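#!/usr/bin/env bash
# Builds a hub-and-spoke Azure lab: a private AKS cluster (spoke 1), a Private-Link ACR
# (spoke 2) and a hub VNet holding a jumpbox and a point-to-site VPN gateway.
# Requires a logged-in `az` CLI and, for the certificate section, sudo + apt.
# The original first line was `##!...` — a comment, not a shebang — so the file only ran
# as bash when invoked explicitly.
# -e: stop at the first failing command; -u: an unset variable is an error (catches
# typos in resource names instead of passing empty arguments to az); pipefail: a failure
# inside a pipeline is not masked by its last stage.
set -euo pipefail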
##Variables declaration
# Deployment parameters. Nothing below reads these from the environment, so edit here.
# The three VNet prefixes (10.20/16, 10.21/16, 10.22/16) are disjoint, which VNet peering
# requires; the AKS service CIDR, docker bridge and P2S client pool set later must stay
# disjoint from them too.
##Spoke 1 : AKS Zone
location="eastus"
aks_resource_group_name="spoke1-aks-zone"
cluster_name="rakata-aks"
cluster_node_size="Standard_B2s"
cluster_node_count="1"
node_disk_size="30"
aks_vnet_zone_name="AKS-vnet"
aks_vnet_zone_prefix="10.20.0.0/16"
aks_subnet_zone_name="AKS-subnet"
aks_subnet_zone_prefix="10.20.1.0/24"
## Spoke 2: ACR Zone
acr_resource_group_name="spoke2-acr-zone"
# Becomes the DNS label <acr_name>.azurecr.io, so it must be unique across Azure — change
# before reusing this script.
acr_name="rakataregistry"
acr_vnet_zone_name="acr-vnet"
acr_vnet_zone_prefix="10.22.0.0/16"
acr_subnet_zone_name="acr-subnet"
acr_subnet_zone_prefix="10.22.1.0/24"
# Name of the private DNS zone that overrides the registry's public resolution.
acr_private_link="privatelink.azurecr.io"
# Display name of the service principal the pull-access section creates.
acr_private_aks_role_reader="acr_private_aks_role_reader"
##HUB : Jump Zone
hub_resource_group_name="cloud-hub-zone"
hub_vnet_zone_name="hub-vnet"
hub_vnet_zone_prefix="10.21.0.0/16"
hub_subnet_zone_name="hub-subnet"
hub_subnet_zone_prefix="10.21.1.0/24"
# The jumpbox public IP and the VPN gateway public IP below are the only Internet-facing
# entry points in this design; the AKS API server and the registry are private.
hub_jumpbox_public_ip_address="jumpboxIP"
hub_jumpbox_name="JumpBox"
hub_gateway_subnet_prefix="10.21.255.0/27"
# Azure expects the VPN gateway subnet to carry exactly this name.
hub_gateway_subnet_name="GatewaySubnet"
hub_gateway_public_ip="VNet1GWIP"
hub_gateway_name="hub_vpn_gateway"
## Create the three resource groups (one per zone) in the same region
for rg in "$aks_resource_group_name" "$acr_resource_group_name" "$hub_resource_group_name"; do
  az group create --name "$rg" --location "$location"
done
## Create one VNet with one subnet per zone (spoke 1 = AKS, spoke 2 = ACR, hub)
# $1 resource group, $2 VNet name, $3 VNet prefix, $4 subnet name, $5 subnet prefix
create_zone_vnet() {
  az network vnet create \
    --resource-group "$1" \
    --name "$2" \
    --address-prefix "$3" \
    --subnet-name "$4" \
    --subnet-prefix "$5"
}
create_zone_vnet "$aks_resource_group_name" "$aks_vnet_zone_name" "$aks_vnet_zone_prefix" \
  "$aks_subnet_zone_name" "$aks_subnet_zone_prefix"
create_zone_vnet "$acr_resource_group_name" "$acr_vnet_zone_name" "$acr_vnet_zone_prefix" \
  "$acr_subnet_zone_name" "$acr_subnet_zone_prefix"
create_zone_vnet "$hub_resource_group_name" "$hub_vnet_zone_name" "$hub_vnet_zone_prefix" \
  "$hub_subnet_zone_name" "$hub_subnet_zone_prefix"
## Resolve the VNet resource IDs used as peering and DNS-link targets below
# Each ID is echoed so the run log records which resources were wired together.
vnet_id() {
  # $1 resource group, $2 VNet name
  az network vnet show --resource-group "$1" --name "$2" --query id -o tsv
}
vnet_aks_id=$(vnet_id "$aks_resource_group_name" "$aks_vnet_zone_name")
echo "$vnet_aks_id"
vnet_hub_id=$(vnet_id "$hub_resource_group_name" "$hub_vnet_zone_name")
echo "$vnet_hub_id"
vnet_acr_id=$(vnet_id "$acr_resource_group_name" "$acr_vnet_zone_name")
echo "$vnet_acr_id"
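### Peer each spoke with the hub, and the two spokes with each other (both directions)
# Fixes two defects in the original: the hub->AKS leg passed `-name` (single dash), and
# both ACR<->hub legs referenced an undefined `$acs_vnet_zone_name`, so those calls failed
# and aborted the run under set -e.
# Security note: --allow-forwarded-traffic admits traffic that did not originate in the
# peered VNet; it is only needed when an appliance in the hub forwards between spokes, so
# drop it if no such appliance exists. The direct AKS<->ACR peering bypasses the hub and
# is what lets the nodes reach the registry's private endpoint without transit routing.
peer_vnets() {
  # $1 local RG, $2 local VNet name, $3 remote VNet name (for the peering name), $4 remote VNet ID
  az network vnet peering create \
    --resource-group "$1" \
    --name "${2}-to-${3}" \
    --vnet-name "$2" \
    --remote-vnet "$4" \
    --allow-vnet-access \
    --allow-forwarded-traffic
}
peer_vnets "$aks_resource_group_name" "$aks_vnet_zone_name" "$hub_vnet_zone_name" "$vnet_hub_id"
peer_vnets "$hub_resource_group_name" "$hub_vnet_zone_name" "$aks_vnet_zone_name" "$vnet_aks_id"
peer_vnets "$acr_resource_group_name" "$acr_vnet_zone_name" "$hub_vnet_zone_name" "$vnet_hub_id"
peer_vnets "$hub_resource_group_name" "$hub_vnet_zone_name" "$acr_vnet_zone_name" "$vnet_acr_id"
peer_vnets "$aks_resource_group_name" "$aks_vnet_zone_name" "$acr_vnet_zone_name" "$vnet_acr_id"
peer_vnets "$acr_resource_group_name" "$acr_vnet_zone_name" "$aks_vnet_zone_name" "$vnet_aks_id"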
## Create the private AKS cluster in the spoke-1 subnet
aks_subnet_zone_id=$(az network vnet subnet show \
  --resource-group "$aks_resource_group_name" \
  --vnet-name "$aks_vnet_zone_name" \
  --name "$aks_subnet_zone_name" \
  --query id --output tsv)
## Pick the newest non-preview Kubernetes version offered in this region
# NOTE(review): this JMESPath walks `orchestrators[]`, the shape older CLIs return; newer
# `az aks get-versions` output is keyed differently — confirm against the CLI in use.
AKS_VERSION=$(az aks get-versions --location "$location" \
  --query "orchestrators[?to_string(isPreview)=='null'] | [-1].orchestratorVersion" \
  --output tsv)
echo "$AKS_VERSION"
# --enable-private-cluster keeps the API server off the public Internet; it is reached from
# the hub (jumpbox / VPN clients) through the private DNS zone linked further down.
# The service CIDR (10.30/16) and docker bridge (172.17/16) are disjoint from the VNet
# prefixes (10.20-10.22/16) and from the P2S client pool (172.16.1/24) configured later.
# NOTE(review): --docker-bridge-address is ignored/deprecated on newer CLIs — harmless, but
# confirm before relying on it.
aks_create_args=(
  --resource-group "$aks_resource_group_name"
  --name "$cluster_name"
  --kubernetes-version "$AKS_VERSION"
  --location "$location"
  --enable-private-cluster
  --node-vm-size "$cluster_node_size"
  --load-balancer-sku standard
  --node-count "$cluster_node_count"
  --node-osdisk-size "$node_disk_size"
  --network-plugin kubenet
  --vnet-subnet-id "$aks_subnet_zone_id"
  --docker-bridge-address 172.17.0.1/16
  --dns-service-ip 10.30.0.10
  --service-cidr 10.30.0.0/16
)
az aks create "${aks_create_args[@]}"
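## Create the jumpbox VM in the hub subnet
# NOTE(review): the original asked for a Basic-SKU dynamic public IP. Basic public IPs are
# on a retirement path and Standard SKU (static, default-deny without an NSG) is the current
# recommendation — confirm before reusing this in a new deployment.
az network public-ip create \
  --resource-group "$hub_resource_group_name" \
  --name "$hub_jumpbox_public_ip_address" \
  --allocation-method dynamic \
  --sku basic
# SSH public key: override with SSH_PUBLIC_KEY_FILE; defaults to the path the original hard-coded.
ssh_public_key_file="${SSH_PUBLIC_KEY_FILE:-$HOME/.ssh/id_rsa.pub}"
# Inbound SSH source. Left to itself `az vm create` generates an NSG whose SSH rule admits
# every source, so the jumpbox would answer on 22/tcp to the whole Internet. Set
# JUMPBOX_SSH_SOURCE_CIDR (e.g. your office egress prefix) to scope it; the fallback keeps
# the original Internet-wide exposure and warns about it on stderr.
jumpbox_ssh_source="${JUMPBOX_SSH_SOURCE_CIDR:-*}"
if [[ "$jumpbox_ssh_source" == "*" ]]; then
  printf 'WARNING: JUMPBOX_SSH_SOURCE_CIDR not set; SSH on %s will be reachable from any source\n' \
    "$hub_jumpbox_name" >&2
fi
hub_jumpbox_nsg_name="${hub_jumpbox_name}-nsg"
# NOTE(review): the `UbuntuLTS` image alias has been retired on newer CLIs; confirm the alias
# (or pin an explicit URN) before reuse.
# --nsg/--nsg-rule NONE: create a named, empty NSG so the single SSH rule below is the only
# inbound allow and its source is under our control.
az vm create --name "$hub_jumpbox_name" \
  --resource-group "$hub_resource_group_name" \
  --image UbuntuLTS \
  --location "$location" \
  --size Standard_A1_v2 \
  --authentication-type ssh \
  --ssh-key-values "$ssh_public_key_file" \
  --admin-username jumboxadmin \
  --vnet-name "$hub_vnet_zone_name" \
  --subnet "$hub_subnet_zone_name" \
  --public-ip-address "$hub_jumpbox_public_ip_address" \
  --nsg "$hub_jumpbox_nsg_name" \
  --nsg-rule NONE
az network nsg rule create \
  --resource-group "$hub_resource_group_name" \
  --nsg-name "$hub_jumpbox_nsg_name" \
  --name allow-ssh-inbound \
  --priority 1000 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-address-prefixes "$jumpbox_ssh_source" \
  --destination-port-ranges 22
# Public address of the jumpbox (the operator's SSH target).
jumpbox_vm_public_ip=$(az vm show -d --name "$hub_jumpbox_name" \
  --resource-group "$hub_resource_group_name" \
  --query publicIps -o tsv)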
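## Link the hub VNet to the private DNS zone of the AKS API server
# The private cluster's API server name is published in a private DNS zone that lives in
# the cluster's node resource group; clients in the hub (jumpbox, VPN users) can only
# resolve it once the hub VNet is linked to that zone.
node_resource_group=$(az aks show --name "$cluster_name" \
  --resource-group "$aks_resource_group_name" \
  --query 'nodeResourceGroup' -o tsv)
echo "$node_resource_group"
# The JMESPath is quoted: unquoted `[0].name` is a shell glob and would be rewritten if a
# matching file existed in the working directory. `[0]` assumes the node RG holds exactly
# one private zone, which is the default (system-managed) private-cluster layout; fail
# loudly instead of linking an empty zone name if that assumption breaks.
dnszone=$(az network private-dns zone list \
  --resource-group "$node_resource_group" \
  --query '[0].name' -o tsv)
if [[ -z "$dnszone" ]]; then
  printf 'no private DNS zone found in node resource group %s\n' "$node_resource_group" >&2
  exit 1
fi
echo "$dnszone"
echo "${hub_vnet_zone_name}-${hub_resource_group_name}"
# registration-enabled false: the hub's VMs should not auto-register records in the
# cluster's zone; the link is for resolution only.
az network private-dns link vnet create \
  --name "${hub_vnet_zone_name}-${hub_resource_group_name}" \
  --resource-group "$node_resource_group" \
  --virtual-network "$vnet_hub_id" \
  --zone-name "$dnszone" \
  --registration-enabled false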
## Create the registry; Private Link is a Premium-SKU feature
# The admin user is not enabled here, so the registry has no static username/password and
# access is through Azure identities only.
az acr create \
  --resource-group "$acr_resource_group_name" \
  --name "$acr_name" \
  --sku Premium
# Resource ID (used as the private-endpoint target and role-assignment scope) and login server.
REGISTRY_ID=$(az acr show --name "$acr_name" --query 'id' --output tsv)
REGISTRY_LOGIN_SERVER=$(az acr show --name "$acr_name" --query 'loginServer' --output tsv)
printf '%s\n' "$REGISTRY_ID" "$REGISTRY_LOGIN_SERVER"
## Place a private endpoint for the registry in the ACR subnet
# Private-endpoint network policies must be off on a subnet before a private endpoint can
# be created in it.
# NOTE(review): newer CLIs spell this `--private-endpoint-network-policies Disabled` — confirm.
az network vnet subnet update \
  --resource-group "$acr_resource_group_name" \
  --vnet-name "$acr_vnet_zone_name" \
  --name "$acr_subnet_zone_name" \
  --disable-private-endpoint-network-policies
# Endpoint name is reused below for the connection name suffix.
acr_private_endpoint_name="${acr_name}-${acr_resource_group_name}"
# group-ids registry: the Private Link sub-resource for a container registry.
az network private-endpoint create \
  --resource-group "$acr_resource_group_name" \
  --name "$acr_private_endpoint_name" \
  --vnet-name "$acr_vnet_zone_name" \
  --subnet "$acr_subnet_zone_name" \
  --private-connection-resource-id "$REGISTRY_ID" \
  --group-ids registry \
  --connection-name "${acr_private_endpoint_name}-cnx"
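## Private DNS zone for the registry and the A records that point it at the private endpoint
# Clients in the VNets linked to this zone resolve <acr>.azurecr.io to the private endpoint
# IPs instead of the public ones.
az network private-dns zone create \
  --resource-group "$acr_resource_group_name" \
  --name "$acr_private_link"
## Find the private IPs of the registry endpoint and its regional data endpoint
acr_private_network_id=$(az network private-endpoint show \
  --name "${acr_name}-${acr_resource_group_name}" \
  --resource-group "$acr_resource_group_name" \
  --query 'networkInterfaces[0].id' \
  --output tsv)
# Pick each IP configuration by the Private Link member it serves ('registry' and
# 'registry_data_<region>') instead of by array index: the original read [1] as the
# registry and [0] as the data endpoint, and nothing guarantees that ordering, so the two
# A records could silently end up swapped.
acr_private_ip=$(az network nic show --ids "$acr_private_network_id" \
  --query "ipConfigurations[?privateLinkConnectionProperties.requiredMemberName=='registry'].privateIPAddress | [0]" \
  --output tsv)
data_acr_private_ip=$(az network nic show --ids "$acr_private_network_id" \
  --query "ipConfigurations[?privateLinkConnectionProperties.requiredMemberName=='registry_data_${location}'].privateIPAddress | [0]" \
  --output tsv)
if [[ -z "$acr_private_ip" || -z "$data_acr_private_ip" ]]; then
  printf 'could not resolve private endpoint IPs (registry=%s data=%s)\n' \
    "$acr_private_ip" "$data_acr_private_ip" >&2
  exit 1
fi
echo "$acr_private_ip"
echo "$data_acr_private_ip"
## A records: <acr> -> registry endpoint, <acr>.<region>.data -> data endpoint
create_acr_a_record() {
  # $1 record-set name, $2 IPv4 address
  az network private-dns record-set a create \
    --name "$1" \
    --zone-name "$acr_private_link" \
    --resource-group "$acr_resource_group_name"
  az network private-dns record-set a add-record \
    --record-set-name "$1" \
    --zone-name "$acr_private_link" \
    --resource-group "$acr_resource_group_name" \
    --ipv4-address "$2"
}
create_acr_a_record "$acr_name" "$acr_private_ip"
create_acr_a_record "${acr_name}.${location}.data" "$data_acr_private_ip"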
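## Disable public access to the registry
# --default-action Deny only changes the default of the public endpoint's network rule set;
# the public endpoint itself stays up (and trusted-service bypass may still apply). Turning
# the public network off makes the private endpoint the only way in, which is what the
# section heading promises. Pushes from outside the VNets then have to go through the
# jumpbox or the VPN.
echo "$acr_name"
az acr update --name "$acr_name" --default-action Deny --public-network-enabled false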
## Link the hub and AKS VNets to the registry's private DNS zone
# Without these links the jumpbox (hub) and the cluster nodes (AKS) would keep resolving
# the registry to its public addresses. Registration stays off: resolution only.
link_acr_dns_zone() {
  # $1 link name, $2 VNet resource ID
  az network private-dns link vnet create \
    --name "$1" \
    --resource-group "$acr_resource_group_name" \
    --virtual-network "$2" \
    --zone-name "$acr_private_link" \
    --registration-enabled false
}
link_acr_dns_zone "${hub_vnet_zone_name}-${hub_resource_group_name}" "$vnet_hub_id"
link_acr_dns_zone "${aks_vnet_zone_name}-${aks_resource_group_name}" "$vnet_aks_id"
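## Grant the cluster permission to pull images from the registry
# The original minted a new service principal, gave it Reader on the registry, echoed its
# client secret to stdout and then made it the cluster's service principal. Problems:
#  - Reader is a broad ARM read role; the data-plane right for pulls is AcrPull.
#  - The secret landed in the run log (and on the command line of update-credentials).
#  - The cluster identity was swapped for one that, by what this script assigns, lacks the
#    rights a BYO-VNet cluster needs on its node resource group and subnet; it only worked
#    where the CLI's create-for-rbac default (Contributor on the whole subscription, on
#    older CLI versions) silently filled the gap.
# --attach-acr assigns AcrPull on the registry to the identity the cluster already runs
# with (service principal or kubelet managed identity): least privilege, no new credential.
az aks update \
  --resource-group "$aks_resource_group_name" \
  --name "$cluster_name" \
  --attach-acr "$REGISTRY_ID"
#az aks browse --resource-group myResourceGroup --name myAKSCluster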
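## Provision the VPN gateway in the hub VNet
# Dedicated gateway subnet (Azure expects the literal name "GatewaySubnet").
az network vnet subnet create --name "$hub_gateway_subnet_name" \
  --resource-group "$hub_resource_group_name" \
  --vnet-name "$hub_vnet_zone_name" \
  --address-prefixes "$hub_gateway_subnet_prefix"
# NOTE(review): Dynamic allocation implies a Basic-SKU public IP; confirm the gateway
# SKU/generation you target still accepts one.
az network public-ip create --name "$hub_gateway_public_ip" \
  --resource-group "$hub_resource_group_name" \
  --allocation-method Dynamic
# --no-wait returns immediately; gateway provisioning commonly takes tens of minutes.
az network vnet-gateway create \
  --name "$hub_gateway_name" \
  --location "$location" \
  --resource-group "$hub_resource_group_name" \
  --public-ip-address "$hub_gateway_public_ip" \
  --vnet "$hub_vnet_zone_name" \
  --gateway-type Vpn \
  --sku VpnGw1 \
  --vpn-type RouteBased \
  --no-wait
# Block until the gateway exists. The original went straight on to `vnet-gateway update`
# (the P2S configuration further down), which is rejected while provisioning is still in
# progress and would abort the run under set -e.
az network vnet-gateway wait \
  --name "$hub_gateway_name" \
  --resource-group "$hub_resource_group_name" \
  --created
az network vnet-gateway show \
  --name "$hub_gateway_name" \
  --resource-group "$hub_resource_group_name" \
  --query provisioningState \
  --output tsv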
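# Create P2S VPN
## Generate the root (CA) certificate used to authenticate P2S clients
### Install tools to generate the CA certificate and a client certificate
sudo apt-get install strongswan -y
sudo apt-get install strongswan-pki -y
sudo apt-get install libstrongswan-extra-plugins -y
### End Installing tools
# Everything below writes private keys and a PKCS#12 bundle into the current directory;
# make those files owner-readable only (umask stays in effect for the rest of the run).
# caKey.pem can mint client certificates the gateway will trust: move it to a secrets
# store after the run and never commit it.
umask 077
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "CN=P2SRootCert" \
  --ca --outform pem > caCert.pem
# Base64-encoded DER, the form `az network vnet-gateway root-cert create` uploads.
openssl x509 -in caCert.pem -outform der | base64 -w0 > caCert.cer
#Create client certificate
USERNAME="azureuser"
# PKCS#12 export password. The original hard-coded "pass@word" in the script and passed it
# on the openssl command line (visible in `ps`). Now: taken from P2S_CLIENT_P12_PASSWORD if
# set, otherwise generated; written to a 0600 file that openssl reads via -passout file:.
PASSWORD="${P2S_CLIENT_P12_PASSWORD:-$(openssl rand -base64 24)}"
p12_password_file="${USERNAME}.p12.pass"
printf '%s\n' "$PASSWORD" > "$p12_password_file"
printf 'PKCS#12 password for %s.p12 written to %s (0600); import the .p12 with it\n' \
  "$USERNAME" "$p12_password_file" >&2
ipsec pki --gen --outform pem > "${USERNAME}Key.pem"
# Issue a client-auth certificate for the user, signed by the CA above.
ipsec pki --pub --in "${USERNAME}Key.pem" | ipsec pki \
  --issue --cacert caCert.pem --cakey caKey.pem \
  --dn "CN=${USERNAME}" --san "${USERNAME}" \
  --flag clientAuth --outform pem > "${USERNAME}Cert.pem"
openssl pkcs12 -in "${USERNAME}Cert.pem" \
  -inkey "${USERNAME}Key.pem" \
  -certfile caCert.pem \
  -export -out "${USERNAME}.p12" \
  -passout "file:${p12_password_file}"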
#
## Configure point-to-site: client protocol, client address pool, trusted root, client package
# NOTE(review): SSTP is a Windows-only client protocol; add IkeV2 to the protocol list if
# macOS/Linux clients need to connect (supported on the VpnGw SKUs, not on Basic).
p2s_client_pool="172.16.1.0/24"
az network vnet-gateway update \
  --resource-group "$hub_resource_group_name" \
  --name "$hub_gateway_name" \
  --client-protocol SSTP \
  --address-prefixes "$p2s_client_pool"
# Upload the CA's public certificate; clients presenting certificates it signed are admitted.
az network vnet-gateway root-cert create \
  --resource-group "$hub_resource_group_name" \
  --gateway-name "$hub_gateway_name" \
  --name P2SRootCert \
  --public-cert-data caCert.cer
# Outputs the download location of the generated VPN client configuration package.
az network vnet-gateway vpn-client generate \
  --resource-group "$hub_resource_group_name" \
  --name "$hub_gateway_name" \
  --processor-architecture Amd64