├── README.md ├── k3s ├── helm │ ├── HELMVERSION │ ├── .dockerignore │ ├── helmRepoAdd.sh │ ├── containerImageBuild.sh │ ├── rbac-tiller.yaml │ ├── downloadHelm.sh │ └── downloadKubectl.sh ├── install-k3s-master.sh ├── Dockerfile ├── install-k3s-node.sh ├── azpagent.yaml ├── installRaspbian.sh └── start.sh ├── .gitignore ├── iotedge ├── acrbuild │ ├── .dockerignore │ ├── go-webapp │ │ ├── main.go │ │ └── index.html │ └── Dockerfile ├── webserver │ ├── .dockerignore │ ├── script │ │ └── chmodQemu.sh │ ├── go-webapp │ │ ├── webapp │ │ ├── main.go │ │ └── index.html │ └── Dockerfile ├── vk-iot-edge.tgz └── templates │ ├── multiarch │ ├── tempsensor.yaml │ └── tempsensor-asa.yaml │ ├── amd64 │ ├── tempsensor-ml.yaml │ └── tempsensor-function.yaml │ └── arm32v7 │ ├── go-webapp-arm.yaml │ └── tempsensor-function-arm.yaml ├── containerImages └── linux │ └── go-webapp │ ├── .dockerignore │ ├── Dockerfile │ └── go-webapp │ ├── main.go │ └── index.html ├── gvisor ├── Dockerfile ├── runtime-class.yaml ├── nginx.yaml ├── install-gvisor.sh ├── run.sh ├── config.toml └── daemon-set.yaml ├── fluent-bit ├── namespace.yaml ├── azure-data-explorer │ ├── namespace.yaml │ ├── service-account.yaml │ ├── cluster-role.yaml │ ├── cluster-role-binding.yaml │ ├── deploy-fluent-bit-adx.sh │ ├── deploy-fluent-bit-kafka.sh │ ├── adx-output │ │ └── daemon-set.yaml │ └── kafka-output │ │ └── daemon-set.yaml ├── service-account.yaml ├── azure-data-explorer-kubernetes-events │ ├── namespace.yaml │ ├── service-account.yaml │ ├── pvc.yaml │ ├── cluster-role.yaml │ ├── cluster-role-binding.yaml │ ├── storage-class.yaml │ ├── deploy.sh │ └── deployment.yaml ├── cluster-role.yaml ├── cluster-role-binding.yaml ├── deploy-fluent-bit.sh └── daemon-set.yaml ├── envoy-ratelimit ├── namespace.yaml ├── peer-authentication.yaml ├── setup.sh ├── create-secret.sh ├── network-policy.yaml ├── container-azm-ms-agentconfig.yaml ├── envoyfilter-global.yaml └── config-map.yaml ├── ssh ├── startSshContainer.sh └── 
configureSshContainer.sh ├── helm ├── charts │ ├── function-figlet │ │ ├── Chart.yaml │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── hpa.yaml │ │ │ ├── deployment.yaml │ │ │ └── service.yaml │ │ ├── .helmignore │ │ └── values.yaml │ └── function-akscnicalc │ │ ├── Chart.yaml │ │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── hpa.yaml │ │ ├── deployment.yaml │ │ └── service.yaml │ │ ├── .helmignore │ │ └── values.yaml └── rbac-tiller.yaml ├── mssql ├── mssql-sapassword.yaml ├── mssql-diskstorage.yaml ├── mssql-filestorage.yaml └── mssql.yaml ├── acs-engine ├── README.md ├── kubernetes_custom_vnet_private_master.json └── kubernetes_custom_network_config_private_master.json ├── on-azure ├── README.md ├── deploy_AKS.sh └── deploy_AKS.ps1 ├── ACI-connector ├── README.md ├── secrets.yaml ├── credentials.json └── aciconnector.yaml ├── istio ├── istio-1.6-global-mtls-enabled.yaml ├── istio-1.21.yaml ├── istio-1.6.yaml ├── istio-1.7.yaml ├── istio-1.5.yaml └── istio-1.4.yaml ├── azure-npm ├── deny-all-inbound.yaml ├── allow-go-webapp.yaml ├── busybox.yaml ├── allow-src-ip.yaml └── azure-npm.yaml ├── gateway-api ├── pod-disruption-budget.yaml ├── reference-grant.yaml ├── http-route-application.yaml ├── horizontal-pod-autoscaler.yaml ├── http-route-redirect.yaml └── gateway.yaml ├── hxe-aci ├── README.md ├── configureAciHxeExternalAccess.sh ├── deploy_HXE_ACI.yaml ├── deploy_HXE_ACI_AKS.ps1 ├── deploy_HXE_ACI_ARM.ps1 └── deploy_HXE_ACI.ps1 ├── hxe-aks ├── README.md ├── deploy_HXE_AKS.yaml └── deploy_HXE_AKS.ps1 ├── omsagent ├── README.md ├── oms-rbac.yaml ├── deployOmsAgentOnAks.sh ├── deployOmsAgentOnAks.ps1 └── oms-daemonset.yaml ├── cilium ├── prometheus-metrics │ ├── aks │ │ ├── alloy-azure-config.yaml │ │ ├── grafana-alloy.yaml │ │ └── config-map.yaml │ └── k8s │ │ ├── grafana-alloy.yaml │ │ ├── alloy-azure-config.yaml │ │ └── config-map.yaml ├── egress-traffic-blocking │ ├── cidr-group.yaml │ └── cluster-wide-network-policy.yaml ├── 
metadata-information │ └── azure-specific-ip-addresses.yaml ├── hubble-exporter │ └── cilium-flowlog-config.yaml └── azure-imds │ ├── azure-imds-deny.yaml │ └── azure-imds-allow.yaml ├── kind ├── calico-config.yaml ├── setup.sh ├── single-node.yaml └── install-istio.yaml ├── calico └── egress-traffic-blocking │ ├── global-network-set.yaml │ ├── egress-allow-global-network-policy.yaml │ └── global-network-policy.yaml ├── ambassador ├── ambassador-svc.yaml ├── src-ip-ambassador.yaml ├── ambassador-rbac.yaml └── ambassador-rbac-soft.yaml ├── coredns └── aksCoreDnsConfigMap.yaml ├── kured ├── README.md ├── kured-ds.yaml └── kured-ds-rbac.yaml ├── cluster-autoscaler ├── ca-secret.yaml └── ca-generate-secret.sh ├── kata-containers └── untrusted-workload.yaml ├── hpa └── hpa-functions.yaml ├── devTestLabs ├── README.md └── secretProvisioning.ps1 ├── istio-tls-passthrough ├── istio-virtual-service-tls-passthrough.yaml ├── istio-gateway-default.yaml ├── istio-gateway-tls-passthrough.yaml ├── istio-operator-default.yaml └── istio-operator-tls-passthrough.yaml ├── azure-monitor └── container-azm-ms-agentconfig.yaml ├── acr ├── Remove-UntaggedManifests.ps1 └── Remove-UntaggedManifestsDockerBuildx.ps1 ├── templates └── aci-connector-test.yaml ├── windows └── hello-world.yaml ├── LICENSE ├── cpu-requests └── cpu-stress.yaml ├── istio-custom-redirect └── istio-307-redirect.yaml ├── conftest ├── constraint-template.yaml └── test.rego ├── aks-engine └── aksEngineAad.json ├── aks └── aksBaseImageUpdate.sh └── backup └── createManagedDiskSnapshot.ps1 /README.md: -------------------------------------------------------------------------------- 1 | # kubernetes -------------------------------------------------------------------------------- /k3s/helm/HELMVERSION: -------------------------------------------------------------------------------- 1 | v2.14.1 -------------------------------------------------------------------------------- /.gitignore: 
-------------------------------------------------------------------------------- 1 | 2 | .DS_Store 3 | -------------------------------------------------------------------------------- /iotedge/acrbuild/.dockerignore: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /containerImages/linux/go-webapp/.dockerignore: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /iotedge/webserver/.dockerignore: -------------------------------------------------------------------------------- 1 | script 2 | go-webapp/main.go 3 | -------------------------------------------------------------------------------- /iotedge/vk-iot-edge.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/neumanndaniel/kubernetes/HEAD/iotedge/vk-iot-edge.tgz -------------------------------------------------------------------------------- /iotedge/webserver/script/chmodQemu.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | chmod 777 /opt/vsts/work/1/s/go-webapp-arm/qemu-arm-static 3 | -------------------------------------------------------------------------------- /gvisor/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:3.15.0 2 | COPY install-gvisor.sh / 3 | COPY run.sh / 4 | RUN chmod u+x run.sh 5 | CMD ["./run.sh"] -------------------------------------------------------------------------------- /iotedge/webserver/go-webapp/webapp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/neumanndaniel/kubernetes/HEAD/iotedge/webserver/go-webapp/webapp -------------------------------------------------------------------------------- 
/fluent-bit/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: logging 5 | labels: 6 | app: fluent-bit -------------------------------------------------------------------------------- /k3s/helm/.dockerignore: -------------------------------------------------------------------------------- 1 | rbac-tiller.yaml 2 | HELMVERSION 3 | downloadHelm.sh 4 | containerImageBuild.sh 5 | downloadKubectl.sh 6 | helmRepoAdd.sh -------------------------------------------------------------------------------- /k3s/helm/helmRepoAdd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | helm repo add edgek8s https://edgek8s.blob.core.windows.net/helm/ 6 | helm repo update -------------------------------------------------------------------------------- /envoy-ratelimit/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: ratelimit 5 | labels: 6 | istio-injection: enabled 7 | -------------------------------------------------------------------------------- /fluent-bit/azure-data-explorer/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: logging 5 | labels: 6 | app: fluent-bit 7 | -------------------------------------------------------------------------------- /ssh/startSshContainer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | kubectl run -it --rm --generator=run-pod/v1 aks-ssh --image=alpine --labels=app=aksssh 6 | -------------------------------------------------------------------------------- /helm/charts/function-figlet/Chart.yaml: -------------------------------------------------------------------------------- 1 | 
name: function-figlet 2 | version: 0.0.2 3 | description: A Helm chart to deploy an Azure Function - HTTP trigger - Hello World -------------------------------------------------------------------------------- /fluent-bit/service-account.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: fluent-bit 5 | namespace: logging 6 | labels: 7 | app: fluent-bit -------------------------------------------------------------------------------- /fluent-bit/azure-data-explorer-kubernetes-events/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: logging 5 | labels: 6 | app: fluent-bit 7 | -------------------------------------------------------------------------------- /helm/charts/function-akscnicalc/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: function-akscnicalc 2 | version: 0.0.2 3 | description: A Helm chart to deploy an Azure Function - HTTP trigger - AKS CNI calc -------------------------------------------------------------------------------- /mssql/mssql-sapassword.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | SA_PASSWORD: REDACTED 4 | kind: Secret 5 | metadata: 6 | name: mssql 7 | namespace: default 8 | type: Opaque 9 | -------------------------------------------------------------------------------- /gvisor/runtime-class.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: node.k8s.io/v1 2 | kind: RuntimeClass 3 | metadata: 4 | name: gvisor 5 | handler: runsc 6 | scheduling: 7 | nodeSelector: 8 | gvisor: "enabled" 9 | -------------------------------------------------------------------------------- /fluent-bit/azure-data-explorer/service-account.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: fluent-bit 5 | namespace: logging 6 | labels: 7 | app: fluent-bit 8 | -------------------------------------------------------------------------------- /acs-engine/README.md: -------------------------------------------------------------------------------- 1 | # Azure Container Service Engine examples 2 | Deployment details: https://www.danielstechblog.io/using-acs-engine-to-build-private-kubernetes-clusters-with-bring-your-own-virtual-network-on-azure/ 3 | -------------------------------------------------------------------------------- /on-azure/README.md: -------------------------------------------------------------------------------- 1 | # Kubernetes on Azure – build, run and monitor your container applications 2 | Contains the demo code I am using for my session Kubernetes on Azure – build, run and monitor your container applications. -------------------------------------------------------------------------------- /ACI-connector/README.md: -------------------------------------------------------------------------------- 1 | # Deploying the Kubernetes ACI connector on Kubernetes on Docker for Windows 2 | Deployment details: https://www.danielstechblog.info/deploying-kubernetes-aci-connector-kubernetes-docker-windows/ 3 | -------------------------------------------------------------------------------- /istio/istio-1.6-global-mtls-enabled.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "security.istio.io/v1beta1" 2 | kind: "PeerAuthentication" 3 | metadata: 4 | name: "default" 5 | namespace: "istio-system" 6 | spec: 7 | mtls: 8 | mode: STRICT 9 | -------------------------------------------------------------------------------- /k3s/helm/containerImageBuild.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set 
-e 4 | 5 | BUILDNUMBER=$1 6 | 7 | VERSION=$(cat HELMVERSION) 8 | 9 | az acr build --registry acr --image "tiller:$VERSION" --image "tiller:$BUILDNUMBER" . 10 | -------------------------------------------------------------------------------- /azure-npm/deny-all-inbound.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: deny-all-inbound 5 | namespace: default 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | -------------------------------------------------------------------------------- /gateway-api/pod-disruption-budget.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: policy/v1 2 | kind: PodDisruptionBudget 3 | metadata: 4 | name: gw-api 5 | spec: 6 | minAvailable: 50% 7 | selector: 8 | matchLabels: 9 | istio.io/gateway-name: gw-api 10 | -------------------------------------------------------------------------------- /fluent-bit/azure-data-explorer-kubernetes-events/service-account.yaml: -------------------------------------------------------------------------------- 1 | kind: ServiceAccount 2 | apiVersion: v1 3 | metadata: 4 | name: fluent-bit-kubernetes-events 5 | namespace: logging 6 | labels: 7 | app: fluent-bit-kubernetes-events 8 | -------------------------------------------------------------------------------- /ACI-connector/secrets.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | credentials.json: <> 4 | kind: Secret 5 | metadata: 6 | name: <> 7 | namespace: default 8 | type: Opaque 9 | -------------------------------------------------------------------------------- /hxe-aci/README.md: -------------------------------------------------------------------------------- 1 | # SAP HANA Express Edition – Deploy HANA Express database on ACI – Azure Container Instances 2 | Deployment details: 
https://www.danielstechblog.io/sap-hana-express-edition-deploy-hana-express-database-on-aci-azure-container-instances/ 3 | -------------------------------------------------------------------------------- /hxe-aks/README.md: -------------------------------------------------------------------------------- 1 | # SAP HANA Express Edition - Deploy HANA Express database on AKS - Managed Kubernetes on Azure 2 | Deployment details: https://www.danielstechblog.info/sap-hana-express-edition-deploy-hana-express-database-aks-managed-kubernetes-azure/ 3 | -------------------------------------------------------------------------------- /omsagent/README.md: -------------------------------------------------------------------------------- 1 | # Configuring and deploying the container monitoring solution for AKS – Managed Kubernetes on Azure 2 | Deployment details: https://www.danielstechblog.info/configuring-and-deploying-the-container-monitoring-solution-for-aks-managed-kubernetes-on-azure/ 3 | -------------------------------------------------------------------------------- /ssh/configureSshContainer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | kubectl exec aks-ssh -c aks-ssh -- apk update 6 | kubectl exec aks-ssh -c aks-ssh -- apk add openssh-client bash 7 | kubectl cp ~/.ssh/id_rsa aks-ssh:/id_rsa 8 | kubectl exec aks-ssh -c aks-ssh chmod 0600 id_rsa 9 | -------------------------------------------------------------------------------- /cilium/prometheus-metrics/aks/alloy-azure-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: alloy-azure-config 5 | namespace: grafana-alloy 6 | labels: 7 | app: grafana-alloy 8 | data: 9 | CLIENT_ID: 10 | ENDPOINT_URL: 11 | -------------------------------------------------------------------------------- /cilium/egress-traffic-blocking/cidr-group.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: cilium.io/v2alpha1 2 | kind: CiliumCIDRGroup 3 | metadata: 4 | name: egress-traffic-blocking 5 | labels: 6 | policy: egress-traffic-blocking 7 | spec: 8 | externalCIDRs: 9 | - 217.160.0.92/32 10 | - 217.160.0.111/32 11 | - 217.160.223.1/32 12 | -------------------------------------------------------------------------------- /fluent-bit/azure-data-explorer-kubernetes-events/pvc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: fluent-bit-kubernetes-events 5 | spec: 6 | accessModes: 7 | - ReadWriteMany 8 | storageClassName: azurefile-csi-fluent-bit 9 | resources: 10 | requests: 11 | storage: 5Gi 12 | -------------------------------------------------------------------------------- /kind/calico-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operator.tigera.io/v1 2 | kind: Installation 3 | metadata: 4 | name: default 5 | spec: 6 | calicoNetwork: 7 | ipPools: 8 | - blockSize: 26 9 | cidr: 10.240.0.0/16 10 | encapsulation: None 11 | natOutgoing: Enabled 12 | nodeSelector: all() 13 | -------------------------------------------------------------------------------- /mssql/mssql-diskstorage.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: mssql-data 5 | annotations: 6 | volume.beta.kubernetes.io/storage-class: managed-premium 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 32Gi 13 | -------------------------------------------------------------------------------- /calico/egress-traffic-blocking/global-network-set.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: crd.projectcalico.org/v1 2 | kind: 
GlobalNetworkSet 3 | metadata: 4 | name: egress-traffic-blocking 5 | labels: 6 | policy: egress-traffic-blocking 7 | spec: 8 | nets: 9 | - 217.160.0.92/32 10 | - 217.160.0.111/32 11 | - 217.160.223.1/32 12 | -------------------------------------------------------------------------------- /ambassador/ambassador-svc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | service: ambassador 6 | name: ambassador 7 | spec: 8 | type: LoadBalancer 9 | externalTrafficPolicy: Local 10 | ports: 11 | - port: 80 12 | targetPort: 8080 13 | selector: 14 | service: ambassador 15 | -------------------------------------------------------------------------------- /calico/egress-traffic-blocking/egress-allow-global-network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: crd.projectcalico.org/v1 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: egress-traffic-allow 5 | labels: 6 | policy: egress-traffic-allow 7 | spec: 8 | order: 1000 9 | types: 10 | - Egress 11 | egress: 12 | - action: Allow 13 | -------------------------------------------------------------------------------- /fluent-bit/cluster-role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: fluent-bit-read 5 | rules: 6 | - apiGroups: [""] 7 | resources: 8 | - namespaces 9 | - pods 10 | - nodes 11 | - nodes/proxy 12 | verbs: 13 | - get 14 | - list 15 | - watch -------------------------------------------------------------------------------- /cilium/prometheus-metrics/k8s/grafana-alloy.yaml: -------------------------------------------------------------------------------- 1 | alloy: 2 | configMap: 3 | create: false 4 | name: alloy-config 5 | key: config.alloy 6 | envFrom: 7 | - secretRef: 8 | name: alloy-azure-config 9 | extraEnv: 10 | - 
name: CLUSTER 11 | value: k8s 12 | - name: REGEX_METRICS_FILTER 13 | value: ".+" 14 | -------------------------------------------------------------------------------- /fluent-bit/cluster-role-binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: fluent-bit-read 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: fluent-bit-read 9 | subjects: 10 | - kind: ServiceAccount 11 | name: fluent-bit 12 | namespace: logging 13 | -------------------------------------------------------------------------------- /azure-npm/allow-go-webapp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: allow-go-webapp 5 | namespace: default 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: go-webapp 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - ports: 14 | - port: 8080 15 | from: [] 16 | -------------------------------------------------------------------------------- /cilium/prometheus-metrics/aks/grafana-alloy.yaml: -------------------------------------------------------------------------------- 1 | alloy: 2 | configMap: 3 | create: false 4 | name: alloy-config 5 | key: config.alloy 6 | envFrom: 7 | - secretRef: 8 | name: alloy-azure-config 9 | extraEnv: 10 | - name: CLUSTER 11 | value: aks-azst-1 12 | - name: REGEX_METRICS_FILTER 13 | value: ".+" 14 | -------------------------------------------------------------------------------- /cilium/prometheus-metrics/k8s/alloy-azure-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: alloy-azure-config 5 | namespace: grafana-alloy 6 | labels: 7 | app: grafana-alloy 8 | data: 9 | CLIENT_ID: 10 | CLIENT_SECRET: 11 | ENDPOINT_URL: 12 | TENANT_ID: 13 | 
-------------------------------------------------------------------------------- /gvisor/nginx.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: nginx-gvisor 5 | spec: 6 | containers: 7 | - name: nginx 8 | image: nginx 9 | runtimeClassName: gvisor 10 | tolerations: 11 | - key: gvisor 12 | operator: Equal 13 | value: "enabled" 14 | effect: NoSchedule 15 | nodeSelector: 16 | gvisor: enabled -------------------------------------------------------------------------------- /coredns/aksCoreDnsConfigMap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: coredns-custom 5 | namespace: kube-system 6 | data: 7 | Corefile.override: | 8 | forward . 8.8.8.8 8.8.4.4 9 | azure.server: | 10 | internal.cloudapp.net:53 { 11 | errors 12 | cache 30 13 | proxy . 168.63.129.16 14 | } 15 | -------------------------------------------------------------------------------- /envoy-ratelimit/peer-authentication.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "security.istio.io/v1beta1" 2 | kind: "PeerAuthentication" 3 | metadata: 4 | name: "ratelimit" 5 | namespace: "ratelimit" 6 | spec: 7 | selector: 8 | matchLabels: 9 | app: ratelimit 10 | portLevelMtls: 11 | 8081: 12 | mode: PERMISSIVE 13 | 9102: 14 | mode: PERMISSIVE 15 | -------------------------------------------------------------------------------- /helm/charts/function-figlet/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | The Azure Function - HTTP trigger - Hello World is getting deployed on your cluster. 2 | 3 | To verify that the Azure Function - HTTP trigger - Hello World has started, run: 4 | 5 | kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "function-figlet.name" . 
}}" -l "release={{ .Release.Name }}" 6 | -------------------------------------------------------------------------------- /azure-npm/busybox.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: busybox 5 | namespace: default 6 | labels: 7 | app: busybox 8 | spec: 9 | containers: 10 | - name: busybox 11 | image: busybox 12 | command: 13 | - sleep 14 | - "3600" 15 | imagePullPolicy: IfNotPresent 16 | restartPolicy: Always 17 | -------------------------------------------------------------------------------- /fluent-bit/azure-data-explorer/cluster-role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: fluent-bit-read 5 | rules: 6 | - apiGroups: [""] 7 | resources: 8 | - namespaces 9 | - pods 10 | - nodes 11 | - nodes/proxy 12 | verbs: 13 | - get 14 | - list 15 | - watch 16 | -------------------------------------------------------------------------------- /helm/charts/function-akscnicalc/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | The Azure Function - HTTP trigger - AKS CNI calc is getting deployed on your cluster. 2 | 3 | To verify that the Azure Function - HTTP trigger - AKS CNI calc has started, run: 4 | 5 | kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "function-akscnicalc.name" . 
}}" -l "release={{ .Release.Name }}" 6 | -------------------------------------------------------------------------------- /fluent-bit/azure-data-explorer-kubernetes-events/cluster-role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: fluent-bit-kubernetes-events-read 5 | rules: 6 | - apiGroups: [""] 7 | resources: 8 | - events 9 | - namespaces 10 | - pods 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | -------------------------------------------------------------------------------- /fluent-bit/azure-data-explorer/cluster-role-binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: fluent-bit-read 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: fluent-bit-read 9 | subjects: 10 | - kind: ServiceAccount 11 | name: fluent-bit 12 | namespace: logging 13 | -------------------------------------------------------------------------------- /gateway-api/reference-grant.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: gateway.networking.k8s.io/v1beta1 2 | kind: ReferenceGrant 3 | metadata: 4 | name: go-webapp 5 | namespace: go-webapp 6 | spec: 7 | from: 8 | - group: gateway.networking.k8s.io 9 | kind: HTTPRoute 10 | namespace: istio-config 11 | to: 12 | - group: "" 13 | kind: Service 14 | name: go-webapp-gw-api 15 | -------------------------------------------------------------------------------- /kured/README.md: -------------------------------------------------------------------------------- 1 | # Keeping your AKS – Managed Kubernetes cluster on Azure up-to-date 2 | Deployment details: https://www.danielstechblog.info/keeping-your-aks-managed-kubernetes-cluster-on-azure-up-to-date/ 3 | *** 4 | # Keeping your ACS Engine 
Kubernetes cluster on Azure up-to-date 5 | Deployment details: https://www.danielstechblog.info/keeping-your-acs-engine-kubernetes-cluster-on-azure-up-to-date/ 6 | -------------------------------------------------------------------------------- /cluster-autoscaler/ca-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: cluster-autoscaler-azure 5 | namespace: kube-system 6 | data: 7 | ClientID: 8 | ClientSecret: 9 | ResourceGroup: 10 | SubscriptionID: 11 | TenantID: 12 | VMType: YWtz 13 | ClusterName: 14 | NodeResourceGroup: 15 | -------------------------------------------------------------------------------- /cilium/egress-traffic-blocking/cluster-wide-network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cilium.io/v2 2 | kind: CiliumClusterwideNetworkPolicy 3 | metadata: 4 | name: egress-traffic-blocking 5 | labels: 6 | policy: egress-traffic-blocking 7 | spec: 8 | endpointSelector: {} 9 | enableDefaultDeny: 10 | egress: false 11 | egressDeny: 12 | - toCIDRSet: 13 | - cidrGroupRef: egress-traffic-blocking 14 | -------------------------------------------------------------------------------- /fluent-bit/azure-data-explorer-kubernetes-events/cluster-role-binding.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: fluent-bit-kubernetes-events-read 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: view 9 | subjects: 10 | - kind: ServiceAccount 11 | name: fluent-bit-kubernetes-events 12 | namespace: logging 13 | -------------------------------------------------------------------------------- /hxe-aci/configureAciHxeExternalAccess.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 
4 | set -o pipefail 5 | 6 | globalpath=$(find /hana -name global.ini | awk -F global.ini '{ print $1 }') \ 7 | && cd $globalpath \ 8 | && chmod 777 global.ini \ 9 | && chmod 777 . \ 10 | && sed -i 's/^use_default_route=ip/use_default_route=no/g' ./global.ini \ 11 | && cd /usr/sap/HXE/HDB90 \ 12 | && HDB restart 13 | -------------------------------------------------------------------------------- /kata-containers/untrusted-workload.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: nginx-kata-untrusted 5 | spec: 6 | containers: 7 | - name: nginx-kata-untrusted 8 | image: nginx 9 | runtimeClassName: kata-mshv-vm-isolation 10 | tolerations: 11 | - key: kata 12 | operator: Equal 13 | value: "enabled" 14 | effect: NoSchedule 15 | nodeSelector: 16 | kata: enabled 17 | -------------------------------------------------------------------------------- /envoy-ratelimit/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | RESOURCE_GROUP=$1 4 | NAME=$2 5 | 6 | kubectl apply -f namespace.yaml 7 | ./create-secret.sh $RESOURCE_GROUP $NAME 8 | kubectl apply -f config-map.yaml 9 | kubectl apply -f network-policy.yaml 10 | kubectl apply -f peer-authentication.yaml 11 | kubectl apply -f deployment.yaml 12 | kubectl apply -f envoyfilter-global.yaml 13 | kubectl apply -f container-azm-ms-agentconfig.yaml -------------------------------------------------------------------------------- /azure-npm/allow-src-ip.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: allow-src-ip 5 | namespace: default 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: src-ip-internal 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - ports: 14 | - port: 8080 15 | from: 16 | - podSelector: 17 | matchLabels: 18 | app: busybox 19 | 
--------------------------------------------------------------------------------
/gateway-api/http-route-application.yaml:
--------------------------------------------------------------------------------
# Routes *.danielstechblog.de traffic from the gw-api Gateway (istio-system) to
# the go-webapp-gw-api Service in the go-webapp namespace. The backendRef
# crosses namespaces, so a ReferenceGrant in go-webapp is required for the
# Gateway controller to accept it (see reference-grant.yaml in this directory).
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: go-webapp
  namespace: istio-config
spec:
  parentRefs:
    - name: gw-api
      namespace: istio-system
  hostnames:
    - "*.danielstechblog.de"
  rules:
    - backendRefs:
        - name: go-webapp-gw-api
          namespace: go-webapp
          port: 80
--------------------------------------------------------------------------------
/helm/charts/function-figlet/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
--------------------------------------------------------------------------------
/helm/charts/function-akscnicalc/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
--------------------------------------------------------------------------------
/helm/rbac-tiller.yaml:
--------------------------------------------------------------------------------
# Service account for Helm v2's Tiller plus a binding to cluster-admin.
# NOTE(review): this hands Tiller full cluster-admin, so any principal that can
# reach Tiller's in-cluster endpoint effectively holds cluster-admin. Helm v3
# removed Tiller; if Helm v2 is still required, scope Tiller to a namespace
# with a narrower Role instead of cluster-admin.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
--------------------------------------------------------------------------------
/hpa/hpa-functions.yaml:
--------------------------------------------------------------------------------
# CPU-based autoscaler for the figlet function deployment (1..20 replicas,
# scaling out once average CPU exceeds 10% of requests).
# NOTE(review): autoscaling/v2beta1 is no longer served by current Kubernetes
# releases; the autoscaling/v2 form used in gateway-api/horizontal-pod-autoscaler.yaml
# (target.type: Utilization / averageUtilization) is the replacement.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: helloworld-function-figlet
  namespace: default
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: helloworld-function-figlet
  minReplicas: 1
  maxReplicas: 20
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 10
--------------------------------------------------------------------------------
/gateway-api/horizontal-pod-autoscaler.yaml:
--------------------------------------------------------------------------------
# Keeps the Istio-managed gateway deployment between 3 and 6 replicas at 80%
# average CPU utilization. No namespace is set, so it lands in whatever
# namespace kubectl's context selects; the Deployment name gw-api-istio is the
# one Istio generates for the gw-api Gateway.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: gw-api
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: gw-api-istio
  minReplicas: 3
  maxReplicas: 6
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 80
--------------------------------------------------------------------------------
/iotedge/webserver/Dockerfile:
--------------------------------------------------------------------------------
# arm32v7 image for the Go web app, built on an x86 host via the copied
# qemu-arm-static binary. The app runs as the dedicated non-root user
# `container` (uid/gid 127001).
# NOTE(review): qemu-arm-static ends up in the shipped image; it is only needed
# during the build. ubuntu:18.04 is past standard support, so base-image
# security updates no longer arrive. `ENTRYPOINT ./webapp` is shell form, so
# the app runs under /bin/sh and does not receive container stop signals
# directly; prefer the exec form ENTRYPOINT ["./webapp"].
FROM arm32v7/ubuntu:18.04

LABEL maintainer="Daniel Neumann "
RUN groupadd -r -g 127001 container && \
    useradd -r -u 127001 -g container container

COPY qemu-arm-static /usr/bin/qemu-arm-static

WORKDIR /webapp
ADD --chown=container:container /go-webapp .
RUN chmod +x ./webapp

USER container

EXPOSE 8080

ENTRYPOINT ./webapp
--------------------------------------------------------------------------------
/iotedge/webserver/go-webapp/main.go:
--------------------------------------------------------------------------------
// Minimal static web server: serves index.html from the working directory on
// every path of port 8080.
package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"os"
)

// handler re-reads index.html on every request and writes it unchanged.
// NOTE(review): log.Fatal exits the whole process on a read error, so one
// missing/unreadable file turns into an outage for all clients; returning
// http.Error(w, ..., http.StatusInternalServerError) keeps the server up.
func handler(w http.ResponseWriter, r *http.Request) {
	content, err := ioutil.ReadFile("index.html")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Fprintf(w, "%s", content)
}

// main registers the handler and serves on all interfaces, port 8080.
// NOTE(review): "os" is imported but never referenced in this file, which
// `go build` rejects ("imported and not used"); either drop the import or
// use it (the acrbuild variant calls log.SetOutput(os.Stdout)). The error
// returned by ListenAndServe is discarded, and no read/write timeouts are set
// on the server.
func main() {
	http.HandleFunc("/", handler)
	http.ListenAndServe(":8080", nil)
}
--------------------------------------------------------------------------------
/mssql/mssql-filestorage.yaml:
--------------------------------------------------------------------------------
# Azure Files backed RWX volume for SQL Server data, provisioned in the storage
# account azstaks1.
# NOTE(review): this uses the legacy in-tree kubernetes.io/azure-file
# provisioner; the CSI driver file.csi.azure.com (used by
# fluent-bit/azure-data-explorer-kubernetes-events/storage-class.yaml) is the
# supported path on current clusters.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azure-files
provisioner: kubernetes.io/azure-file
parameters:
  storageAccount: azstaks1
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mssql-data
spec:
  storageClassName: azure-files
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 32Gi
--------------------------------------------------------------------------------
/cilium/metadata-information/azure-specific-ip-addresses.yaml:
--------------------------------------------------------------------------------
# Named CIDR groups for Azure platform addresses, referenced by
# cidrGroupRef in the Cilium policies of this repository.
# 169.254.169.254 is the Azure Instance Metadata Service (IMDS); blocking it
# from workload pods (see cilium/azure-imds/azure-imds-deny.yaml) keeps pods
# from requesting the node's managed-identity tokens.
apiVersion: cilium.io/v2alpha1
kind: CiliumCIDRGroup
metadata:
  name: azure-imds
  labels:
    k8s-app: azure-imds
spec:
  externalCIDRs:
    - 169.254.169.254/32
---
# 168.63.129.16 is the Azure-internal platform address used for DNS and other
# host services; it must stay reachable for name resolution to work.
apiVersion: cilium.io/v2alpha1
kind: CiliumCIDRGroup
metadata:
  name: azure-internal-dns
  labels:
    k8s-app: azure-internal-dns
spec:
  externalCIDRs:
    - 168.63.129.16/32
--------------------------------------------------------------------------------
/gvisor/install-gvisor.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Downloads the gVisor runtime (runsc) and its containerd shim for the node's
# architecture, verifies the SHA-512 sums, and installs both into /usr/bin.
# Runs in a subshell so `set -e` aborts the subshell, not the caller.
# NOTE(review): the checksum files come from the same origin as the binaries,
# so the check guards against download corruption, not a compromised source.
# `latest` is unpinned; pin a release version so node builds are reproducible
# and upgrades are deliberate.

(
  set -e
  ARCH=$(uname -m)
  URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
  wget ${URL}/runsc ${URL}/runsc.sha512 \
    ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
  sha512sum -c runsc.sha512 \
    -c containerd-shim-runsc-v1.sha512
  rm -f *.sha512
  chmod a+rx runsc containerd-shim-runsc-v1
  mv runsc containerd-shim-runsc-v1 /usr/bin
)
--------------------------------------------------------------------------------
/k3s/install-k3s-master.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Installs a k3s server on this host and marks it as the master: tainted
# NoSchedule so regular workloads land on agents only.
# NOTE(review): the installer is fetched from get.k3s.io and executed without
# any checksum or version pin; consider pinning INSTALL_K3S_VERSION and
# verifying the script before running it on production hosts.
# `address=0.0.0.0` binds the kubelet on all interfaces of the host.

set -e

MASTER=$(hostname)

curl -sfL https://get.k3s.io -o install.sh
chmod +x install.sh
./install.sh server --kubelet-arg="address=0.0.0.0"
systemctl status k3s

sudo apt update
sudo apt install jq vim git -y
kubectl taint nodes $MASTER node-role.kubernetes.io/master=true:NoSchedule
kubectl label node $MASTER kubernetes.io/role=master node-role.kubernetes.io/master=
--------------------------------------------------------------------------------
/fluent-bit/azure-data-explorer-kubernetes-events/storage-class.yaml:
--------------------------------------------------------------------------------
# Azure Files CSI storage class for the Fluent Bit buffer/state volume.
# Volumes are deleted with the claim (reclaimPolicy: Delete) and can be grown
# in place (allowVolumeExpansion).
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azurefile-csi-fluent-bit
provisioner: file.csi.azure.com
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: true
mountOptions:
  - mfsymlinks
  - actimeo=30
  - nosharesock
  - nobrl # nobrl is required for Fluent Bit to work correctly
parameters:
  skuName: Standard_LRS
--------------------------------------------------------------------------------
/cilium/hubble-exporter/cilium-flowlog-config.yaml:
--------------------------------------------------------------------------------
# Hubble exporter configuration: writes flows matching the include filter to
# stdout. Only EGRESS flows with event type 1 / sub_type 181 are exported
# (presumably the policy-denied drops produced by the egress-traffic-blocking
# policy — confirm against Hubble's event type codes); no fields are masked.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-flowlog-config
  namespace: kube-system
data:
  flowlogs.yaml: |
    flowLogs:
      - name: egress-traffic-blocking
        excludeFilters: []
        fieldMask: []
        filePath: /dev/stdout
        includeFilters:
          - event_type:
              - type: 1
                sub_type: 181
            traffic_direction:
              - EGRESS
--------------------------------------------------------------------------------
/k3s/helm/rbac-tiller.yaml:
--------------------------------------------------------------------------------
# Tiller service account for the k3s cluster, pulling its image with the `acr`
# pull secret, bound to cluster-admin.
# NOTE(review): same concern as helm/rbac-tiller.yaml — cluster-admin for
# Tiller makes Tiller's endpoint equivalent to cluster-admin; Helm v3 needs no
# Tiller at all.
apiVersion: v1
imagePullSecrets:
  - name: acr
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
--------------------------------------------------------------------------------
/devTestLabs/README.md:
--------------------------------------------------------------------------------
# Azure DevTest Labs – Connecting the dots with Azure Automation, Logic Apps and Event Grid to deploy Kubernetes in your Lab environment
Contains the demo code I am using for my session Azure DevTest Labs – Connecting the dots with Azure Automation, Logic Apps and Event Grid to deploy Kubernetes in your Lab environment.

Further information about the details can be found on my blog: https://www.danielstechblog.info/adding-value-devtest-labs-users-additional-azure-services/
--------------------------------------------------------------------------------
/calico/egress-traffic-blocking/global-network-policy.yaml:
--------------------------------------------------------------------------------
# Calico counterpart of the Cilium egress deny list. With no spec.selector the
# policy applies to all endpoints; order 0 evaluates it before other policies.
# The Log rule records the flow and does not end evaluation, so the following
# Deny rule drops it. Destinations are whatever carries the label
# policy=egress-traffic-blocking (presumably a GlobalNetworkSet).
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: egress-traffic-blocking
  labels:
    policy: egress-traffic-blocking
spec:
  order: 0
  types:
    - Egress
  egress:
    - action: Log
      destination:
        selector: policy == 'egress-traffic-blocking'
    - action: Deny
      destination:
        selector: policy == 'egress-traffic-blocking'
--------------------------------------------------------------------------------
/gateway-api/http-route-redirect.yaml:
--------------------------------------------------------------------------------
# Permanent (301) redirect of plain HTTP to https://…:443 for the wildcard host.
# NOTE(review): the parentRef has no sectionName, so the route attaches to every
# listener of gw-api that accepts it; restricting it to the HTTP listener keeps
# the redirect off the HTTPS listener — confirm against gateway.yaml.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: http-to-https-redirect
  namespace: istio-system
spec:
  parentRefs:
    - name: gw-api
      namespace: istio-system
  hostnames:
    - "*.danielstechblog.de"
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
            port: 443
--------------------------------------------------------------------------------
/containerImages/linux/go-webapp/Dockerfile:
--------------------------------------------------------------------------------
# Two-stage build: compile the Go app, then ship it on a minimal Alpine base as
# the non-root user `container` (uid/gid 127001).
# NOTE(review): `go get github.com/sirupsen/logrus` pulls an unpinned dependency
# at build time (pre-modules Go 1.10), so builds are not reproducible and a
# compromised upstream would flow straight into the image. golang:1.10.5 and
# alpine:3.8 no longer receive security updates. COPY --from=build /webapp
# copies the whole build directory (sources included, plus the index.html the
# app needs at runtime).
FROM golang:1.10.5-alpine3.8 AS build
WORKDIR /webapp
ADD /go-webapp .
RUN apk update && \
    apk add git && \
    go get github.com/sirupsen/logrus && \
    go build -o webapp .

FROM alpine:3.8
LABEL maintainer="Daniel Neumann "
RUN addgroup -S -g 127001 container && \
    adduser -SD -u 127001 -G container container
USER container
WORKDIR /webapp
COPY --from=build /webapp .
EXPOSE 8080
ENTRYPOINT ./webapp
--------------------------------------------------------------------------------
/istio-tls-passthrough/istio-virtual-service-tls-passthrough.yaml:
--------------------------------------------------------------------------------
# SNI-based TLS passthrough: connections for nginx.tls.danielstechblog.de on
# gateway port 10443 are forwarded unterminated to the nginx Service on 443,
# so TLS terminates in the backend and the gateway never sees plaintext.
# NOTE(review): istio-gateway-default.yaml in this repository only declares
# servers on ports 80 and 443; the PASSTHROUGH server on 10443 this route
# matches must be defined elsewhere — confirm.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: nginx
  namespace: istio-config
spec:
  hosts:
    - nginx.tls.danielstechblog.de
  gateways:
    - azst-aks-gateway
  tls:
    - match:
        - port: 10443
          sniHosts:
            - nginx.tls.danielstechblog.de
      route:
        - destination:
            host: my-nginx.nginx.svc.cluster.local
            port:
              number: 443
--------------------------------------------------------------------------------
/iotedge/acrbuild/go-webapp/main.go:
--------------------------------------------------------------------------------
// Minimal static web server: serves index.html from the working directory on
// every path of port 8080, logging through logrus to stdout.
package main

import (
	"fmt"
	"io/ioutil"
	"net/http"
	"os"

	log "github.com/sirupsen/logrus"
)

// handler re-reads index.html on every request and writes it unchanged.
// NOTE(review): log.Fatal exits the whole process on a read error, so a single
// unreadable file takes the server down for all clients; responding with
// http.Error(w, ..., http.StatusInternalServerError) would keep it serving.
func handler(w http.ResponseWriter, r *http.Request) {
	content, err := ioutil.ReadFile("index.html")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Fprintf(w, "%s", content)
}

// main registers the handler and listens on all interfaces, port 8080.
// The error returned by ListenAndServe is discarded, so a bind failure exits
// silently; no server timeouts are configured.
func main() {
	http.HandleFunc("/", handler)
	log.SetOutput(os.Stdout)
	log.Info("Serving on port :8080")
	http.ListenAndServe(":8080", nil)
}
--------------------------------------------------------------------------------
/containerImages/linux/go-webapp/go-webapp/main.go:
--------------------------------------------------------------------------------
// Identical to iotedge/acrbuild/go-webapp/main.go: serves index.html from the
// working directory on every path of port 8080, logging via logrus to stdout.
package main

import (
	"fmt"
	"io/ioutil"
	"net/http"
	"os"

	log "github.com/sirupsen/logrus"
)

// handler re-reads index.html on every request and writes it unchanged.
// NOTE(review): log.Fatal on a read error terminates the process (an outage
// for all clients); prefer returning a 500 via http.Error.
func handler(w http.ResponseWriter, r *http.Request) {
	content, err := ioutil.ReadFile("index.html")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Fprintf(w, "%s", content)
}

// main registers the handler and listens on :8080; the ListenAndServe error
// is discarded and no server timeouts are set.
func main() {
	http.HandleFunc("/", handler)
	log.SetOutput(os.Stdout)
	log.Info("Serving on port :8080")
	http.ListenAndServe(":8080", nil)
}
--------------------------------------------------------------------------------
/azure-monitor/container-azm-ms-agentconfig.yaml:
--------------------------------------------------------------------------------
# Azure Monitor container-insights agent settings: collect stdout and stderr
# of every namespace (no exclusions).
# NOTE(review): env_var collection is enabled as well, which presumably sends
# container environment variables to the Log Analytics workspace. Environment
# variables often carry credentials; either disable this or make sure secrets
# are never passed to containers via env.
kind: ConfigMap
apiVersion: v1
metadata:
  name: container-azm-ms-agentconfig
  namespace: kube-system
data:
  schema-version: v1
  config-version: 1.0.0
  log-data-collection-settings: |-
    [log_collection_settings]
      [log_collection_settings.stdout]
        enabled = true
        exclude_namespaces = []

      [log_collection_settings.stderr]
        enabled = true
        exclude_namespaces = []

      [log_collection_settings.env_var]
        enabled = true
--------------------------------------------------------------------------------
/envoy-ratelimit/create-secret.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Builds the `redis` Secret for the ratelimit namespace from an Azure Cache for
# Redis instance: host:sslPort as `url`, the primary access key as `password`,
# both base64-encoded as the Secret manifest requires.
# Usage: ./create-secret.sh <resource-group> <redis-name>
# NOTE(review): there is no `set -e`/pipefail, so if `az redis list-keys`
# fails PASSWORD is empty and an empty credential is applied; `|| true` then
# hides any apply failure too. The unquoted `echo $DATA` is harmless for jq
# but quoting "$DATA" is safer.

RESOURCE_GROUP=$1
NAME=$2
DATA=$(az redis show --resource-group $RESOURCE_GROUP --name $NAME)
HOST_URL="$(echo $DATA | jq -r .hostName):$(echo $DATA | jq -r .sslPort)"

PASSWORD=$(az redis list-keys --resource-group $RESOURCE_GROUP --name $NAME | jq -r .primaryKey | tr -d '\n' | base64)
URL=$(echo -n $HOST_URL | base64)

echo "apiVersion: v1
data:
  password: $PASSWORD
  url: $URL
kind: Secret
metadata:
  name: redis
  namespace: ratelimit
type: Opaque" | kubectl apply -f - || true
--------------------------------------------------------------------------------
/kind/setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Brings up a local kind cluster with Calico as CNI and metrics-server.
# NOTE(review): `extraArgs.kubelet-insecure-tls=true` disables verification of
# the kubelet serving certificates; acceptable for a throwaway local cluster,
# never for a shared one. The Tigera operator manifest is fetched from an
# unpinned URL, and `sleep 120` is a fixed wait where `kubectl wait` on the
# Calico pods would be deterministic.

set -e

kind create cluster --config=single-node.yaml

# Calico
kubectl create -f https://docs.projectcalico.org/manifests/tigera-operator.yaml
kubectl apply -f ./calico-config.yaml

sleep 120

# Metrics Server
kubectl config set-context --current --namespace kube-system

helm upgrade metrics-server --install \
  --set apiService.create=true \
  --set extraArgs.kubelet-insecure-tls=true \
  --set extraArgs.kubelet-preferred-address-types=InternalIP \
  bitnami/metrics-server --namespace kube-system
--------------------------------------------------------------------------------
/iotedge/acrbuild/Dockerfile:
--------------------------------------------------------------------------------
# Cross-compiles the Go app for 32-bit ARM (GOARCH=arm, GOOS=linux) and ships
# it on arm32v6/alpine as the non-root user `container` (uid/gid 127001).
# NOTE(review): as in containerImages/linux/go-webapp/Dockerfile, `go get`
# pulls logrus unpinned at build time and both base images are past their
# security-update window.
FROM golang:1.10.5-alpine3.8 AS build
ENV GOARCH="arm"
ENV GOOS="linux"
WORKDIR /webapp
ADD /go-webapp .
RUN apk update && \
    apk add git && \
    go get github.com/sirupsen/logrus && \
    go build -o webapp .

FROM arm32v6/alpine:3.8
LABEL maintainer="Daniel Neumann "
RUN addgroup -S -g 127001 container && \
    adduser -SD -u 127001 -G container container
USER container
WORKDIR /webapp
COPY --from=build /webapp .
EXPOSE 8080
ENTRYPOINT ./webapp
--------------------------------------------------------------------------------
/k3s/Dockerfile:
--------------------------------------------------------------------------------
# arm32v7 Ubuntu image that runs start.sh from /azp (presumably the Azure
# Pipelines agent, given azpagent.yaml next to it — confirm).
# NOTE(review): no USER instruction, so the agent runs as root inside the
# container; ubuntu:16.04 and libcurl3/libicu55 are end-of-life packages with
# no further security fixes.
FROM arm32v7/ubuntu:16.04

ENV DEBIAN_FRONTEND=noninteractive
RUN echo "APT::Get::Assume-Yes \"true\";" > /etc/apt/apt.conf.d/90assumeyes

RUN apt-get update \
  && apt-get install -y --no-install-recommends \
     ca-certificates \
     curl \
     jq \
     git \
     iputils-ping \
     libcurl3 \
     libicu55 \
     zip \
     unzip \
  && rm -rf /var/lib/apt/lists/*

WORKDIR /azp

COPY ./start.sh .
RUN chmod +x start.sh

CMD ["./start.sh"]
--------------------------------------------------------------------------------
/k3s/install-k3s-node.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Joins this host to a k3s cluster as an agent.
# Usage: ./install-k3s-node.sh <master-hostname> <master-ip> <node-token>
# NOTE(review): the join token is taken from argv and passed to the installer
# as `--token`, so it shows up in the shell history and in the process list of
# every local user; k3s also accepts it through the K3S_TOKEN environment
# variable. `tee -a /etc/hosts` appends a new line on every run.

set -e
set -o pipefail

K3SMASTER=$1
K3SMASTERIPADDRESS=$2
NODE_TOKEN=$3
NODE=$(hostname)

echo "$K3SMASTERIPADDRESS $K3SMASTER" | sudo tee -a /etc/hosts
curl -sfL https://get.k3s.io -o install.sh
chmod +x install.sh
./install.sh agent --server https://$K3SMASTER:6443 --kubelet-arg="address=0.0.0.0" --token $NODE_TOKEN
systemctl status k3s-agent

sudo apt update
sudo apt install jq vim -y

kubectl label node $NODE kubernetes.io/role=agent node-role.kubernetes.io/agent=
--------------------------------------------------------------------------------
/fluent-bit/azure-data-explorer/deploy-fluent-bit-adx.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Deploys Fluent Bit with the Azure Data Explorer output.
# Usage: ./deploy-fluent-bit-adx.sh <tenant-id> <client-id> <client-secret>
# NOTE(review): the client secret arrives via argv (shell history / process
# list). `kubectl create secret ... || true` means an already existing secret
# is left untouched, so re-running after a credential rotation silently keeps
# the old value; `kubectl create ... --dry-run=client -o yaml | kubectl apply`
# would update it. No `set -e`, so earlier failures do not stop the deploy.

TENANT_ID=$1
CLIENT_ID=$2
CLIENT_SECRET=$3

kubectl apply -f namespace.yaml
kubectl apply -f service-account.yaml
kubectl apply -f cluster-role.yaml
kubectl apply -f cluster-role-binding.yaml

kubectl apply -f adx-output/config-map.yaml

kubectl create secret generic azuredataexplorer -n logging \
  --from-literal=tenant_id="${TENANT_ID}" \
  --from-literal=client_id="${CLIENT_ID}" \
  --from-literal=client_secret="${CLIENT_SECRET}" \
  || true

kubectl apply -f adx-output/daemon-set.yaml
--------------------------------------------------------------------------------
/helm/charts/function-figlet/templates/_helpers.tpl:
--------------------------------------------------------------------------------
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "function-figlet.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "function-figlet.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
--------------------------------------------------------------------------------
/helm/charts/function-akscnicalc/templates/_helpers.tpl:
--------------------------------------------------------------------------------
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "function-akscnicalc.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "function-akscnicalc.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
--------------------------------------------------------------------------------
/fluent-bit/azure-data-explorer-kubernetes-events/deploy.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Deploys the Kubernetes-events Fluent Bit collector with persistent storage.
# Usage: ./deploy.sh <tenant-id> <client-id> <client-secret>
# NOTE(review): same caveats as azure-data-explorer/deploy-fluent-bit-adx.sh —
# the client secret is passed on the command line, and `|| true` keeps a stale
# secret in place on re-runs instead of updating it.

TENANT_ID=$1
CLIENT_ID=$2
CLIENT_SECRET=$3

kubectl apply -f namespace.yaml
kubectl apply -f service-account.yaml
kubectl apply -f cluster-role.yaml
kubectl apply -f cluster-role-binding.yaml

kubectl apply -f config-map.yaml
kubectl apply -f storage-class.yaml
kubectl apply -f pvc.yaml

kubectl create secret generic azuredataexplorer -n logging \
  --from-literal=tenant_id="${TENANT_ID}" \
  --from-literal=client_id="${CLIENT_ID}" \
  --from-literal=client_secret="${CLIENT_SECRET}" \
  || true

kubectl apply -f deployment.yaml
--------------------------------------------------------------------------------
/k3s/helm/downloadHelm.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Image-build pre-step: downloads the Helm release named in HELMVERSION for
# linux-arm and leaves the `helm` and `tiller` binaries in the build context.
# NOTE(review): the tarball is fetched over HTTPS but never verified against
# the published checksum; a tampered or truncated download goes straight into
# the image. With `set -e` but no pipefail, only the direct commands are
# guarded.

set -e

echo "[$(date +"%Y-%m-%d %H:%M:%S")] Starting Docker image build pre-steps..."
VERSION=$(cat HELMVERSION)

echo "[$(date +"%Y-%m-%d %H:%M:%S")] Downloading helm version $VERSION for linux-arm platform..."
curl -sfL https://get.helm.sh/helm-$VERSION-linux-arm.tar.gz -o helm.tar.gz

echo "[$(date +"%Y-%m-%d %H:%M:%S")] Extracting tiller and helm executables..."
tar -xf helm.tar.gz
mv linux-arm/tiller tiller
mv linux-arm/helm helm

echo "[$(date +"%Y-%m-%d %H:%M:%S")] Deleting linux-arm folder..."
rm -rf linux-arm

echo "[$(date +"%Y-%m-%d %H:%M:%S")] Finished Docker image build pre-steps..."
--------------------------------------------------------------------------------
/istio-tls-passthrough/istio-gateway-default.yaml:
--------------------------------------------------------------------------------
# Default Istio ingress Gateway for *.danielstechblog.de: port 80 only issues
# an HTTPS redirect, port 443 terminates TLS (mode SIMPLE) with the certificate
# stored in the istio-ingress-cert Secret, which has to live in the ingress
# gateway's namespace for credentialName to resolve.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: azst-aks-gateway
  namespace: istio-config
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
    - hosts:
        - "*.danielstechblog.de"
      port:
        number: 80
        name: http
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
        - "*.danielstechblog.de"
      port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: istio-ingress-cert
--------------------------------------------------------------------------------
/ACI-connector/credentials.json:
--------------------------------------------------------------------------------
{
  "clientId": "<>",
  "clientSecret": "<>",
  "subscriptionId": "<>",
  "tenantId": "<>",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com/",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "database.windows.net",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}
--------------------------------------------------------------------------------
/cilium/azure-imds/azure-imds-deny.yaml:
--------------------------------------------------------------------------------
# Blocks workload pods from reaching the Azure Instance Metadata Service
# (CIDR group azure-imds, 169.254.169.254/32), so pods cannot request the
# node's managed-identity tokens. enableDefaultDeny false on both directions
# keeps this a pure deny-list entry; matching drops are tagged in Hubble with
# the configured log value.
# NOTE(review): pods in kube-system, logging and grafana-alloy are exempt and
# keep full IMDS access; every namespace on this list is a set of pods that can
# still obtain node identity tokens, so keep it minimal and review additions.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: azure-imds-deny
  annotations:
    description: "Deny traffic to Azure IMDS"
  labels:
    app.kubernetes.io/part-of: cilium
    area: network-security
spec:
  endpointSelector:
    matchExpressions:
      - key: k8s:io.kubernetes.pod.namespace
        operator: NotIn
        values:
          - kube-system
          - logging
          - grafana-alloy
  enableDefaultDeny:
    egress: false
    ingress: false
  egressDeny:
    - toCIDRSet:
        - cidrGroupRef: azure-imds
  log:
    value: "ccnp_egress_denied_azure_imds"
--------------------------------------------------------------------------------
/fluent-bit/deploy-fluent-bit.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Deploys Fluent Bit with the Log Analytics output, looking up the workspace id
# and primary shared key via the Azure CLI.
# Usage: ./deploy-fluent-bit.sh <resource-group> <log-analytics-workspace>
# NOTE(review): the shared key is interpolated into the `--from-literal`
# argument, so it is briefly visible in the process list; `|| true` keeps an
# existing (possibly stale) secret instead of updating it. No `set -e`.

RESOURCE_GROUP=$1
LOG_ANALYTICS_WORKSPACE=$2

kubectl apply -f namespace.yaml
kubectl apply -f service-account.yaml
kubectl apply -f cluster-role.yaml
kubectl apply -f cluster-role-binding.yaml

kubectl apply -f config-map.yaml

kubectl create secret generic loganalytics -n logging \
  --from-literal=workspaceid="$(az monitor log-analytics workspace show -g ${RESOURCE_GROUP} -n ${LOG_ANALYTICS_WORKSPACE} | jq -r .customerId)" \
  --from-literal=workspacekey="$(az monitor log-analytics workspace get-shared-keys -g ${RESOURCE_GROUP} -n ${LOG_ANALYTICS_WORKSPACE} | jq -r .primarySharedKey)" \
  || true

kubectl apply -f daemon-set.yaml
--------------------------------------------------------------------------------
/gvisor/run.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Node bootstrap run from the gVisor DaemonSet: fetches config.toml, stages it
# and install-gvisor.sh on the host via the /k8s-node mount (presumably a
# hostPath of /tmp/gvisor — confirm in daemon-set.yaml), then enters the host
# mount namespace (nsenter on PID 1) to install runsc, back up and replace the
# containerd config, and restart containerd. Sleeps forever afterwards so the
# pod stays Running.
# NOTE(review): the containerd config is pulled from the `master` branch at
# runtime, so any change to that file reconfigures every node on its next pod
# start; pin to a commit or ship the file inside the image. There is no
# `set -e`: if the download fails, `wget -O` leaves an empty config.toml that
# is then copied over /etc/containerd/config.toml. The .org backup is
# overwritten on every run.

URL="https://raw.githubusercontent.com/neumanndaniel/kubernetes/master/gvisor/config.toml"

wget ${URL} -O /k8s-node/config.toml
cp /install-gvisor.sh /k8s-node

/usr/bin/nsenter -m/proc/1/ns/mnt -- chmod u+x /tmp/gvisor/install-gvisor.sh
/usr/bin/nsenter -m/proc/1/ns/mnt /tmp/gvisor/install-gvisor.sh
/usr/bin/nsenter -m/proc/1/ns/mnt -- cp /etc/containerd/config.toml /etc/containerd/config.toml.org
/usr/bin/nsenter -m/proc/1/ns/mnt -- cp /tmp/gvisor/config.toml /etc/containerd/config.toml
/usr/bin/nsenter -m/proc/1/ns/mnt -- systemctl restart containerd

echo "[$(date +"%Y-%m-%d %H:%M:%S")] Successfully installed gvisor and restarted containerd on node ${NODE_NAME}."

sleep infinity
--------------------------------------------------------------------------------
/omsagent/oms-rbac.yaml:
--------------------------------------------------------------------------------
# Least-privilege RBAC for the OMS agent: a custom ClusterRole with only the
# `list` verb on pods, events, nodes, namespaces and services, bound to the
# omsagent service account in kube-system.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: omsagent
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: omsagent-reader
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - events
      - nodes
      - namespaces
      - services
    verbs:
      - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: omsagentclusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: omsagent-reader
subjects:
  - kind: ServiceAccount
    name: omsagent
    namespace: kube-system
--------------------------------------------------------------------------------
/acr/Remove-UntaggedManifests.ps1:
--------------------------------------------------------------------------------
# Deletes every untagged manifest in every repository of every container
# registry visible in the current Az context.
# NOTE(review): "untagged" is not "unreferenced". The per-platform child
# manifests of a multi-arch image index carry no tags of their own, so this
# loop deletes them and breaks the tagged index that references them. Filter
# out manifests referenced by an index (or skip repositories with multi-arch
# images) and consider a dry-run/-WhatIf pass before deleting across all
# registries.
$ACRS = Get-AzContainerRegistry
foreach ($ACR in $ACRS) {
    $REPOS = Get-AzContainerRegistryRepository -RegistryName $ACR.Name
    foreach ($REPO in $REPOS) {
        Write-OutPut "########################"
        Write-Output "Processing repository: $REPO"
        # Only manifests with no tags, newest first.
        $MANIFESTS = (Get-AzContainerRegistryManifest -RegistryName $ACR.Name -RepositoryName $REPO).ManifestsAttributes | Where-Object { $_.Tags -eq $null } | Sort-Object -Property LastUpdateTime -Descending
        foreach ($ITEM in $MANIFESTS) {
            $TAG = $ITEM.digest
            Write-OutPut "------------------------"
            Write-Output "Delete dangling image $REPO@$TAG"
            Remove-AzContainerRegistryManifest -RegistryName $ACR.Name -RepositoryName $REPO -Manifest $TAG
        }
    }
}
--------------------------------------------------------------------------------
/helm/charts/function-figlet/templates/hpa.yaml:
--------------------------------------------------------------------------------
# Chart HPA template; replica bounds and the CPU target come from values.yaml.
# NOTE(review): autoscaling/v2beta1 is no longer served by current Kubernetes
# releases; move to autoscaling/v2 (target.type: Utilization /
# averageUtilization).
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: {{ template "function-figlet.fullname" . }}
  namespace: {{ .Values.general.namespace }}
  labels:
    app: {{ template "function-figlet.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: {{ template "function-figlet.fullname" . }}
  minReplicas: {{ .Values.hpa.minReplicas }}
  maxReplicas: {{ .Values.hpa.maxReplicas }}
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: {{ .Values.hpa.metrics.cpu.targetAverageUtilization }}
--------------------------------------------------------------------------------
/gvisor/config.toml:
--------------------------------------------------------------------------------
# containerd (config v2) for AKS nodes with gVisor: the runsc shim is
# registered as the `runsc` runtime handler, which the runsc RuntimeClass
# (runtime-class.yaml) selects.
# NOTE(review): untrusted_workload_runtime still points at runc, the same as
# default_runtime, so the legacy "untrusted" annotation path does not sandbox
# anything; only pods using the runsc RuntimeClass run under gVisor.
# NOTE(review): [metrics] binds the containerd metrics endpoint to
# 0.0.0.0:10257, reachable from every interface of the node; bind it to
# 127.0.0.1 unless it is deliberately scraped remotely.
version = 2
subreaper = false
oom_score = 0
[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "mcr.microsoft.com/oss/kubernetes/pause:3.6"
  [plugins."io.containerd.grpc.v1.cri".containerd]

    [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
      runtime_type = "io.containerd.runtime.v1.linux"
      runtime_engine = "/usr/bin/runc"
    [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
      runtime_type = "io.containerd.runtime.v1.linux"
      runtime_engine = "/usr/bin/runc"
    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
      runtime_type = "io.containerd.runsc.v1"

  [plugins."io.containerd.grpc.v1.cri".registry.headers]
    X-Meta-Source-Client = ["azure/aks"]
[metrics]
  address = "0.0.0.0:10257"
--------------------------------------------------------------------------------
/helm/charts/function-akscnicalc/templates/hpa.yaml:
--------------------------------------------------------------------------------
# Chart HPA template; same structure and the same autoscaling/v2beta1 caveat as
# function-figlet/templates/hpa.yaml.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: {{ template "function-akscnicalc.fullname" . }}
  namespace: {{ .Values.general.namespace }}
  labels:
    app: {{ template "function-akscnicalc.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: {{ template "function-akscnicalc.fullname" . }}
  minReplicas: {{ .Values.hpa.minReplicas }}
  maxReplicas: {{ .Values.hpa.maxReplicas }}
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: {{ .Values.hpa.metrics.cpu.targetAverageUtilization }}
--------------------------------------------------------------------------------
/iotedge/acrbuild/go-webapp/index.html:
--------------------------------------------------------------------------------
Azure IoT Edge
9 |
10 |

Hello Azure people!

11 |

12 | Now we are running on an Azure IoT Edge device with the power of Azure in the back! 13 |

14 |
15 |

16 |

17 | 18 |
19 |

20 |
21 |
22 | 23 | 24 | -------------------------------------------------------------------------------- /iotedge/webserver/go-webapp/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | Azure IoT Edge 4 | 6 | 7 | 8 |
9 |
10 |

Hello Azure people!

11 |

12 | Now we are running on an Azure IoT Edge device with the power of Azure in the back! 13 |

14 |
15 |

16 |

17 | 18 |
19 |

20 |
21 |
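


--------------------------------------------------------------------------------
/kind/single-node.yaml:
--------------------------------------------------------------------------------
apiVersion: kind.x-k8s.io/v1alpha4
kind: Cluster
networking:
  # API server and the host port mappings below bind to loopback only, so the
  # cluster is not reachable from the LAN.
  apiServerAddress: "127.0.0.1"
  apiServerPort: 6443
  podSubnet: "10.240.0.0/16"
  serviceSubnet: "10.0.0.0/16"
  # No default CNI: one must be installed separately before pods become Ready,
  # and NetworkPolicy enforcement depends on the CNI chosen.
  disableDefaultCNI: true
  kubeProxyMode: "iptables"
nodes:
  - role: control-plane
    kubeadmConfigPatches:
      - |
        kind: InitConfiguration
        nodeRegistration:
          kubeletExtraArgs:
            node-labels: "ingress-ready=true"
    extraPortMappings:
      - containerPort: 30000
        hostPort: 80
        listenAddress: "127.0.0.1"
        protocol: TCP
      - containerPort: 30001
        hostPort: 443
        listenAddress: "127.0.0.1"
        protocol: TCP
      - containerPort: 30002
        hostPort: 15021
        listenAddress: "127.0.0.1"
        protocol: TCP
--------------------------------------------------------------------------------
/fluent-bit/azure-data-explorer/deploy-fluent-bit-kafka.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Deploys the Fluent Bit DaemonSet that ships logs to an Azure Event Hub via
# its Kafka endpoint. The Event Hub connection string is read with the Azure
# CLI and stored in the `azureeventhub` Secret of the `logging` namespace.
#
# Usage: deploy-fluent-bit-kafka.sh <resource-group> <eventhub-namespace> <eventhub> <shared-access-policy>
set -euo pipefail

if [ "$#" -ne 4 ]; then
  echo "usage: $0 <resource-group> <eventhub-namespace> <eventhub> <shared-access-policy>" >&2
  exit 1
fi

RESOURCE_GROUP=$1
EVENT_HUB_NAMESPACE=$2
EVENT_HUB=$3
SHARED_ACCESS_POLICY_NAME=$4

kubectl apply -f namespace.yaml
kubectl apply -f service-account.yaml
kubectl apply -f cluster-role.yaml
kubectl apply -f cluster-role-binding.yaml

kubectl apply -f kafka-output/config-map.yaml

# Fetch the connection string first so a failing `az`/`jq` call aborts the
# script instead of silently producing an empty or "null" Secret value.
CONNECTION_STRING=$(az eventhubs eventhub authorization-rule keys list \
  --resource-group "${RESOURCE_GROUP}" \
  --namespace-name "${EVENT_HUB_NAMESPACE}" \
  --eventhub-name "${EVENT_HUB}" \
  --authorization-rule-name "${SHARED_ACCESS_POLICY_NAME}" \
  | jq -r .primaryConnectionString)
if [ -z "${CONNECTION_STRING}" ] || [ "${CONNECTION_STRING}" = "null" ]; then
  echo "could not read the primary connection string for ${EVENT_HUB}" >&2
  exit 1
fi

# `create --dry-run=client -o yaml | apply` replaces the former `create || true`:
# the Secret is created or updated idempotently on re-runs, and a real error
# (RBAC, missing namespace) is no longer swallowed.
kubectl create secret generic azureeventhub -n logging \
  --from-literal=namespace="${EVENT_HUB_NAMESPACE}" \
  --from-literal=topic="${EVENT_HUB}" \
  --from-literal=connection_string="${CONNECTION_STRING}" \
  --dry-run=client -o yaml | kubectl apply -f -

kubectl apply -f kafka-output/daemon-set.yaml
--------------------------------------------------------------------------------
/istio-tls-passthrough/istio-gateway-tls-passthrough.yaml:
--------------------------------------------------------------------------------
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: azst-aks-gateway
  namespace: istio-config
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
    # Plain HTTP only answers with a redirect to HTTPS.
    - hosts:
        - "*.danielstechblog.de"
      port:
        number: 80
        name: http
        protocol: HTTP
      tls:
        httpsRedirect: true
    # TLS terminated at the gateway with the istio-ingress-cert Secret.
    - hosts:
        - "*.danielstechblog.de"
      port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: istio-ingress-cert
    # PASSTHROUGH: TLS is terminated by the backend, so the gateway can only
    # route on SNI here and cannot apply L7 (HTTP) policy or logging to this
    # listener; the backend owns certificate handling.
    - hosts:
        - "*.tls.danielstechblog.de"
      port:
        number: 10443
        name: tls-passthrough
        protocol: TLS
      tls:
        mode: PASSTHROUGH
--------------------------------------------------------------------------------
/cilium/azure-imds/azure-imds-allow.yaml:
--------------------------------------------------------------------------------
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: azure-imds-allow
  annotations:
    description: "Allow traffic to Azure IMDS"
  labels:
    app.kubernetes.io/part-of: cilium
    area: network-security
spec:
  # Only pods in these namespaces are granted IMDS access; blocking IMDS for
  # everything else is left to a separate deny policy.
  endpointSelector:
    matchExpressions:
      - key: k8s:io.kubernetes.pod.namespace
        operator: In
        values:
          - kube-system
          - logging
          - grafana-alloy
  # Purely additive rule: it must not switch on default-deny for the selected
  # pods, which a plain egress rule would otherwise do.
  enableDefaultDeny:
    egress: false
    ingress: false
  egress:
    - toCIDRSet:
        # CIDR group defined elsewhere (cidr-group.yaml); keep it limited to
        # the IMDS address only.
        - cidrGroupRef: azure-imds
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                # NOTE(review): Cilium's `path` is a regex matched against the
                # whole request path (presumably the full :path header in the
                # proxy, query string included), so "/metadata" alone may not
                # match calls such as /metadata/instance?api-version=... —
                # verify with a real IMDS request and widen to "/metadata/.*"
                # only if needed.
                path: "/metadata"
      # Verdict logging makes IMDS reads auditable in Hubble/flow logs.
      log:
        value: "ccnp_egress_allowed_azure_imds"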
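--------------------------------------------------------------------------------
/k3s/helm/downloadKubectl.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Release pre-step for the k3s/helm image: installs kubectl (latest stable) and
# helm (version taken from the HELMVERSION file) for linux-arm into
# /usr/local/bin.
#
# Both downloads are verified against the publisher's SHA-256 file before they
# are installed, so a tampered or truncated download fails the build instead
# of being shipped in the image.
set -euo pipefail

log() {
  echo "[$(date +"%Y-%m-%d %H:%M:%S")] $*"
}

log "Starting Release pre-steps..."

log "Downloading latest kubectl version for linux-arm platform..."
# `-f` makes a failed stable.txt lookup abort here rather than building a
# bogus URL from an empty version.
KUBECTL_VERSION=$(curl -sfL https://storage.googleapis.com/kubernetes-release/release/stable.txt)
KUBECTL_URL="https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/arm/kubectl"
curl -sfL "${KUBECTL_URL}" -o kubectl
# The release bucket publishes the digest next to the binary as kubectl.sha256;
# `sha256sum -c` exits non-zero on mismatch and `set -e` stops the script.
curl -sfL "${KUBECTL_URL}.sha256" -o kubectl.sha256
echo "$(awk '{print $1}' kubectl.sha256)  kubectl" | sha256sum -c -
rm -f kubectl.sha256
chmod +x kubectl
mv kubectl /usr/local/bin/

VERSION=$(cat HELMVERSION)

log "Downloading helm version $VERSION for linux-arm platform..."
HELM_URL="https://get.helm.sh/helm-${VERSION}-linux-arm.tar.gz"
curl -sfL "${HELM_URL}" -o helm.tar.gz
# get.helm.sh publishes <archive>.sha256 for each release archive; only the
# first field is used so either a bare digest or `sha256sum` format works.
curl -sfL "${HELM_URL}.sha256" -o helm.tar.gz.sha256
echo "$(awk '{print $1}' helm.tar.gz.sha256)  helm.tar.gz" | sha256sum -c -
rm -f helm.tar.gz.sha256

log "Extracting tiller and helm executables..."
tar -xf helm.tar.gz
mv linux-arm/helm /usr/local/bin/

log "Deleting linux-arm folder..."
rm -rf linux-arm

log "Finished Release pre-steps..."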
-------------------------------------------------------------------------------- /templates/aci-connector-test.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: aci-helloworld 5 | spec: 6 | replicas: 10 7 | strategy: 8 | rollingUpdate: 9 | maxSurge: 1 10 | maxUnavailable: 1 11 | minReadySeconds: 5 12 | selector: 13 | matchLabels: 14 | app: aci-helloworld 15 | template: 16 | metadata: 17 | labels: 18 | app: aci-helloworld 19 | spec: 20 | containers: 21 | - image: microsoft/aci-helloworld 22 | imagePullPolicy: Always 23 | name: aci-helloworld 24 | resources: 25 | requests: 26 | memory: 1.5G 27 | cpu: 1 28 | ports: 29 | - containerPort: 80 30 | name: http 31 | protocol: TCP 32 | - containerPort: 443 33 | name: https 34 | dnsPolicy: ClusterFirst 35 | nodeName: virtual-kubelet-aci-linux 36 | tolerations: 37 | - key: azure.com/aci 38 | effect: NoSchedule 39 | -------------------------------------------------------------------------------- /windows/hello-world.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: helloworld 5 | labels: 6 | app: helloworld 7 | spec: 8 | replicas: 1 9 | template: 10 | metadata: 11 | name: helloworld 12 | labels: 13 | app: helloworld 14 | spec: 15 | tolerations: 16 | - key: kubernetes.io/os 17 | operator: Equal 18 | value: windows 19 | effect: NoSchedule 20 | nodeSelector: 21 | "kubernetes.io/os": windows 22 | containers: 23 | - name: helloworld 24 | image: mcr.microsoft.com/dotnet/framework/samples:aspnetapp 25 | resources: 26 | limits: 27 | cpu: 1 28 | memory: 1Gi 29 | ports: 30 | - containerPort: 80 31 | selector: 32 | matchLabels: 33 | app: helloworld 34 | --- 35 | apiVersion: v1 36 | kind: Service 37 | metadata: 38 | name: helloworld 39 | labels: 40 | app: helloworld 41 | spec: 42 | type: LoadBalancer 43 | ports: 44 | - port: 80 45 
| selector: 46 | app: helloworld -------------------------------------------------------------------------------- /helm/charts/function-figlet/values.yaml: -------------------------------------------------------------------------------- 1 | general: 2 | namespace: default 3 | image: 4 | repository: neumanndaniel/figlet 5 | tag: 1.0.0 6 | pullPolicy: Always 7 | container: 8 | name: function-figlet 9 | port: 80 10 | requests: 11 | cpu: 25m 12 | memory: 64Mi 13 | limits: 14 | cpu: 50m 15 | memory: 128Mi 16 | hpa: 17 | minReplicas: 1 18 | maxReplicas: 20 19 | metrics: 20 | cpu: 21 | targetAverageUtilization: 20 22 | service: 23 | noIngress: true 24 | type: LoadBalancer 25 | ports: 26 | port: 80 27 | targetPort: 80 28 | #Use only when running Ambassador (https://www.getambassador.io/) on your Kubernetes cluster and service.noIngress is set to false 29 | ambassador: 30 | enabled: false 31 | prefix: / 32 | hostEnabled: true 33 | host: helloworld.trafficmanager.net 34 | timeout: 20000 35 | #Use only when running Ambassador (https://www.getambassador.io/) and Linkerd (https://linkerd.io/) on your Kubernetes cluster and service.noIngress is set to false 36 | linkerd: 37 | enabled: false 38 | -------------------------------------------------------------------------------- /gateway-api/gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: gateway.networking.k8s.io/v1beta1 2 | kind: Gateway 3 | metadata: 4 | name: gw-api 5 | namespace: istio-system 6 | spec: 7 | gatewayClassName: istio 8 | listeners: 9 | - name: http 10 | hostname: "*.danielstechblog.de" 11 | port: 80 12 | protocol: HTTP 13 | allowedRoutes: 14 | namespaces: 15 | from: Same 16 | kinds: 17 | - group: gateway.networking.k8s.io 18 | kind: HTTPRoute 19 | - name: https 20 | hostname: "*.danielstechblog.de" 21 | port: 443 22 | protocol: HTTPS 23 | allowedRoutes: 24 | namespaces: 25 | from: Selector 26 | selector: 27 | matchLabels: 28 | ingress-configuration: 
"true" 29 | kinds: 30 | - group: gateway.networking.k8s.io 31 | kind: HTTPRoute 32 | tls: 33 | mode: Terminate 34 | certificateRefs: 35 | - kind: Secret 36 | group: "" 37 | name: istio-ingress-cert 38 | namespace: istio-system 39 | -------------------------------------------------------------------------------- /helm/charts/function-akscnicalc/values.yaml: -------------------------------------------------------------------------------- 1 | general: 2 | namespace: default 3 | image: 4 | repository: neumanndaniel/akscnicalc 5 | tag: 1.0.0 6 | pullPolicy: Always 7 | container: 8 | name: function-akscnicalc 9 | port: 80 10 | requests: 11 | cpu: 25m 12 | memory: 64Mi 13 | limits: 14 | cpu: 50m 15 | memory: 128Mi 16 | hpa: 17 | minReplicas: 1 18 | maxReplicas: 20 19 | metrics: 20 | cpu: 21 | targetAverageUtilization: 20 22 | service: 23 | noIngress: true 24 | type: LoadBalancer 25 | ports: 26 | port: 80 27 | targetPort: 80 28 | #Use only when running Ambassador (https://www.getambassador.io/) on your Kubernetes cluster and service.noIngress is set to false 29 | ambassador: 30 | enabled: false 31 | prefix: / 32 | hostEnabled: true 33 | host: akscnicalc.trafficmanager.net 34 | timeout: 20000 35 | #Use only when running Ambassador (https://www.getambassador.io/) and Linkerd (https://linkerd.io/) on your Kubernetes cluster and service.noIngress is set to false 36 | linkerd: 37 | enabled: false 38 | -------------------------------------------------------------------------------- /gvisor/daemon-set.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: DaemonSet 3 | metadata: 4 | name: gvisor 5 | namespace: kube-system 6 | spec: 7 | selector: 8 | matchLabels: 9 | app: gvisor 10 | template: 11 | metadata: 12 | labels: 13 | app: gvisor 14 | spec: 15 | hostPID: true 16 | restartPolicy: Always 17 | containers: 18 | - image: docker.io/neumanndaniel/gvisor:latest 19 | imagePullPolicy: Always 20 | name: gvisor 21 | 
env: 22 | - name: NODE_NAME 23 | valueFrom: 24 | fieldRef: 25 | fieldPath: spec.nodeName 26 | securityContext: 27 | privileged: true 28 | readOnlyRootFilesystem: true 29 | volumeMounts: 30 | - name: k8s-node 31 | mountPath: /k8s-node 32 | volumes: 33 | - name: k8s-node 34 | hostPath: 35 | path: /tmp/gvisor 36 | tolerations: 37 | - key: gvisor 38 | operator: Equal 39 | value: "enabled" 40 | effect: NoSchedule 41 | nodeSelector: 42 | gvisor: enabled -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Daniel Neumann 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
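
--------------------------------------------------------------------------------
/mssql/mssql.yaml:
--------------------------------------------------------------------------------
# apps/v1beta1 no longer exists on supported Kubernetes versions (removed in
# 1.16); apps/v1 requires an explicit spec.selector matching the pod labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mssql
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mssql
  template:
    metadata:
      labels:
        app: mssql
    spec:
      terminationGracePeriodSeconds: 10
      containers:
        - name: mssql
          # NOTE(review): `microsoft/mssql-server-linux` on Docker Hub is the
          # retired repository and `latest` is a mutable tag — pin a versioned
          # tag from the current location (mcr.microsoft.com/mssql/server) so
          # the deployed engine is reproducible.
          image: microsoft/mssql-server-linux:latest
          ports:
            - containerPort: 1433
          env:
            - name: MSSQL_PID
              value: "Developer"
            - name: ACCEPT_EULA
              value: "Y"
            # SA password is read from the `mssql` Secret, never from the manifest.
            - name: SA_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mssql
                  key: SA_PASSWORD
          volumeMounts:
            - name: mssqldb
              mountPath: /var/opt/mssql
      volumes:
        - name: mssqldb
          persistentVolumeClaim:
            claimName: mssql-data
---
apiVersion: v1
kind: Service
metadata:
  name: mssql
spec:
  selector:
    app: mssql
  ports:
    - protocol: TCP
      port: 1433
      targetPort: 1433
  # NOTE(review): a public LoadBalancer exposes TCP 1433 (SA login) to the
  # internet; for anything beyond a throw-away demo use an internal load
  # balancer or restrict sources with loadBalancerSourceRanges / an NSG.
  type: LoadBalancer
--------------------------------------------------------------------------------
/ambassador/src-ip-ambassador.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: src-ip
spec:
  replicas: 1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  minReadySeconds: 5
  selector:
    matchLabels:
      app: src-ip
  template:
    metadata:
      labels:
        app: src-ip
    spec:
      containers:
        - name: src-ip
          # k8s.gcr.io is frozen; registry.k8s.io serves the same images.
          image: k8s.gcr.io/echoserver:1.10
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
          resources:
            requests:
              cpu: 25m
            limits:
              cpu: 50m
---
apiVersion: v1
kind: Service
metadata:
  name: src-ip
  labels:
    app: src-ip
  annotations:
    # Ambassador Mapping embedded as a block scalar (continues on the next line).
    getambassador.io/config: |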
--- 41 | apiVersion: ambassador/v1 42 | kind: Mapping 43 | name: src-ip 44 | prefix: / 45 | host: src.trafficmanager.net 46 | service: src-ip 47 | spec: 48 | ports: 49 | - port: 80 50 | targetPort: 8080 51 | selector: 52 | app: src-ip 53 | -------------------------------------------------------------------------------- /cpu-requests/cpu-stress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: cpu-stress 5 | labels: 6 | app: cpu-stress 7 | version: v1 8 | spec: 9 | replicas: 4 10 | selector: 11 | matchLabels: 12 | app: cpu-stress 13 | template: 14 | metadata: 15 | labels: 16 | app: cpu-stress 17 | version: v1 18 | spec: 19 | affinity: 20 | nodeAffinity: 21 | requiredDuringSchedulingIgnoredDuringExecution: 22 | nodeSelectorTerms: 23 | - matchExpressions: 24 | - key: topology.kubernetes.io/zone 25 | operator: In 26 | values: 27 | - northeurope-3 28 | automountServiceAccountToken: false 29 | containers: 30 | - name: cpu-stress 31 | image: containerstack/cpustress 32 | imagePullPolicy: Always 33 | args: ["--timeout", "3600s", "--cpu", "2"] 34 | resources: 35 | requests: 36 | cpu: 0.5 37 | memory: 128Mi 38 | securityContext: 39 | runAsNonRoot: true 40 | runAsUser: 65534 41 | runAsGroup: 65534 42 | readOnlyRootFilesystem: true 43 | allowPrivilegeEscalation: false 44 | -------------------------------------------------------------------------------- /istio-custom-redirect/istio-307-redirect.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Gateway 3 | metadata: 4 | name: azst-aks-gateway-redirect 5 | namespace: istio-config 6 | spec: 7 | selector: 8 | istio: ingressgateway # use Istio default gateway implementation 9 | servers: 10 | - hosts: 11 | - "*.danielstechblog.de" 12 | port: 13 | number: 80 14 | name: http 15 | protocol: HTTP 16 | --- 17 | apiVersion: 
networking.istio.io/v1beta1 18 | kind: Gateway 19 | metadata: 20 | name: azst-aks-gateway 21 | namespace: istio-config 22 | spec: 23 | selector: 24 | istio: ingressgateway # use Istio default gateway implementation 25 | servers: 26 | - hosts: 27 | - "*.danielstechblog.de" 28 | port: 29 | number: 443 30 | name: https 31 | protocol: HTTPS 32 | tls: 33 | mode: SIMPLE 34 | credentialName: istio-ingress-cert 35 | --- 36 | apiVersion: networking.istio.io/v1beta1 37 | kind: VirtualService 38 | metadata: 39 | name: redirect 40 | namespace: istio-config 41 | spec: 42 | gateways: 43 | - azst-aks-gateway-redirect 44 | hosts: 45 | - "*.danielstechblog.de" 46 | http: 47 | - name: redirect 48 | redirect: 49 | redirectCode: 307 50 | scheme: https 51 | -------------------------------------------------------------------------------- /envoy-ratelimit/network-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: deny-all-inbound 5 | namespace: ratelimit 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | --- 11 | apiVersion: networking.k8s.io/v1 12 | kind: NetworkPolicy 13 | metadata: 14 | name: allow-istio-ingressgateway 15 | namespace: ratelimit 16 | spec: 17 | podSelector: 18 | matchLabels: 19 | app: ratelimit 20 | policyTypes: 21 | - Ingress 22 | ingress: 23 | - from: 24 | - namespaceSelector: {} 25 | podSelector: 26 | matchLabels: 27 | istio: ingressgateway 28 | ports: 29 | - port: 8081 30 | --- 31 | apiVersion: networking.k8s.io/v1 32 | kind: NetworkPolicy 33 | metadata: 34 | name: allow-oms-agent 35 | namespace: ratelimit 36 | spec: 37 | podSelector: 38 | matchLabels: 39 | app: ratelimit 40 | policyTypes: 41 | - Ingress 42 | ingress: 43 | - from: 44 | - namespaceSelector: {} 45 | podSelector: 46 | matchLabels: 47 | rsName: omsagent-rs 48 | - namespaceSelector: {} 49 | podSelector: 50 | matchLabels: 51 | component: oms-agent 52 | ports: 53 | 
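- port: 9102
--------------------------------------------------------------------------------
/kured/kured-ds.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kured # Must match `--ds-name`
  namespace: kube-system # Must match `--ds-namespace`
spec:
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  selector:
    matchLabels:
      name: kured
  template:
    metadata:
      labels:
        name: kured
    spec:
      # NOTE(review): no serviceAccountName is set, so the pod runs with the
      # kube-system default service account; kured needs RBAC to cordon/drain
      # nodes and to annotate its DaemonSet — confirm the bindings exist.
      containers:
        - name: kured
          # NOTE(review): this tag targets Kubernetes 1.10 and is years old;
          # move to a current release before relying on it.
          image: quay.io/weaveworks/kured:support-k8s-1.10-5731b98
          imagePullPolicy: IfNotPresent
          command:
            - /usr/bin/kured
          args:
            - --ds-name=kured
            - --ds-namespace=kube-system
            - --lock-annotation=weave.works/kured-node-lock
            - --period=1h
            - --reboot-sentinel=/var/run/reboot-required
          env:
            - name: KURED_NODE_ID
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            # kured only needs to see the reboot sentinel, and /var/run also
            # holds host sockets (container runtime etc.); read-only limits what
            # a compromised pod could reach through this mount.
            - name: hostrun
              mountPath: /var/run
              readOnly: true
      restartPolicy: Always
      volumes:
        - name: hostrun
          hostPath:
            path: /var/run
--------------------------------------------------------------------------------
/omsagent/deployOmsAgentOnAks.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Creates (or updates) a Log Analytics workspace through an ARM template,
# stores its id and primary key in the `omsagent-secret` Secret of kube-system
# and deploys the OMS agent DaemonSet.
#
# Usage: deployOmsAgentOnAks.sh <workspace-name> <resource-group>
set -e
set -o pipefail

omsWorkspaceName=$1
resourceGroupName=$2
# NOTE(review): both URLs point at a branch head, so whatever is on `master`
# at run time is deployed into kube-system. Pin them to a tag or commit, or
# vendor the files next to this script, so the deployed content is reviewable.
gitHubTemplateUri='https://raw.githubusercontent.com/neumanndaniel/armtemplates/master/output/logAnalyticsWorkspace.json'
gitHubLogAnalyticsAgentUri='https://raw.githubusercontent.com/neumanndaniel/kubernetes/master/omsagent/oms-daemonset.yaml'

#Get Log Analytics workspaceId and primary key, and deploy Log Analytics agent on the AKS cluster
# `az group deployment create` is the deprecated spelling of `az deployment group create`.
output=$(az deployment group create --resource-group "$resourceGroupName" --template-uri "$gitHubTemplateUri" --parameters workspaceName="$omsWorkspaceName" --verbose)

workspaceId=$(echo "$output" | jq -r .properties.outputs.workspaceId.value)
primaryKey=$(echo "$output" | jq -r .properties.outputs.primaryKey.value)

# The Secret is rendered by kubectl and piped straight to the API server: the
# workspace key no longer lands in a plain-text omsagent-secret.yaml in the
# working directory, and re-runs update the Secret instead of failing.
# kubectl base64-encodes the values itself, so no manual encoding is needed.
kubectl create secret generic omsagent-secret \
  --namespace kube-system \
  --from-literal=WSID="$workspaceId" \
  --from-literal=KEY="$primaryKey" \
  --dry-run=client -o yaml | kubectl apply -f -

wget "$gitHubLogAnalyticsAgentUri" --output-document=oms-daemonset.yaml

kubectl apply -f ./oms-daemonset.yaml
--------------------------------------------------------------------------------
/hxe-aci/deploy_HXE_ACI.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: aci-hxe-instance
  labels:
    name: aci-hxe-instance
spec:
  restartPolicy: OnFailure
  volumes:
    - name: hxe-config
      secret:
        # 420 = 0644: the master password file is readable by every user inside
        # the container. Lowering it requires the HANA process user to keep
        # read access (owner/fsGroup) — verify before tightening.
        defaultMode: 420
        secretName: masterpassword
  imagePullSecrets:
    - name: docker-secret
  containers:
    - name: aci-hxe-instance
      image: "registry-1.docker.io/store/saplabs/hanaexpress:2.00.045.00.20200121.1"
      resources:
        requests:
          memory: 14G
          cpu: 4
        limits:
          memory: 14G
          cpu: 4
      ports:
        - containerPort: 39013
          name: port1
        - containerPort: 39015
          name: port2
        - containerPort: 39017
          name: port3
        - containerPort: 39041
          name: port4
        - containerPort: 59013
          name: port5
      # The master password is read from the mounted Secret file rather than
      # being passed on the command line (where it would show up in the pod spec).
      args: [ "/bin/bash", "-c", "/run_hana --agree-to-sap-license --dont-check-system --passwords-url file:///hana/hxeconfig/masterPassword.json" ]
      volumeMounts:
        - name: hxe-config
          mountPath: /hana/hxeconfig
  dnsPolicy: ClusterFirst
  nodeName: virtual-kubelet-hxe-linux
  tolerations:
    -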
key: azure.com/aci 45 | effect: NoSchedule 46 | -------------------------------------------------------------------------------- /helm/charts/function-figlet/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ template "function-figlet.fullname" . }} 5 | namespace: {{ .Values.general.namespace }} 6 | labels: 7 | app: {{ template "function-figlet.name" . }} 8 | chart: {{ .Chart.Name }}-{{ .Chart.Version }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | spec: 12 | replicas: 1 13 | strategy: 14 | rollingUpdate: 15 | maxSurge: 1 16 | maxUnavailable: 1 17 | minReadySeconds: 5 18 | selector: 19 | matchLabels: 20 | app: {{ template "function-figlet.name" . }} 21 | release: {{ .Release.Name }} 22 | template: 23 | metadata: 24 | labels: 25 | app: {{ template "function-figlet.name" . }} 26 | release: {{ .Release.Name }} 27 | spec: 28 | containers: 29 | - name: {{ .Values.container.name }} 30 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 31 | imagePullPolicy: {{ .Values.image.pullPolicy }} 32 | ports: 33 | - containerPort: {{ .Values.container.port }} 34 | resources: 35 | requests: 36 | cpu: {{ .Values.container.requests.cpu }} 37 | memory: {{ .Values.container.requests.memory }} 38 | limits: 39 | cpu: {{ .Values.container.limits.cpu }} 40 | memory: {{ .Values.container.limits.memory }} -------------------------------------------------------------------------------- /helm/charts/function-akscnicalc/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ template "function-akscnicalc.fullname" . }} 5 | namespace: {{ .Values.general.namespace }} 6 | labels: 7 | app: {{ template "function-akscnicalc.name" . 
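}}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  replicas: 1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  minReadySeconds: 5
  selector:
    matchLabels:
      app: {{ template "function-akscnicalc.name" . }}
      release: {{ .Release.Name }}
  template:
    metadata:
      labels:
        app: {{ template "function-akscnicalc.name" . }}
        release: {{ .Release.Name }}
    spec:
      containers:
        - name: {{ .Values.container.name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - containerPort: {{ .Values.container.port }}
          resources:
            requests:
              cpu: {{ .Values.container.requests.cpu }}
              memory: {{ .Values.container.requests.memory }}
            limits:
              cpu: {{ .Values.container.limits.cpu }}
              memory: {{ .Values.container.limits.memory }}
--------------------------------------------------------------------------------
/k3s/azpagent.yaml:
--------------------------------------------------------------------------------
# Self-hosted Azure Pipelines agent pinned to the k3s control-plane node.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: azp-agent
spec:
  replicas: 1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  minReadySeconds: 5
  selector:
    matchLabels:
      app: azp-agent
  template:
    metadata:
      labels:
        app: azp-agent
    spec:
      imagePullSecrets:
        - name: REDACTED
      containers:
        - name: azp-agent
          image: REDACTED.azurecr.io/azp:0.0.1
          imagePullPolicy: IfNotPresent
          env:
            - name: AZP_URL
              valueFrom:
                secretKeyRef:
                  name: azp
                  key: AZP_URL
            # The agent PAT stays in the `azp` Secret; it is never written into
            # the manifest.
            - name: AZP_TOKEN
              valueFrom:
                secretKeyRef:
                  name: azp
                  key: AZP_TOKEN
            - name: AZP_POOL
              value: k3s
          volumeMounts:
            - mountPath: /var/run/docker.sock
              name: docker-volume
      volumes:
        - name: docker-volume
          hostPath:
            # Fixed: the stray trailing quote (`docker.sock'`) pointed at a
            # non-existent path, which hostPath would have created as an empty
            # directory. `type: Socket` now fails the pod instead if the
            # socket is missing.
            # NOTE(review): handing the host Docker socket to the agent gives
            # every pipeline job that lands here root-equivalent control of the
            # node — and via the nodeSelector below, of the k3s master.
            # Restrict which pipelines may use the `k3s` pool, or switch to a
            # daemonless/rootless image builder.
            path: /var/run/docker.sock
            type: Socket
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Equal
          value: "true"
          effect: NoSchedule
      nodeSelector:
        kubernetes.io/role: master
--------------------------------------------------------------------------------
/containerImages/linux/go-webapp/go-webapp/index.html:
--------------------------------------------------------------------------------


Azure Kubernetes Service


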
9 |
10 |

Hello Azure people!

11 |

12 | Now we are running on Azure Kubernetes Service! 13 |

14 |
15 |

16 | Checkout:
17 | -> AKS documentation: https://docs.microsoft.com/en-us/azure/aks/
18 | -> AKS Azure PowerShell reference: https://docs.microsoft.com/en-us/powershell/module/azurerm.aks/?view=azurermps-5.7.0#aks
19 | -> AKS Azure CLI reference: https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest
20 | -> AKS Azure Resource Manager template reference: https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters
21 |

22 |
23 |
24 | 25 | -------------------------------------------------------------------------------- /conftest/constraint-template.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: templates.gatekeeper.sh/v1beta1 2 | kind: ConstraintTemplate 3 | metadata: 4 | name: k8sdisableautomountserviceaccounttoken 5 | spec: 6 | crd: 7 | spec: 8 | names: 9 | kind: K8sDisableAutomountServiceAccountToken 10 | targets: 11 | - target: admission.k8s.gatekeeper.sh 12 | rego: | 13 | package k8sdisableautomountserviceaccounttoken 14 | 15 | missing(obj) = true { 16 | not obj.automountServiceAccountToken == true 17 | not obj.automountServiceAccountToken == false 18 | obj.serviceAccount == "default" 19 | } 20 | 21 | check(obj) = true { 22 | obj.automountServiceAccountToken 23 | obj.serviceAccount == "default" 24 | } 25 | 26 | violation[{"msg": msg}] { 27 | p := input_pod[_] 28 | missing(p.spec) 29 | msg := sprintf("automountServiceAccountToken field is missing for pod %v while using Service Account %v", [p.metadata.name, p.spec.serviceAccount]) 30 | } 31 | 32 | violation[{"msg": msg, "details": {}}] { 33 | p := input_pod[_] 34 | check(p.spec) 35 | msg := sprintf("Service Account token automount is not allowed for pod %v while using Service Account %v, spec.automountServiceAccountToken: %v", [p.metadata.name, p.spec.serviceAccount, p.spec.automountServiceAccountToken]) 36 | } 37 | 38 | input_pod[p] { 39 | p := input.review.object 40 | } 41 | -------------------------------------------------------------------------------- /istio/istio-1.21.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | metadata: 4 | namespace: istio-system 5 | name: istiocontrolplane 6 | spec: 7 | components: 8 | base: 9 | enabled: true 10 | cni: 11 | enabled: false 12 | ingressGateways: 13 | - enabled: true 14 | name: istio-ingressgateway 15 | k8s: 16 | hpaSpec: 17 | 
minReplicas: 3 18 | maxReplicas: 6 19 | overlays: 20 | - apiVersion: v1 21 | kind: Service 22 | name: istio-ingressgateway 23 | patches: 24 | - path: spec.ports 25 | value: 26 | - name: status-port 27 | port: 15021 28 | targetPort: 15021 29 | protocol: TCP 30 | - name: http2 31 | port: 80 32 | targetPort: 8080 33 | protocol: TCP 34 | - name: https 35 | port: 443 36 | targetPort: 8443 37 | protocol: TCP 38 | pilot: 39 | enabled: true 40 | k8s: 41 | hpaSpec: 42 | minReplicas: 3 43 | maxReplicas: 6 44 | meshConfig: 45 | accessLogFile: "/dev/stdout" 46 | accessLogEncoding: "JSON" 47 | values: 48 | global: 49 | istiod: 50 | enableAnalysis: true 51 | pilot: 52 | env: 53 | PILOT_ENABLE_STATUS: true 54 | ENABLE_NATIVE_SIDECARS: true 55 | sidecarInjectorWebhook: 56 | rewriteAppHTTPProbe: true 57 | -------------------------------------------------------------------------------- /envoy-ratelimit/container-azm-ms-agentconfig.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: container-azm-ms-agentconfig 5 | namespace: kube-system 6 | data: 7 | schema-version: v1 8 | config-version: 1.0.0 9 | log-data-collection-settings: |- 10 | [log_collection_settings] 11 | [log_collection_settings.stdout] 12 | enabled = true 13 | exclude_namespaces = ["kube-system"] 14 | [log_collection_settings.stderr] 15 | enabled = true 16 | exclude_namespaces = ["kube-system"] 17 | [log_collection_settings.env_var] 18 | enabled = true 19 | [log_collection_settings.enrich_container_logs] 20 | enabled = false 21 | [log_collection_settings.collect_all_kube_events] 22 | enabled = false 23 | 24 | prometheus-data-collection-settings: |- 25 | [prometheus_data_collection_settings.cluster] 26 | interval = "1m" 27 | fieldpass = [ 28 | "ratelimit_service_config_load_success", 29 | "ratelimit_service_config_load_error", 30 | "ratelimit_service_rate_limit_near_limit", 31 | "ratelimit_service_rate_limit_over_limit", 32 
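"ratelimit_service_rate_limit_total_hits",
"ratelimit_service_rate_limit_within_limit",
"ratelimit_service_should_rate_limit_error",
"ratelimit_service_total_requests",
"ratelimit_service_response_time_seconds"
]
monitor_kubernetes_pods = true
monitor_kubernetes_pods_namespaces = ["ratelimit"]

--------------------------------------------------------------------------------
/cluster-autoscaler/ca-generate-secret.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Generates the Kubernetes Secret consumed by the Azure cluster-autoscaler and
# prints it to stdout (pipe it into `kubectl apply -f -`). The Secret carries a
# freshly created service principal, so the output is sensitive.
#
# Input: the AKS cluster name and its resource group are prompted for.
# Requires a logged-in `az` CLI plus `jq` and `base64` on PATH.

set -e
set -o pipefail

ID=$(az account show --query id)
SUBSCRIPTION_ID=$(echo -n "$ID" | tr -d '"')

TENANT=$(az account show --query tenantId)
TENANT_ID=$(echo -n "$TENANT" | tr -d '"' | base64 --wrap=0)

read -p "What is your AKS cluster name? " AKS_CLUSTER_NAME
read -p "What is the AKS cluster resource group name? " AKS_RESOURCE_GROUP

CLUSTER_NAME=$(echo -n "$AKS_CLUSTER_NAME" | base64 --wrap=0)
RESOURCE_GROUP=$(echo -n "$AKS_RESOURCE_GROUP" | base64 --wrap=0)

# Resolve the node resource group before creating the service principal: the
# autoscaler only manages the scale sets that live there, so Contributor is
# granted on that resource group instead of on the whole subscription.
NODE_RESOURCE_GROUP_NAME=$(az aks show --name "$AKS_CLUSTER_NAME" --resource-group "$AKS_RESOURCE_GROUP" -o tsv --query 'nodeResourceGroup' | tr -d '\n')
NODE_RESOURCE_GROUP=$(echo -n "$NODE_RESOURCE_GROUP_NAME" | base64 --wrap=0)

PERMISSIONS=$(az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$NODE_RESOURCE_GROUP_NAME")
# `jq -r` yields the raw string. The former `tr -d '"','\n'` expanded to the
# set {", ",", newline} and so also stripped every comma, which would corrupt
# a client secret that contains one.
CLIENT_ID=$(echo "$PERMISSIONS" | jq -r .appId | tr -d '\n' | base64 --wrap=0)
CLIENT_SECRET=$(echo "$PERMISSIONS" | jq -r .password | tr -d '\n' | base64 --wrap=0)

SUBSCRIPTION_ID=$(echo -n "$ID" | tr -d '"' | base64 --wrap=0)

# All data values are already base64-encoded; VMType is the fixed value "aks".
echo "---
apiVersion: v1
kind: Secret
metadata:
  name: cluster-autoscaler-azure
  namespace: kube-system
data:
  ClientID: $CLIENT_ID
  ClientSecret: $CLIENT_SECRET
  ResourceGroup: $RESOURCE_GROUP
  SubscriptionID: $SUBSCRIPTION_ID
  TenantID: $TENANT_ID
  VMType: YWtz
  ClusterName: $CLUSTER_NAME
  NodeResourceGroup: $NODE_RESOURCE_GROUP
---"

--------------------------------------------------------------------------------
/conftest/test.rego:
--------------------------------------------------------------------------------
package main

# Policy: a workload that runs under the "default" service account must opt
# out of token automount explicitly (spec.automountServiceAccountToken: false).
#
# The service account is read from spec.serviceAccountName, the canonical
# PodSpec field, falling back to its deprecated alias spec.serviceAccount.
# Checking only the alias (as before) reported every pod that sets a custom
# serviceAccountName as "using Service Account default".

# Effective service account of a pod spec: canonical field when non-empty.
effectiveServiceAccount(obj) = name {
    name := obj.serviceAccountName
    name != ""
}

# Deprecated alias, consulted only when the canonical field is unset or empty.
effectiveServiceAccount(obj) = name {
    not obj.serviceAccountName != ""
    name := obj.serviceAccount
    name != ""
}

# Neither field names a service account: Kubernetes falls back to "default".
effectiveServiceAccount(obj) = "default" {
    not obj.serviceAccountName != ""
    not obj.serviceAccount != ""
}

usesDefaultServiceAccount(obj) {
    effectiveServiceAccount(obj) == "default"
}

# automountServiceAccountToken is neither true nor false (i.e. unset) while the
# default service account is in use.
missing(obj) {
    not obj.automountServiceAccountToken == true
    not obj.automountServiceAccountToken == false
    usesDefaultServiceAccount(obj)
}

# automountServiceAccountToken is explicitly true while the default service
# account is in use.
check(obj) {
    obj.automountServiceAccountToken
    usesDefaultServiceAccount(obj)
}

violation[{"msg": msg}] {
    p := input_pod[_]
    missing(p.spec)
    msg := sprintf("automountServiceAccountToken field is missing for %v %v while using Service Account default", [input.kind, input.metadata.name])
}

violation[{"msg": msg, "details": {}}] {
    p := input_pod[_]
    check(p.spec)
    msg := sprintf("Service Account token automount is not allowed for %v %v while using Service Account default, spec.automountServiceAccountToken: %v", [input.kind, input.metadata.name, p.spec.automountServiceAccountToken])
}

# Pod templates of the supported top-level kinds.
input_pod[p] {
    input.kind == "Deployment"
    p := input.spec.template
}

input_pod[p] {
    input.kind == "CronJob"
    p := input.spec.jobTemplate.spec.template
}

input_pod[p] {
    input.kind == "Pod"
    p := input
}

--------------------------------------------------------------------------------
/helm/charts/function-figlet/templates/service.yaml: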
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ template "function-figlet.fullname" . }} 5 | namespace: {{ .Values.general.namespace }} 6 | labels: 7 | app: {{ template "function-figlet.name" . }} 8 | chart: {{ .Chart.Name }}-{{ .Chart.Version }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | annotations: {{ if .Values.ambassador.enabled }} 12 | getambassador.io/config: | 13 | --- 14 | apiVersion: ambassador/v1 15 | kind: Mapping 16 | name: {{ template "function-figlet.fullname" . }} 17 | prefix: {{ .Values.ambassador.prefix }} 18 | {{ if .Values.ambassador.hostEnabled }} 19 | host: {{ .Values.ambassador.host }} 20 | {{end}} 21 | service: {{ template "function-figlet.fullname" . }}{{ if .Values.linkerd.enabled }}.{{ .Values.general.namespace }}.svc.cluster.local{{end}} 22 | timeout_ms: {{ .Values.ambassador.timeout }} 23 | {{ if .Values.linkerd.enabled }} 24 | add_request_headers: 25 | l5d-dst-override: {{ template "function-figlet.fullname" . }}.{{ .Values.general.namespace }}.svc.cluster.local:{{ .Values.service.ports.port }} 26 | {{end}} 27 | {{end}} 28 | spec: 29 | type: {{ if .Values.service.noIngress }} {{ .Values.service.type }} {{end}} 30 | ports: 31 | - port: {{ .Values.service.ports.port }} 32 | targetPort: {{ .Values.service.ports.targetPort }} 33 | selector: 34 | app: {{ template "function-figlet.name" . 
}}
release: {{ .Release.Name }}

--------------------------------------------------------------------------------
/acr/Remove-UntaggedManifestsDockerBuildx.ps1:
--------------------------------------------------------------------------------
# Deletes untagged ("dangling") manifests from every Azure Container Registry in
# the current Az context, while keeping the per-platform child manifests that a
# multi-arch image index (e.g. one pushed by `docker buildx`) still references.
$ACRS = Get-AzContainerRegistry
foreach ($ACR in $ACRS) {
    # NOTE(review): these appear to be the registry-wide admin user credentials,
    # so the admin user must be enabled on each registry — confirm.
    $ACR_CREDS = Get-AzContainerRegistryCredential -ResourceGroupName $ACR.ResourceGroupName -Name $ACR.Name
    [PSCredential]$CREDENTIAL = New-Object System.Management.Automation.PSCredential ($ACR_CREDS.Username, (ConvertTo-SecureString $ACR_CREDS.Password -AsPlainText -Force))
    # Accept both OCI image indexes and Docker v2 manifests so an index's children can be read.
    $HEADERS = @{ 'accept' = 'application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.v2+json' }
    $ACR_URL = $ACR.LoginServer
    $REPOS = Get-AzContainerRegistryRepository -RegistryName $ACR.Name
    foreach ($REPO in $REPOS) {
        # Digests referenced by an index already visited in this repository; never deleted.
        $EXCLUDE_LIST = @()
        Write-OutPut "########################"
        Write-Output "Processing repository: $REPO"
        # Newest first: relies on an index being updated after its children, so the
        # index is visited (and its children excluded) before those children come up.
        $MANIFESTS = (Get-AzContainerRegistryManifest -RegistryName $ACR.Name -RepositoryName $REPO).ManifestsAttributes | Sort-Object -Property LastUpdateTime -Descending
        foreach ($ITEM in $MANIFESTS) {
            # Despite the name, $TAG holds the manifest digest.
            $TAG = $ITEM.digest
            # Fetch the manifest by digest; an index carries a `manifests` list of child digests.
            $ITEM_DETAILS = Invoke-RestMethod -Uri https://$ACR_URL/v2/$REPO/manifests/$TAG -Authentication Basic -Method Get -Credential $CREDENTIAL -Headers $HEADERS
            if ($ITEM_DETAILS.manifests -ne $null) {
                $EXCLUDE_LIST += $ITEM_DETAILS.manifests.digest
            }
            # Untagged and not a child of a known index: treated as dangling and deleted.
            if ($ITEM.Tags -eq $null -and $ITEM.digest -notin $EXCLUDE_LIST) {
                Write-OutPut "------------------------"
                Write-Output "Delete dangling image $REPO@$TAG"
                Remove-AzContainerRegistryManifest -RegistryName $ACR.Name -RepositoryName $REPO -Manifest $TAG
            }
        }
    }
}

--------------------------------------------------------------------------------
/helm/charts/function-akscnicalc/templates/service.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ template "function-akscnicalc.fullname" . }} 5 | namespace: {{ .Values.general.namespace }} 6 | labels: 7 | app: {{ template "function-akscnicalc.name" . }} 8 | chart: {{ .Chart.Name }}-{{ .Chart.Version }} 9 | release: {{ .Release.Name }} 10 | heritage: {{ .Release.Service }} 11 | annotations: {{ if .Values.ambassador.enabled }} 12 | getambassador.io/config: | 13 | --- 14 | apiVersion: ambassador/v1 15 | kind: Mapping 16 | name: {{ template "function-akscnicalc.fullname" . }} 17 | prefix: {{ .Values.ambassador.prefix }} 18 | {{ if .Values.ambassador.hostEnabled }} 19 | host: {{ .Values.ambassador.host }} 20 | {{end}} 21 | service: {{ template "function-akscnicalc.fullname" . }}{{ if .Values.linkerd.enabled }}.{{ .Values.general.namespace }}.svc.cluster.local{{end}} 22 | timeout_ms: {{ .Values.ambassador.timeout }} 23 | {{ if .Values.linkerd.enabled }} 24 | add_request_headers: 25 | l5d-dst-override: {{ template "function-akscnicalc.fullname" . }}.{{ .Values.general.namespace }}.svc.cluster.local:{{ .Values.service.ports.port }} 26 | {{end}} 27 | {{end}} 28 | spec: 29 | type: {{ if .Values.service.noIngress }} {{ .Values.service.type }} {{end}} 30 | ports: 31 | - port: {{ .Values.service.ports.port }} 32 | targetPort: {{ .Values.service.ports.targetPort }} 33 | selector: 34 | app: {{ template "function-akscnicalc.name" . 
}} 35 | release: {{ .Release.Name }} 36 | -------------------------------------------------------------------------------- /istio/istio-1.6.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | spec: 4 | tag: 1.6.8-distroless 5 | addonComponents: 6 | grafana: 7 | enabled: true 8 | tracing: 9 | enabled: true 10 | kiali: 11 | enabled: true 12 | prometheus: 13 | enabled: true 14 | components: 15 | base: 16 | enabled: true 17 | cni: 18 | enabled: true 19 | tag: 1.6.8 20 | ingressGateways: 21 | - enabled: true 22 | k8s: 23 | hpaSpec: 24 | minReplicas: 2 25 | overlays: 26 | - apiVersion: v1 27 | kind: Service 28 | name: istio-ingressgateway 29 | patches: 30 | - path: spec.ports 31 | value: 32 | - name: status-port 33 | port: 15021 34 | targetPort: 15021 35 | - name: http2 36 | port: 80 37 | targetPort: 80 38 | - name: https 39 | port: 443 40 | targetPort: 443 41 | pilot: 42 | enabled: true 43 | k8s: 44 | hpaSpec: 45 | minReplicas: 2 46 | meshConfig: 47 | accessLogFile: "/dev/stdout" 48 | accessLogEncoding: "JSON" 49 | values: 50 | global: 51 | controlPlaneSecurityEnabled: true 52 | cni: 53 | excludeNamespaces: 54 | - istio-system 55 | - kube-system 56 | - kube-node-lease 57 | - kube-public 58 | gateways: 59 | istio-ingressgateway: 60 | sds: 61 | enabled: true 62 | pilot: 63 | traceSampling: 10.0 64 | sidecarInjectorWebhook: 65 | rewriteAppHTTPProbe: true 66 | -------------------------------------------------------------------------------- /omsagent/deployOmsAgentOnAks.ps1: -------------------------------------------------------------------------------- 1 | #Parameters for AKS OMS deployment 2 | Param( 3 | [Parameter(Mandatory=$true,Position=1)] 4 | [string]$omsWorkspaceName, 5 | [Parameter(Mandatory=$true,Position=2)] 6 | [string]$resourceGroupName 7 | ) 8 | 9 | #Variables for AKS OMS deployment 10 | 
$gitHubTemplateUri='https://raw.githubusercontent.com/neumanndaniel/armtemplates/master/output/logAnalyticsWorkspace.json' 11 | $gitHubLogAnalyticsAgentUri='https://raw.githubusercontent.com/neumanndaniel/kubernetes/master/omsagent/oms-daemonset.yaml' 12 | 13 | #Get Log Analytics workspaceId and primary key, and deploy Log Analytics agent on the AKS cluster 14 | $output=az group deployment create --resource-group $resourceGroupName --template-uri $gitHubTemplateUri --parameters workspaceName=$omsWorkspaceName --verbose|ConvertFrom-Json 15 | 16 | $workspaceId=$output.properties.outputs.workspaceId.value 17 | $primaryKey=$output.properties.outputs.primaryKey.value 18 | 19 | $workspaceIdEncoded=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($workspaceId)) 20 | $primaryKeyEncoded=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($primaryKey)) 21 | 22 | $yamlDefinition='apiVersion: v1 23 | data: 24 | KEY: '+$primaryKeyEncoded+' 25 | WSID: '+$workspaceIdEncoded+' 26 | kind: Secret 27 | metadata: 28 | name: omsagent-secret 29 | namespace: kube-system 30 | type: Opaque' 31 | 32 | Write-Output $yamlDefinition > omsagent-secret.yaml 33 | 34 | kubectl apply -f ./omsagent-secret.yaml 35 | 36 | Invoke-WebRequest $gitHubLogAnalyticsAgentUri -OutFile ./oms-daemonset.yaml 37 | 38 | kubectl apply -f ./oms-daemonset.yaml 39 | -------------------------------------------------------------------------------- /istio-tls-passthrough/istio-operator-default.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | metadata: 4 | namespace: istio-system 5 | name: istiocontrolplane 6 | spec: 7 | components: 8 | base: 9 | enabled: true 10 | cni: 11 | enabled: true 12 | ingressGateways: 13 | - enabled: true 14 | name: istio-ingressgateway 15 | k8s: 16 | hpaSpec: 17 | minReplicas: 2 18 | overlays: 19 | - apiVersion: v1 20 | kind: Service 21 | name: 
istio-ingressgateway 22 | patches: 23 | - path: spec.ports 24 | value: 25 | - name: status-port 26 | port: 15021 27 | targetPort: 15021 28 | protocol: TCP 29 | - name: http2 30 | port: 80 31 | targetPort: 8080 32 | protocol: TCP 33 | - name: https 34 | port: 443 35 | targetPort: 8443 36 | protocol: TCP 37 | pilot: 38 | enabled: true 39 | k8s: 40 | hpaSpec: 41 | minReplicas: 2 42 | meshConfig: 43 | accessLogFile: "/dev/stdout" 44 | accessLogEncoding: "JSON" 45 | values: 46 | global: 47 | istiod: 48 | enableAnalysis: true 49 | cni: 50 | excludeNamespaces: 51 | - istio-system 52 | - kube-system 53 | pilot: 54 | env: 55 | PILOT_ENABLE_STATUS: true 56 | sidecarInjectorWebhook: 57 | rewriteAppHTTPProbe: true 58 | -------------------------------------------------------------------------------- /k3s/installRaspbian.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | set -o pipefail 5 | 6 | RPHOSTNAME=$1 7 | RPMOUNTPATH=$2 8 | PUBLICSSHKEY=$3 9 | RPTIMEZONE=$4 10 | 11 | IMAGE=$(ls raspbian.img) 12 | if [[ -z "$IMAGE" ]]; then 13 | wget https://downloads.raspberrypi.org/raspbian_lite_latest -O raspbian.zip 14 | unzip raspbian.zip 15 | mv *.img raspbian.img 16 | rm -f raspbian.zip 17 | fi 18 | 19 | sudo dd bs=1M if=raspbian.img of=/dev/sda status=progress 20 | 21 | sudo mkdir $RPMOUNTPATH 22 | sudo mount /dev/sda2 $RPMOUNTPATH 23 | cat wpa_supplicant.conf | sudo tee -a $RPMOUNTPATH/etc/wpa_supplicant/wpa_supplicant.conf > /dev/null 24 | echo $RPHOSTNAME | sudo tee $RPMOUNTPATH/etc/hostname > /dev/null 25 | echo "127.0.1.1 $RPHOSTNAME" | sudo tee -a $RPMOUNTPATH/etc/hosts 26 | 27 | sudo rm $RPMOUNTPATH/etc/localtime 28 | sudo cp $RPMOUNTPATH/usr/share/zoneinfo/$RPTIMEZONE $RPMOUNTPATH/etc/localtime 29 | 30 | sudo sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/g' $RPMOUNTPATH/etc/ssh/sshd_config 31 | sudo sed -i 's/^UsePAM yes/UsePAM no/g' $RPMOUNTPATH/etc/ssh/sshd_config 32 | sudo mkdir 
$RPMOUNTPATH/home/pi/.ssh 33 | echo -n $PUBLICSSHKEY >> authorized_keys 34 | sudo mv authorized_keys $RPMOUNTPATH/home/pi/.ssh/ 35 | chmod 644 $RPMOUNTPATH/home/pi/.ssh/authorized_keys 36 | 37 | sudo umount $RPMOUNTPATH 38 | sudo mount /dev/sda1 $RPMOUNTPATH 39 | sudo touch $RPMOUNTPATH/ssh 40 | 41 | echo -n ' cgroup_enable=cpuset cgroup_enable=memory' | sudo tee -a $RPMOUNTPATH/cmdline.txt 42 | sudo sh -c "tr -d '\n' < $RPMOUNTPATH/cmdline.txt > $RPMOUNTPATH/cmdline2.txt" 43 | sudo mv $RPMOUNTPATH/cmdline2.txt $RPMOUNTPATH/cmdline.txt 44 | 45 | sudo umount $RPMOUNTPATH 46 | -------------------------------------------------------------------------------- /istio/istio-1.7.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | metadata: 4 | namespace: istio-system 5 | name: istiocontrolplane 6 | spec: 7 | tag: 1.7.0-distroless 8 | addonComponents: 9 | grafana: 10 | enabled: true 11 | tracing: 12 | enabled: true 13 | kiali: 14 | enabled: true 15 | prometheus: 16 | enabled: true 17 | components: 18 | base: 19 | enabled: true 20 | cni: 21 | enabled: true 22 | ingressGateways: 23 | - enabled: true 24 | name: istio-ingressgateway 25 | k8s: 26 | hpaSpec: 27 | minReplicas: 2 28 | overlays: 29 | - apiVersion: v1 30 | kind: Service 31 | name: istio-ingressgateway 32 | patches: 33 | - path: spec.ports 34 | value: 35 | - name: status-port 36 | port: 15021 37 | targetPort: 15021 38 | - name: http2 39 | port: 80 40 | targetPort: 8080 41 | - name: https 42 | port: 443 43 | targetPort: 8443 44 | pilot: 45 | enabled: true 46 | k8s: 47 | hpaSpec: 48 | minReplicas: 2 49 | meshConfig: 50 | accessLogFile: "/dev/stdout" 51 | accessLogEncoding: "JSON" 52 | values: 53 | global: 54 | controlPlaneSecurityEnabled: true 55 | istiod: 56 | enableAnalysis: true 57 | cni: 58 | excludeNamespaces: 59 | - istio-system 60 | - kube-system 61 | gateways: 62 | istio-ingressgateway: 63 | sds: 64 | 
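enabled: true
pilot:
traceSampling: 10.0
env:
PILOT_ENABLE_STATUS: true
sidecarInjectorWebhook:
rewriteAppHTTPProbe: true

--------------------------------------------------------------------------------
/kured/kured-ds-rbac.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kured
  namespace: kube-system
---
# Least-privilege role in place of the former cluster-admin binding: kured only
# has to cordon/drain nodes and read its own DaemonSet. The rules mirror the
# RBAC shipped with kured upstream; confirm them against the image version
# pinned in the DaemonSet below before rolling out.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kured
rules:
# read spec.unschedulable and patch it to cordon/uncordon the node
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "patch"]
# drain: list the pods on the node and evict them
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "delete", "get"]
- apiGroups: [""]
  resources: ["pods/eviction"]
  verbs: ["create"]
# look up its own DaemonSet (`--ds-name` / `--ds-namespace`)
- apiGroups: ["extensions", "apps"]
  resources: ["daemonsets"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kured
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kured
subjects:
- kind: ServiceAccount
  name: kured
  namespace: kube-system
---
# kured keeps the node reboot lock as an annotation (`--lock-annotation`) on
# its own DaemonSet, so write access is confined to that one object.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kured
  namespace: kube-system
rules:
- apiGroups: ["extensions", "apps"]
  resources: ["daemonsets"]
  resourceNames: ["kured"]
  verbs: ["update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kured
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kured
subjects:
- kind: ServiceAccount
  name: kured
  namespace: kube-system
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kured # Must match `--ds-name`
  namespace: kube-system # Must match `--ds-namespace`
spec:
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  selector:
    matchLabels:
      name: kured
  template:
    metadata:
      labels:
        name: kured
    spec:
      serviceAccountName: kured
      containers:
      - name: kured
        image: quay.io/weaveworks/kured:support-k8s-1.10-5731b98
        imagePullPolicy: IfNotPresent
        command:
        - /usr/bin/kured
        args:
        - --ds-name=kured
        - --ds-namespace=kube-system
        - --lock-annotation=weave.works/kured-node-lock
        - --period=1h
        - --reboot-sentinel=/var/run/reboot-required
        env:
        - name: KURED_NODE_ID
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        volumeMounts:
        # host /var/run is mounted so the reboot sentinel above is visible
        - name: hostrun
          mountPath: /var/run
      restartPolicy: Always
      volumes:
      - name: hostrun
        hostPath:
          path: /var/run

--------------------------------------------------------------------------------
/istio-tls-passthrough/istio-operator-tls-passthrough.yaml: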
-------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | metadata: 4 | namespace: istio-system 5 | name: istiocontrolplane 6 | spec: 7 | components: 8 | base: 9 | enabled: true 10 | cni: 11 | enabled: true 12 | ingressGateways: 13 | - enabled: true 14 | name: istio-ingressgateway 15 | k8s: 16 | hpaSpec: 17 | minReplicas: 2 18 | overlays: 19 | - apiVersion: v1 20 | kind: Service 21 | name: istio-ingressgateway 22 | patches: 23 | - path: spec.ports 24 | value: 25 | - name: status-port 26 | port: 15021 27 | targetPort: 15021 28 | protocol: TCP 29 | - name: http2 30 | port: 80 31 | targetPort: 8080 32 | protocol: TCP 33 | - name: https 34 | port: 443 35 | targetPort: 8443 36 | protocol: TCP 37 | - name: tls-passthrough 38 | port: 10443 39 | targetPort: 8443 40 | protocol: TCP 41 | pilot: 42 | enabled: true 43 | k8s: 44 | hpaSpec: 45 | minReplicas: 2 46 | meshConfig: 47 | accessLogFile: "/dev/stdout" 48 | accessLogEncoding: "JSON" 49 | values: 50 | global: 51 | istiod: 52 | enableAnalysis: true 53 | cni: 54 | excludeNamespaces: 55 | - istio-system 56 | - kube-system 57 | pilot: 58 | env: 59 | PILOT_ENABLE_STATUS: true 60 | sidecarInjectorWebhook: 61 | rewriteAppHTTPProbe: true 62 | -------------------------------------------------------------------------------- /istio/istio-1.5.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | spec: 4 | addonComponents: 5 | grafana: 6 | enabled: true 7 | tracing: 8 | enabled: true 9 | kiali: 10 | enabled: true 11 | prometheus: 12 | enabled: true 13 | components: 14 | cni: 15 | enabled: true 16 | ingressGateways: 17 | - enabled: true 18 | k8s: 19 | hpaSpec: 20 | minReplicas: 2 21 | overlays: 22 | - apiVersion: v1 23 | kind: Service 24 | name: istio-ingressgateway 25 | patches: 26 | - path: spec.ports 27 | value: 28 | - name: status-port 29 
| port: 15020 30 | targetPort: 15020 31 | - name: http2 32 | port: 80 33 | targetPort: 80 34 | - name: https 35 | port: 443 36 | targetPort: 443 37 | pilot: 38 | enabled: true 39 | k8s: 40 | hpaSpec: 41 | minReplicas: 2 42 | # overlays: 43 | # - apiVersion: policy/v1beta1 44 | # kind: PodDisruptionBudget 45 | # name: istiod 46 | # patches: 47 | # - path: spec.selector.matchLabels 48 | # value: 49 | # app: istiod 50 | # istio: pilot 51 | values: 52 | global: 53 | mtls: 54 | enabled: true 55 | controlPlaneSecurityEnabled: true 56 | proxy: 57 | accessLogFile: "/dev/stdout" 58 | accessLogEncoding: "JSON" 59 | cni: 60 | excludeNamespaces: 61 | - istio-system 62 | - kube-system 63 | - kube-node-lease 64 | - kube-public 65 | gateways: 66 | istio-ingressgateway: 67 | sds: 68 | enabled: true 69 | sidecarInjectorWebhook: 70 | rewriteAppHTTPProbe: true 71 | -------------------------------------------------------------------------------- /hxe-aci/deploy_HXE_ACI_AKS.ps1: -------------------------------------------------------------------------------- 1 | #Variables for HXE ACI deployment 2 | $registryLoginServer='registry-1.docker.io' 3 | $gitHubAciHxeAksUri='https://raw.githubusercontent.com/neumanndaniel/kubernetes/master/hxe-aci/deploy_HXE_ACI.yaml' 4 | 5 | #Prepare deployment files and create master password secret 6 | $credential=Get-Credential -UserName hxeMasterPassword 7 | $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($credential.Password) 8 | $masterPassword=[System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($BSTR) 9 | 10 | $jsonDefinition='{'+'"'+'master_password'+'"'+' : '+'"'+$masterPassword+'"'+'}' 11 | $jsonEncoded=Write-Output $jsonDefinition|base64 12 | 13 | $yamlDefinition='apiVersion: v1 14 | data: 15 | masterPassword.json: '+$jsonEncoded+' 16 | kind: Secret 17 | metadata: 18 | name: masterpassword 19 | namespace: default 20 | type: Opaque' 21 | 22 | Write-Output $yamlDefinition > secrets.yaml 23 | 24 | $masterPassword=$null 25 | 
$BSTR=$null 26 | $credential=$null 27 | 28 | kubectl apply -f ./secrets.yaml 29 | 30 | #Enter Docker account details and create docker registry secret 31 | $credential=Get-Credential -Title 'Enter Docker account username and password' 32 | $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($credential.Password) 33 | $dockerPassword=[System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($BSTR) 34 | $dockerEmail=Read-Host 'Enter e-mail address of your Docker account' 35 | $dockerUsername=$credential.UserName 36 | 37 | kubectl create secret docker-registry docker-secret --docker-server=$registryLoginServer --docker-username=$dockerUsername --docker-password=$dockerPassword --docker-email=$dockerEmail 38 | 39 | $dockerPassword=$null 40 | $dockerUsername=$null 41 | $dockerEmail=$null 42 | $BSTR=$null 43 | $credential=$null 44 | 45 | #HANA Express Edition deployment 46 | wget $gitHubAciHxeAksUri 47 | 48 | kubectl apply -f ./deploy_HXE_ACI.yaml 49 | -------------------------------------------------------------------------------- /iotedge/templates/multiarch/tempsensor.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: tempsensor 5 | spec: 6 | replicas: 2 7 | strategy: 8 | rollingUpdate: 9 | maxSurge: 0 10 | maxUnavailable: 100% 11 | selector: 12 | matchLabels: 13 | app: tempsensor 14 | minReadySeconds: 5 15 | template: 16 | metadata: 17 | name: tempsensor 18 | labels: 19 | app: tempsensor 20 | annotations: 21 | isEdgeDeployment: "true" 22 | targetCondition: "tags.location.building='mobile' AND tags.environment='test'" 23 | priority: "15" 24 | loggingOptions: "" 25 | spec: 26 | containers: 27 | - name: tempsensor 28 | image: mcr.microsoft.com/azureiotedge-simulated-temperature-sensor:1.0 29 | nodeSelector: 30 | type: virtual-kubelet 31 | tolerations: 32 | - key: virtual-kubelet.io/provider 33 | operator: Equal 34 | value: iotedge 35 | effect: 
NoSchedule 36 | --- 37 | apiVersion: v1 38 | kind: ConfigMap 39 | metadata: 40 | name: edgeagent 41 | data: 42 | desiredProperties: | 43 | { 44 | "systemModules": { 45 | "edgeHub": { 46 | "env": { 47 | "OptimizeForPerformance": { 48 | "value": "false" 49 | } 50 | } 51 | } 52 | } 53 | } 54 | --- 55 | apiVersion: v1 56 | kind: ConfigMap 57 | metadata: 58 | name: edgehub 59 | data: 60 | desiredProperties: | 61 | { 62 | "routes": { 63 | "route": "FROM /* INTO $upstream", 64 | }, 65 | "storeAndForwardConfiguration": { 66 | "timeToLiveSecs": 7200 67 | } 68 | } 69 | --- 70 | apiVersion: v1 71 | kind: ConfigMap 72 | metadata: 73 | name: tempsensor 74 | data: 75 | status: running 76 | restartPolicy: always 77 | version: "1.0" 78 | createOptions: | 79 | {} 80 | -------------------------------------------------------------------------------- /hxe-aks/deploy_HXE_AKS.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolume 3 | metadata: 4 | name: persistent-vol-hxe 5 | labels: 6 | type: local 7 | spec: 8 | storageClassName: manual 9 | capacity: 10 | storage: 150Gi 11 | accessModes: 12 | - ReadWriteOnce 13 | hostPath: 14 | path: /data/hxe_pv 15 | --- 16 | apiVersion: v1 17 | kind: PersistentVolumeClaim 18 | metadata: 19 | name: hxe-pvc 20 | spec: 21 | storageClassName: manual 22 | accessModes: 23 | - ReadWriteOnce 24 | resources: 25 | requests: 26 | storage: 50Gi 27 | --- 28 | apiVersion: v1 29 | kind: Pod 30 | metadata: 31 | name: hxe-pod 32 | labels: 33 | name: hxe-pod 34 | spec: 35 | initContainers: 36 | - name: install 37 | image: busybox 38 | command: [ 'sh', '-c', 'chown 12000:79 /hana/mounts' ] 39 | volumeMounts: 40 | - name: hxe-data 41 | mountPath: /hana/mounts 42 | restartPolicy: OnFailure 43 | volumes: 44 | - name: hxe-data 45 | persistentVolumeClaim: 46 | claimName: hxe-pvc 47 | - name: hxe-config 48 | secret: 49 | defaultMode: 420 50 | secretName: masterpassword 51 | imagePullSecrets: 52 | - 
name: docker-secret 53 | containers: 54 | - name: hxe-container 55 | image: "store/saplabs/hanaexpress:2.00.022.00.20171211.1" 56 | ports: 57 | - containerPort: 39013 58 | name: port1 59 | - containerPort: 39015 60 | name: port2 61 | - containerPort: 39017 62 | name: port3 63 | - containerPort: 8090 64 | name: port4 65 | - containerPort: 39041 66 | name: port5 67 | - containerPort: 59013 68 | name: port6 69 | args: [ "--agree-to-sap-license", "--dont-check-system", "--passwords-url", "file:///hana/hxeconfig/password.json" ] 70 | volumeMounts: 71 | - name: hxe-data 72 | mountPath: /hana/mounts 73 | - name: hxe-config 74 | mountPath: /hana/hxeconfig 75 | -------------------------------------------------------------------------------- /kind/install-istio.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioOperator 3 | metadata: 4 | namespace: istio-system 5 | name: istiocontrolplane 6 | spec: 7 | components: 8 | base: 9 | enabled: true 10 | cni: 11 | enabled: true 12 | ingressGateways: 13 | - enabled: true 14 | name: istio-ingressgateway 15 | k8s: 16 | hpaSpec: 17 | maxReplicas: 1 18 | nodeSelector: 19 | ingress-ready: "true" 20 | service: 21 | type: NodePort 22 | overlays: 23 | - apiVersion: v1 24 | kind: Service 25 | name: istio-ingressgateway 26 | patches: 27 | - path: spec.ports 28 | value: 29 | - name: status-port 30 | port: 15021 31 | targetPort: 15021 32 | nodePort: 30002 33 | protocol: TCP 34 | - name: http2 35 | port: 80 36 | targetPort: 8080 37 | nodePort: 30000 38 | protocol: TCP 39 | - name: https 40 | port: 443 41 | targetPort: 8443 42 | nodePort: 30001 43 | protocol: TCP 44 | - apiVersion: policy/v1beta1 45 | kind: PodDisruptionBudget 46 | name: istio-ingressgateway 47 | patches: 48 | - path: spec.minAvailable 49 | value: 0 50 | pilot: 51 | enabled: true 52 | k8s: 53 | hpaSpec: 54 | maxReplicas: 1 55 | overlays: 56 | - apiVersion: policy/v1beta1 57 | kind: 
PodDisruptionBudget 58 | name: istiod 59 | patches: 60 | - path: spec.minAvailable 61 | value: 0 62 | meshConfig: 63 | accessLogFile: "/dev/stdout" 64 | accessLogEncoding: "JSON" 65 | values: 66 | global: 67 | cni: 68 | excludeNamespaces: 69 | - istio-system 70 | - kube-system 71 | sidecarInjectorWebhook: 72 | rewriteAppHTTPProbe: true 73 | -------------------------------------------------------------------------------- /istio/istio-1.4.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: install.istio.io/v1alpha1 2 | kind: IstioControlPlane 3 | spec: 4 | gateways: 5 | components: 6 | ingressGateway: 7 | enabled: true 8 | k8s: 9 | hpaSpec: 10 | minReplicas: 2 11 | overlays: 12 | - apiVersion: v1 13 | kind: Service 14 | name: istio-ingressgateway 15 | patches: 16 | - path: spec.ports 17 | value: 18 | - name: status-port 19 | port: 15020 20 | targetPort: 15020 21 | - name: http2 22 | port: 80 23 | targetPort: 80 24 | - name: https 25 | port: 443 26 | targetPort: 443 27 | trafficManagement: 28 | components: 29 | pilot: 30 | enabled: true 31 | k8s: 32 | hpaSpec: 33 | minReplicas: 2 34 | policy: 35 | components: 36 | policy: 37 | enabled: true 38 | k8s: 39 | hpaSpec: 40 | minReplicas: 2 41 | telemetry: 42 | components: 43 | telemetry: 44 | enabled: true 45 | k8s: 46 | hpaSpec: 47 | minReplicas: 2 48 | configManagement: 49 | components: 50 | galley: 51 | enabled: true 52 | k8s: 53 | replicaCount: 2 54 | autoInjection: 55 | components: 56 | injector: 57 | enabled: true 58 | k8s: 59 | replicaCount: 2 60 | podDisruptionBudget: 61 | selector: 62 | matchLabels: 63 | app: sidecarInjectorWebhook 64 | security: 65 | components: 66 | citadel: 67 | enabled: true 68 | k8s: 69 | replicaCount: 2 70 | values: 71 | global: 72 | mtls: 73 | enabled: true 74 | controlPlaneSecurityEnabled: true 75 | proxy: 76 | accessLogFile: "/dev/stdout" 77 | accessLogEncoding: "JSON" 78 | gateways: 79 | istio-ingressgateway: 80 | sds: 81 | enabled: true 
82 | sidecarInjectorWebhook: 83 | rewriteAppHTTPProbe: true 84 | grafana: 85 | enabled: true 86 | tracing: 87 | enabled: true 88 | kiali: 89 | enabled: true 90 | prometheus: 91 | enabled: true 92 | -------------------------------------------------------------------------------- /acs-engine/kubernetes_custom_vnet_private_master.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "vlabs", 3 | "properties": { 4 | "orchestratorProfile": { 5 | "orchestratorType": "Kubernetes", 6 | "orchestratorRelease": "1.10", 7 | "kubernetesConfig": { 8 | "useManagedIdentity": true, 9 | "networkPolicy": "azure", 10 | "containerRuntime": "docker", 11 | "enableRbac": true, 12 | "maxPods":30, 13 | "useInstanceMetadata": true, 14 | "addons": [ 15 | { 16 | "name": "tiller", 17 | "enabled": true 18 | }, 19 | { 20 | "name": "kubernetes-dashboard", 21 | "enabled": true 22 | } 23 | ], 24 | "privateCluster": { 25 | "enabled": true, 26 | "jumpboxProfile": { 27 | "name": "azst-acse1-jb", 28 | "vmSize": "Standard_A2_v2", 29 | "osDiskSizeGB": 32, 30 | "storageProfile": "ManagedDisks", 31 | "username": "azureuser", 32 | "publicKey": "REDACTED" 33 | } 34 | } 35 | } 36 | }, 37 | "masterProfile": { 38 | "count": 1, 39 | "dnsPrefix": "azst-acse1", 40 | "vmSize": "Standard_A2_v2", 41 | "osDiskSizeGB": 32, 42 | "distro": "ubuntu", 43 | "vnetSubnetId": "/subscriptions/REDACTED/resourceGroups/acs-engine/providers/Microsoft.Network/virtualNetworks/acs-engine/subnets/k8s", 44 | "firstConsecutiveStaticIP": "172.16.15.239", 45 | "vnetCIDR": "172.16.0.0/16" 46 | }, 47 | "agentPoolProfiles": [ 48 | { 49 | "name": "agentpool", 50 | "count": 3, 51 | "vmSize": "Standard_A2_v2", 52 | "osDiskSizeGB": 32, 53 | "distro": "ubuntu", 54 | "storageProfile": "ManagedDisks", 55 | "availabilityProfile": "AvailabilitySet", 56 | "vnetSubnetId": "/subscriptions/REDACTED/resourceGroups/acs-engine/providers/Microsoft.Network/virtualNetworks/acs-engine/subnets/k8s" 57 | } 58 
| ], 59 | "linuxProfile": { 60 | "adminUsername": "azureuser", 61 | "ssh": { 62 | "publicKeys": [ 63 | { 64 | "keyData": "REDACTED" 65 | } 66 | ] 67 | } 68 | } 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /omsagent/oms-daemonset.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: DaemonSet 3 | metadata: 4 | name: omsagent 5 | namespace: kube-system 6 | spec: 7 | updateStrategy: 8 | rollingUpdate: 9 | maxUnavailable: 1 10 | type: RollingUpdate 11 | selector: 12 | matchLabels: 13 | app: omsagent 14 | template: 15 | metadata: 16 | labels: 17 | app: omsagent 18 | agentVersion: 1.6.0-163 19 | dockerProviderVersion: 1.0.0-34 20 | spec: 21 | serviceAccount: omsagent 22 | containers: 23 | - name: omsagent 24 | image: "microsoft/oms" 25 | imagePullPolicy: Always 26 | securityContext: 27 | privileged: true 28 | ports: 29 | - containerPort: 25225 30 | protocol: TCP 31 | - containerPort: 25224 32 | protocol: UDP 33 | resources: 34 | limits: 35 | cpu: 150m 36 | memory: 750Mi 37 | requests: 38 | cpu: 50m 39 | memory: 200Mi 40 | volumeMounts: 41 | - mountPath: /var/run/docker.sock 42 | name: docker-sock 43 | - mountPath: /var/log 44 | name: host-log 45 | - mountPath: /etc/omsagent-secret 46 | name: omsagent-secret 47 | readOnly: true 48 | - mountPath: /var/lib/docker/containers 49 | name: containerlog-path 50 | livenessProbe: 51 | exec: 52 | command: 53 | - /bin/bash 54 | - -c 55 | - ps -ef | grep omsagent | grep -v "grep" 56 | initialDelaySeconds: 60 57 | periodSeconds: 60 58 | nodeSelector: 59 | beta.kubernetes.io/os: linux 60 | # Tolerate a NoSchedule taint on master that ACS Engine sets. 
61 | tolerations: 62 | - key: "node-role.kubernetes.io/master" 63 | operator: "Equal" 64 | value: "true" 65 | effect: "NoSchedule" 66 | volumes: 67 | - name: docker-sock 68 | hostPath: 69 | path: /var/run/docker.sock 70 | - name: host-log 71 | hostPath: 72 | path: /var/log 73 | - name: omsagent-secret 74 | secret: 75 | secretName: omsagent-secret 76 | - name: containerlog-path 77 | hostPath: 78 | path: /var/lib/docker/containers 79 | -------------------------------------------------------------------------------- /ACI-connector/aciconnector.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Deployment 3 | metadata: 4 | labels: 5 | app: <> 6 | name: <> 7 | namespace: default 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: <> 13 | strategy: 14 | rollingUpdate: 15 | maxSurge: 1 16 | maxUnavailable: 1 17 | type: RollingUpdate 18 | template: 19 | metadata: 20 | labels: 21 | app: <> 22 | spec: 23 | containers: 24 | - args: 25 | - --provider 26 | - azure 27 | - --namespace 28 | - default 29 | - --nodename 30 | - <> 31 | - --os 32 | - Linux 33 | - --taint 34 | - azure.com/aci 35 | command: 36 | - virtual-kubelet 37 | env: 38 | - name: KUBELET_PORT 39 | value: "10250" 40 | - name: AZURE_AUTH_LOCATION 41 | value: /etc/virtual-kubelet/credentials.json 42 | - name: ACI_RESOURCE_GROUP 43 | value: <> 44 | - name: ACI_REGION 45 | value: <> 46 | - name: APISERVER_CERT_LOCATION 47 | value: /etc/virtual-kubelet/cert.pem 48 | - name: APISERVER_KEY_LOCATION 49 | value: /etc/virtual-kubelet/key.pem 50 | - name: VKUBELET_POD_IP 51 | valueFrom: 52 | fieldRef: 53 | apiVersion: v1 54 | fieldPath: status.podIP 55 | image: microsoft/virtual-kubelet:latest 56 | imagePullPolicy: Always 57 | name: <> 58 | resources: {} 59 | terminationMessagePath: /dev/termination-log 60 | terminationMessagePolicy: File 61 | volumeMounts: 62 | - mountPath: /etc/virtual-kubelet 63 | name: credentials 64 | 
dnsPolicy: ClusterFirst 65 | restartPolicy: Always 66 | schedulerName: default-scheduler 67 | securityContext: {} 68 | terminationGracePeriodSeconds: 30 69 | volumes: 70 | - name: credentials 71 | secret: 72 | defaultMode: 420 73 | secretName: <> 74 | -------------------------------------------------------------------------------- /iotedge/templates/amd64/tempsensor-ml.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: tempsensor-ml 5 | spec: 6 | replicas: 2 7 | strategy: 8 | rollingUpdate: 9 | maxSurge: 1 10 | maxUnavailable: 1 11 | selector: 12 | matchLabels: 13 | app: tempsensor-ml 14 | minReadySeconds: 5 15 | template: 16 | metadata: 17 | name: tempsensor-ml 18 | labels: 19 | app: tempsensor-ml 20 | annotations: 21 | isEdgeDeployment: "true" 22 | targetCondition: "tags.location.building='azure' AND tags.environment='prod'" 23 | priority: "15" 24 | loggingOptions: "" 25 | spec: 26 | containers: 27 | - name: tempsensor 28 | image: mcr.microsoft.com/azureiotedge-simulated-temperature-sensor:1.0 29 | - name: machinelearning 30 | image: REDACTED.azurecr.io/machinelearningmodule:1 31 | nodeSelector: 32 | type: virtual-kubelet 33 | tolerations: 34 | - key: azure.com/iotedge 35 | effect: NoSchedule 36 | --- 37 | apiVersion: v1 38 | kind: ConfigMap 39 | metadata: 40 | name: edgeagent 41 | data: 42 | desiredProperties: | 43 | { 44 | "runtime": { 45 | "settings": { 46 | "registryCredentials": { 47 | "docker": { 48 | "address": "REDACTED", 49 | "password": "REDACTED", 50 | "username": "REDACTED" 51 | } 52 | } 53 | } 54 | } 55 | } 56 | --- 57 | apiVersion: v1 58 | kind: ConfigMap 59 | metadata: 60 | name: edgehub 61 | data: 62 | desiredProperties: | 63 | { 64 | "routes": { 65 | "sensorToMachineLearning":"FROM /messages/modules/tempsensor/outputs/temperatureOutput INTO BrokeredEndpoint(\"/modules/machinelearning/inputs/amlInput\")", 66 | "machineLearningToIoTHub": "FROM 
/messages/modules/machinelearning/outputs/amlOutput INTO $upstream" 67 | }, 68 | "storeAndForwardConfiguration": { 69 | "timeToLiveSecs": 7200 70 | } 71 | } 72 | --- 73 | apiVersion: v1 74 | kind: ConfigMap 75 | metadata: 76 | name: tempsensor 77 | data: 78 | status: running 79 | restartPolicy: always 80 | version: "1.0" 81 | createOptions: | 82 | {} 83 | --- 84 | apiVersion: v1 85 | kind: ConfigMap 86 | metadata: 87 | name: machinelearning 88 | data: 89 | status: running 90 | restartPolicy: always 91 | version: "1.0" 92 | createOptions: | 93 | {} 94 | -------------------------------------------------------------------------------- /iotedge/templates/arm32v7/go-webapp-arm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: go-webapp-arm 5 | spec: 6 | replicas: 2 7 | strategy: 8 | rollingUpdate: 9 | maxSurge: 0 10 | maxUnavailable: 100% 11 | selector: 12 | matchLabels: 13 | app: go-webapp-arm 14 | template: 15 | metadata: 16 | name: go-webapp-arm 17 | labels: 18 | app: go-webapp-arm 19 | annotations: 20 | isEdgeDeployment: "true" 21 | targetCondition: "tags.location.building='mobile' AND tags.environment='test'" 22 | priority: "15" 23 | loggingOptions: "" 24 | spec: 25 | containers: 26 | - name: go-webapp-arm 27 | image: REDACTED.azurecr.io/go-webapp-arm:latest 28 | nodeSelector: 29 | type: virtual-kubelet 30 | tolerations: 31 | - key: virtual-kubelet.io/provider 32 | operator: Equal 33 | value: iotedge 34 | effect: NoSchedule 35 | --- 36 | apiVersion: v1 37 | kind: ConfigMap 38 | metadata: 39 | name: edgeagent 40 | data: 41 | desiredProperties: | 42 | { 43 | "runtime": { 44 | "settings": { 45 | "registryCredentials": { 46 | "docker": { 47 | "address": "REDACTED", 48 | "password": "REDACTED", 49 | "username": "REDACTED" 50 | } 51 | } 52 | } 53 | }, 54 | "systemModules": { 55 | "edgeHub": { 56 | "env": { 57 | "OptimizeForPerformance": { 58 | "value": "false" 59 | } 
60 | } 61 | } 62 | } 63 | } 64 | --- 65 | apiVersion: v1 66 | kind: ConfigMap 67 | metadata: 68 | name: edgehub 69 | data: 70 | desiredProperties: | 71 | { 72 | "routes": { 73 | "route": "FROM /* INTO $upstream", 74 | }, 75 | "storeAndForwardConfiguration": { 76 | "timeToLiveSecs": 7200 77 | } 78 | } 79 | --- 80 | apiVersion: v1 81 | kind: ConfigMap 82 | metadata: 83 | name: go-webapp-arm 84 | data: 85 | status: running 86 | restartPolicy: always 87 | version: "1.0" 88 | createOptions: | 89 | { 90 | "HostConfig": { 91 | "PortBindings": { 92 | "8080/tcp": [ 93 | { 94 | "HostPort": "80" 95 | } 96 | ] 97 | } 98 | } 99 | } 100 | -------------------------------------------------------------------------------- /acs-engine/kubernetes_custom_network_config_private_master.json: -------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "vlabs", 3 | "properties": { 4 | "orchestratorProfile": { 5 | "orchestratorType": "Kubernetes", 6 | "orchestratorRelease": "1.10", 7 | "kubernetesConfig": { 8 | "useManagedIdentity": true, 9 | "kubeletConfig": { 10 | "--non-masquerade-cidr": "172.16.0.0/20" 11 | }, 12 | "clusterSubnet": "172.16.0.0/20", 13 | "dnsServiceIP": "172.16.16.10", 14 | "serviceCidr": "172.16.16.0/20", 15 | "networkPolicy": "azure", 16 | "containerRuntime": "docker", 17 | "enableRbac": true, 18 | "maxPods":30, 19 | "useInstanceMetadata": true, 20 | "addons": [ 21 | { 22 | "name": "tiller", 23 | "enabled": true 24 | }, 25 | { 26 | "name": "kubernetes-dashboard", 27 | "enabled": true 28 | } 29 | ], 30 | "privateCluster": { 31 | "enabled": true, 32 | "jumpboxProfile": { 33 | "name": "azst-acse1-jb", 34 | "vmSize": "Standard_A2_v2", 35 | "osDiskSizeGB": 32, 36 | "storageProfile": "ManagedDisks", 37 | "username": "azureuser", 38 | "publicKey": "REDACTED" 39 | } 40 | } 41 | } 42 | }, 43 | "masterProfile": { 44 | "count": 1, 45 | "dnsPrefix": "azst-acse1", 46 | "vmSize": "Standard_A2_v2", 47 | "osDiskSizeGB": 32, 48 | "distro": 
"ubuntu", 49 | "vnetSubnetId": "/subscriptions/REDACTED/resourceGroups/acs-engine/providers/Microsoft.Network/virtualNetworks/acs-engine/subnets/k8s", 50 | "firstConsecutiveStaticIP": "172.16.15.239", 51 | "vnetCIDR": "172.16.0.0/16" 52 | }, 53 | "agentPoolProfiles": [ 54 | { 55 | "name": "agentpool", 56 | "count": 3, 57 | "vmSize": "Standard_A2_v2", 58 | "osDiskSizeGB": 32, 59 | "distro": "ubuntu", 60 | "storageProfile": "ManagedDisks", 61 | "availabilityProfile": "AvailabilitySet", 62 | "vnetSubnetId": "/subscriptions/REDACTED/resourceGroups/acs-engine/providers/Microsoft.Network/virtualNetworks/acs-engine/subnets/k8s" 63 | } 64 | ], 65 | "linuxProfile": { 66 | "adminUsername": "azureuser", 67 | "ssh": { 68 | "publicKeys": [ 69 | { 70 | "keyData": "REDACTED" 71 | } 72 | ] 73 | } 74 | } 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /envoy-ratelimit/envoyfilter-global.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: EnvoyFilter 3 | metadata: 4 | name: filter-ratelimit 5 | namespace: istio-system 6 | spec: 7 | workloadSelector: 8 | labels: 9 | istio: ingressgateway 10 | configPatches: 11 | - applyTo: HTTP_FILTER 12 | match: 13 | context: GATEWAY 14 | listener: 15 | filterChain: 16 | filter: 17 | name: "envoy.filters.network.http_connection_manager" 18 | subFilter: 19 | name: "envoy.filters.http.router" 20 | patch: 21 | operation: INSERT_BEFORE 22 | value: 23 | name: envoy.filters.http.ratelimit 24 | typed_config: 25 | "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit 26 | domain: ratelimit 27 | failure_mode_deny: false 28 | timeout: 25ms 29 | rate_limit_service: 30 | grpc_service: 31 | envoy_grpc: 32 | cluster_name: rate_limit_cluster 33 | transport_api_version: V3 34 | - applyTo: CLUSTER 35 | match: 36 | cluster: 37 | service: ratelimit.ratelimit.svc.cluster.local 38 | patch: 39 | 
operation: ADD 40 | value: 41 | name: rate_limit_cluster 42 | type: STRICT_DNS 43 | connect_timeout: 25ms 44 | lb_policy: ROUND_ROBIN 45 | http2_protocol_options: {} 46 | load_assignment: 47 | cluster_name: rate_limit_cluster 48 | endpoints: 49 | - lb_endpoints: 50 | - endpoint: 51 | address: 52 | socket_address: 53 | address: ratelimit.ratelimit.svc.cluster.local 54 | port_value: 8081 55 | --- 56 | apiVersion: networking.istio.io/v1alpha3 57 | kind: EnvoyFilter 58 | metadata: 59 | name: filter-ratelimit-svc 60 | namespace: istio-system 61 | spec: 62 | workloadSelector: 63 | labels: 64 | istio: ingressgateway 65 | configPatches: 66 | - applyTo: VIRTUAL_HOST 67 | match: 68 | context: GATEWAY 69 | routeConfiguration: 70 | vhost: 71 | name: "*.danielstechblog.de:80" 72 | route: 73 | action: ANY 74 | patch: 75 | operation: MERGE 76 | value: 77 | rate_limits: 78 | - actions: 79 | - request_headers: 80 | header_name: ":authority" 81 | descriptor_key: "HOST" 82 | - actions: 83 | - remote_address: {} 84 | - actions: 85 | - request_headers: 86 | header_name: ":path" 87 | descriptor_key: "PATH" -------------------------------------------------------------------------------- /azure-npm/azure-npm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: azure-npm 5 | namespace: kube-system 6 | labels: 7 | addonmanager.kubernetes.io/mode: EnsureExists 8 | --- 9 | apiVersion: rbac.authorization.k8s.io/v1 10 | kind: ClusterRole 11 | metadata: 12 | name: azure-npm 13 | namespace: kube-system 14 | labels: 15 | addonmanager.kubernetes.io/mode: EnsureExists 16 | rules: 17 | - apiGroups: 18 | - "" 19 | resources: 20 | - pods 21 | - nodes 22 | - namespaces 23 | verbs: 24 | - get 25 | - list 26 | - watch 27 | - apiGroups: 28 | - networking.k8s.io 29 | resources: 30 | - networkpolicies 31 | verbs: 32 | - get 33 | - list 34 | - watch 35 | --- 36 | apiVersion: rbac.authorization.k8s.io/v1 37 | 
kind: ClusterRoleBinding 38 | metadata: 39 | name: azure-npm-binding 40 | namespace: kube-system 41 | labels: 42 | addonmanager.kubernetes.io/mode: EnsureExists 43 | subjects: 44 | - kind: ServiceAccount 45 | name: azure-npm 46 | namespace: kube-system 47 | roleRef: 48 | kind: ClusterRole 49 | name: azure-npm 50 | apiGroup: rbac.authorization.k8s.io 51 | --- 52 | apiVersion: apps/v1 53 | kind: DaemonSet 54 | metadata: 55 | name: azure-npm 56 | namespace: kube-system 57 | labels: 58 | app: azure-npm 59 | addonmanager.kubernetes.io/mode: EnsureExists 60 | spec: 61 | selector: 62 | matchLabels: 63 | k8s-app: azure-npm 64 | template: 65 | metadata: 66 | labels: 67 | k8s-app: azure-npm 68 | annotations: 69 | scheduler.alpha.kubernetes.io/critical-pod: '' 70 | spec: 71 | tolerations: 72 | - key: CriticalAddonsOnly 73 | operator: Exists 74 | nodeSelector: 75 | beta.kubernetes.io/os: linux 76 | containers: 77 | - name: azure-npm 78 | image: containernetworking/azure-npm:v1.0.13 79 | securityContext: 80 | privileged: true 81 | env: 82 | - name: HOSTNAME 83 | valueFrom: 84 | fieldRef: 85 | apiVersion: v1 86 | fieldPath: spec.nodeName 87 | volumeMounts: 88 | - name: xtables-lock 89 | mountPath: /run/xtables.lock 90 | - name: log 91 | mountPath: /var/log 92 | hostNetwork: true 93 | volumes: 94 | - name: log 95 | hostPath: 96 | path: /var/log 97 | type: Directory 98 | - name: xtables-lock 99 | hostPath: 100 | path: /run/xtables.lock 101 | type: File 102 | serviceAccountName: azure-npm 103 | -------------------------------------------------------------------------------- /k3s/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | if [ -z "$AZP_URL" ]; then 5 | echo 1>&2 "error: missing AZP_URL environment variable" 6 | exit 1 7 | fi 8 | 9 | if [ -z "$AZP_TOKEN_FILE" ]; then 10 | if [ -z "$AZP_TOKEN" ]; then 11 | echo 1>&2 "error: missing AZP_TOKEN environment variable" 12 | exit 1 13 | fi 14 | 15 | 
AZP_TOKEN_FILE=/azp/.token 16 | echo -n $AZP_TOKEN > "$AZP_TOKEN_FILE" 17 | fi 18 | 19 | unset AZP_TOKEN 20 | 21 | if [ -n "$AZP_WORK" ]; then 22 | mkdir -p "$AZP_WORK" 23 | fi 24 | 25 | rm -rf /azp/agent 26 | mkdir /azp/agent 27 | cd /azp/agent 28 | 29 | export AGENT_ALLOW_RUNASROOT="1" 30 | 31 | cleanup() { 32 | if [ -e config.sh ]; then 33 | print_header "Cleanup. Removing Azure Pipelines agent..." 34 | 35 | ./config.sh remove --unattended \ 36 | --auth PAT \ 37 | --token $(cat "$AZP_TOKEN_FILE") 38 | fi 39 | } 40 | 41 | print_header() { 42 | lightcyan='\033[1;36m' 43 | nocolor='\033[0m' 44 | echo -e "${lightcyan}$1${nocolor}" 45 | } 46 | 47 | # Let the agent ignore the token env variables 48 | export VSO_AGENT_IGNORE=AZP_TOKEN,AZP_TOKEN_FILE 49 | 50 | print_header "1. Determining matching Azure Pipelines agent..." 51 | 52 | AZP_AGENT_RESPONSE=$(curl -LsS \ 53 | -u user:$(cat "$AZP_TOKEN_FILE") \ 54 | -H 'Accept:application/json;api-version=3.0-preview' \ 55 | "$AZP_URL/_apis/distributedtask/packages/agent?platform=linux-arm") 56 | 57 | if echo "$AZP_AGENT_RESPONSE" | jq . >/dev/null 2>&1; then 58 | AZP_AGENTPACKAGE_URL=$(echo "$AZP_AGENT_RESPONSE" \ 59 | | jq -r '.value | map([.version.major,.version.minor,.version.patch,.downloadUrl]) | sort | .[length-1] | .[3]') 60 | fi 61 | 62 | if [ -z "$AZP_AGENTPACKAGE_URL" -o "$AZP_AGENTPACKAGE_URL" == "null" ]; then 63 | echo 1>&2 "error: could not determine a matching Azure Pipelines agent - check that account '$AZP_URL' is correct and the token is valid for that account" 64 | exit 1 65 | fi 66 | 67 | print_header "2. Downloading and installing Azure Pipelines agent..." 68 | 69 | curl -LsS $AZP_AGENTPACKAGE_URL | tar -xz & wait $! 70 | 71 | source ./env.sh 72 | 73 | trap 'cleanup; exit 130' INT 74 | trap 'cleanup; exit 143' TERM 75 | 76 | print_header "3. Configuring Azure Pipelines agent..." 
77 | 78 | ./config.sh --unattended \ 79 | --agent "${AZP_AGENT_NAME:-$(hostname)}" \ 80 | --url "$AZP_URL" \ 81 | --auth PAT \ 82 | --token $(cat "$AZP_TOKEN_FILE") \ 83 | --pool "${AZP_POOL:-Default}" \ 84 | --work "${AZP_WORK:-_work}" \ 85 | --replace \ 86 | --acceptTeeEula & wait $! 87 | 88 | print_header "4. Running Azure Pipelines agent..." 89 | 90 | # `exec` the node runtime so it's aware of TERM and INT signals 91 | # AgentService.js understands how to handle agent self-update and restart 92 | exec ./externals/node10/bin/node ./bin/AgentService.js interactive 93 | -------------------------------------------------------------------------------- /iotedge/templates/amd64/tempsensor-function.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: tempsensor-function 5 | spec: 6 | replicas: 2 7 | strategy: 8 | rollingUpdate: 9 | maxSurge: 0 10 | maxUnavailable: 100% 11 | selector: 12 | matchLabels: 13 | app: tempsensor-function 14 | minReadySeconds: 5 15 | template: 16 | metadata: 17 | name: tempsensor-function 18 | labels: 19 | app: tempsensor-function 20 | annotations: 21 | isEdgeDeployment: "true" 22 | targetCondition: "tags.location.building='azure' AND tags.environment='prod'" 23 | priority: "15" 24 | loggingOptions: "" 25 | spec: 26 | containers: 27 | - name: tempsensor 28 | image: mcr.microsoft.com/azureiotedge-simulated-temperature-sensor:1.0 29 | - name: function 30 | image: REDACTED.azurecr.io/filterfunction:0.0.1-amd64 31 | nodeSelector: 32 | type: virtual-kubelet 33 | tolerations: 34 | - key: virtual-kubelet.io/provider 35 | operator: Equal 36 | value: iotedge 37 | effect: NoSchedule 38 | --- 39 | apiVersion: v1 40 | kind: ConfigMap 41 | metadata: 42 | name: edgeagent 43 | data: 44 | desiredProperties: | 45 | { 46 | "runtime": { 47 | "settings": { 48 | "registryCredentials": { 49 | "docker": { 50 | "address": "REDACTED", 51 | "password": "REDACTED", 52 
| "username": "REDACTED" 53 | } 54 | } 55 | } 56 | } 57 | } 58 | --- 59 | apiVersion: v1 60 | kind: ConfigMap 61 | metadata: 62 | name: edgehub 63 | data: 64 | desiredProperties: | 65 | { 66 | "routes": { 67 | "sensorToFilter":"FROM /messages/modules/tempsensor/outputs/temperatureOutput INTO BrokeredEndpoint(\"/modules/function/inputs/input1\")", 68 | "filterToIoTHub":"FROM /messages/modules/function/outputs/* INTO $upstream" 69 | }, 70 | "storeAndForwardConfiguration": { 71 | "timeToLiveSecs": 7200 72 | } 73 | } 74 | --- 75 | apiVersion: v1 76 | kind: ConfigMap 77 | metadata: 78 | name: tempsensor 79 | data: 80 | status: running 81 | restartPolicy: always 82 | version: "1.0" 83 | createOptions: | 84 | {} 85 | --- 86 | apiVersion: v1 87 | kind: ConfigMap 88 | metadata: 89 | name: function 90 | data: 91 | status: running 92 | restartPolicy: always 93 | version: "1.0" 94 | createOptions: | 95 | { 96 | "HostConfig": { 97 | "PortBindings": { 98 | "80/tcp": [ 99 | { 100 | "HostPort": "80" 101 | } 102 | ] 103 | } 104 | } 105 | } 106 | -------------------------------------------------------------------------------- /fluent-bit/daemon-set.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: DaemonSet 3 | metadata: 4 | name: fluent-bit 5 | namespace: logging 6 | labels: 7 | app: fluent-bit 8 | version: v2.1.9 9 | kubernetes.io/cluster-service: "true" 10 | spec: 11 | selector: 12 | matchLabels: 13 | app: fluent-bit 14 | template: 15 | metadata: 16 | labels: 17 | app: fluent-bit 18 | version: v2.1.9 19 | kubernetes.io/cluster-service: "true" 20 | spec: 21 | terminationGracePeriodSeconds: 75 22 | containers: 23 | - name: fluent-bit 24 | image: fluent/fluent-bit:2.1.9 25 | imagePullPolicy: IfNotPresent 26 | ports: 27 | - containerPort: 2020 28 | livenessProbe: 29 | httpGet: 30 | path: /api/v1/health 31 | port: 2020 32 | failureThreshold: 3 33 | initialDelaySeconds: 60 34 | periodSeconds: 10 35 | 
successThreshold: 1 36 | timeoutSeconds: 1 37 | env: 38 | - name: FLUENT_AZURE_WORKSPACE_ID 39 | valueFrom: 40 | secretKeyRef: 41 | name: loganalytics 42 | key: workspaceid 43 | - name: FLUENT_AZURE_WORKSPACE_KEY 44 | valueFrom: 45 | secretKeyRef: 46 | name: loganalytics 47 | key: workspacekey 48 | - name: CLUSTER 49 | value: fluent-bit 50 | - name: REGION 51 | value: northeurope 52 | - name: ENVIRONMENT 53 | value: prod 54 | - name: NODE_IP 55 | valueFrom: 56 | fieldRef: 57 | apiVersion: v1 58 | fieldPath: status.hostIP 59 | resources: 60 | limits: 61 | cpu: 500m 62 | memory: 750Mi 63 | requests: 64 | cpu: 75m 65 | memory: 325Mi 66 | volumeMounts: 67 | - name: varlog 68 | mountPath: /var/log 69 | - name: varlibdockercontainers 70 | mountPath: /var/lib/docker/containers 71 | readOnly: true 72 | - name: fluent-bit-config 73 | mountPath: /fluent-bit/etc/ 74 | securityContext: 75 | readOnlyRootFilesystem: true 76 | allowPrivilegeEscalation: false 77 | volumes: 78 | - name: varlog 79 | hostPath: 80 | path: /var/log 81 | - name: varlibdockercontainers 82 | hostPath: 83 | path: /var/lib/docker/containers 84 | - name: fluent-bit-config 85 | configMap: 86 | name: fluent-bit-config 87 | serviceAccountName: fluent-bit 88 | priorityClassName: system-node-critical 89 | tolerations: 90 | - key: node-role.kubernetes.io/master 91 | operator: Exists 92 | effect: NoSchedule 93 | - operator: "Exists" 94 | effect: "NoExecute" 95 | - operator: "Exists" 96 | effect: "NoSchedule" 97 | -------------------------------------------------------------------------------- /hxe-aks/deploy_HXE_AKS.ps1: -------------------------------------------------------------------------------- 1 | #Variables for HXE AKS deployment 2 | $resourceGroupName='aks-hxe-rg' 3 | $aksClusterName='aks-hxe-cluster' 4 | 5 | $inputKey=Read-Host '(1) West Europe 6 | (2) East US 7 | (3) Central US 8 | (4) Canada Central 9 | (5) Canada East 10 | Enter Azure region for AKS deployment' 11 | switch ($inputKey.ToUpper()) { 12 | 
1 { 13 | $azureRegion='westeurope' 14 | } 15 | 2 { 16 | $azureRegion='eastus' 17 | } 18 | 3 { 19 | $azureRegion='centralus' 20 | } 21 | 4 { 22 | $azureRegion='canadacentral' 23 | } 24 | 5 { 25 | $azureRegion='canadaeast' 26 | } 27 | } 28 | 29 | #Create resource group 30 | az group create --name $resourceGroupName --location $azureRegion --output table 31 | 32 | #Create AKS cluster 33 | az aks create --resource-group $resourceGroupName --name $aksClusterName --node-count 3 --node-vm-size Standard_A4m_v2 --generate-ssh-keys --output table 34 | 35 | #Get AKS cluster credentials 36 | az aks get-credentials --resource-group $resourceGroupName --name $aksClusterName 37 | 38 | #Prepare deployment files and create master password secret 39 | $credential=Get-Credential -UserName hxeMasterPassword 40 | $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($credential.Password) 41 | $masterPassword=[System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) 42 | 43 | $jsonDefinition='{'+'"'+'master_password'+'"'+' : '+'"'+$masterPassword+'"'+'}' 44 | $jsonEncoded=Write-Output $jsonDefinition|base64 45 | 46 | $yamlDefinition='apiVersion: v1 47 | data: 48 | password.json: '+$jsonEncoded+' 49 | kind: Secret 50 | metadata: 51 | name: masterpassword 52 | namespace: default 53 | type: Opaque' 54 | 55 | Write-Output $yamlDefinition > secrets.yaml 56 | 57 | $masterPassword=$null 58 | $BSTR=$null 59 | $credential=$null 60 | 61 | kubectl apply -f ./secrets.yaml 62 | 63 | #Enter Docker account details and create docker registry secret 64 | $credential=Get-Credential -Title 'Enter Docker account username and password' 65 | $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($credential.Password) 66 | $dockerPassword=[System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR) 67 | $dockerEmail=Read-Host 'Enter e-mail address of your Docker account' 68 | $dockerUsername=$credential.UserName 69 | 70 | kubectl create secret docker-registry 
docker-secret --docker-server=https://index.docker.io/v1/ --docker-username=$dockerUsername --docker-password=$dockerPassword --docker-email=$dockerEmail 71 | 72 | $dockerPassword=$null 73 | $dockerUsername=$null 74 | $dockerEmail=$null 75 | $BSTR=$null 76 | $credential=$null 77 | 78 | #HANA Express Edition deployment 79 | Invoke-WebRequest https://raw.githubusercontent.com/neumanndaniel/kubernetes/master/hxe-aks/deploy_HXE_AKS.yaml -OutFile ./deploy_HXE_AKS.yaml 80 | 81 | kubectl apply -f ./deploy_HXE_AKS.yaml 82 | -------------------------------------------------------------------------------- /iotedge/templates/multiarch/tempsensor-asa.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: tempsensor-asa 5 | spec: 6 | replicas: 2 7 | strategy: 8 | rollingUpdate: 9 | maxSurge: 0 10 | maxUnavailable: 100% 11 | selector: 12 | matchLabels: 13 | app: tempsensor-asa 14 | template: 15 | metadata: 16 | name: tempsensor-asa 17 | labels: 18 | app: tempsensor-asa 19 | annotations: 20 | isEdgeDeployment: "true" 21 | targetCondition: "tags.location.building='mobile' AND tags.environment='test'" 22 | priority: "15" 23 | loggingOptions: "" 24 | spec: 25 | containers: 26 | - name: tempsensor 27 | image: mcr.microsoft.com/azureiotedge-simulated-temperature-sensor:1.0 28 | - name: streamanalytics 29 | image: mcr.microsoft.com/azure-stream-analytics/azureiotedge:1.0.0 30 | terminationGracePeriodSeconds: 0 31 | nodeSelector: 32 | type: virtual-kubelet 33 | tolerations: 34 | - key: virtual-kubelet.io/provider 35 | operator: Equal 36 | value: iotedge 37 | effect: NoSchedule 38 | --- 39 | apiVersion: v1 40 | kind: ConfigMap 41 | metadata: 42 | name: edgeagent 43 | data: 44 | desiredProperties: | 45 | { 46 | "systemModules": { 47 | "edgeHub": { 48 | "env": { 49 | "OptimizeForPerformance": { 50 | "value": "false" 51 | } 52 | } 53 | } 54 | } 55 | } 56 | --- 57 | apiVersion: v1 58 | kind: 
ConfigMap 59 | metadata: 60 | name: edgehub 61 | data: 62 | desiredProperties: | 63 | { 64 | "routes": { 65 | "alertsToCloud": "FROM /messages/modules/streamanalytics/* INTO $upstream", 66 | "alertsToReset": "FROM /messages/modules/streamanalytics/* INTO BrokeredEndpoint(\"/modules/tempsensor/inputs/control\")", 67 | "telemetryToAsa": "FROM /messages/modules/tempsensor/* INTO BrokeredEndpoint(\"/modules/streamanalytics/inputs/temperature\")" 68 | }, 69 | "storeAndForwardConfiguration": { 70 | "timeToLiveSecs": 7200 71 | } 72 | } 73 | --- 74 | apiVersion: v1 75 | kind: ConfigMap 76 | metadata: 77 | name: tempsensor 78 | data: 79 | status: running 80 | restartPolicy: always 81 | version: "1.0" 82 | createOptions: | 83 | {} 84 | --- 85 | apiVersion: v1 86 | kind: ConfigMap 87 | metadata: 88 | name: streamanalytics 89 | data: 90 | status: running 91 | restartPolicy: always 92 | version: "1.0" 93 | createOptions: | 94 | { 95 | "Env": [ 96 | "PlanId=REDACTED" 97 | ] 98 | } 99 | desiredProperties: | 100 | { 101 | "ASAJobInfo": "REDACTED", 102 | "ASAJobResourceId": "REDACTED", 103 | "ASAJobEtag": "REDACTED", 104 | "PublishTimestamp": "12/11/2018 9:00:57 AM" 105 | } 106 | -------------------------------------------------------------------------------- /iotedge/templates/arm32v7/tempsensor-function-arm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: tempsensor-function-arm 5 | spec: 6 | replicas: 2 7 | strategy: 8 | rollingUpdate: 9 | maxSurge: 0 10 | maxUnavailable: 100% 11 | selector: 12 | matchLabels: 13 | app: tempsensor-function-arm 14 | minReadySeconds: 5 15 | template: 16 | metadata: 17 | name: tempsensor-function-arm 18 | labels: 19 | app: tempsensor-function-arm 20 | annotations: 21 | isEdgeDeployment: "true" 22 | targetCondition: "tags.location.building='mobile' AND tags.environment='test'" 23 | priority: "15" 24 | loggingOptions: "" 25 | spec: 26 | 
containers: 27 | - name: tempsensor 28 | image: mcr.microsoft.com/azureiotedge-simulated-temperature-sensor:1.0 29 | - name: function 30 | image: REDACTED.azurecr.io/filterfunction:0.0.1-arm32v7 31 | nodeSelector: 32 | type: virtual-kubelet 33 | tolerations: 34 | - key: virtual-kubelet.io/provider 35 | operator: Equal 36 | value: iotedge 37 | effect: NoSchedule 38 | --- 39 | apiVersion: v1 40 | kind: ConfigMap 41 | metadata: 42 | name: edgeagent 43 | data: 44 | desiredProperties: | 45 | { 46 | "runtime": { 47 | "settings": { 48 | "registryCredentials": { 49 | "docker": { 50 | "address": "REDACTED", 51 | "password": "REDACTED", 52 | "username": "REDACTED" 53 | } 54 | } 55 | } 56 | }, 57 | "systemModules": { 58 | "edgeHub": { 59 | "env": { 60 | "OptimizeForPerformance": { 61 | "value": "false" 62 | } 63 | } 64 | } 65 | } 66 | } 67 | --- 68 | apiVersion: v1 69 | kind: ConfigMap 70 | metadata: 71 | name: edgehub 72 | data: 73 | desiredProperties: | 74 | { 75 | "routes": { 76 | "sensorToFilter":"FROM /messages/modules/tempsensor/outputs/temperatureOutput INTO BrokeredEndpoint(\"/modules/function/inputs/input1\")", 77 | "filterToIoTHub":"FROM /messages/modules/function/outputs/* INTO $upstream" 78 | }, 79 | "storeAndForwardConfiguration": { 80 | "timeToLiveSecs": 7200 81 | } 82 | } 83 | --- 84 | apiVersion: v1 85 | kind: ConfigMap 86 | metadata: 87 | name: tempsensor 88 | data: 89 | status: running 90 | restartPolicy: always 91 | version: "1.0" 92 | createOptions: | 93 | {} 94 | --- 95 | apiVersion: v1 96 | kind: ConfigMap 97 | metadata: 98 | name: function 99 | data: 100 | status: running 101 | restartPolicy: always 102 | version: "1.0" 103 | createOptions: | 104 | { 105 | "HostConfig": { 106 | "PortBindings": { 107 | "80/tcp": [ 108 | { 109 | "HostPort": "80" 110 | } 111 | ] 112 | } 113 | } 114 | } 115 | -------------------------------------------------------------------------------- /aks-engine/aksEngineAad.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "apiVersion": "vlabs", 3 | "properties": { 4 | "orchestratorProfile": { 5 | "orchestratorType": "Kubernetes", 6 | "orchestratorRelease": "1.15", 7 | "orchestratorVersion": "1.15.0", 8 | "kubernetesConfig": { 9 | "kubeletConfig": { 10 | "--max-pods": "110" 11 | }, 12 | "controllerManagerConfig": { 13 | "--feature-gates": "ServiceNodeExclusion=true" 14 | }, 15 | "useManagedIdentity": true, 16 | "loadBalancerSku": "standard", 17 | "networkPlugin": "azure", 18 | "networkPolicy": "azure", 19 | "containerRuntime": "docker", 20 | "mobyVersion": "3.0.5", 21 | "enablePodSecurityPolicy": true, 22 | "enableRbac": true, 23 | "etcdDiskSizeGB": "256", 24 | "useInstanceMetadata": true, 25 | "kubeProxyMode": "iptables", 26 | "addons": [ 27 | { 28 | "name": "tiller", 29 | "enabled": true 30 | }, 31 | { 32 | "name": "kubernetes-dashboard", 33 | "enabled": false 34 | }, 35 | { 36 | "name": "cluster-autoscaler", 37 | "enabled": false 38 | }, 39 | { 40 | "name": "container-monitoring", 41 | "enabled": false 42 | }, 43 | { 44 | "name": "blobfuse-flexvolume", 45 | "enabled": false 46 | }, 47 | { 48 | "name": "smb-flexvolume", 49 | "enabled": false 50 | }, 51 | { 52 | "name": "keyvault-flexvolume", 53 | "enabled": false 54 | }, 55 | { 56 | "name": "aad-pod-identity", 57 | "enabled": false 58 | } 59 | ], 60 | "privateCluster": { 61 | "enabled": false 62 | } 63 | } 64 | }, 65 | "masterProfile": { 66 | "count": 1, 67 | "dnsPrefix": "azst-akse1", 68 | "vmSize": "Standard_D2_v3", 69 | "distro": "aks-ubuntu-18.04", 70 | "osDiskSizeGB": 30, 71 | "storageProfile": "ManagedDisks", 72 | "availabilityProfile": "AvailabilitySet", 73 | "cosmosEtcd": false 74 | }, 75 | "agentPoolProfiles": [ 76 | { 77 | "name": "nodepool1", 78 | "count": 2, 79 | "vmSize": "Standard_D2_v3", 80 | "osType": "Linux", 81 | "distro": "aks-ubuntu-18.04", 82 | "osDiskSizeGB": 30, 83 | "storageProfile": "ManagedDisks", 84 | 
"availabilityProfile": "VirtualMachineScaleSets", 85 | "vmssOverProvisioningEnabled": true 86 | } 87 | ], 88 | "aadProfile": { 89 | "clientAppID": "REDACTED", 90 | "serverAppID": "REDACTED", 91 | "adminGroupID": "REDACTED", 92 | "tenantID": "REDACTED" 93 | }, 94 | "linuxProfile": { 95 | "adminUsername": "azureuser", 96 | "ssh": { 97 | "publicKeys": [ 98 | { 99 | "keyData": "REDACTED" 100 | } 101 | ] 102 | } 103 | } 104 | } 105 | } 106 | -------------------------------------------------------------------------------- /hxe-aci/deploy_HXE_ACI_ARM.ps1: -------------------------------------------------------------------------------- 1 | #Variables for HXE ACI deployment 2 | $resourceGroupName='aci-hxe-rg' 3 | $aciInstance='aci-hxe-instance' 4 | $fileShareName='hxe-config' 5 | $aciHxeImage='registry-1.docker.io/store/saplabs/hanaexpress:2.00.045.00.20200121.1' 6 | $registryLoginServer='registry-1.docker.io' 7 | $gitHubAciHxeUri='https://raw.githubusercontent.com/neumanndaniel/kubernetes/master/hxe-aci/aciHxe.json' 8 | 9 | $inputKey=Read-Host '(1) West Europe 10 | (2) North Europe 11 | (3) East US 12 | (4) West US 13 | Enter Azure region for AKS deployment' 14 | switch ($inputKey.ToUpper()) { 15 | 1 { 16 | $azureRegion='westeurope' 17 | } 18 | 2 { 19 | $azureRegion='northeurope' 20 | } 21 | 3 { 22 | $azureRegion='eastus' 23 | } 24 | 4 { 25 | $azureRegion='westus' 26 | } 27 | } 28 | 29 | #Create resource group 30 | az group create --name $resourceGroupName --location $azureRegion --output table 31 | 32 | #Prepare deployment files and create master password JSON 33 | $credential=Get-Credential -UserName hxeMasterPassword 34 | $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($credential.Password) 35 | $masterPassword=[System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($BSTR) 36 | 37 | $jsonDefinition='{'+'"'+'master_password'+'"'+' : '+'"'+$masterPassword+'"'+'}' 38 | 39 | Write-Output $jsonDefinition > masterPassword.json 40 | 41 | 
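# Drop the HANA master-password material that is no longer needed in memory.
# $BSTR points at an unmanaged copy of the password; assigning $null does not zero it,
# so free it explicitly first. $masterPassword (the managed string produced above) is
# cleared as well – the only consumer is masterPassword.json, which already exists.
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)
$jsonDefinition=$null
$BSTR=$null
$credential=$null
$masterPassword=$null

#Create Azure file share and upload masterPassword.json
# Storage account names must be 3-24 lowercase alphanumerics; a GUID without dashes,
# truncated to 20 characters, satisfies that and is unlikely to collide.
$storageAccountName=(New-Guid).Guid
$storageAccountName=$storageAccountName -replace "-",""
$storageAccountName=$storageAccountName.Substring(0,20)

# --https-only keeps the password file off plaintext transports. The ARM template is
# expected to obtain the share's account key itself; this script does not need it.
az storage account create --name $storageAccountName --resource-group $resourceGroupName --kind StorageV2 --sku Standard_LRS --https-only true --encryption-services blob file
az storage share create --name $fileShareName --account-name $storageAccountName
az storage file upload --share-name $fileShareName --account-name $storageAccountName --source ./masterPassword.json
# The clear-text password file has served its purpose once uploaded; do not leave it in
# the working directory where it would outlive the script (e.g. inside a git checkout).
Remove-Item -Path ./masterPassword.json -Force -ErrorAction SilentlyContinue

#Enter Docker account details and create docker registry secret
$credential=Get-Credential -Title 'Enter Docker account username and password'
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($credential.Password)
$dockerPassword=[System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($BSTR)
$dockerUsername=$credential.UserName

#HANA Express Edition deployment on ACI
# NOTE(review): imagePassword is passed as a plain template parameter on the command line.
# It is visible to other local processes for the duration of the call and, unless
# aciHxe.json declares the parameter as 'secureString', it is also persisted in clear
# text in the resource group's deployment history – confirm the parameter type in the template.
az group deployment create --resource-group $resourceGroupName --name $aciInstance `
--template-uri $gitHubAciHxeUri --parameters containerName=$aciInstance containerImage=$aciHxeImage `
imageRegistryLoginServer=$registryLoginServer imageUsername=$dockerUsername imagePassword=$dockerPassword `
osType=Linux numberCores=4 memory=14 ipType=Public fileShareStorageAccount=$storageAccountName fileShareName=$fileShareName

# Release the Docker credential material: free the unmanaged BSTR copy before dropping
# the references (assigning $null alone leaves the bytes in place).
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)
$dockerPassword=$null
$dockerUsername=$null
$BSTR=$null
$credential=$null
-------------------------------------------------------------------------------- /fluent-bit/azure-data-explorer-kubernetes-events/deployment.yaml: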
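apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: fluent-bit-kubernetes-events
    version: v3.2.3
    kubernetes.io/cluster-service: "true"
  name: fluent-bit-kubernetes-events
  namespace: logging
spec:
  # One replica with a Recreate strategy: the collector keeps its state on a data PVC
  # (mounted below), so a rolling update must not let two pods contend for that volume.
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: fluent-bit-kubernetes-events
  template:
    metadata:
      labels:
        app: fluent-bit-kubernetes-events
        version: v3.2.3
        kubernetes.io/cluster-service: "true"
    spec:
      # Leave the pipeline time to flush buffered events on shutdown.
      terminationGracePeriodSeconds: 75
      containers:
      - name: fluent-bit-kubernetes-events
        # NOTE(review): pinned by tag only; pin by digest (image@sha256:...) so that a
        # re-published 3.2.3 tag cannot change what runs here without a manifest change.
        image: cr.fluentbit.io/fluent/fluent-bit:3.2.3
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 2020
        livenessProbe:
          httpGet:
            path: /api/v1/health
            port: 2020
          failureThreshold: 3
          initialDelaySeconds: 60
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        env:
        # Azure Data Explorer service-principal credentials are read from the
        # 'azuredataexplorer' Secret; nothing sensitive is written into this manifest.
        - name: FLUENT_ADX_TENANT_ID
          valueFrom:
            secretKeyRef:
              name: azuredataexplorer
              key: tenant_id
        - name: FLUENT_ADX_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: azuredataexplorer
              key: client_id
        - name: FLUENT_ADX_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: azuredataexplorer
              key: client_secret
        # Static labels attached to every forwarded event.
        - name: CLUSTER
          value: aks-azst-1
        - name: REGION
          value: northeurope
        - name: ENVIRONMENT
          value: prod
        - name: NODE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.hostIP
        volumeMounts:
        - name: fluent-bit-kubernetes-events-config
          mountPath: /fluent-bit/etc/
        - name: fluent-bit-kubernetes-events-data
          mountPath: /fluent-bit/data/
        resources:
          limits:
            cpu: 500m
            memory: 750Mi
          requests:
            cpu: 75m
            memory: 325Mi
        securityContext:
          runAsNonRoot: true
          # 65534 = nobody. NOTE(review): if the data PVC is provisioned root-owned, the
          # pod additionally needs a pod-level fsGroup so this uid can write to it.
          runAsUser: 65534
          # Restricted-profile hardening: the collector only talks to the API server and
          # writes to its own PVC, so it needs no Linux capabilities and can run under the
          # runtime's default seccomp profile. Without these two settings the pod is
          # rejected by the Pod Security "restricted" standard.
          capabilities:
            drop: ["ALL"]
          seccompProfile:
            type: RuntimeDefault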
| runAsGroup: 65534 83 | readOnlyRootFilesystem: true 84 | allowPrivilegeEscalation: false 85 | volumes: 86 | - name: fluent-bit-kubernetes-events-config 87 | configMap: 88 | name: fluent-bit-kubernetes-events-config 89 | - name: fluent-bit-kubernetes-events-data 90 | persistentVolumeClaim: 91 | claimName: fluent-bit-kubernetes-events 92 | serviceAccountName: fluent-bit-kubernetes-events 93 | priorityClassName: system-cluster-critical 94 | -------------------------------------------------------------------------------- /ambassador/ambassador-rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | service: ambassador-admin 6 | name: ambassador-admin 7 | spec: 8 | type: NodePort 9 | ports: 10 | - name: ambassador-admin 11 | port: 8877 12 | targetPort: 8877 13 | selector: 14 | service: ambassador 15 | --- 16 | apiVersion: rbac.authorization.k8s.io/v1beta1 17 | kind: ClusterRole 18 | metadata: 19 | name: ambassador 20 | rules: 21 | - apiGroups: [""] 22 | resources: 23 | - namespaces 24 | - services 25 | - secrets 26 | - endpoints 27 | verbs: ["get", "list", "watch"] 28 | --- 29 | apiVersion: v1 30 | kind: ServiceAccount 31 | metadata: 32 | name: ambassador 33 | --- 34 | apiVersion: rbac.authorization.k8s.io/v1beta1 35 | kind: ClusterRoleBinding 36 | metadata: 37 | name: ambassador 38 | roleRef: 39 | apiGroup: rbac.authorization.k8s.io 40 | kind: ClusterRole 41 | name: ambassador 42 | subjects: 43 | - kind: ServiceAccount 44 | name: ambassador 45 | namespace: default 46 | --- 47 | apiVersion: apps/v1 48 | kind: Deployment 49 | metadata: 50 | name: ambassador 51 | spec: 52 | replicas: 3 53 | strategy: 54 | rollingUpdate: 55 | maxSurge: 0 56 | maxUnavailable: 1 57 | minReadySeconds: 5 58 | selector: 59 | matchLabels: 60 | service: ambassador 61 | template: 62 | metadata: 63 | annotations: 64 | sidecar.istio.io/inject: "false" 65 | "consul.hashicorp.com/connect-inject": 
"false" 66 | labels: 67 | service: ambassador 68 | spec: 69 | affinity: 70 | podAntiAffinity: 71 | requiredDuringSchedulingIgnoredDuringExecution: 72 | - labelSelector: 73 | matchExpressions: 74 | - key: service 75 | operator: In 76 | values: 77 | - ambassador 78 | topologyKey: kubernetes.io/hostname 79 | serviceAccountName: ambassador 80 | containers: 81 | - name: ambassador 82 | image: quay.io/datawire/ambassador:0.60.1 83 | resources: 84 | limits: 85 | cpu: 1 86 | memory: 400Mi 87 | requests: 88 | cpu: 200m 89 | memory: 100Mi 90 | env: 91 | - name: AMBASSADOR_NAMESPACE 92 | valueFrom: 93 | fieldRef: 94 | fieldPath: metadata.namespace 95 | ports: 96 | - name: http 97 | containerPort: 8080 98 | - name: https 99 | containerPort: 8443 100 | - name: admin 101 | containerPort: 8877 102 | livenessProbe: 103 | httpGet: 104 | path: /ambassador/v0/check_alive 105 | port: 8877 106 | initialDelaySeconds: 30 107 | periodSeconds: 3 108 | readinessProbe: 109 | httpGet: 110 | path: /ambassador/v0/check_ready 111 | port: 8877 112 | initialDelaySeconds: 30 113 | periodSeconds: 3 114 | restartPolicy: Always 115 | securityContext: 116 | runAsUser: 8888 117 | -------------------------------------------------------------------------------- /aks/aksBaseImageUpdate.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | set -o pipefail 5 | 6 | echo "[$(date +"%Y-%m-%d %H:%M:%S")] Gathering information about the Azure Kubernetes Service cluster and the latest base image..." 
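# Node resource group of the AKS cluster, taken from the kubernetes.azure.com/cluster label
# of the first VMSS-backed node. Every az call below is scoped to this resource group.
RESOURCE_GROUP=$(kubectl get node "$(kubectl get nodes | grep vmss --max-count=1 | cut -d ' ' -f 1)" -o json | jq -r '.metadata.labels["kubernetes.azure.com/cluster"] // empty')
if [[ -z "$RESOURCE_GROUP" ]]; then
  echo "[$(date +"%Y-%m-%d %H:%M:%S")] Could not determine the node resource group from the cluster nodes. Aborting..." >&2
  exit 1
fi
VM_SCALE_SETS=$(az vmss list --resource-group "$RESOURCE_GROUP" | jq -r '.[].name')

for VMSS in $VM_SCALE_SETS; do
  VMSS_PROPERTIES=$(az vmss show --resource-group "$RESOURCE_GROUP" --name "$VMSS")
  # The image reference currently configured on the scale set (publisher/offer/sku/version).
  IMAGE_REF=$(echo "$VMSS_PROPERTIES" | jq -c '.virtualMachineProfile.storageProfile.imageReference')

  # Only Linux node pools are handled here.
  if [[ $(echo "$IMAGE_REF" | jq -r '.offer') == "WindowsServer" ]]; then
    echo "[$(date +"%Y-%m-%d %H:%M:%S")] Skipping Windows VMSS $VMSS..."
    continue
  fi

  OFFER=$(echo "$IMAGE_REF" | jq -r '.offer')
  PUBLISHER=$(echo "$IMAGE_REF" | jq -r '.publisher')
  CURRENT_VERSION=$(echo "$IMAGE_REF" | jq -r '.version')
  # The SKU ends in a six-character YYYYMM stamp; strip it and look for this month's SKU
  # first, falling back to last month's if no image has been published yet.
  SKU_TEMP=$(echo "$IMAGE_REF" | jq -r '.sku' | rev | cut -c 7- | rev)
  SKU="$SKU_TEMP$(date +"%Y%m")"

  BASE_IMAGES=$(az vm image list --offer "$OFFER" --publisher "$PUBLISHER" --sku "$SKU" --all)
  if [[ $(echo "$BASE_IMAGES" | jq length) -eq 0 ]]; then
    SKU="$SKU_TEMP$(date +"%Y%m" --date="last month")"
    BASE_IMAGES=$(az vm image list --offer "$OFFER" --publisher "$PUBLISHER" --sku "$SKU" --all)
  fi
  BASE_IMAGE_COUNT=$(echo "$BASE_IMAGES" | jq length)
  # Without this guard an empty list makes LATEST_BASE_IMAGE 'null', the version check
  # below passes, and the VMSS would be updated to sku/version "null".
  if [[ "$BASE_IMAGE_COUNT" -eq 0 ]]; then
    echo "[$(date +"%Y-%m-%d %H:%M:%S")] Skipping VMSS $VMSS. No base image found for SKU $SKU..."
    continue
  fi
  # Assumes 'az vm image list' returns versions in ascending order (the last entry is the
  # newest) – this mirrors the original selection; verify if the ordering ever changes.
  LATEST_BASE_IMAGE=$(echo "$BASE_IMAGES" | jq ".[$BASE_IMAGE_COUNT-1]")
  LATEST_SKU=$(echo "$LATEST_BASE_IMAGE" | jq -r '.sku')
  LATEST_VERSION=$(echo "$LATEST_BASE_IMAGE" | jq -r '.version')

  if [[ "$LATEST_VERSION" == "$CURRENT_VERSION" ]]; then
    echo "[$(date +"%Y-%m-%d %H:%M:%S")] Skipping VMSS $VMSS. No newer base image version available..."
    continue
  fi

  echo "[$(date +"%Y-%m-%d %H:%M:%S")] Updating base image for VMSS $VMSS..."
  # Point the scale-set model at the new image; existing instances are rolled one by one below.
  az vmss update --resource-group "$RESOURCE_GROUP" --name "$VMSS" \
    --set virtualMachineProfile.storageProfile.imageReference.sku="$LATEST_SKU" \
    virtualMachineProfile.storageProfile.imageReference.version="$LATEST_VERSION" | jq '.virtualMachineProfile.storageProfile.imageReference'
  echo "[$(date +"%Y-%m-%d %H:%M:%S")] Updating VMSS instances..."
  VMSS_INSTANCES=$(kubectl get nodes | grep "$VMSS" | cut -d ' ' -f1)
  for INSTANCE in $VMSS_INSTANCES; do
    # The VMSS instance id is the last path segment of the node's providerID
    # (the original script took the 13th '/'-separated field of the same value).
    PROVIDER_ID=$(kubectl get node "$INSTANCE" -o jsonpath='{.spec.providerID}')
    INSTANCE_ID=${PROVIDER_ID##*/}
    echo "[$(date +"%Y-%m-%d %H:%M:%S")] Draining node $INSTANCE..."
    # --force also evicts pods that are not managed by a controller; they are not recreated.
    # --delete-local-data was renamed --delete-emptydir-data in kubectl 1.20 and the old
    # spelling is removed in later releases; switch the flag when the kubectl in use requires it.
    kubectl drain "$INSTANCE" --ignore-daemonsets --delete-local-data --force
    echo "[$(date +"%Y-%m-%d %H:%M:%S")] Updating VMSS instance $INSTANCE..."
    az vmss update-instances --instance-ids "$INSTANCE_ID" --name "$VMSS" --resource-group "$RESOURCE_GROUP"
    echo "[$(date +"%Y-%m-%d %H:%M:%S")] Uncordon node $INSTANCE..."
    kubectl uncordon "$INSTANCE"
  done
done

echo "[$(date +"%Y-%m-%d %H:%M:%S")] Base image update finished..."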
55 | -------------------------------------------------------------------------------- /ambassador/ambassador-rbac-soft.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | labels: 5 | service: ambassador-admin 6 | name: ambassador-admin 7 | spec: 8 | type: NodePort 9 | ports: 10 | - name: ambassador-admin 11 | port: 8877 12 | targetPort: 8877 13 | selector: 14 | service: ambassador 15 | --- 16 | apiVersion: rbac.authorization.k8s.io/v1beta1 17 | kind: ClusterRole 18 | metadata: 19 | name: ambassador 20 | rules: 21 | - apiGroups: [""] 22 | resources: 23 | - namespaces 24 | - services 25 | - secrets 26 | - endpoints 27 | verbs: ["get", "list", "watch"] 28 | --- 29 | apiVersion: v1 30 | kind: ServiceAccount 31 | metadata: 32 | name: ambassador 33 | --- 34 | apiVersion: rbac.authorization.k8s.io/v1beta1 35 | kind: ClusterRoleBinding 36 | metadata: 37 | name: ambassador 38 | roleRef: 39 | apiGroup: rbac.authorization.k8s.io 40 | kind: ClusterRole 41 | name: ambassador 42 | subjects: 43 | - kind: ServiceAccount 44 | name: ambassador 45 | namespace: default 46 | --- 47 | apiVersion: apps/v1 48 | kind: Deployment 49 | metadata: 50 | name: ambassador 51 | spec: 52 | replicas: 3 53 | strategy: 54 | rollingUpdate: 55 | maxSurge: 0 56 | maxUnavailable: 1 57 | minReadySeconds: 5 58 | selector: 59 | matchLabels: 60 | service: ambassador 61 | template: 62 | metadata: 63 | annotations: 64 | sidecar.istio.io/inject: "false" 65 | "consul.hashicorp.com/connect-inject": "false" 66 | labels: 67 | service: ambassador 68 | spec: 69 | affinity: 70 | podAntiAffinity: 71 | preferredDuringSchedulingIgnoredDuringExecution: 72 | - weight: 100 73 | podAffinityTerm: 74 | labelSelector: 75 | matchExpressions: 76 | - key: service 77 | operator: In 78 | values: 79 | - ambassador 80 | topologyKey: kubernetes.io/hostname 81 | serviceAccountName: ambassador 82 | containers: 83 | - name: ambassador 84 | image: 
quay.io/datawire/ambassador:0.60.1 85 | resources: 86 | limits: 87 | cpu: 1 88 | memory: 400Mi 89 | requests: 90 | cpu: 200m 91 | memory: 100Mi 92 | env: 93 | - name: AMBASSADOR_NAMESPACE 94 | valueFrom: 95 | fieldRef: 96 | fieldPath: metadata.namespace 97 | ports: 98 | - name: http 99 | containerPort: 8080 100 | - name: https 101 | containerPort: 8443 102 | - name: admin 103 | containerPort: 8877 104 | livenessProbe: 105 | httpGet: 106 | path: /ambassador/v0/check_alive 107 | port: 8877 108 | initialDelaySeconds: 30 109 | periodSeconds: 3 110 | readinessProbe: 111 | httpGet: 112 | path: /ambassador/v0/check_ready 113 | port: 8877 114 | initialDelaySeconds: 30 115 | periodSeconds: 3 116 | restartPolicy: Always 117 | securityContext: 118 | runAsUser: 8888 119 | -------------------------------------------------------------------------------- /hxe-aci/deploy_HXE_ACI.ps1: -------------------------------------------------------------------------------- 1 | #Variables for HXE ACI deployment 2 | $resourceGroupName='aci-hxe-rg' 3 | $aciInstance='aci-hxe-instance' 4 | $fileShareName='hxe-config' 5 | $aciHxeImage='registry-1.docker.io/store/saplabs/hanaexpress:2.00.045.00.20200121.1' 6 | $registryLoginServer='registry-1.docker.io' 7 | 8 | $inputKey=Read-Host '(1) West Europe 9 | (2) North Europe 10 | (3) East US 11 | (4) West US 12 | Enter Azure region for AKS deployment' 13 | switch ($inputKey.ToUpper()) { 14 | 1 { 15 | $azureRegion='westeurope' 16 | } 17 | 2 { 18 | $azureRegion='northeurope' 19 | } 20 | 3 { 21 | $azureRegion='eastus' 22 | } 23 | 4 { 24 | $azureRegion='westus' 25 | } 26 | } 27 | 28 | #Create resource group 29 | az group create --name $resourceGroupName --location $azureRegion --output table 30 | 31 | #Prepare deployment files and create master password JSON 32 | $credential=Get-Credential -UserName hxeMasterPassword 33 | $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($credential.Password) 34 | 
$masterPassword=[System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($BSTR) 35 | 36 | $jsonDefinition='{'+'"'+'master_password'+'"'+' : '+'"'+$masterPassword+'"'+'}' 37 | 38 | Write-Output $jsonDefinition > masterPassword.json 39 | 40 | $jsonDefinition=$null 41 | $BSTR=$null 42 | $credential=$null 43 | 44 | #Create Azure file share and upload masterPassword.json 45 | $storageAccountName=(New-Guid).Guid 46 | $storageAccountName=$storageAccountName -replace "-","" 47 | $storageAccountName=$storageAccountName.Substring(0,20) 48 | 49 | az storage account create --name $storageAccountName --resource-group $resourceGroupName --kind StorageV2 --sku Standard_LRS --https-only true --encryption-services blob file 50 | az storage share create --name $fileShareName --account-name $storageAccountName 51 | az storage file upload --share-name $fileShareName --account-name $storageAccountName --source ./masterPassword.json 52 | $storageAccountKeys = az storage account keys list --account-name $storageAccountName --resource-group $resourceGroupName | ConvertFrom-Json 53 | 54 | #Enter Docker account details and create docker registry secret 55 | $credential=Get-Credential -Title 'Enter Docker account username and password' 56 | $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($credential.Password) 57 | $dockerPassword=[System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($BSTR) 58 | $dockerUsername=$credential.UserName 59 | 60 | #HANA Express Edition deployment on ACI 61 | az container create --resource-group $resourceGroupName ` 62 | --name $aciInstance --image $aciHxeImage ` 63 | --os-type Linux --cpu 4 --memory 14 --dns-name-label $aciInstance --ip-address public --ports 39013 39015 39017 39041 59013 ` 64 | --registry-login-server $registryLoginServer --registry-username $dockerUsername ` 65 | --registry-password $dockerPassword ` 66 | --command-line "/bin/bash -c '/run_hana --agree-to-sap-license --dont-check-system --passwords-url 
file:///hana/hxeconfig/masterPassword.json'" ` 67 | --azure-file-volume-share-name $fileShareName --azure-file-volume-account-name $storageAccountName ` 68 | --azure-file-volume-account-key $storageAccountKeys[0].value ` 69 | --azure-file-volume-mount-path /hana/hxeconfig 70 | 71 | $dockerPassword=$null 72 | $dockerUsername=$null 73 | $BSTR=$null 74 | $credential=$null 75 | $storageAccountKeys=$null 76 | -------------------------------------------------------------------------------- /fluent-bit/azure-data-explorer/adx-output/daemon-set.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: DaemonSet 3 | metadata: 4 | name: fluent-bit 5 | namespace: logging 6 | labels: 7 | app: fluent-bit 8 | version: v3.2.2 9 | kubernetes.io/cluster-service: "true" 10 | spec: 11 | selector: 12 | matchLabels: 13 | app: fluent-bit 14 | template: 15 | metadata: 16 | labels: 17 | app: fluent-bit 18 | version: v3.2.2 19 | kubernetes.io/cluster-service: "true" 20 | spec: 21 | terminationGracePeriodSeconds: 75 22 | containers: 23 | - name: fluent-bit 24 | image: cr.fluentbit.io/fluent/fluent-bit:3.2.2 25 | imagePullPolicy: IfNotPresent 26 | ports: 27 | - containerPort: 2020 28 | livenessProbe: 29 | httpGet: 30 | path: /api/v1/health 31 | port: 2020 32 | failureThreshold: 3 33 | initialDelaySeconds: 60 34 | periodSeconds: 10 35 | successThreshold: 1 36 | timeoutSeconds: 1 37 | env: 38 | - name: FLUENT_ADX_TENANT_ID 39 | valueFrom: 40 | secretKeyRef: 41 | name: azuredataexplorer 42 | key: tenant_id 43 | - name: FLUENT_ADX_CLIENT_ID 44 | valueFrom: 45 | secretKeyRef: 46 | name: azuredataexplorer 47 | key: client_id 48 | - name: FLUENT_ADX_CLIENT_SECRET 49 | valueFrom: 50 | secretKeyRef: 51 | name: azuredataexplorer 52 | key: client_secret 53 | - name: CLUSTER 54 | value: aks-azst-1 55 | - name: REGION 56 | value: northeurope 57 | - name: ENVIRONMENT 58 | value: prod 59 | - name: NODE_IP 60 | valueFrom: 61 | fieldRef: 62 | 
apiVersion: v1 63 | fieldPath: status.hostIP 64 | resources: 65 | limits: 66 | cpu: 500m 67 | memory: 750Mi 68 | requests: 69 | cpu: 75m 70 | memory: 325Mi 71 | volumeMounts: 72 | - name: varlog 73 | mountPath: /var/log 74 | - name: varlibdockercontainers 75 | mountPath: /var/lib/docker/containers 76 | readOnly: true 77 | - name: fluent-bit-config 78 | mountPath: /fluent-bit/etc/ 79 | securityContext: 80 | readOnlyRootFilesystem: true 81 | allowPrivilegeEscalation: false 82 | volumes: 83 | - name: varlog 84 | hostPath: 85 | path: /var/log 86 | - name: varlibdockercontainers 87 | hostPath: 88 | path: /var/lib/docker/containers 89 | - name: fluent-bit-config 90 | configMap: 91 | name: fluent-bit-config 92 | serviceAccountName: fluent-bit 93 | priorityClassName: system-node-critical 94 | tolerations: 95 | - key: node-role.kubernetes.io/master 96 | operator: Exists 97 | effect: NoSchedule 98 | - operator: "Exists" 99 | effect: "NoExecute" 100 | - operator: "Exists" 101 | effect: "NoSchedule" 102 | -------------------------------------------------------------------------------- /fluent-bit/azure-data-explorer/kafka-output/daemon-set.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: DaemonSet 3 | metadata: 4 | name: fluent-bit 5 | namespace: logging 6 | labels: 7 | app: fluent-bit 8 | version: v3.1.4 9 | kubernetes.io/cluster-service: "true" 10 | spec: 11 | selector: 12 | matchLabels: 13 | app: fluent-bit 14 | template: 15 | metadata: 16 | labels: 17 | app: fluent-bit 18 | version: v3.1.4 19 | kubernetes.io/cluster-service: "true" 20 | spec: 21 | terminationGracePeriodSeconds: 75 22 | containers: 23 | - name: fluent-bit 24 | image: cr.fluentbit.io/fluent/fluent-bit:3.1.4 25 | imagePullPolicy: IfNotPresent 26 | ports: 27 | - containerPort: 2020 28 | livenessProbe: 29 | httpGet: 30 | path: /api/v1/health 31 | port: 2020 32 | failureThreshold: 3 33 | initialDelaySeconds: 60 34 | periodSeconds: 10 35 | 
successThreshold: 1 36 | timeoutSeconds: 1 37 | env: 38 | - name: FLUENT_BIT_EVENT_HUB_NAMESPACE 39 | valueFrom: 40 | secretKeyRef: 41 | name: azureeventhub 42 | key: namespace 43 | - name: FLUENT_BIT_EVENT_HUB 44 | valueFrom: 45 | secretKeyRef: 46 | name: azureeventhub 47 | key: topic 48 | - name: FLUENT_BIT_EVENT_HUB_CONNECTION_STRING 49 | valueFrom: 50 | secretKeyRef: 51 | name: azureeventhub 52 | key: connection_string 53 | - name: CLUSTER 54 | value: aks-azst-1 55 | - name: REGION 56 | value: northeurope 57 | - name: ENVIRONMENT 58 | value: prod 59 | - name: NODE_IP 60 | valueFrom: 61 | fieldRef: 62 | apiVersion: v1 63 | fieldPath: status.hostIP 64 | resources: 65 | limits: 66 | cpu: 500m 67 | memory: 750Mi 68 | requests: 69 | cpu: 75m 70 | memory: 325Mi 71 | volumeMounts: 72 | - name: varlog 73 | mountPath: /var/log 74 | - name: varlibdockercontainers 75 | mountPath: /var/lib/docker/containers 76 | readOnly: true 77 | - name: fluent-bit-config 78 | mountPath: /fluent-bit/etc/ 79 | securityContext: 80 | readOnlyRootFilesystem: true 81 | allowPrivilegeEscalation: false 82 | volumes: 83 | - name: varlog 84 | hostPath: 85 | path: /var/log 86 | - name: varlibdockercontainers 87 | hostPath: 88 | path: /var/lib/docker/containers 89 | - name: fluent-bit-config 90 | configMap: 91 | name: fluent-bit-config 92 | serviceAccountName: fluent-bit 93 | priorityClassName: system-node-critical 94 | tolerations: 95 | - key: node-role.kubernetes.io/master 96 | operator: Exists 97 | effect: NoSchedule 98 | - operator: "Exists" 99 | effect: "NoExecute" 100 | - operator: "Exists" 101 | effect: "NoSchedule" 102 | -------------------------------------------------------------------------------- /on-azure/deploy_AKS.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | set -o pipefail 5 | 6 | resourceGroupName='aks-demo-rg' 7 | aksClusterName='aks-demo-cluster' 8 | aksAciConnectorName='aciconnector' 9 | 
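acrRegistryName='aksdemoacr'
omsWorkspaceName='aks-demo-oms'
gitHubTemplateUri='https://raw.githubusercontent.com/neumanndaniel/armtemplates/master/operationsmanagement/aksMonitoringSolution.json'

echo '(1) West Europe
(2) East US
(3) Southeast Asia
Enter Azure region for AKS deployment:'

read inputKey

# Map the menu choice to an Azure region. Any other input used to leave azureRegion
# empty and the script only failed later at 'az group create'; fail fast instead.
case $inputKey in
  1)
    azureRegion='westeurope'
    ;;
  2)
    azureRegion='eastus'
    ;;
  3)
    azureRegion='southeastasia'
    ;;
  *)
    echo "Invalid selection: '$inputKey'" >&2
    exit 1
    ;;
esac

#Create Kubernetes service principal account
echo '>>Creating Kubernetes service principal account:'
# The JSON returned here contains the service principal's password. appId and password
# are extracted once rather than re-parsed at every use; note that both still appear on
# the az command lines that consume them (visible to local process listings).
kubernetesServicePrincipal=$(az ad sp create-for-rbac --skip-assignment --verbose)
servicePrincipalAppId=$(echo "$kubernetesServicePrincipal" | jq -r .appId)
servicePrincipalPassword=$(echo "$kubernetesServicePrincipal" | jq -r .password)

#Create resource group
echo '>>Creating resource group:'
az group create --name "$resourceGroupName" --location "$azureRegion" --output table

#Create ACR container registry
echo '>>Creating ACR container registry:'
# NOTE(review): --admin-enabled true switches on the registry's shared admin account (one
# username/password with full push and pull rights). The cluster pulls through the service
# principal's role assignment below, so the admin account is only needed for interactive
# 'docker login'; consider disabling it otherwise.
az acr create --resource-group "$resourceGroupName" --name "$acrRegistryName" --sku Basic --admin-enabled true --output table

#Assigning AKS Service Principal the reader role on ACR
acrId=$(az acr show --resource-group "$resourceGroupName" --name "$acrRegistryName" --query "id" --output tsv)

az role assignment create --assignee "$servicePrincipalAppId" --role Reader --scope "$acrId" --verbose --output table

#Create AKS cluster
echo '>>Creating AKS cluster:'
# NOTE(review): --disable-rbac creates the cluster without Kubernetes RBAC, so every
# authenticated identity – including the tiller installed by 'helm init' further down –
# is effectively cluster-admin. Kept as-is because the later helm/tiller and ACI-connector
# steps rely on it; an RBAC-enabled cluster needs a tiller service account and binding first.
az aks create --resource-group "$resourceGroupName" --name "$aksClusterName" --node-count 1 --node-vm-size Standard_D2s_v3 --generate-ssh-keys --disable-rbac --service-principal "$servicePrincipalAppId" --client-secret "$servicePrincipalPassword" --output table

#Getting AKS cluster credentials
echo '>>Getting AKS cluster credentials:'
# --admin writes the cluster-admin kubeconfig entry.
az aks get-credentials --resource-group "$resourceGroupName" --name "$aksClusterName" --admin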
| #Deploy AKS ACI connector for Linux 58 | echo '>>Deploying ACI connector for Linux to AKS cluster:' 59 | helm init 60 | echo '>>Waiting 30 seconds to spin up tiller pod:' 61 | sleep 30 62 | az aks install-connector --resource-group $resourceGroupName --name $aksClusterName --connector-name $aksAciConnectorName --service-principal $(echo $kubernetesServicePrincipal|jq -r .appId) --client-secret $(echo $kubernetesServicePrincipal|jq -r .password) 63 | 64 | kubernetesServicePrincipal=$(echo $kubernetesServicePrincipal > /dev/null) 65 | 66 | #Create Log Analytics workspace, add the container monitoring solution to the workspace and deploy Log Analytics agent on the AKS cluster 67 | echo '>>Creating Log Analytics workspace and deploy OMS agent to AKS cluster:' 68 | az group deployment create --resource-group $resourceGroupName --template-uri $gitHubTemplateUri --parameters workspaceName=$omsWorkspaceName --verbose > /dev/null 69 | 70 | workspaceResourceId=$(az resource show --resource-group $resourceGroupName --name $omsWorkspaceName --resource-type 'Microsoft.OperationalInsights/workspaces' --verbose) 71 | 72 | az aks enable-addons --addons monitoring --resource-group $resourceGroupName --name $aksClusterName --workspace-resource-id $(echo $workspaceResourceId|jq -r .id) --output table 73 | -------------------------------------------------------------------------------- /on-azure/deploy_AKS.ps1: -------------------------------------------------------------------------------- 1 | #Variables for AKS deployment 2 | $resourceGroupName='aks-demo-rg' 3 | $aksClusterName='aks-demo-cluster' 4 | $aksAciConnectorName='aciconnector' 5 | $acrRegistryName='aksdemoacr' 6 | $omsWorkspaceName='aks-demo-oms' 7 | $gitHubTemplateUri='https://raw.githubusercontent.com/neumanndaniel/armtemplates/master/operationsmanagement/aksMonitoringSolution.json' 8 | 9 | $inputKey=Read-Host '(1) West Europe 10 | (2) East US 11 | (3) Southeast Asia 12 | Enter Azure region for AKS deployment' 13 | 14 | 
switch ($inputKey.ToUpper()) { 15 | 1 { 16 | $azureRegion='westeurope' 17 | } 18 | 2 { 19 | $azureRegion='eastus' 20 | } 21 | 3 { 22 | $azureRegion='southeastasia' 23 | } 24 | } 25 | 26 | #Create Kubernetes service principal account 27 | Write-Output '>>Creating Kubernetes service principal account:' 28 | $kubernetesServicePrincipal = az ad sp create-for-rbac --skip-assignment --verbose 29 | 30 | #Create resource group 31 | Write-Output '>>Creating resource group:' 32 | az group create --name $resourceGroupName --location $azureRegion --output table 33 | 34 | #Create ACR container registry 35 | Write-Output '>>Creating ACR container registry:' 36 | az acr create --resource-group $resourceGroupName --name $acrRegistryName --sku Basic --admin-enabled true --output table 37 | 38 | #Assigning AKS Service Principal the reader role on ACR 39 | $acrId=$(az acr show --resource-group $resourceGroupName --name $acrRegistryName --query "id" --output tsv) 40 | 41 | az role assignment create --assignee ($kubernetesServicePrincipal|ConvertFrom-Json).appId --role Reader --scope $acrId --verbose --output table 42 | 43 | #Create AKS cluster 44 | Write-Output '>>Creating AKS cluster:' 45 | az aks create --resource-group $resourceGroupName --name $aksClusterName --node-count 1 --node-vm-size Standard_D2s_v3 --generate-ssh-keys --disable-rbac --service-principal ($kubernetesServicePrincipal|ConvertFrom-Json).appId --client-secret ($kubernetesServicePrincipal|ConvertFrom-Json).password --output table 46 | 47 | #Getting AKS cluster credentials 48 | Write-Output '>>Getting AKS cluster credentials:' 49 | az aks get-credentials --resource-group $resourceGroupName --name $aksClusterName --admin 50 | 51 | #Deploy AKS ACI connector for Linux 52 | Write-Output '>>Deploying ACI connector for Linux to AKS cluster:' 53 | helm init 54 | Write-Output '>>Waiting 30 seconds to spin up tiller pod:' 55 | Start-Sleep -Seconds 30 56 | az aks install-connector --resource-group $resourceGroupName --name 
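$aksClusterName --connector-name $aksAciConnectorName --service-principal ($kubernetesServicePrincipal|ConvertFrom-Json).appId --client-secret ($kubernetesServicePrincipal|ConvertFrom-Json).password 57 | 58 | $kubernetesServicePrincipal = $null 59 | 60 | #Create Log Analytics workspace, add the container monitoring solution to the workspace and deploy Log Analytics agent on the AKS cluster 61 | Write-Output '>>Creating Log Analytics workspace and deploy OMS agent to AKS cluster:' 62 | $null=az group deployment create --resource-group $resourceGroupName --template-uri $gitHubTemplateUri --parameters workspaceName=$omsWorkspaceName --verbose|ConvertFrom-Json 63 | 64 | $workspaceResourceId=az resource show --resource-group $resourceGroupName --name $omsWorkspaceName --resource-type 'Microsoft.OperationalInsights/workspaces' --verbose|ConvertFrom-Json 65 | 66 | az aks enable-addons --addons monitoring --resource-group $resourceGroupName --name $aksClusterName --workspace-resource-id $workspaceResourceId.id --output table 67 | -------------------------------------------------------------------------------- /devTestLabs/secretProvisioning.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Copies the Kubernetes service principal id and secret from the DevTest Lab's own
Key Vault into a lab user's Key Vault.

.DESCRIPTION
Runs as an Azure Automation runbook. It logs in with the "AzureRunAsConnection"
service principal, locates the lab's source Key Vault in the same resource group as
the target vault, grants the runbook's service principal a temporary "set" permission
on the target vault, copies the two secrets and revokes that permission again.
The revocation sits in a finally block, so the temporary access policy is removed
even when the copy fails.

.PARAMETER keyVaultName
Full resource id of the target Key Vault
(/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<name>).
Despite the parameter name the value is parsed as a resource id, not a bare vault name.
#>
Param
(
    [Parameter(Mandatory = $true, HelpMessage = 'Azure Key Vault name')]
    [String]
    $keyVaultName
)

#Variables section
$connectionName = "AzureRunAsConnection"
$aadServicePrincipalIdName = "kubernetesId"
$aadServicePrincipalSecretName = "kubernetesSecret"

# A full Key Vault resource id splits into 9 segments: the vault name is the last one
# and the resource group is the fifth from the end (index 4). Reject anything shorter
# instead of indexing into garbage.
$idSegments = $keyVaultName.Split("/")
if ($idSegments.Length -lt 9) {
    throw "Parameter keyVaultName must be the full resource id of the target Key Vault, got '$keyVaultName'."
}
$targetKeyVaultName = $idSegments[$idSegments.Length - 1]
$resourceGroupName = $idSegments[$idSegments.Length - 5]

#Azure login with Azure Automation service account
try {
    # Get the connection "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    "Logging in to Azure..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection) {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    }
    else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

#Identifying source Key Vault of the Azure DevTest Lab
# Heuristic: after stripping all letters (-replace is case-insensitive) the lab's own
# vault name keeps at most four characters, user vaults keep more.
# NOTE(review): this relies on the lab's naming convention, not on a vault property — confirm.
$sourceKeyVaultName = $null
try {
    $keyVaults = (Get-AzureRmKeyVault -ResourceGroupName $resourceGroupName).VaultName
    foreach ($item in $keyVaults) {
        $nonLetterPart = $item -replace "[a-z]"
        if ($nonLetterPart.Length -le 4) {
            $sourceKeyVaultName = $item
            # The target is the lab vault itself: nothing to copy.
            if ($sourceKeyVaultName -eq $targetKeyVaultName) {
                exit
            }
        }
    }
}
catch {
    Write-Output 'ERROR:'
    Write-Output $_
}

# Fail before any access policy is granted when there is nothing to copy from.
if (-not $sourceKeyVaultName) {
    throw "No DevTest Lab source Key Vault found in resource group '$resourceGroupName'."
}

#Set Azure Automation service principal access on target Key Vault
# Least privilege: this runbook only writes secrets to the target vault, so 'set' is the
# only secret permission it needs there (the earlier list also granted backup, delete,
# get, list, recover and restore).
$secretPermissions = @('set')
try {
    Set-AzureRmKeyVaultAccessPolicy -VaultName $targetKeyVaultName -ServicePrincipalName $servicePrincipalConnection.ApplicationId -PermissionsToSecrets $secretPermissions
}
catch {
    Write-Output 'ERROR:'
    Write-Output $_
}

#Read Kubernetes service principal id and secret from source Key Vault and write to target Key Vault
try {
    $aadServicePrincipalId = Get-AzureKeyVaultSecret -VaultName $sourceKeyVaultName -Name $aadServicePrincipalIdName
    $aadServicePrincipalSecret = Get-AzureKeyVaultSecret -VaultName $sourceKeyVaultName -Name $aadServicePrincipalSecretName
    # Values are passed on as SecureString; the cmdlet results are assigned or discarded
    # rather than emitted to the job output stream.
    $null = Set-AzureKeyVaultSecret -VaultName $targetKeyVaultName -Name $aadServicePrincipalIdName -SecretValue $aadServicePrincipalId.SecretValue
    $null = Set-AzureKeyVaultSecret -VaultName $targetKeyVaultName -Name $aadServicePrincipalSecretName -SecretValue $aadServicePrincipalSecret.SecretValue
}
catch {
    Write-Output 'ERROR:'
    Write-Output $_
}
finally {
    #Revoke Azure Automation service principal access on target Key Vault
    # Runs on every path (success, reported error or an unexpected terminating error) so
    # the temporary access policy does not linger on the user's vault.
    # NOTE(review): this leaves an entry with an empty permission set; Remove-AzureRmKeyVaultAccessPolicy
    # would drop the entry entirely — confirm which is wanted.
    try {
        Set-AzureRmKeyVaultAccessPolicy -VaultName $targetKeyVaultName -ServicePrincipalName $servicePrincipalConnection.ApplicationId -PermissionsToSecrets @()
    }
    catch {
        Write-Output 'ERROR:'
        Write-Output $_
    }
}
-------------------------------------------------------------------------------- /cilium/prometheus-metrics/aks/config-map.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: alloy-config 5 | namespace: grafana-alloy 6 | labels: 7 | app: grafana-alloy 8 | data: 9 | config.alloy: | 10 | logging { 11 | level = "info" 12 | format = "json" 13 | } 14 | 15 | discovery.kubernetes "pods" { 16 | role = "pod" 17 | 18 | namespaces { 19 | own_namespace = false 20 | 21 | names = ["kube-system"] 22 | } 23 | 24 | selectors { 25 | role = "pod" 26 | field = "spec.nodeName=" + coalesce(sys.env("HOSTNAME"), constants.hostname) 27 | } 28 | } 29 | 30 | discovery.relabel "pods" { 31 | targets = discovery.kubernetes.pods.targets 32 | 33 | rule { 34 | source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_part_of"] 35 | action = "keep" 36 | regex = `cilium` 37 | } 38 | 39 | rule { 40 | source_labels = ["__meta_kubernetes_pod_annotation_prometheus_io_scrape"] 41 | action = "keep" 42 | regex = `true` 43 | } 44 | 45 | rule { 46 | source_labels = ["__address__", "__meta_kubernetes_pod_annotation_prometheus_io_port"] 47 | action = "replace" 48 | regex = `([^:]+)(?::\d+)?;(\d+)` 49 | replacement = "${1}:${2}" 50 | target_label = "__address__" 51 | } 52 | 53 | rule { 54 | source_labels = ["__meta_kubernetes_pod_annotation_prometheus_io_path"] 55 | 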
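action = "replace" 56 | regex = `(.+)` 57 | target_label = "__metrics_path__" 58 | } 59 | 60 | rule { /* targets discovered with role = "pod" only carry __meta_kubernetes_pod_* labels; the service annotation label used before was never set, so this rule never fired */ 61 | source_labels = ["__meta_kubernetes_pod_annotation_prometheus_io_scheme"] 62 | action = "replace" 63 | regex = `(https?)` 64 | target_label = "__scheme__" 65 | } 66 | 67 | rule { 68 | action = "labelmap" 69 | regex = `__meta_kubernetes_pod_label_(.+)` 70 | } 71 | 72 | rule { 73 | source_labels = ["__meta_kubernetes_namespace"] 74 | action = "replace" 75 | target_label = "namespace" 76 | } 77 | 78 | rule { 79 | source_labels = ["__meta_kubernetes_pod_name"] 80 | action = "replace" 81 | target_label = "pod" 82 | } 83 | 84 | rule { 85 | source_labels = ["__meta_kubernetes_pod_container_port_number"] 86 | action = "keep" 87 | regex = `\d+` 88 | } 89 | 90 | rule { 91 | replacement = sys.env("CLUSTER") 92 | target_label = "cluster" 93 | } 94 | } 95 | 96 | prometheus.scrape "pods" { 97 | job_name = "kubernetes-pods" 98 | honor_labels = true 99 | 100 | targets = discovery.relabel.pods.output 101 | forward_to = [prometheus.relabel.pods.receiver] 102 | 103 | scrape_interval = "30s" 104 | scheme = "http" /* default per target; a __scheme__ label set by the relabel rule above is expected to take precedence — confirm */ 105 | } 106 | 107 | prometheus.relabel "pods" { 108 | forward_to = [prometheus.remote_write.azure_managed_prometheus.receiver] 109 | 110 | rule { 111 | source_labels = ["__name__"] 112 | action = "keep" 113 | regex = sys.env("REGEX_METRICS_FILTER") 114 | } 115 | } 116 | 117 | prometheus.remote_write "azure_managed_prometheus" { 118 | endpoint { 119 | url = sys.env("ENDPOINT_URL") 120 | 121 | azuread { 122 | cloud = "AzurePublic" 123 | managed_identity { 124 | client_id = sys.env("CLIENT_ID") 125 | } 126 | } 127 | } 128 | } 129 | -------------------------------------------------------------------------------- /cilium/prometheus-metrics/k8s/config-map.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: alloy-config 5 | namespace: grafana-alloy 6 | labels: 7 | app:
grafana-alloy 8 | data: 9 | config.alloy: | 10 | logging { 11 | level = "info" 12 | format = "json" 13 | } 14 | 15 | discovery.kubernetes "pods" { 16 | role = "pod" 17 | 18 | namespaces { 19 | own_namespace = false 20 | 21 | names = ["kube-system"] 22 | } 23 | 24 | selectors { 25 | role = "pod" 26 | field = "spec.nodeName=" + coalesce(sys.env("HOSTNAME"), constants.hostname) 27 | } 28 | } 29 | 30 | discovery.relabel "pods" { 31 | targets = discovery.kubernetes.pods.targets 32 | 33 | rule { 34 | source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_part_of"] 35 | action = "keep" 36 | regex = `cilium` 37 | } 38 | 39 | rule { 40 | source_labels = ["__meta_kubernetes_pod_annotation_prometheus_io_scrape"] 41 | action = "keep" 42 | regex = `true` 43 | } 44 | 45 | rule { 46 | source_labels = ["__address__", "__meta_kubernetes_pod_annotation_prometheus_io_port"] 47 | action = "replace" 48 | regex = `([^:]+)(?::\d+)?;(\d+)` 49 | replacement = "${1}:${2}" 50 | target_label = "__address__" 51 | } 52 | 53 | rule { 54 | source_labels = ["__meta_kubernetes_pod_annotation_prometheus_io_path"] 55 | action = "replace" 56 | regex = `(.+)` 57 | target_label = "__metrics_path__" 58 | } 59 | 60 | rule { /* targets discovered with role = "pod" only carry __meta_kubernetes_pod_* labels; the service annotation label used before was never set, so this rule never fired */ 61 | source_labels = ["__meta_kubernetes_pod_annotation_prometheus_io_scheme"] 62 | action = "replace" 63 | regex = `(https?)` 64 | target_label = "__scheme__" 65 | } 66 | 67 | rule { 68 | action = "labelmap" 69 | regex = `__meta_kubernetes_pod_label_(.+)` 70 | } 71 | 72 | rule { 73 | source_labels = ["__meta_kubernetes_namespace"] 74 | action = "replace" 75 | target_label = "namespace" 76 | } 77 | 78 | rule { 79 | source_labels = ["__meta_kubernetes_pod_name"] 80 | action = "replace" 81 | target_label = "pod" 82 | } 83 | 84 | rule { 85 | source_labels = ["__meta_kubernetes_pod_container_port_number"] 86 | action = "keep" 87 | regex = `\d+` 88 | } 89 | 90 | rule { 91 | replacement = sys.env("CLUSTER") 92 | target_label = "cluster" 93 | } 94 | } 95 | 96 | prometheus.scrape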
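"pods" { 97 | job_name = "kubernetes-pods" 98 | honor_labels = true 99 | 100 | targets = discovery.relabel.pods.output 101 | forward_to = [prometheus.relabel.pods.receiver] 102 | 103 | scrape_interval = "30s" 104 | scheme = "http" 105 | } 106 | 107 | prometheus.relabel "pods" { 108 | forward_to = [prometheus.remote_write.azure_managed_prometheus.receiver] 109 | 110 | rule { 111 | source_labels = ["__name__"] 112 | action = "keep" 113 | regex = sys.env("REGEX_METRICS_FILTER") 114 | } 115 | } 116 | 117 | prometheus.remote_write "azure_managed_prometheus" { 118 | endpoint { 119 | url = sys.env("ENDPOINT_URL") 120 | 121 | oauth2 { 122 | client_id = sys.env("CLIENT_ID") 123 | client_secret = sys.env("CLIENT_SECRET") /* NOTE(review): read from the environment, which keeps it out of this ConfigMap; confirm the Alloy workload injects it from a Kubernetes Secret */ 124 | token_url = "https://login.microsoftonline.com/" + sys.env("TENANT_ID") + "/oauth2/v2.0/token" 125 | scopes = ["https://monitor.azure.com/.default"] 126 | } 127 | } 128 | } 129 | -------------------------------------------------------------------------------- /backup/createManagedDiskSnapshot.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Creates a snapshot of a managed disk, records it in an Azure table and removes
snapshots whose retention time has expired.

.DESCRIPTION
Runs as an Azure Automation runbook under the "AzureRunAsConnection" service
principal. Each run creates one Standard_LRS snapshot of the given disk in the
snapshot resource group (created on first use), writes a bookkeeping row
(PartitionKey = creation day, RowKey = snapshot name) to the table and then deletes
every recorded snapshot whose creation day is at least its retention time in the
past, together with its row.

.PARAMETER managedDiskResourceId
Full resource id of the disk to snapshot.

.PARAMETER retentionTime
Retention time in days; must parse as a whole number.

.PARAMETER resourceGroupName
Resource group that holds the snapshots.

.PARAMETER storageAccountResourceId
Full resource id of the storage account that holds the bookkeeping table.

.PARAMETER storageTableName
Name of the bookkeeping table.
#>
#Parameter section
Param
(
    [Parameter(Mandatory = $true, HelpMessage = 'Resource id of the managed disk')]
    [String]
    $managedDiskResourceId,
    [Parameter(Mandatory = $true, HelpMessage = 'Retention time in days for the managed disk snapshots')]
    [String]
    $retentionTime,
    [Parameter(Mandatory = $true, HelpMessage = 'Resource group name for the managed disk snapshots')]
    [String]
    $resourceGroupName,
    [Parameter(Mandatory = $true, HelpMessage = 'Resource id of the storage account name of the Azure table storage')]
    [String]
    $storageAccountResourceId,
    [Parameter(Mandatory = $true, HelpMessage = 'Name of the Azure table storage')]
    [String]
    $storageTableName
)

#Login section
"Logging in..."
$connectionName = "AzureRunAsConnection"
try {
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    $null = Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection) {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    }
    else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

"Getting / setting inputs..."
# retentionTime is declared [String] for the runbook input form; convert once and fail
# early on anything that is not a whole number of days.
$retentionDays = [int]$retentionTime
if ($retentionDays -lt 0) {
    throw "retentionTime must be a non-negative number of days, got '$retentionTime'."
}

# Full resource ids have the shape /subscriptions/<sub>/resourceGroups/<rg>/providers/<ns>/<type>/<name>:
# segment 4 is the resource group and segment 8 the resource name. Reject shorter input
# instead of indexing past the end.
$parameterInput = ($managedDiskResourceId -split "/")
if ($parameterInput.Length -lt 9) {
    throw "managedDiskResourceId is not a full resource id: '$managedDiskResourceId'."
}
$diskName = $parameterInput[8]
$resourceGroup = $parameterInput[4]
$managedDisk = Get-AzureRmDisk -ResourceGroupName $resourceGroup -DiskName $diskName
$date = Get-Date

$storageParameterInput = ($storageAccountResourceId -split "/")
if ($storageParameterInput.Length -lt 9) {
    throw "storageAccountResourceId is not a full resource id: '$storageAccountResourceId'."
}
$storageAccountName = $storageParameterInput[8]
$resourceGroupStorage = $storageParameterInput[4]

# A missing group is reported as an error by Get-AzureRmResourceGroup; silence it so the
# null check below is what decides whether the group has to be created.
$resourceGroupCheck = Get-AzureRmResourceGroup -Name $resourceGroupName -Location $managedDisk.Location -ErrorAction SilentlyContinue
if (!$resourceGroupCheck) {
    "Initial resource group setup..."
    New-AzureRmResourceGroup -Name $resourceGroupName -Location $managedDisk.Location
}

"Creating snapshot..."
$snapshotConfig = New-AzureRmSnapshotConfig `
    -SourceResourceId $managedDiskResourceId -Location $managedDisk.location -SkuName Standard_LRS `
    -CreateOption copy -Tag @{createdOn = "$date"; retentionTime = "$retentionTime"}

# Minute resolution keeps names unique between runs; the parts are not zero padded.
$snapshotName = $diskName + "-" + $date.Year + "-" + $date.Month + "-" + $date.Day + "-" + $date.Hour + "-" + $date.Minute
$snapshot = New-AzureRmSnapshot -ResourceGroupName $resourceGroupName -SnapshotName $snapshotName -Snapshot $snapshotConfig

"Getting storage context..."
$storageContext = (Get-AzureRmStorageAccount -ResourceGroupName $resourceGroupStorage -Name $storageAccountName).Context
$table = Get-AzureStorageTable -Name $storageTableName -Context $storageContext

"Writing table..."
# PartitionKey is the creation day as "yyyy-M-d" (no zero padding); the same format is
# parsed back during cleanup below.
$partitionKeyFormat = 'yyyy-M-d'
$invariantCulture = [System.Globalization.CultureInfo]::InvariantCulture
$dateParitionKey = $date.ToString($partitionKeyFormat, $invariantCulture)
$array = @{"azureRegion" = $managedDisk.Location; "retentionTime" = $retentionTime; "resourceId" = $snapshot.Id}
Add-StorageTableRow -table $table -partitionKey $dateParitionKey -rowKey $snapshotName -property $array -ErrorAction Continue

"Removing old backups..."
# A row is expired once its creation day is at least its retention time in the past.
# Comparing dates instead of matching exactly one day means snapshots from days on which
# the runbook did not run are still cleaned up, and each row's own retentionTime (falling
# back to this run's value) is honoured when several disks share one table.
$today = (Get-Date).Date
$backupTableStorage = Get-AzureStorageTableRowAll $table
foreach ($item in $backupTableStorage) {
    $createdOn = [DateTime]::MinValue
    if (-not [DateTime]::TryParseExact([string]$item.PartitionKey, $partitionKeyFormat, $invariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$createdOn)) {
        Write-Output "Skipping row with unexpected PartitionKey '$($item.PartitionKey)'."
        continue
    }

    $rowRetentionDays = $retentionDays
    $parsedRetention = 0
    if ([int]::TryParse([string]$item.retentionTime, [ref]$parsedRetention)) {
        $rowRetentionDays = $parsedRetention
    }
    if ($createdOn.Date -gt $today.AddDays(-$rowRetentionDays)) {
        continue
    }

    # Only snapshot ids are ever written to this table; refuse to delete anything else.
    if ([string]$item.resourceId -notmatch '/providers/Microsoft\.Compute/snapshots/') {
        Write-Output "Skipping row '$($item.RowKey)': resourceId is not a managed disk snapshot."
        continue
    }

    # Delete the snapshot first and the row afterwards, so a failed delete leaves the row
    # in place for the next run instead of orphaning the snapshot. A snapshot that is
    # already gone only needs its row removed.
    if (Get-AzureRmResource -ResourceId $item.resourceId -ErrorAction SilentlyContinue) {
        Remove-AzureRmResource -ResourceId $item.resourceId -Force
    }
    Remove-AzureStorageTableRow -table $table -partitionKey $item.PartitionKey -rowKey $item.RowKey -Verbose
}
-------------------------------------------------------------------------------- /envoy-ratelimit/config-map.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: ratelimit-config 5 | namespace: ratelimit 6 | data: 7 | config.yaml: |- 8 | domain: ratelimit 9 | descriptors: 10 | - key: PATH 11 | value: "/src-ip" 12 | rate_limit: 13 | unit: second 14 | requests_per_unit: 1 15 | - key: remote_address 16 | rate_limit: 17 | requests_per_unit: 10 18 | unit: second 19 | - key: HOST 20 | value: "aks.danielstechblog.de" 21 | rate_limit: 22 | unit: second 23 | requests_per_unit: 5 24 | --- 25 | apiVersion: v1 26 | kind: ConfigMap 27 | metadata: 28 | name: statsd-exporter-config 29 | namespace: 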
ratelimit 30 | data: 31 | config.yaml: | 32 | defaults: 33 | ttl: 1m # Resets the metrics every minute 34 | mappings: 35 | - match: 36 | "ratelimit.service.rate_limit.*.*.near_limit" 37 | name: "ratelimit_service_rate_limit_near_limit" 38 | timer_type: "histogram" 39 | labels: 40 | domain: "$1" 41 | key1: "$2" 42 | - match: 43 | "ratelimit.service.rate_limit.*.*.over_limit" 44 | name: "ratelimit_service_rate_limit_over_limit" 45 | timer_type: "histogram" 46 | labels: 47 | domain: "$1" 48 | key1: "$2" 49 | - match: 50 | "ratelimit.service.rate_limit.*.*.total_hits" 51 | name: "ratelimit_service_rate_limit_total_hits" 52 | timer_type: "histogram" 53 | labels: 54 | domain: "$1" 55 | key1: "$2" 56 | - match: 57 | "ratelimit.service.rate_limit.*.*.within_limit" 58 | name: "ratelimit_service_rate_limit_within_limit" 59 | timer_type: "histogram" 60 | labels: 61 | domain: "$1" 62 | key1: "$2" 63 | - match: 64 | "ratelimit.service.rate_limit.*.*.*.near_limit" 65 | name: "ratelimit_service_rate_limit_near_limit" 66 | timer_type: "histogram" 67 | labels: 68 | domain: "$1" 69 | key1: "$2" 70 | key2: "$3" 71 | - match: 72 | "ratelimit.service.rate_limit.*.*.*.over_limit" 73 | name: "ratelimit_service_rate_limit_over_limit" 74 | timer_type: "histogram" 75 | labels: 76 | domain: "$1" 77 | key1: "$2" 78 | key2: "$3" 79 | - match: 80 | "ratelimit.service.rate_limit.*.*.*.total_hits" 81 | name: "ratelimit_service_rate_limit_total_hits" 82 | timer_type: "histogram" 83 | labels: 84 | domain: "$1" 85 | key1: "$2" 86 | key2: "$3" 87 | - match: 88 | "ratelimit.service.rate_limit.*.*.*.within_limit" 89 | name: "ratelimit_service_rate_limit_within_limit" 90 | timer_type: "histogram" 91 | labels: 92 | domain: "$1" 93 | key1: "$2" 94 | key2: "$3" 95 | - match: 96 | "ratelimit.service.call.should_rate_limit.*" 97 | name: "ratelimit_service_should_rate_limit_error" 98 | match_metric_type: counter 99 | labels: 100 | err_type: "$1" 101 | - match: 102 | "ratelimit_server.*.total_requests" 103 | 
name: "ratelimit_service_total_requests" 104 | match_metric_type: counter 105 | labels: 106 | grpc_method: "$1" 107 | - match: 108 | "ratelimit_server.*.response_time" 109 | name: "ratelimit_service_response_time_seconds" 110 | timer_type: histogram 111 | labels: 112 | grpc_method: "$1" 113 | - match: 114 | "ratelimit.service.config_load_success" 115 | name: "ratelimit_service_config_load_success" 116 | match_metric_type: counter 117 | ttl: 3m 118 | - match: 119 | "ratelimit.service.config_load_error" 120 | name: "ratelimit_service_config_load_error" 121 | match_metric_type: counter 122 | ttl: 3m # Catch-all below: mappings are evaluated in order, so this final regex rule drops every statsd metric not matched by a mapping above
123 | - match: "." 124 | match_type: "regex" 125 | action: "drop" 126 | name: "dropped" 127 | --------------------------------------------------------------------------------