From 1a9dd11341fb781c7548b3f32b71b900d44d90cb Mon Sep 17 00:00:00 2001
From: Adrien le Maire
Date: Tue, 28 Feb 2023 15:34:53 +0100
Subject: [PATCH] first commit

---
 README.md | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9dabe6d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,78 @@
+Create an ASK cluster using the CLI, not yet available in Terraform due to a bug an Azure rest API : https://github.com/Azure/azure-rest-api-specs/issues/22208
+Issue on TF side : https://github.com/hashicorp/terraform-provider-azurerm/issues/19300
+
+So the creation of the cluster happened like : important settings below are `--network-plugin none` and `--kube-proxy-config kube-proxy-config.json`
+```
+echo "{"enabled": false}" > kube-proxy-config.json
+az aks create -g "alm-aks" -l westeurope -n alm-aks --network-plugin none --os-sku CBLMariner --service-cidr 10.0.0.0/16 --node-count 1 --kubernetes-version 1.25.5 --dns-service-ip 10.0.0.10 --vnet-subnet-id /subscriptions/1afa17a1-cab0-420d-bb09-1aeb8489ea70/resourceGroups/alm-aks/providers/Microsoft.Network/virtualNetworks/aks-nodes/subnets/public --kube-proxy-config kube-proxy-config.json
+```
+Gateway API : a role-oriented API https://gateway-api.sigs.k8s.io
+Then we proceed with the installation of the gateway's CRD (if we don't, disable that feature as well in cillium helm values)
+```
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.6.1/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.6.1/config/crd/standard/gateway.networking.k8s.io_gateways.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.6.1/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.6.1/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml
+```
+Then we can install Cilium with the value file provided here, you just need to change `k8sServiceHost` value.
+`helm upgrade -i -f cilium-vmm.yaml cilium cilium/cilium --version 1.13.0 --namespace kube-system`
+
+For the purpose of the demo and lack of Datadog, we will install jaeger, otel-collector and cert-manager (dependency of both)
+```
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml
+
+kubectl create namespace observability
+kubectl create -f https://github.com/jaegertracing/jaeger-operator/releases/download/v1.42.0/jaeger-operator.yaml -n observability
+kubectl apply -f jaeger.yaml
+
+kubectl apply -f https://github.com/open-telemetry/opentelemetry-operator/releases/latest/download/opentelemetry-operator.yaml
+kubectl apply -f otelcol-hubble
+
+# Enable HTTP visibility for the podinfo app and all of DNS traffic:
+cat << EOF|kubectl apply -f -
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: default-allow
+spec:
+ endpointSelector: {}
+ egress:
+ - toEntities:
+ - cluster
+ - world
+ - toEndpoints:
+ - {}
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: dns-visibility
+spec:
+ endpointSelector: {}
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s:k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: ANY
+ rules:
+ dns:
+ - matchPattern: "*"
+ - toFQDNs:
+ - matchPattern: "*"
+ - toEndpoints:
+ - {}
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: "rule1"
+spec:
+ endpointSelector: {}
+ ingress:
+ - fromEndpoints:
+ - {}