4 | type: application
5 | version: 1.0.0
6 | appVersion: "1.0.0"
7 |
-------------------------------------------------------------------------------- /demo-apps/httpbin/chart/values.yaml: --------------------------------------------------------------------------------
1 | replicaCount: 1
2 |
3 | image:
4 | repository: gelding36358acr.azurecr.io
5 | tag: 5adab37f2
6 |
-------------------------------------------------------------------------------- /demo-apps/httpbin/dockerfile: --------------------------------------------------------------------------------
# httpbin served by gunicorn on port 8080, built on Alpine 3.18.
#
# NOTE(review): there is no USER instruction, so the process runs as root
# inside the container; gunicorn binds an unprivileged port, so adding a
# dedicated user (adduser -D + USER) should work without further changes.
# The pip3 install step is unpinned, so the image is not reproducible and
# silently picks up whatever gunicorn/httpbin publish next; pin versions
# (ideally with --require-hashes). build-base stays in the final image: the
# cleanup step only removes python3-dev.
1 | #FROM alpine:3.16.5
2 | #FROM alpine:3.18.5
3 | FROM alpine:3.18
4 |
5 | RUN apk add --update \
6 | python3 \
7 | python3-dev \
8 | py3-pip \
9 | py3-setuptools \
10 | build-base \
11 | py3-cffi
12 |
13 | RUN pip3 install -U pip
14 | RUN pip3 install gunicorn httpbin
15 |
16 | RUN echo '#!/bin/sh' > run.sh \
17 | && echo 'gunicorn --bind=0.0.0.0:8080 httpbin:app' >> run.sh \
18 | && chmod +x run.sh
19 |
20 | RUN rm -rf /var/cache/apk/* \
21 | && apk del python3-dev
22 |
23 | EXPOSE 8080
24 | CMD ["./run.sh"]
25 |
-------------------------------------------------------------------------------- /demo-apps/otel-prometheus/chart/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: otel-demo 3 | description: A Helm chart for Kubernetes 4 | type: application 5 | version: 1.0.0 6 | appVersion: "2.0.0" 7 | -------------------------------------------------------------------------------- /demo-apps/otel-prometheus/chart/templates/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: {{ .Values.NAMESPACE }} -------------------------------------------------------------------------------- /demo-apps/otel-prometheus/chart/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: {{ .Values.WORKLOAD_ID.NAME }} 5 | namespace: {{ .Values.NAMESPACE }} 6 | annotations: 7 | azure.workload.identity/client-id: {{ .Values.WORKLOAD_ID.CLIENT_ID }} 8 | azure.workload.identity/tenant-id: {{ .Values.WORKLOAD_ID.TENANT_ID }} 9 | labels: 10 | azure.workload.identity/use: "true" -------------------------------------------------------------------------------- /demo-apps/otel-prometheus/chart/values.yaml: -------------------------------------------------------------------------------- 1 | NAMESPACE : "prometheus-demo" 2 | GIT_COMMIT_VERSION : "26a16616" 3 | SERVICE_PORT : 5000 4 | 5 | ACR: 6 | NAME : "bjd145" 7 | 8 | WORKLOAD_ID: 9 | NAME : "" 10 | CLIENT_ID : "" 11 | TENANT_ID : "" 12 | 13 | APP_INSIGHTS: 14 | CONNECTION_STRING : "" 15 | 16 | DEPLOY_ON: 17 | WINDOWS : false -------------------------------------------------------------------------------- /demo-apps/otel-prometheus/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM 
mcr.microsoft.com/dotnet/sdk:8.0-jammy AS build-env 2 | WORKDIR /src 3 | 4 | COPY . ./ 5 | RUN dotnet restore 6 | RUN dotnet publish -c Release -o publish/linux --no-restore 7 | 8 | FROM mcr.microsoft.com/dotnet/runtime-deps:8.0-jammy 9 | WORKDIR /app 10 | COPY --from=build-env /src/publish/linux/otel-prometheus . 11 | EXPOSE 5000 12 | ENTRYPOINT ["/app/otel-prometheus"] 13 | -------------------------------------------------------------------------------- /demo-apps/otel-prometheus/src/Dockerfile.Windows: -------------------------------------------------------------------------------- 1 | FROM mcr.microsoft.com/dotnet/sdk:8.0-nanoserver-ltsc2022 AS build-env 2 | WORKDIR /src 3 | 4 | USER Administrator 5 | 6 | COPY . ./ 7 | RUN dotnet restore 8 | RUN dotnet publish -c Release -r win-x64 --self-contained --nologo -o publish/windows 9 | 10 | FROM mcr.microsoft.com/dotnet/runtime:8.0-nanoserver-ltsc2022 11 | WORKDIR /app 12 | COPY --from=build-env /src/publish/windows . 13 | EXPOSE 5000 14 | ENTRYPOINT ["/app/otel-prometheus"] -------------------------------------------------------------------------------- /demo-apps/otel-prometheus/src/GlobalUsing.cs: -------------------------------------------------------------------------------- 1 | global using System.Diagnostics; 2 | global using System.Diagnostics.Metrics; 3 | 4 | global using Microsoft.AspNetCore.Mvc; 5 | global using Microsoft.Extensions.DependencyInjection; 6 | global using Azure.Monitor.OpenTelemetry.AspNetCore; 7 | 8 | global using OpenTelemetry; 9 | global using OpenTelemetry.Metrics; 10 | global using OpenTelemetry.Trace; 11 | global using OpenTelemetry.Logs; 12 | global using OpenTelemetry.Resources; 13 | 14 | global using OpenTelemetry.Exporter; 15 | global using OpenTelemetry.Exporter.Prometheus; -------------------------------------------------------------------------------- /demo-apps/otel-prometheus/src/WeatherForecast.cs: 
-------------------------------------------------------------------------------- 1 | public class WeatherForecast 2 | { 3 | public DateOnly Date { get; set; } 4 | 5 | public int TemperatureC { get; set; } 6 | 7 | public int TemperatureF => 32 + (int)(TemperatureC / 0.5556); 8 | 9 | public string? Summary { get; set; } 10 | } 11 | -------------------------------------------------------------------------------- /demo-apps/otel-prometheus/src/appsettings.json: -------------------------------------------------------------------------------- 1 | { 2 | "Logging": { 3 | "LogLevel": { 4 | "Default": "Information", 5 | "Microsoft.AspNetCore": "Warning" 6 | } 7 | }, 8 | "AllowedHosts": "*" 9 | } 10 | -------------------------------------------------------------------------------- /demo-apps/todo/chart/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /demo-apps/todo/chart/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: Todo-with-Workload-Identities 3 | description: A demo todo application that utlizies Azure Workload Identities for authentication to Azure resources 4 | type: application 5 | version: 0.0.1 6 | appVersion: "1.0.0" 7 | -------------------------------------------------------------------------------- /demo-apps/todo/chart/values.yaml: -------------------------------------------------------------------------------- 1 | NAMESPACE: 'todo-app' -------------------------------------------------------------------------------- /demo-apps/todo/infrastructure/identities.tf: -------------------------------------------------------------------------------- 1 | resource "azurerm_user_assigned_identity" "aks_pod_identity" { 2 | name = local.workload-identity 3 | resource_group_name = azurerm_resource_group.this.name 4 | location = azurerm_resource_group.this.location 5 | } 6 | 7 | resource "azurerm_federated_identity_credential" "aks_pod_identity" { 8 | name = local.workload-identity 9 | resource_group_name = azurerm_resource_group.this.name 10 | audience = ["api://AzureADTokenExchange"] 11 | issuer = data.azurerm_kubernetes_cluster.this.oidc_issuer_url 12 | parent_id = azurerm_user_assigned_identity.aks_pod_identity.id 13 | subject = "system:serviceaccount:${var.namespace}:${local.workload-identity}" 14 | } -------------------------------------------------------------------------------- /demo-apps/todo/infrastructure/providers.tf: 
-------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "3.69.0" 7 | } 8 | azapi = { 9 | source = "Azure/azapi" 10 | version = "1.1.0" 11 | } 12 | azuread = { 13 | source = "hashicorp/azuread" 14 | version = "2.29.0" 15 | } 16 | } 17 | } 18 | 19 | provider "azurerm" { 20 | features { 21 | resource_group { 22 | prevent_deletion_if_contains_resources = false 23 | } 24 | } 25 | } 26 | 27 | provider "azuread" { 28 | } -------------------------------------------------------------------------------- /demo-apps/todo/infrastructure/references.tf: -------------------------------------------------------------------------------- 1 | data azurerm_kubernetes_cluster this { 2 | name = var.aks_name 3 | resource_group_name = var.aks_rg_name 4 | } 5 | 6 | data "azurerm_application_insights" "this" { 7 | name = var.ai_name 8 | resource_group_name = var.ai_rg_name 9 | } -------------------------------------------------------------------------------- /gke/basic/network.tf: -------------------------------------------------------------------------------- 1 | resource "google_compute_network" "vpc" { 2 | name = "${var.project_id}-vpc" 3 | auto_create_subnetworks = "false" 4 | } 5 | 6 | resource "google_compute_subnetwork" "subnet" { 7 | name = "${var.project_id}-subnet" 8 | region = var.region 9 | network = google_compute_network.vpc.name 10 | ip_cidr_range = "10.10.0.0/24" 11 | } -------------------------------------------------------------------------------- /gke/basic/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | google = { 4 | source = "hashicorp/google" 5 | version = "4.27.0" 6 | } 7 | } 8 | 9 | required_version = ">= 0.14" 10 | } 11 | 12 | 13 | provider "google" { 14 | project = var.project_id 15 | region = var.region 16 | zone = 
"us-central1-c" 17 | } -------------------------------------------------------------------------------- /gke/basic/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project_id" { 2 | type = string 3 | default = "default" 4 | } 5 | 6 | variable "region" { 7 | type = string 8 | default = "us-central1" 9 | } 10 | -------------------------------------------------------------------------------- /jobs/istio-sidecarcontainer-test-job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: pi-job-test 5 | labels: 6 | istio.io/rev: asm-1-21 7 | --- 8 | apiVersion: batch/v1 9 | kind: Job 10 | metadata: 11 | name: pi 12 | namespace: pi-job-test 13 | spec: 14 | template: 15 | spec: 16 | containers: 17 | - name: pi 18 | image: perl:5.34.0 19 | command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"] 20 | restartPolicy: Never 21 | backoffLimit: 4 22 | 23 | -------------------------------------------------------------------------------- /namespace/cpu-limits.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: LimitRange 3 | metadata: 4 | name: cpu-limit-range 5 | spec: 6 | limits: 7 | - default: 8 | cpu: 1 9 | defaultRequest: 10 | cpu: 0.5 11 | type: Container 12 | 13 | -------------------------------------------------------------------------------- /namespace/memory-limits.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: LimitRange 3 | metadata: 4 | name: mem-min-max-demo-lr 5 | spec: 6 | limits: 7 | - default: 8 | memory: 512Mi 9 | max: 10 | memory: 1Gi 11 | min: 12 | memory: 500Mi 13 | type: Container 14 | 15 | -------------------------------------------------------------------------------- /namespace/namespace-taints-annotation.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: dapr-system 5 | annotations: 6 | scheduler.alpha.kubernetes.io/defaultTolerations: '[{"key": "reservedFor", "operator": "Equal", "effect": "NoSchedule", "value": "eShopOnDapr"}]' 7 | -------------------------------------------------------------------------------- /namespace/quotas.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ResourceQuota 3 | metadata: 4 | name: mem-cpu-demo 5 | spec: 6 | hard: 7 | pods: "2" 8 | requests.cpu: "1" 9 | requests.memory: 1Gi 10 | limits.cpu: "2" 11 | limits.memory: 2Gi 12 | 13 | -------------------------------------------------------------------------------- /network-policies/allow-traffic-labels.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: backend-policy 5 | namespace: development 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: webapp 10 | role: backend 11 | ingress: 12 | - from: 13 | - namespaceSelector: {} 14 | podSelector: 15 | matchLabels: 16 | app: webapp 17 | role: frontend -------------------------------------------------------------------------------- /network-policies/allow-traffic-namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: backend-policy 5 | namespace: development 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: webapp 10 | role: backend 11 | ingress: 12 | - from: 13 | - namespaceSelector: 14 | matchLabels: 15 | purpose: development 16 | podSelector: 17 | matchLabels: 18 | app: webapp 19 | role: frontend -------------------------------------------------------------------------------- /network-policies/deny-all-traffic.yaml: 
--------------------------------------------------------------------------------
# Default-deny ingress for the backend pods: an empty ingress list admits no
# source. policyTypes is omitted, so it is inferred as [Ingress] only -- this
# policy does not restrict egress.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: backend-policy
  namespace: development
spec:
  podSelector:
    matchLabels:
      app: webapp
      role: backend
  ingress: []
--------------------------------------------------------------------------------
/persistent-volumes/azfiles-pod.yaml:
--------------------------------------------------------------------------------
# 100Gi ReadWriteMany claim against the bjd-azurefiles StorageClass (defined in
# azfiles-storageclass.yaml).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bjd-azurefiles-pvc
spec:
  accessModes:
  - ReadWriteMany
  storageClassName: bjd-azurefiles
  resources:
    requests:
      storage: 100Gi
---
# Utility pod mounting the claim at /mnt/files. The image is pulled by mutable
# tag (bjd145/utils:2.5) with no digest pin, and the pod declares no
# securityContext or resource requests/limits.
kind: Pod
apiVersion: v1
metadata:
  name: bjdutils-azfiles
spec:
  containers:
  - name: bjdutils-azfiles
    image: bjd145/utils:2.5
    volumeMounts:
    - mountPath: "/mnt/files"
      name: volume
  volumes:
  - name: volume
    persistentVolumeClaim:
      claimName: bjd-azurefiles-pvc

--------------------------------------------------------------------------------
/persistent-volumes/azfiles-storageclass.yaml:
--------------------------------------------------------------------------------
# Azure Files StorageClass on the in-tree kubernetes.io/azure-file provisioner.
# dir_mode/file_mode=0777 with uid=0/gid=0 makes every file on a share mounted
# through this class world-readable and world-writable inside the pod, owned by
# root: any process in any pod that mounts the same share can read and modify
# all of its contents. Tighten the modes (and set uid/gid to the workload's user)
# unless the share is deliberately shared read-write by all consumers. The
# in-tree azure-file provisioner has been superseded by the CSI driver; the
# sibling storage-files-dynamic.yaml already uses azurefile-csi-premium --
# consider aligning.
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: bjd-azurefiles
provisioner: kubernetes.io/azure-file
mountOptions:
- dir_mode=0777
- file_mode=0777
- uid=0
- gid=0
- mfsymlinks
- cache=strict
parameters:
  skuName: Premium_LRS

--------------------------------------------------------------------------------
/persistent-volumes/azfiles1tb-pod.yaml:
--------------------------------------------------------------------------------
# 1000Gi ReadWriteMany claim on the same bjd-azurefiles StorageClass (see the
# 0777 mount-mode note on that class).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bjd-azurefiles1tb-pvc
spec:
  accessModes:
  - ReadWriteMany
  storageClassName: bjd-azurefiles
  resources:
# (continuation of /persistent-volumes/azfiles1tb-pod.yaml)
    requests:
      storage: 1000Gi
---
# Utility pod mounting the 1000Gi claim at /mnt/files. Same caveats as the 100Gi
# variant: mutable image tag without a digest pin, no securityContext, no
# resource requests/limits.
kind: Pod
apiVersion: v1
metadata:
  name: bjdutils1tb-azfiles
spec:
  containers:
  - name: bjdutils1tb-azfiles
    image: bjd145/utils:2.5
    volumeMounts:
    - mountPath: "/mnt/files"
      name: volume
  volumes:
  - name: volume
    persistentVolumeClaim:
      claimName: bjd-azurefiles1tb-pvc

--------------------------------------------------------------------------------
/persistent-volumes/fio-test-cmd.txt:
--------------------------------------------------------------------------------
fio --name=seqread --rw=read --direct=1 --ioengine=libaio --bs=8k --numjobs=8 --size=1G --runtime=600 --group_reporting
--------------------------------------------------------------------------------
/persistent-volumes/storage-disks.yaml:
--------------------------------------------------------------------------------
# 5Gi ReadWriteOnce claim on the managed-premium (Azure Disk) StorageClass.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: azure-managed-disk
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: managed-premium
  resources:
    requests:
      storage: 5Gi
---
# nginx pod mounting the disk at /mnt/azure. nginx:1.15.5-alpine is an old
# release line; pin a current image (by digest) and scan it before reuse. No
# securityContext or resources are declared.
kind: Pod
apiVersion: v1
metadata:
  name: nginx-disk
spec:
  containers:
  - name: myfrontend
    image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine
    volumeMounts:
    - mountPath: "/mnt/azure"
      name: volume
  volumes:
  - name: volume
    persistentVolumeClaim:
      claimName: azure-managed-disk

--------------------------------------------------------------------------------
/persistent-volumes/storage-files-dynamic.yaml:
--------------------------------------------------------------------------------
# 50Gi ReadWriteMany claim dynamically provisioned through the Azure Files CSI
# driver class (azurefile-csi-premium).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: azure-managed-files
spec:
  accessModes:
  - ReadWriteMany
  storageClassName: azurefile-csi-premium
  resources:
    requests:
      storage: 50Gi
---
kind: Pod
apiVersion: v1
metadata:
  name: nginx-files
  annotations:
    # Opts this pod out of Istio sidecar injection.
    sidecar.istio.io/inject: "false"
spec:
  containers:
  - name: myfrontend
    image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine
    volumeMounts:
    - mountPath: "/mnt/azure"
      name: volume
  volumes:
  - name: volume
    persistentVolumeClaim:
      claimName: azure-managed-files

--------------------------------------------------------------------------------
/persistent-volumes/storage-files-static.yaml:
--------------------------------------------------------------------------------
# Static Azure Files mount. The storage account name and key are embedded here as
# base64 -- that is encoding, not encryption, so this manifest is a credential
# living in source control. The key value shown is truncated ("......"), so this
# copy is not usable as-is, but if a real key was ever committed under this path
# it should be rotated. Prefer creating the Secret out of band (or through the
# Secrets Store CSI driver / Key Vault) and keeping only the reference in git.
# Note: the account-name value ends in "Cg==", i.e. it decodes to the name
# followed by a newline -- typical of `echo` without -n -- which is likely to
# break the mount; re-encode with `printf`/`echo -n`.
apiVersion: v1
kind: Secret
metadata:
  name: azfiles-secret
type: Opaque
data:
  azurestorageaccountname: Ympkc2hhcmVzMDAyCg==
  azurestorageaccountkey: LzN3RUFJR1ZUVHJ......
---
# nginx pod mounting the share "simple" inline through the in-tree azureFile
# volume type, authenticating with the Secret above; sidecar injection disabled.
kind: Pod
apiVersion: v1
metadata:
  name: nginx-files
  annotations:
    sidecar.istio.io/inject: "false"
spec:
  containers:
  - name: myfrontend
    image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine
    volumeMounts:
    - mountPath: "/mnt/azure"
      name: volume
  volumes:
  - name: volume
    azureFile:
      secretName: azfiles-secret
      shareName: simple

--------------------------------------------------------------------------------
/pods/busybox.yml:
--------------------------------------------------------------------------------
# Long-running scratch pod (sleeps an hour, restarted Always). The image has no
# tag, so it resolves to the mutable :latest; pin a tag or digest for anything
# beyond ad-hoc debugging.
apiVersion: v1
kind: Pod
metadata:
  name: busybox
spec:
  containers:
  - image: busybox
    command:
    - sleep
    - "3600"
    imagePullPolicy: IfNotPresent
    name: busybox
  restartPolicy: Always

--------------------------------------------------------------------------------
/pods/downwardapi.yml:
--------------------------------------------------------------------------------
# Downward API example: the pod's own labels and annotations are projected into
# files under /pod-info. Anything placed in annotations becomes readable by the
# container, so keep secrets out of pod annotations when this pattern is used.
apiVersion: v1
kind: Pod
metadata:
  name: random-generator
  labels:
    app: random-generator
spec:
  containers:
  - name: random-generator
    image:
k8spatterns/random-generator:1.0
    volumeMounts:
    - name: pod-info
      mountPath: /pod-info
  volumes:
  - name: pod-info
    # Projects metadata.labels and metadata.annotations as the files
    # /pod-info/labels and /pod-info/annotations.
    downwardAPI:
      items:
      - path: labels
        fieldRef:
          fieldPath: metadata.labels
      - path: annotations
        fieldRef:
          fieldPath: metadata.annotations
--------------------------------------------------------------------------------
/roles/aad-groups.yaml:
--------------------------------------------------------------------------------
# Role granting every verb on every resource in the core, extensions and apps API
# groups inside "dev" -- that includes secrets, so despite the group's name this
# is full namespace admin rather than a security-admin scope. batch Jobs and
# CronJobs are added explicitly.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-full-access
  namespace: dev
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
---
# Binds the role to an Azure AD group by object id. `namespace:` on a Group
# subject is ignored by RBAC (it is only meaningful for ServiceAccount subjects);
# the binding's own metadata.namespace is what scopes it to "dev".
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-access-binding
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-user-full-access
subjects:
- kind: Group
  namespace: dev
  name: ce77ce31-ea7d-4787-aa40-e56b530996da #Custom Group named - AKSSecurityAdmins
--------------------------------------------------------------------------------
/roles/aad-users.yaml:
--------------------------------------------------------------------------------
# Read-only access to pods. No metadata.namespace is set on either object, so
# they land in whatever namespace the applying kubectl context uses. The
# autoupdate annotation drives the API server's reconciliation of its built-in
# default roles; on a custom Role it appears to have no effect -- presumably
# carried over from an upstream example.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: namespace-reader
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
# Binds namespace-reader to a single Azure AD user principal.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: namespace-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: john@bjdazure.tech

--------------------------------------------------------------------------------
/roles/cluster-admin-role.yaml:
--------------------------------------------------------------------------------
# This redefines the built-in "cluster-admin" ClusterRole with the same wildcard
# rules (all verbs on all resources in all API groups, plus all non-resource
# URLs). Applying it changes nothing functionally, but it creates a second source
# of truth for the most powerful role in the cluster; the API server reconciles
# the default cluster-admin role on startup (which is what the autoupdate
# annotation controls), so any local narrowing of these rules would be reverted.
# Keep this file out of deployment pipelines -- bind the existing role instead,
# and audit who holds it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
--------------------------------------------------------------------------------
/roles/istio.yaml:
--------------------------------------------------------------------------------

# Full control over Istio VirtualServices (networking.istio.io), granted
# cluster-wide below. Whoever holds this can redirect traffic for any service in
# the mesh, so treat it as a privileged role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-istio-role
rules:
- apiGroups:
  - networking.istio.io
  resources:
  - virtualservices
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
  - get
  - list
  - watch
---
# ClusterRoleBinding: the user gets the role in every namespace. If the intent is
# a single namespace, reference the ClusterRole from a namespaced RoleBinding
# instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-istio-role-binding
roleRef:
  kind: ClusterRole
  name: example-istio-role
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: john@bjdazure.tech

--------------------------------------------------------------------------------
/windows/dockerfile.iis.ssl:
--------------------------------------------------------------------------------
# IIS on Windows Server Core 2022 with an HTTPS binding built from a PFX supplied
# at build time. Both build args are sensitive: ARG values consumed by a RUN step
# are recorded in the image's build history (`docker history`), and the PFX
# COPYed into /app persists in this layer even if a later step deletes it. Prefer
# BuildKit secrets (RUN --mount=type=secret, where the Windows builder supports
# it) or binding the certificate at deploy time instead of baking it into the
# image.
FROM mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2022

ARG PASS
ARG CERT

WORKDIR /app
COPY $CERT .
# Imports the PFX into LocalMachine\My using the password from $ENV:PASS, adds a
# port-443 HTTPS binding to the default site and attaches the certificate.
# Remove-Item at the end only affects this layer: the COPY layer that brought the
# PFX in still contains the file, and the PASS build arg remains visible in the
# image history, so neither the key material nor its password is actually
# removed from the final image.
RUN powershell.exe -Command \
    Import-Module WebAdministration; \
    $site = 'Default Web Site'; \
    $certStore = 'Cert:\LocalMachine\My'; \
    $secure = ConvertTo-SecureString -String $ENV:PASS -AsPlainText -Force; \
    $cert = Import-PfxCertificate -FilePath $ENV:CERT -CertStoreLocation $certStore -Password $secure; \
    New-WebBinding -Name $site -IP * -Port 443 -Protocol https; \
    $binding = Get-WebBinding -Name $site -Protocol https; \
    $binding.AddSslCertificate( $cert.Thumbprint, 'My' ); \
    Remove-Item $ENV:CERT -Force

EXPOSE 443
--------------------------------------------------------------------------------
/windows/legacy/Register-Win2K22AksSupport.ps1:
--------------------------------------------------------------------------------
# Registers an Azure feature flag and polls until registration completes.
# Defect: both parameters are [Parameter(Mandatory=$true)] AND carry a default
# value. PowerShell never applies a default to a mandatory parameter, so the
# caller is prompted on every run and the defaults are dead code -- drop either
# Mandatory or the defaults.
param(
    [Parameter(Mandatory=$true)]
    [string] $FeatureName = "AKSWindows2022Preview",
    [Parameter(Mandatory=$true)]
    [string] $NameSpace = "Microsoft.ContainerService"
)

az feature register --namespace $NameSpace --name $FeatureName

# Returns the registration state of features whose name contains $FeatureName.
# contains() is a substring match, so a feature name that is a prefix of another
# can yield several states at once, which the caller then compares with a single
# string -- TODO verify only one feature matches the names used here.
function Get-FeatureState
{
    param(
        [string] $FeatureName
    )
    return (az feature list -o tsv --query "[?contains(name,'$FeatureName')].`{State:properties.state}")
}

# Poll once a minute until the state is no longer "Registering".
while ( (Get-FeatureState -FeatureName "$NameSpace/$FeatureName") -eq "Registering" ) {
    Write-Host "."
-NoNewline
    Start-Sleep -Seconds 60
}

# The provider namespace is hard-coded here although $NameSpace is a parameter:
# passing a different -NameSpace registers the feature under that provider but
# then (re)registers Microsoft.ContainerService regardless. Presumably the
# intent is `az provider register --namespace $NameSpace`.
az provider register --namespace Microsoft.ContainerService
--------------------------------------------------------------------------------
/windows/legacy/assets/curl.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/briandenicola/kubernetes/58bd50cc72d8f7f5a6166c00ed29cda9076991a6/windows/legacy/assets/curl.png
--------------------------------------------------------------------------------
/windows/legacy/assets/nodes.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/briandenicola/kubernetes/58bd50cc72d8f7f5a6166c00ed29cda9076991a6/windows/legacy/assets/nodes.png
--------------------------------------------------------------------------------
/windows/legacy/assets/pods.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/briandenicola/kubernetes/58bd50cc72d8f7f5a6166c00ed29cda9076991a6/windows/legacy/assets/pods.png
--------------------------------------------------------------------------------
/windows/legacy/assets/services.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/briandenicola/kubernetes/58bd50cc72d8f7f5a6166c00ed29cda9076991a6/windows/legacy/assets/services.png
--------------------------------------------------------------------------------
/windows/legacy/assets/windows.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/briandenicola/kubernetes/58bd50cc72d8f7f5a6166c00ed29cda9076991a6/windows/legacy/assets/windows.png
--------------------------------------------------------------------------------
/windows/windows-iis-win22.yaml:
--------------------------------------------------------------------------------
# Stock IIS pod (plain HTTP on port 80) pinned to Windows Server 2022 nodes.
apiVersion: v1
kind: Pod
metadata:
  name: iis-windows2022
  labels:
    web_server: iis
    os: windows2022
spec:
  containers:
  # Runs the unmodified IIS base image, so only HTTP/80 is served; the TLS-enabled
  # variant built by windows/dockerfile.iis.ssl (port 443) is not what this pod
  # uses.
  - image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2022
    name: iis
    ports:
    - containerPort: 80
    resources:
      requests:
        memory: "1024Mi"
        cpu: "500m"
      limits:
        memory: "2048Mi"
        # 1024m is 1.024 CPU, slightly more than one core -- presumably "1000m"
        # (or "1") was intended.
        cpu: "1024m"
  # Schedule only onto Windows nodes that carry the role=applications NoSchedule
  # taint.
  nodeSelector:
    kubernetes.io/os: windows
  tolerations:
  - key: role
    operator: Equal
    value: applications
    effect: NoSchedule
--------------------------------------------------------------------------------