Deploys the ARM template to a resource group. The following parameters are available:

- `resourceGroup`: Mandatory. Resource group where to deploy. If it does not exist, it will be created.
- `location`: Location where the resource group will be created. Only used if the resource group does not exist; ignored otherwise.
- `clientId`: Client ID of the Service Principal to use when creating AKS. Only needed if AKS has to be created.
- `password`: Password of the Service Principal to use when creating AKS. Only needed if AKS has to be created.
- `deployKv`: Whether Key Vault has to be deployed. Defaults to `true`.
- `aksVersion`: Specific AKS version to install. Defaults to the latest available.
- `tryUseConsumptionPlan`: If `true`, a consumption plan for the function app will be deployed if the location allows consumption plans.
- `alternativeFuncSvcPlan`: Service Plan to use if the consumption plan is not deployed. Mandatory if `tryUseConsumptionPlan` is `false`.
Remarks:

- If the resource group does not exist, it will be created.
- If `clientId` or `password` are not provided and AKS has to be created, the script will use `az ad sp create-for-rbac` to create a SP. Note that this requires permissions on the Azure Directory. If AKS already exists it is not created again.
- To deploy the Key Vault the script must be able to obtain the `objectId` of the service principal that is granted access to Key Vault. This requires permissions on the Azure Directory. If the script can't obtain the objectId, a warning is printed and Key Vault won't be deployed.
- The script uses the same service principal for creating the AKS and for giving access to Key Vault. If you need to use different service principals, you need to call the script twice. The first time with `deployKv` set to `$false` and using the `clientId` needed for AKS. Then call the script again, but pass the `clientId` that you want to grant access to Key Vault.
- If the resource group location does not accept consumption plans (for any reason), an alternative app service plan must be provided using `alternativeFuncSvcPlan`. If not, the ARM template won't be installed.
Examples:

Deploy ARM:

```powershell
.\Deploy-Arm-Azure.ps1 -resourceGroup MyRg
```

Deploy ARM using a P1 app service plan for the function app:

```powershell
.\Deploy-Arm-Azure.ps1 -resourceGroup MyRg -alternativeFuncSvcPlan P1 -tryUseConsumptionPlan $false
```

Deploy ARM using the specified Service Principal for AKS:

```powershell
.\Deploy-Arm-Azure.ps1 -resourceGroup MyRg -clientId xxxx-xxx-xxx -password yyyy-yyy-yyy
```
Helm charts require a YAML file with some values. Those values depend on the Azure resources. This script generates that file from a template and a resource group. Script parameters are:

- `resourceGroup`: Resource group where resources are deployed. Mandatory.
- `resourceGroupAcr`: Resource group where ACR is stored. Defaults to the value of `resourceGroup`.
- `subscription`: Azure subscription to use. Defaults to the current one.
- `subscriptionAcr`: Azure subscription where ACR is stored. Defaults to the current one.
- `outputFile`: Full path of the YAML file to write. This file must be passed to the Helm charts. Mandatory.
- `gvaluesTemplate`: Full path of the template file. Defaults to `gvalues.template`, which is the one provided.
- `ingressClass`: Ingress class for all ingress resources generated. Defaults to `addon-http-application-routing`.
- `twitterKey`: Key of the Twitter app. Needed to enable Login with Twitter in the web.
- `twitterSecret`: Secret of the Twitter app. Needed to enable Login with Twitter in the web.
- `aksHost`: AKS public host value. Defaults to the value of the Http Application Routing. It is used to set the host value of ingress resources.
- `sslSupport`: TLS support to install and configure. Can be one of:
  - `none`: No TLS. Ingress resources will be generated without TLS info. Default value.
  - `staging`: Ingresses are configured to use a TLS certificate auto-generated using the Let's Encrypt staging server.
  - `prod`: Ingresses are configured to use a TLS certificate auto-generated using the Let's Encrypt production server.
  - `custom`: Ingresses are configured to use a custom TLS certificate stored in a Kubernetes Secret.
- `tlsSecretName`: Name of the Kubernetes secret that contains the TLS certificate. Only used if `sslSupport` is `custom`. Defaults to `rpsls-tls-custom`.
- `kvClientId`: Id of the Service Principal with read access to Key Vault. Defaults to the SP used to create the AKS.
- `registryLogin`: Docker registry login server if another Docker registry is used instead of ACR. Only used if `useCustomRegistry` is `true`.
- `registryUser`: Docker registry user if another Docker registry is used instead of ACR. Only used if `useCustomRegistry` is `true`.
- `registryPassword`: Docker registry password if another Docker registry is used instead of ACR. Only used if `useCustomRegistry` is `true`.
- `useCustomRegistry`: Configure deployments to use another Docker registry instead of ACR. Defaults to `false`.
- `googleanalytics`: Google Analytics ID. If set, the GA tracking code will be added to the web.

This script uses the AZ CLI to retrieve some data needed to generate a YAML file using the specified template. If you customize the Helm charts, you can create your own template file.
Installs keyvault-flexvol on the cluster. It is a global prerequisite that needs to be installed once. No parameters needed.
Adds TLS support to the cluster. This script does two things:

- Installs cert-manager on the cluster if needed, with the correct CRDs (issuers and certificates)
- Adds a secret to the cluster with the TLS certificate if needed

Script parameters are:

- `resourceGroup`: Resource Group where AKS is. Mandatory.
- `name`: Prefix used for the secrets. Defaults to `rpsls`.
- `sslSupport`: TLS support to configure:
  - `none`: No TLS. Ingress resources will be generated without TLS info. Default value.
  - `staging`: Ingresses are configured to use a TLS certificate auto-generated using the Let's Encrypt staging server.
  - `prod`: Ingresses are configured to use a TLS certificate auto-generated using the Let's Encrypt production server.
  - `custom`: Ingresses are configured to use a custom TLS certificate stored in a Kubernetes Secret.
- `domain`: Domain to bind the TLS to. Used if a certificate CRD for cert-manager needs to be created. Defaults to the value of the Http Application Routing. Not used if `sslSupport` is `custom`.
- `tlsCertFile`: TLS certificate file in `.crt` format. Mandatory if `sslSupport` is `custom`. Ignored otherwise.
- `tlsKeyFile`: TLS certificate public key file in `.key` format. Mandatory if `sslSupport` is `custom`. Ignored otherwise.
- `tlsSecretName`: Name of the k8s secret that will hold the TLS certificate. Used only if `sslSupport` is `custom`. If `sslSupport` is `staging` or `prod`, the name of the k8s secret is fixed and can't be overridden.
- `byPassContextCheck`: If `true`, the script checks that the current `kubectl` context has the same name as the AKS cluster. By default `az aks get-credentials` creates contexts with the same name as the cluster, so this is a valid security check. If the parameter is set to `false`, this check is skipped. Defaults to `true`.
Helper script that builds and pushes all or some of the Docker images, using the compose files. It has the following parameters:

- `resourceGroup`: Resource group where ACR is deployed. Mandatory.
- `acrName`: Name of the ACR. If not provided, defaults to the first ACR found in the resource group.
- `dockerBuild`: Whether the Docker images will be built. The build command is `docker compose build`. Defaults to `true`.
- `dockerPush`: Whether the Docker images will be pushed to ACR. The push command is `docker compose push`. Defaults to `true`.
- `dockerTag`: Tag to use. Defaults to `latest`.
This script creates the Docker registry secret to allow AKS to pull images from ACR.

If the ACR has administrative credentials enabled, those credentials are used to create the secret. Otherwise you have to pass a Service Principal Id and Password; this SP will be granted access permissions to the ACR and the secret will be created using these SP credentials.

- `resourceGroup`: Resource group where AKS is deployed. Mandatory.
- `acrName`: Name of the ACR. Defaults to the first ACR found in the Resource Group.
- `clientId`: ClientId of the service principal to use if ACR has no admin credentials enabled.
- `password`: Password of the SP referred to by `clientId`.
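The two paths described above (ACR admin credentials versus a service principal), written out as an added PowerShell example. This is not the repository's own script; it assumes the `az` CLI and `kubectl` are installed, logged in and pointed at the AKS cluster, and the secret name `acr-auth` is a placeholder chosen for the example.

```powershell
# Added example, not the repository's script: create the image pull secret for AKS
# from either the ACR admin account or a service principal with the AcrPull role.
function New-AcrPullSecret {
    param(
        [Parameter(Mandatory)] [string] $resourceGroup,
        [string] $acrName,
        [string] $clientId,
        [string] $password,
        [string] $secretName = 'acr-auth'   # placeholder name for the pull secret
    )

    # Default to the first ACR in the resource group, as the script does
    if (-not $acrName) {
        $acrName = az acr list -g $resourceGroup --query '[0].name' -o tsv
        if (-not $acrName) { throw "No ACR found in resource group $resourceGroup" }
    }
    $loginServer  = az acr show -n $acrName -g $resourceGroup --query loginServer -o tsv
    $adminEnabled = az acr show -n $acrName -g $resourceGroup --query adminUserEnabled -o tsv

    if ($adminEnabled -eq 'true') {
        # Path 1: the registry admin account. Note it has push as well as pull rights,
        # so the service principal path below is the least-privilege option.
        $user = az acr credential show -n $acrName -g $resourceGroup --query username -o tsv
        $pass = az acr credential show -n $acrName -g $resourceGroup --query 'passwords[0].value' -o tsv
    }
    else {
        # Path 2: a service principal, granted only AcrPull on this one registry
        if (-not $clientId -or -not $password) {
            throw 'ACR has no admin credentials enabled; pass -clientId and -password of a service principal'
        }
        $acrId = az acr show -n $acrName -g $resourceGroup --query id -o tsv
        az role assignment create --assignee $clientId --role AcrPull --scope $acrId | Out-Null
        $user = $clientId
        $pass = $password
    }

    # Create (or replace) the docker-registry secret that the pods' imagePullSecrets reference
    kubectl delete secret $secretName --ignore-not-found | Out-Null
    kubectl create secret docker-registry $secretName `
        --docker-server=$loginServer `
        --docker-username=$user `
        --docker-password=$pass
}
```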
This script deploys Docker images on the AKS by running the Helm charts. Helm charts are located in the `/Deploy/helm` folder.

- `resourceGroup`: Resource group where AKS is.
- `aksName`: Name of the AKS. Mandatory.
- `aksHost`: Host bound to the public IP of the ingress controller. Defaults to the URL set by HTTP Application Routing.
- `acrName`: Name of the ACR where images are pushed. Defaults to the first ACR found in the resource group.
- `name`: Base name for Helm releases. Defaults to `rpsls`.
- `tag`: Tag of the Docker images to install. Defaults to `latest`.
- `charts`: Comma-separated list with the names of the charts to install. Defaults to all.
- `valuesFile`: Configuration file to use. This file is generated by calling `Generate-Config.ps1`. Defaults to `gvalues.yaml`.
- `kvDeploy`: Whether to deploy the Key Vault support. Defaults to `true`.
- `kvPassword`: Password of the service principal that is granted access to Key Vault.
- `deployKvSecret`: Whether the secret for accessing the Key Vault has to be deployed or not. Defaults to `true`.

Remarks

The Key Vault support is implemented through FlexVol. It requires a Kubernetes secret with the id and password of the service principal that can access the Key Vault. This secret can be created by this script (if `deployKvSecret` is `true`) or can be deployed by an administrator (this only needs to be done once). The secret must be named `game-api-kv` and its type is `azure/kv`. The following `kubectl` command can be typed to create it:

```powershell
kubectl create secret generic game-api-kv --from-literal clientid=$clientId --from-literal clientsecret=$password --type=azure/kv
```
This script is used to package the Helm charts. It packages the charts using Helm and uploads them to an ACR.
The predictor is an Azure Function in Python. This script sets up its configuration.

- `resourceGroup`: Resource group. Mandatory.
- `aksHost`: Host bound to the public IP of the ingress controller. Defaults to the URL set by HTTP Application Routing.
- `funcappName`: Name of the function app. Defaults to the first function app in the resource group.
- `tlsEnabled`: Whether the Predictor must access the Game API using HTTPS. Defaults to `true`.

Remarks: If TLS is installed using non-trusted certificates (like the one generated by LE staging), then you cannot use HTTPS (`tlsEnabled` should be `false`).
This script sets a specific DNS name bound to the IP of the ingress controller of the given AKS. It is a helper script that you can use to set custom domains for your AKS, given that a "DNS Zone" is already created in Azure.

- `resourceGroupAks`: Resource Group where AKS is. Mandatory.
- `resourceGroupDns`: Resource Group where the DNS Zone is. Mandatory.
- `dnsPrefix`: DNS prefix (will be prefixed to the domain specified by the DNS Zone).
- `dnsZoneName`: Name of the DNS Zone to use. Defaults to the first one found in `resourceGroupDns`.
- `ip`: IP to bind to the DNS name. Defaults to the IP of the first ingress controller found.
- `byPassContextCheck`: If `true`, the script checks that the current `kubectl` context has the same name as the AKS cluster. By default `az aks get-credentials` creates contexts with the same name as the cluster, so this is a valid security check. If the parameter is set to `false`, this check is skipped. Defaults to `true`.
- `dnsSubscription`: Subscription where the DNS Zone is. Defaults to the current subscription.
- `aksSubscription`: Subscription where AKS is. Defaults to the current subscription.
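The context check that `byPassContextCheck` controls here and in the TLS script above, as an added PowerShell example rather than the repository's own code. It assumes the `az` CLI and `kubectl` are installed and logged in; the function names and the `-skipCheck` switch are chosen for this example.

```powershell
# Added example, not one of the repository's scripts: verify that the current
# kubectl context is the AKS cluster in the resource group before helm/kubectl
# are run, so a stale context cannot deploy into some other cluster.
function Test-KubectlContextMatchesAks {
    param(
        [Parameter(Mandatory)] [string] $resourceGroup,
        [string] $aksName,          # defaults to the first AKS cluster in the resource group
        [string] $aksSubscription   # defaults to the current az subscription
    )
    $subArgs = @()
    if ($aksSubscription) { $subArgs = @('--subscription', $aksSubscription) }

    if (-not $aksName) {
        $aksName = az aks list -g $resourceGroup --query '[0].name' -o tsv @subArgs
        if (-not $aksName) { throw "No AKS cluster found in resource group $resourceGroup" }
    }

    # kubectl exits non-zero and prints nothing when no context is set; treat that as a failure
    $currentContext = kubectl config current-context 2>$null
    if (-not $currentContext) {
        Write-Warning 'No current kubectl context is set'
        return $false
    }

    # az aks get-credentials names the context after the cluster, so a mismatch means
    # kubectl and helm would target a different cluster than the one in $resourceGroup
    if ($currentContext.Trim() -ne $aksName.Trim()) {
        Write-Warning "kubectl context '$currentContext' does not match AKS cluster '$aksName'"
        return $false
    }
    return $true
}

# Gate a deployment on the check; -skipCheck plays the role of turning the check off
function Assert-KubectlContext {
    param(
        [Parameter(Mandatory)] [string] $resourceGroup,
        [string] $aksName,
        [switch] $skipCheck
    )
    if ($skipCheck) { Write-Warning 'kubectl context check skipped'; return }
    if (-not (Test-KubectlContextMatchesAks -resourceGroup $resourceGroup -aksName $aksName)) {
        throw 'Refusing to continue: kubectl context does not point at the expected AKS cluster. Run az aks get-credentials first.'
    }
}
```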