From 43e009280f00f8d2b3795fdeb0bb9176797f44d3 Mon Sep 17 00:00:00 2001 From: Jonas Konrad Date: Sat, 15 Jun 2024 14:58:27 +0200 Subject: [PATCH 01/25] Use tailscale loadbalancer for cloud retro --- operator/internal/controller/stream/game_controller.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/operator/internal/controller/stream/game_controller.go b/operator/internal/controller/stream/game_controller.go index ffa97d5..3b7a79c 100644 --- a/operator/internal/controller/stream/game_controller.go +++ b/operator/internal/controller/stream/game_controller.go @@ -502,7 +502,7 @@ func (r *GameReconciler) constructWorkerDeploymentForGame(game *streamv1.Game, r func (r *GameReconciler) constructLoadBalancer(game *streamv1.Game, name string, selector string, port int32) (*corev1.Service, error) { - //className := "tailscale" + className := "tailscale" svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ @@ -510,8 +510,8 @@ func (r *GameReconciler) constructLoadBalancer(game *streamv1.Game, name string, Namespace: game.Namespace, }, Spec: corev1.ServiceSpec{ - Selector: map[string]string{"app": selector}, - // LoadBalancerClass: &className, + Selector: map[string]string{"app": selector}, + LoadBalancerClass: &className, Ports: []corev1.ServicePort{ { Port: port, From d1ecf27ea454946fb91eb819dc911fd2a7eee81f Mon Sep 17 00:00:00 2001 From: Jonas Konrad Date: Sat, 15 Jun 2024 15:08:15 +0200 Subject: [PATCH 02/25] Update operator version --- .github/workflows/deploy-az.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-az.yml b/.github/workflows/deploy-az.yml index fbfff18..ef8a915 100644 --- a/.github/workflows/deploy-az.yml +++ b/.github/workflows/deploy-az.yml @@ -12,7 +12,7 @@ env: REGISTRY: ghcr.io NAMESPACE: austriandatalab SUB_NAMESPACE: indiegamestream - LABEL: sha-f641ffb9ebff0a3f8c8f9b968bfd50f83a316370 + LABEL: sha-43e009280f00f8d2b3795fdeb0bb9176797f44d3 jobs: deploy: runs-on: ubuntu-latest 
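Review bot: The load-balancer class becomes a fixed string literal inside constructLoadBalancer, so the operator now only works on clusters that run the Tailscale operator, and the value is set unconditionally even though Kubernetes treats `spec.loadBalancerClass` as immutable once set — a Service created before this change with the default class will be rejected on update if the apply path outside this hunk updates existing Services in place rather than recreating them. I would take the class from reconciler configuration, e.g. a `LoadBalancerClass string` field on `GameReconciler` filled from a flag or env var, and only set it when non-empty: `if r.LoadBalancerClass != "" { svc.Spec.LoadBalancerClass = &r.LoadBalancerClass }`. The rest of constructLoadBalancer, including where the Service is created, lies outside the hunk.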
From fd3f107f364b9649b13957e8dbab9f0c326131f0 Mon Sep 17 00:00:00 2001 From: Jonas Konrad Date: Sat, 15 Jun 2024 15:11:20 +0200 Subject: [PATCH 03/25] Ignore error messages on already deployed mysql --- .github/workflows/deploy-az.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-az.yml b/.github/workflows/deploy-az.yml index ef8a915..a576410 100644 --- a/.github/workflows/deploy-az.yml +++ b/.github/workflows/deploy-az.yml @@ -79,10 +79,10 @@ jobs: helm repo add mysql-operator https://mysql.github.io/mysql-operator/ helm repo update helm install mysql-operator mysql-operator/mysql-operator --version "2.1.3" --wait \ - --create-namespace --namespace=mysql-operator + --create-namespace --namespace=mysql-operator || true helm install mysql mysql-operator/mysql-innodbcluster --version "2.1.3" --wait \ --create-namespace --namespace=mysql -f values.yaml \ - --set-string credentials.root.password=${{ secrets.MYSQL_ROOT_PASSWORD }} + --set-string credentials.root.password=${{ secrets.MYSQL_ROOT_PASSWORD }} || true - name: Install stunner working-directory: ./scripts/localenv From d2d166bc78f08e87f346a913e66fcc2508904c85 Mon Sep 17 00:00:00 2001 From: Jonas Konrad Date: Sat, 15 Jun 2024 15:13:34 +0200 Subject: [PATCH 04/25] Make stunner operator deployment idempotent --- .github/workflows/deploy-az.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-az.yml b/.github/workflows/deploy-az.yml index a576410..653c2d8 100644 --- a/.github/workflows/deploy-az.yml +++ b/.github/workflows/deploy-az.yml @@ -86,7 +86,7 @@ jobs: - name: Install stunner working-directory: ./scripts/localenv - run: make install_stunner + run: make install_stunner || true - name: Install game operator manifests working-directory: ./operator From 0b6a39a352f3f14af64ed47e244b7f117b8c9946 Mon Sep 17 00:00:00 2001 
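Review bot: Appending `|| true` to both `helm install` commands hides every failure of the MySQL deployment, not only the "release already exists" case the commit title mentions, so a rejected root password, a chart download error or a timed-out `--wait` all leave the job green and the cluster without a working database. The idempotent form is the one the tailscale step already uses, `helm upgrade --install mysql-operator mysql-operator/mysql-operator --version "2.1.3" --wait --create-namespace --namespace=mysql-operator` (and likewise for the `mysql` release), which keeps a real failure fatal. Note also that `--set-string credentials.root.password=...` puts the secret on a command line; GitHub masks it in logs, but if the chart can reference a pre-created Kubernetes Secret, that keeps it out of shell history and process listings entirely.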
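Review bot: `make install_stunner || true` makes this step unconditionally succeed, so a broken stunner install is only discovered later, when whatever depends on it fails far from the cause. Idempotency belongs in the Makefile target itself (`helm upgrade --install` / `kubectl apply` for the resources it creates) rather than in the workflow; if that target cannot be changed here, at least gate on the specific "already exists" condition instead of masking every exit code.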
From: Jonas Konrad Date: Sat, 15 Jun 2024 15:32:26 +0200 Subject: [PATCH 05/25] Fix loadbalancer IP fetching in operator --- operator/internal/controller/stream/game_controller.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/operator/internal/controller/stream/game_controller.go b/operator/internal/controller/stream/game_controller.go index 3b7a79c..8d357ed 100644 --- a/operator/internal/controller/stream/game_controller.go +++ b/operator/internal/controller/stream/game_controller.go @@ -565,7 +565,10 @@ func waitForLoadBalancerIP(ctx context.Context, k8sClient client.Client, namespa if len(svc.Status.LoadBalancer.Ingress) > 0 { ip = svc.Status.LoadBalancer.Ingress[0].IP if ip != "" { - return true, nil + ip = svc.Status.LoadBalancer.Ingress[1].IP + if ip != "" { + return true, nil + } } } return false, nil From c69feb7967501037476db893e7afe5bd8450c5e7 Mon Sep 17 00:00:00 2001 From: Jonas Konrad Date: Sat, 15 Jun 2024 15:37:11 +0200 Subject: [PATCH 06/25] Update operator version --- .github/workflows/deploy-az.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-az.yml b/.github/workflows/deploy-az.yml index 653c2d8..c9854f8 100644 --- a/.github/workflows/deploy-az.yml +++ b/.github/workflows/deploy-az.yml @@ -12,7 +12,7 @@ env: REGISTRY: ghcr.io NAMESPACE: austriandatalab SUB_NAMESPACE: indiegamestream - LABEL: sha-43e009280f00f8d2b3795fdeb0bb9176797f44d3 + LABEL: sha-0b6a39a352f3f14af64ed47e244b7f117b8c9946 jobs: deploy: runs-on: ubuntu-latest From 350add069a4899d95e950578b37b43e2fd092fd2 Mon Sep 17 00:00:00 2001 From: Jonas Konrad Date: Sat, 15 Jun 2024 15:45:16 +0200 Subject: [PATCH 07/25] Fix panic --- operator/internal/controller/stream/game_controller.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/operator/internal/controller/stream/game_controller.go b/operator/internal/controller/stream/game_controller.go index 8d357ed..316177b 100644 
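Review bot: `svc.Status.LoadBalancer.Ingress[1]` is read after checking only `len(...) > 0`, so a Service with a single ingress entry makes the poll function panic inside the reconciler instead of returning `false, nil`. The structure also discards a non-empty `Ingress[0].IP`: it is used only as a gate and `ip` is immediately overwritten by the second entry. Whichever entry is meant to be preferred, guard the index with `if len(svc.Status.LoadBalancer.Ingress) > 1` and keep the value that actually passed the non-empty check. waitForLoadBalancerIP starts and ends outside this hunk.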
--- a/operator/internal/controller/stream/game_controller.go +++ b/operator/internal/controller/stream/game_controller.go @@ -565,6 +565,9 @@ func waitForLoadBalancerIP(ctx context.Context, k8sClient client.Client, namespa if len(svc.Status.LoadBalancer.Ingress) > 0 { ip = svc.Status.LoadBalancer.Ingress[0].IP if ip != "" { + return true, nil + } + if len(svc.Status.LoadBalancer.Ingress) > 1 { ip = svc.Status.LoadBalancer.Ingress[1].IP if ip != "" { return true, nil From a8310db95011346ffe9b7194daf5b87de2dc21dd Mon Sep 17 00:00:00 2001 From: Jonas Konrad Date: Sat, 15 Jun 2024 15:50:17 +0200 Subject: [PATCH 08/25] Update operator version --- .github/workflows/deploy-az.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-az.yml b/.github/workflows/deploy-az.yml index c9854f8..c417d84 100644 --- a/.github/workflows/deploy-az.yml +++ b/.github/workflows/deploy-az.yml @@ -12,7 +12,7 @@ env: REGISTRY: ghcr.io NAMESPACE: austriandatalab SUB_NAMESPACE: indiegamestream - LABEL: sha-0b6a39a352f3f14af64ed47e244b7f117b8c9946 + LABEL: sha-350add069a4899d95e950578b37b43e2fd092fd2 jobs: deploy: runs-on: ubuntu-latest From 9bce7cf4208c65f5006e5121f9194d27770745d5 Mon Sep 17 00:00:00 2001 From: Jonas Konrad Date: Sat, 15 Jun 2024 16:14:13 +0200 Subject: [PATCH 09/25] Increase max pod limit in terraform --- iac/kubernetes.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/iac/kubernetes.tf b/iac/kubernetes.tf index 8cdb75b..ada74b8 100644 --- a/iac/kubernetes.tf +++ b/iac/kubernetes.tf @@ -13,6 +13,7 @@ resource "azurerm_kubernetes_cluster" "testCluster" { max_surge = "10%" node_soak_duration_in_minutes = 0 } + max_pods = 110 } network_profile { From 885874b8937f5fd7e895422d6b1f54902a1ec7c0 Mon Sep 17 00:00:00 2001 From: Jonas Konrad Date: Sat, 15 Jun 2024 16:16:54 +0200 Subject: [PATCH 10/25] Add needed paramater in terraform --- iac/kubernetes.tf | 1 + 1 file changed, 1 insertion(+) 
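Review bot: The fix still only covers the first two ingress entries, and on the fall-through path `ip` is left holding the (possibly empty) value of `Ingress[1]` because it is assigned before the non-empty check — `ip` is assigned with `=`, so it is presumably a captured variable of the enclosing poll closure and that stale value is what the caller sees. Since the number and order of ingress entries is up to the load-balancer implementation, a loop over all entries that assigns `ip` only once a non-empty address is found is shorter and safe for any length. If the Tailscale provider publishes a MagicDNS name in `.Hostname` rather than `.IP` for some entries, that is worth confirming, as this code would wait forever on such a Service. waitForLoadBalancerIP's signature and final return lie outside the hunk.
```go
for _, ing := range svc.Status.LoadBalancer.Ingress {
	if ing.IP != "" {
		ip = ing.IP
		return true, nil
	}
}
return false, nil
```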
diff --git a/iac/kubernetes.tf b/iac/kubernetes.tf index ada74b8..71303bd 100644 --- a/iac/kubernetes.tf +++ b/iac/kubernetes.tf @@ -14,6 +14,7 @@ resource "azurerm_kubernetes_cluster" "testCluster" { node_soak_duration_in_minutes = 0 } max_pods = 110 + temporary_name_for_rotation = "upgrade" } network_profile { From 29f34096b4aa5051d78feafbd831d88f266a7bc9 Mon Sep 17 00:00:00 2001 From: Jonas Konrad Date: Sat, 15 Jun 2024 16:47:41 +0200 Subject: [PATCH 11/25] Add additional node --- iac/kubernetes.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/iac/kubernetes.tf b/iac/kubernetes.tf index 71303bd..dbc92f1 100644 --- a/iac/kubernetes.tf +++ b/iac/kubernetes.tf @@ -6,7 +6,7 @@ resource "azurerm_kubernetes_cluster" "testCluster" { default_node_pool { name = "default" - node_count = 1 + node_count = 2 vm_size = "Standard_B2ms" upgrade_settings { drain_timeout_in_minutes = 0 @@ -14,7 +14,7 @@ resource "azurerm_kubernetes_cluster" "testCluster" { node_soak_duration_in_minutes = 0 } max_pods = 110 - temporary_name_for_rotation = "upgrade" + temporary_name_for_rotation = "upgrade2" } network_profile { From ba5f85a0ad4e1b9941e02ac76fc27e89f3745139 Mon Sep 17 00:00:00 2001 From: Jonas Konrad Date: Sat, 15 Jun 2024 17:08:14 +0200 Subject: [PATCH 12/25] Remove unneeded terraform file --- iac/.gitignore | 1 + iac/nsg.tf | 23 ----------------------- 2 files changed, 1 insertion(+), 23 deletions(-) create mode 100644 iac/.gitignore delete mode 100644 iac/nsg.tf diff --git a/iac/.gitignore b/iac/.gitignore new file mode 100644 index 0000000..66df410 --- /dev/null +++ b/iac/.gitignore @@ -0,0 +1 @@ +.terraform* \ No newline at end of file diff --git a/iac/nsg.tf b/iac/nsg.tf deleted file mode 100644 index 41de0e6..0000000 --- a/iac/nsg.tf +++ /dev/null 
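Review bot: The pattern `.terraform*` ignores not only the `.terraform/` provider cache but also `.terraform.lock.hcl`, the dependency lock file that pins provider versions and their hashes; without it committed, every `terraform init` in the workflow resolves the `azurerm` provider afresh and accepts whatever the registry serves, which removes the supply-chain protection the lock file exists for. Narrow the pattern to the directory, `.terraform/`, and commit `.terraform.lock.hcl` next to the `.tf` files. If excluding the lock file was deliberate, say why in a comment in the `.gitignore`.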
@@ -1,23 +0,0 @@ - -resource azurerm_network_security_group "student" { - name = "student-network-security-group" - location = var.globals.location - resource_group_name = data.azurerm_resource_group.rgruntime.name - - #tags = local.common_tags -} - -resource "azurerm_network_security_rule" "lab_nsg" { - name = "Tailscale" - description = "Tailscale UDP port for direct connections. Reduces latency." - priority = 1010 - direction = "Inbound" - access = "Allow" - protocol = "Udp" - source_port_range = "*" - destination_port_range = 41641 - source_address_prefix = "*" - destination_address_prefix = "*" - resource_group_name = data.azurerm_resource_group.rgruntime.name - network_security_group_name = azurerm_network_security_group.student.name -} \ No newline at end of file From 7a2795de1ca8486d471e2670955a2864bc71f3c4 Mon Sep 17 00:00:00 2001 From: Jonas Konrad Date: Sat, 15 Jun 2024 17:11:07 +0200 Subject: [PATCH 13/25] Change upgrade parameters --- iac/kubernetes.tf | 6 +++--- scripts/opa/loadbalancerclass_mutator.yaml | 21 +++++++++++++++++++++ 2 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 scripts/opa/loadbalancerclass_mutator.yaml diff --git a/iac/kubernetes.tf b/iac/kubernetes.tf index dbc92f1..793ea77 100644 --- a/iac/kubernetes.tf +++ b/iac/kubernetes.tf @@ -9,12 +9,12 @@ resource "azurerm_kubernetes_cluster" "testCluster" { node_count = 2 vm_size = "Standard_B2ms" upgrade_settings { - drain_timeout_in_minutes = 0 - max_surge = "10%" + drain_timeout_in_minutes = 5 + max_surge = "50%" node_soak_duration_in_minutes = 0 } max_pods = 110 - temporary_name_for_rotation = "upgrade2" + temporary_name_for_rotation = "upgrade" } network_profile { diff --git a/scripts/opa/loadbalancerclass_mutator.yaml b/scripts/opa/loadbalancerclass_mutator.yaml new file mode 100644 index 0000000..3d9c0ad --- /dev/null +++ b/scripts/opa/loadbalancerclass_mutator.yaml 
@@ -0,0 +1,21 @@ +apiVersion: mutations.gatekeeper.sh/v1 +kind: Assign +metadata: + name: demo-dns-policy +spec: + applyTo: + - groups: [""] + kinds: ["Service"] + versions: ["v1"] + match: + scope: Cluster + kinds: + - apiGroups: ["*"] + kinds: ["Service"] + location: "spec[type:LoadBalancer].loadBalancerClass" + parameters: + assign: + value: "tailscale" + pathTests: + - subPath: "spec.loadBalancerClass" + condition: MustNotExist \ No newline at end of file From 0c4755c811436f69e93a960e43847829f2f95a49 Mon Sep 17 00:00:00 2001 From: Jonas Konrad Date: Sat, 15 Jun 2024 17:12:29 +0200 Subject: [PATCH 14/25] Fix purge pipeline --- .github/workflows/deploy-az.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy-az.yml b/.github/workflows/deploy-az.yml index c417d84..9b92068 100644 --- a/.github/workflows/deploy-az.yml +++ b/.github/workflows/deploy-az.yml @@ -185,9 +185,9 @@ jobs: export TF_CLI_ARGS_init=" -backend-config=\"resource_group_name=${{ secrets.AZURERM_RESOURCE_GROUP_NAME }}\" -backend-config=\"key=${{ secrets.KEY }}.tfstate\" -backend-config=\"storage_account_name=${{ secrets.AZURERM_STORAGE_ACCOUNT_NAME }}\" -backend-config=\"container_name=tfbootstrapadmin\" -backend-config=\"subscription_id=${{ secrets.AZURERM_SUBSCRIPTION_ID }}\" -backend-config=\"tenant_id=${{ secrets.AZURERM_TENANT_ID }}\" " terraform init terraform plan -out=tfplan.bin -input=false - terraform destroy -auto-approve - terraform destroy -auto-approve - terraform destroy -auto-approve + terraform destroy -auto-approve || true + terraform destroy -auto-approve || true + terraform destroy -auto-approve || true - name: Logout of Azure run: az logout \ No newline at end of file From 65676638dfb82390c706c18231ace13c6caa5a59 Mon Sep 17 00:00:00 2001 
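Review bot: `match.scope: Cluster` restricts this Assign to cluster-scoped objects while Service is namespaced, so as written the mutation never fires; `location: "spec[type:LoadBalancer].loadBalancerClass"` also applies Gatekeeper's list-filter syntax to `spec`, which is a map, so the path does not resolve either. Use `scope: Namespaced`, point `location` at `spec.loadBalancerClass`, and since Assign cannot match on field values, limit it to LoadBalancer Services through a label or namespace selector (or enforce the rule with a separate Constraint). The leftover `name: demo-dns-policy` should become something recognisable in `kubectl get assign`, e.g. `stunner-loadbalancerclass`.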
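Review bot: With `|| true` on all three `terraform destroy` invocations the purge job reports success even when every attempt fails, so the cluster, its public load-balancer IPs and the node VMs can keep running unnoticed while the pipeline shows green. Retrying is reasonable for the dependency-ordering failures `destroy` sometimes hits, but the last attempt must stay fatal: `terraform destroy -auto-approve || terraform destroy -auto-approve || terraform destroy -auto-approve`. The `terraform plan -out=tfplan.bin` above is not consumed by the destroy and can be dropped from this step.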
From: Jonas Konrad Date: Sat, 15 Jun 2024 18:43:17 +0200 Subject: [PATCH 15/25] Add LoadBalancer Mutator to keep stunner ips in tailscale --- .github/workflows/deploy-az.yml | 11 +++++++++-- scripts/opa/loadbalancerclass_mutator.yaml | 12 ++++++------ 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/.github/workflows/deploy-az.yml b/.github/workflows/deploy-az.yml index 9b92068..fcd737a 100644 --- a/.github/workflows/deploy-az.yml +++ b/.github/workflows/deploy-az.yml @@ -59,8 +59,7 @@ jobs: - name: Apply tailscale operator working-directory: ./iac run: | - az aks command invoke -n ${{ secrets.AZURERM_AKS_CLUSTER_NAME }} -g rg-service-not2day --command "helm uninstall tailscale-operator --namespace=tailscale || true" - az aks command invoke -n ${{ secrets.AZURERM_AKS_CLUSTER_NAME }} -g rg-service-not2day --command "helm repo add tailscale https://pkgs.tailscale.com/helmcharts && helm repo update && helm upgrade --install tailscale-operator tailscale/tailscale-operator --namespace=tailscale --create-namespace --set-string oauth.clientId=${{secrets.TAILSCALE_CLIENT_ID}} --set-string oauth.clientSecret=${{secrets.TAILSCALE_CLIENT_SECRET}} --set-string apiServerProxyConfig.mode=true --wait" + az aks command invoke -n ${{ secrets.AZURERM_AKS_CLUSTER_NAME }} -g rg-service-not2day --command "helm repo add tailscale https://pkgs.tailscale.com/helmcharts && helm repo update && helm upgrade --install tailscale-operator tailscale/tailscale-operator --namespace=tailscale --create-namespace --set-string oauth.clientId=${{secrets.TAILSCALE_CLIENT_ID}} --set-string oauth.clientSecret=${{secrets.TAILSCALE_CLIENT_SECRET}} --set-string apiServerProxyConfig.mode=true --wait || true" - name: Connect to tailscale uses: tailscale/github-action@v2 with: 
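Review bot: The `|| true` appended inside the `az aks command invoke` command string swallows a failed `helm upgrade --install` of the Tailscale operator, so the next step (Connect to tailscale) fails against a cluster whose operator never came up, with an error far from the cause; `helm upgrade --install` is already idempotent, so the suffix buys nothing and should go. Separately, the OAuth client secret is interpolated into a command line that is shipped to the cluster through the command-invoke API, and as far as I know that command text is recorded in the invoke pod on the cluster; if the chart supports it, as its docs suggest, create the operator's OAuth Secret out of band (`kubectl create secret generic operator-oauth --from-literal=client_id=... --from-literal=client_secret=...`) and drop the `--set-string oauth.*` flags. Note too that `apiServerProxyConfig.mode=true` publishes the Kubernetes API on the tailnet, so the tailnet ACL must grant that capability only to the deploy identity.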
@@ -84,6 +83,14 @@ jobs: --create-namespace --namespace=mysql -f values.yaml \ --set-string credentials.root.password=${{ secrets.MYSQL_ROOT_PASSWORD }} || true + - name: Install Open Policy Gatekeeper + working-directory: ./scripts/opa + run: | + helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts + helm repo update + helm install gatekeeper gatekeeper/gatekeeper --namespace gatekeeper-system --create-namespace --wait || true + kubectl apply -f loadbalancerclass_mutator.yaml + - name: Install stunner working-directory: ./scripts/localenv run: make install_stunner || true diff --git a/scripts/opa/loadbalancerclass_mutator.yaml b/scripts/opa/loadbalancerclass_mutator.yaml index 3d9c0ad..04e5ec0 100644 --- a/scripts/opa/loadbalancerclass_mutator.yaml +++ b/scripts/opa/loadbalancerclass_mutator.yaml @@ -8,14 +8,14 @@ spec: kinds: ["Service"] versions: ["v1"] match: - scope: Cluster + scope: Namespaced | Cluster kinds: - apiGroups: ["*"] kinds: ["Service"] - location: "spec[type:LoadBalancer].loadBalancerClass" + labelSelector: + matchExpressions: + - {key: "stunner.l7mp.io/owned-by", operator: "In", values: ["stunner"]} + location: "spec.loadBalancerClass" parameters: assign: - value: "tailscale" - pathTests: - - subPath: "spec.loadBalancerClass" - condition: MustNotExist \ No newline at end of file + value: "tailscale" \ No newline at end of file From bf8a6709add6d85ce93d72e41fcd947660bbe863 Mon Sep 17 00:00:00 2001 From: Jonas Konrad Date: Sat, 15 Jun 2024 19:49:45 +0200 Subject: [PATCH 16/25] Add blob storage driver to terraform --- iac/kubernetes.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/iac/kubernetes.tf b/iac/kubernetes.tf index 793ea77..2e2dc41 100644 --- a/iac/kubernetes.tf +++ b/iac/kubernetes.tf @@ -23,6 +23,10 @@ resource "azurerm_kubernetes_cluster" "testCluster" { outbound_type = "loadBalancer" } + storage_profile { + blob_driver_enabled = true + } + identity { type = "SystemAssigned" } 
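Review bot: `helm install gatekeeper gatekeeper/gatekeeper` is unpinned while every other chart in this workflow carries `--version`, so each run pulls whatever the Gatekeeper repo currently serves, and the trailing `|| true` then hides a failed or half-finished install right before `kubectl apply -f loadbalancerclass_mutator.yaml` depends on its CRDs and mutating webhook. Pin it and keep the failure fatal: `helm upgrade --install gatekeeper gatekeeper/gatekeeper --version <pinned> --namespace gatekeeper-system --create-namespace --wait`. Because the webhook only mutates objects created after it is ready, keeping `--wait` here is what makes the stunner Services created in the next step eligible for the Assign.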
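Review bot: `scope: Namespaced | Cluster` is the placeholder notation from the Gatekeeper reference, not a valid enum value (`*`, `Cluster` or `Namespaced`), so the Assign is likely rejected by CRD validation or matches nothing; use `scope: Namespaced` since Service is namespaced. With `pathTests` dropped, the mutation now overwrites an explicitly set `loadBalancerClass` on any Service carrying the `stunner.l7mp.io/owned-by: stunner` label, so keeping `- subPath: "spec.loadBalancerClass"` / `condition: MustNotExist` avoids clobbering a value some controller set on purpose. More importantly, this is an opt-in convenience rather than a control: a Service without that label still receives an internet-facing Azure load balancer, so if the intent is that nothing in this cluster is publicly exposed, a Gatekeeper Constraint that denies `type: LoadBalancer` Services whose `loadBalancerClass` is not `tailscale` is the enforcing piece.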
From 412a458907a18c354b0ac95255f74ae1d2783409 Mon Sep 17 00:00:00 2001 From: Jonas Konrad Date: Sat, 15 Jun 2024 20:25:24 +0200 Subject: [PATCH 17/25] Remove namespace of tailscale operator --- .github/workflows/deploy-az.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-az.yml b/.github/workflows/deploy-az.yml index fcd737a..146a975 100644 --- a/.github/workflows/deploy-az.yml +++ b/.github/workflows/deploy-az.yml @@ -59,7 +59,7 @@ jobs: - name: Apply tailscale operator working-directory: ./iac run: | - az aks command invoke -n ${{ secrets.AZURERM_AKS_CLUSTER_NAME }} -g rg-service-not2day --command "helm repo add tailscale https://pkgs.tailscale.com/helmcharts && helm repo update && helm upgrade --install tailscale-operator tailscale/tailscale-operator --namespace=tailscale --create-namespace --set-string oauth.clientId=${{secrets.TAILSCALE_CLIENT_ID}} --set-string oauth.clientSecret=${{secrets.TAILSCALE_CLIENT_SECRET}} --set-string apiServerProxyConfig.mode=true --wait || true" + az aks command invoke -n ${{ secrets.AZURERM_AKS_CLUSTER_NAME }} -g rg-service-not2day --command "helm repo add tailscale https://pkgs.tailscale.com/helmcharts && helm repo update && helm upgrade --install tailscale-operator tailscale/tailscale-operator --set-string oauth.clientId=${{secrets.TAILSCALE_CLIENT_ID}} --set-string oauth.clientSecret=${{secrets.TAILSCALE_CLIENT_SECRET}} --set-string apiServerProxyConfig.mode=true --wait || true" - name: Connect to tailscale uses: tailscale/github-action@v2 with: From 68c42fa7deaef82d1f25b0ee35b12781680cead9 Mon Sep 17 00:00:00 2001 From: Thomas Riegler Date: Sat, 15 Jun 2024 22:30:46 +0200 Subject: [PATCH 18/25] UserAssigned identities for cluster --- iac/kubernetes.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/iac/kubernetes.tf b/iac/kubernetes.tf index 2e2dc41..baabc3f 100644 --- a/iac/kubernetes.tf +++ b/iac/kubernetes.tf 
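Review bot: Dropping `--namespace=tailscale --create-namespace` installs the Tailscale operator into the kubeconfig's current namespace (presumably `default` under `az aks command invoke`), where its OAuth credential Secret and its cluster-wide-privileged service account sit next to application workloads and are readable by anything granted secret access in `default`. The commit message does not say why the dedicated namespace was removed; if it was to work around an install error, the error belongs in the message and the fix is better made there, otherwise restore `--namespace=tailscale --create-namespace`. A dedicated namespace also keeps RBAC scoping and cleanup of the operator straightforward.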
@@ -28,7 +28,8 @@ resource "azurerm_kubernetes_cluster" "testCluster" { } identity { - type = "SystemAssigned" + type = "UserAssigned" + identity_ids = [var.myuser, "7ab666bb-6355-4240-aa93-16bfbb9fd5f7"] } private_cluster_enabled = true From 8646ae37db2b18b19aa8adc50c4674b85651cb89 Mon Sep 17 00:00:00 2001 From: Thomas Riegler Date: Sat, 15 Jun 2024 23:11:42 +0200 Subject: [PATCH 19/25] Added Admins --- iac/kubernetes.tf | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/iac/kubernetes.tf b/iac/kubernetes.tf index baabc3f..90a45fa 100644 --- a/iac/kubernetes.tf +++ b/iac/kubernetes.tf @@ -28,8 +28,13 @@ resource "azurerm_kubernetes_cluster" "testCluster" { } identity { - type = "UserAssigned" - identity_ids = [var.myuser, "7ab666bb-6355-4240-aa93-16bfbb9fd5f7"] + type = "SystemAssigned" + } + + azure_active_directory_role_based_access_control { + managed = true + azure_rbac_enabled = false + admin_group_object_ids = [var.myuser, "7ab666bb-6355-4240-aa93-16bfbb9fd5f7"] } private_cluster_enabled = true From 3e8e44073cbb7afec421936441a3cbae4e3212db Mon Sep 17 00:00:00 2001 From: Thomas Riegler Date: Sat, 15 Jun 2024 23:19:30 +0200 Subject: [PATCH 20/25] Enable Azure RBAC --- iac/kubernetes.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iac/kubernetes.tf b/iac/kubernetes.tf index 90a45fa..2714f8b 100644 --- a/iac/kubernetes.tf +++ b/iac/kubernetes.tf @@ -33,7 +33,7 @@ resource "azurerm_kubernetes_cluster" "testCluster" { azure_active_directory_role_based_access_control { managed = true - azure_rbac_enabled = false + azure_rbac_enabled = true admin_group_object_ids = [var.myuser, "7ab666bb-6355-4240-aa93-16bfbb9fd5f7"] } From 19b21845506e43a57e1536b139a1d9d8dc70db31 Mon Sep 17 00:00:00 2001 From: Thomas Riegler Date: Sat, 15 Jun 2024 23:29:15 +0200 Subject: [PATCH 21/25] Enable role based access control --- iac/kubernetes.tf | 2 ++ 1 file changed, 2 insertions(+) 
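Review bot: `identity.identity_ids` expects the ARM resource IDs of user-assigned managed identities (`/subscriptions/.../userAssignedIdentities/<name>`), but the values given are a bare GUID and `var.myuser`, which the surrounding commits use as an Entra principal object ID; AKS will reject this, and even if it did not, attaching a human user to the cluster's control-plane identity is the wrong mechanism for admin access. If the goal is cluster admin for those principals, that is `azure_active_directory_role_based_access_control.admin_group_object_ids`; if the goal is a user-assigned control-plane identity, declare an `azurerm_user_assigned_identity` and reference its `.id`. The literal `7ab666bb-…` GUID should also move to a variable rather than living in the resource block.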
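Review bot: `admin_group_object_ids` is documented for Entra group object IDs, while the variable name `myuser` suggests a user's object ID; a user listed directly here will not receive cluster-admin, so confirm both values are groups and put the literal `7ab666bb-…` GUID behind a variable whose `description` says whose group it is. Members of these groups are bound to cluster-admin by AKS regardless of `azure_rbac_enabled`, which makes this list the most privileged knob in the file and worth a `# who and why` comment.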
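Review bot: Enabling Azure RBAC does not retire the certificate-based local admin credential: `az aks get-credentials --admin` still hands out a cluster-admin kubeconfig that bypasses Entra sign-in entirely unless `local_account_disabled = true` is set on the cluster. Add that line next to `private_cluster_enabled`, and note that with Azure RBAC on, principals outside `admin_group_object_ids` also need an `Azure Kubernetes Service RBAC *` data-plane role at cluster scope before `kubectl` works for them.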
diff --git a/iac/kubernetes.tf b/iac/kubernetes.tf index 2714f8b..5a45781 100644 --- a/iac/kubernetes.tf +++ b/iac/kubernetes.tf @@ -37,6 +37,8 @@ resource "azurerm_kubernetes_cluster" "testCluster" { admin_group_object_ids = [var.myuser, "7ab666bb-6355-4240-aa93-16bfbb9fd5f7"] } + role_based_access_control_enabled = true + private_cluster_enabled = true } From 2fcd3cf04bb997fde46db7f08f2ed2b7936291f1 Mon Sep 17 00:00:00 2001 From: Thomas Riegler Date: Sat, 15 Jun 2024 23:56:31 +0200 Subject: [PATCH 22/25] Added admin role assignment --- iac/kubernetes.tf | 11 ++++++++--- iac/variables.tf | 6 ++++++ 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/iac/kubernetes.tf b/iac/kubernetes.tf index 5a45781..cddb553 100644 --- a/iac/kubernetes.tf +++ b/iac/kubernetes.tf @@ -34,14 +34,19 @@ resource "azurerm_kubernetes_cluster" "testCluster" { azure_active_directory_role_based_access_control { managed = true azure_rbac_enabled = true - admin_group_object_ids = [var.myuser, "7ab666bb-6355-4240-aa93-16bfbb9fd5f7"] + admin_group_object_ids = var.aks_admin_group_object_ids } - role_based_access_control_enabled = true - private_cluster_enabled = true } +resource "azurerm_role_assignment" "admin" { + for_each = toset(var.aks_admin_group_object_ids) + scope = azurerm_kubernetes_cluster.testCluster.id + role_definition_name = "Azure Kubernetes Service Cluster User Role" + principal_id = each.value +} + /* output "client_certificate" { value = azurerm_kubernetes_cluster.testCluster.kube_config.0.client_certificate diff --git a/iac/variables.tf b/iac/variables.tf index 5fb85ae..cf91f16 100644 --- a/iac/variables.tf +++ b/iac/variables.tf @@ -13,4 +13,10 @@ variable "myuser"{ variable "cluster_name" { type = string default = "indiegamestream-cluster" +} + +variable "aks_admin_group_object_ids" { + description = "aks admin group ids" + type = list(string) + default = [var.myuser, "7ab666bb-6355-4240-aa93-16bfbb9fd5f7"] } \ No newline at end of file 
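Review bot: The new role assignment grants `Azure Kubernetes Service Cluster User Role`, which only permits fetching the user kubeconfig (`listClusterUserCredential`); it grants no Kubernetes-level permission, and for members of `admin_group_object_ids` it adds nothing to the cluster-admin binding AKS already creates for them. If the purpose is to let these groups run `az aks get-credentials`, say so in a comment on the resource; if it is to give them Kubernetes access under Azure RBAC, one of the `Azure Kubernetes Service RBAC *` roles is what is needed. Since `principal_id` is a group object ID, set `principal_type = "Group"` as well, which the azurerm docs recommend to avoid lookup failures for freshly created principals; the removal of `role_based_access_control_enabled = true` is harmless as that is the provider default.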
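Review bot: A variable `default` must be a literal value — Terraform does not allow `var.myuser` (or any expression that references another variable) inside `default`, so `terraform validate` fails on this block. Either leave the variable without a default and supply the list through `*.tfvars` or `TF_VAR_aks_admin_group_object_ids` in the deploy job, or build the combined list in a `locals` block. A `validation` block that checks each entry with `can(regex("^[0-9a-fA-F-]{36}$", id))` would catch malformed IDs early.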
From 9383db131bd8518520fd4533eb0c5e734e86a356 Mon Sep 17 00:00:00 2001 From: Thomas Riegler Date: Sat, 15 Jun 2024 23:57:57 +0200 Subject: [PATCH 23/25] Removed variable --- iac/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iac/variables.tf b/iac/variables.tf index cf91f16..929c232 100644 --- a/iac/variables.tf +++ b/iac/variables.tf @@ -18,5 +18,5 @@ variable "cluster_name" { variable "aks_admin_group_object_ids" { description = "aks admin group ids" type = list(string) - default = [var.myuser, "7ab666bb-6355-4240-aa93-16bfbb9fd5f7"] + default = ["56ea78b9-6d9f-495b-85ac-7caa86ccc191", "7ab666bb-6355-4240-aa93-16bfbb9fd5f7"] } \ No newline at end of file From 2268c364035d7eda6f5391fa2cd2cedc7514af27 Mon Sep 17 00:00:00 2001 From: Thomas Riegler Date: Sun, 16 Jun 2024 00:06:32 +0200 Subject: [PATCH 24/25] Removed role assignment --- iac/kubernetes.tf | 7 ------- 1 file changed, 7 deletions(-) diff --git a/iac/kubernetes.tf b/iac/kubernetes.tf index cddb553..948a6dc 100644 --- a/iac/kubernetes.tf +++ b/iac/kubernetes.tf @@ -40,13 +40,6 @@ resource "azurerm_kubernetes_cluster" "testCluster" { private_cluster_enabled = true } -resource "azurerm_role_assignment" "admin" { - for_each = toset(var.aks_admin_group_object_ids) - scope = azurerm_kubernetes_cluster.testCluster.id - role_definition_name = "Azure Kubernetes Service Cluster User Role" - principal_id = each.value -} - /* output "client_certificate" { value = azurerm_kubernetes_cluster.testCluster.kube_config.0.client_certificate From 8cf3a769ac5304d62c4df69f19ef959330dc5efc Mon Sep 17 00:00:00 2001 From: Thomas Riegler Date: Sun, 16 Jun 2024 14:10:20 +0200 Subject: [PATCH 25/25] Reversed IAC changes of yesterday --- iac/kubernetes.tf | 6 ------ iac/variables.tf | 6 ------ 2 files changed, 12 deletions(-) diff --git a/iac/kubernetes.tf b/iac/kubernetes.tf index 948a6dc..2e2dc41 100644 --- a/iac/kubernetes.tf +++ b/iac/kubernetes.tf 
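Review bot: Baking two concrete principal object IDs into the variable's `default` ties the module to one tenant and makes the cluster-admin list part of the code rather than of the environment; anyone applying this in another subscription silently inherits those admins. Prefer no default (a required input supplied via tfvars or `TF_VAR_…` in the deploy job) with a `description` stating that entries must be Entra group object IDs. The commit title "Removed variable" also does not describe the change, which replaces a variable reference with literals.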
@@ -31,12 +31,6 @@ resource "azurerm_kubernetes_cluster" "testCluster" { type = "SystemAssigned" } - azure_active_directory_role_based_access_control { - managed = true - azure_rbac_enabled = true - admin_group_object_ids = var.aks_admin_group_object_ids - } - private_cluster_enabled = true } diff --git a/iac/variables.tf b/iac/variables.tf index 929c232..5fb85ae 100644 --- a/iac/variables.tf +++ b/iac/variables.tf @@ -13,10 +13,4 @@ variable "myuser"{ variable "cluster_name" { type = string default = "indiegamestream-cluster" -} - -variable "aks_admin_group_object_ids" { - description = "aks admin group ids" - type = list(string) - default = ["56ea78b9-6d9f-495b-85ac-7caa86ccc191", "7ab666bb-6355-4240-aa93-16bfbb9fd5f7"] } \ No newline at end of file