OSS Post Deployment CI/CD workflow (#447)

Creates an OSS focussed CI/CD deployment, leveraging the PostDeploy script and the Reusable Workflow for Deploying clusters.

.github/workflows/AKSC_Deploy.yml

@@ -10,7 +10,7 @@ on:
       templateVersion:
         description: 'Template Version'
         required: false
-        default: '0.8.8'
+        default: '0.9.2'
         type: string
       rg:
         description: 'Resource Group name'
@@ -47,6 +47,8 @@ on:
         required: true
       USER_OBJECT_ID:
         required: false
+      DNS_ZONE_ID:
+        required: false
     outputs:
       AKSNAME:
         description: "The AKS Cluster name"
@@ -54,54 +56,90 @@ on:
       ACRNAME:
         description: "The Container Registry name"
         value: ${{ jobs.Deploy-AKSC.outputs.ACRNAME }}
-        
+
 permissions:
   id-token: write
   contents: read
 
+concurrency: "${{ inputs.environment }}-${{ inputs.rg }}"
+
 jobs:
   Deploy-AKSC:
     runs-on: ubuntu-latest
-    environment: ${{ github.event.inputs.environment }}
+    environment: ${{ inputs.environment }}
     outputs:
       AKSNAME: ${{ steps.deployAks.outputs.AKSNAME }}
       ACRNAME: ${{ steps.deployAks.outputs.ACRNAME }}
+      AKVNAME: ${{ steps.deployAks.outputs.AKVNAME }}
+      AGNAME: ${{ steps.deployAks.outputs.AGNAME }}
     steps:
       # Login to Azure
-    - uses: azure/login@v1.4.3
+    - uses: azure/login@v1.4.6
       name: Initial Login to Azure to Deploy
       with:
         client-id: ${{ secrets.AZURE_CLIENT_ID }}
         tenant-id: ${{ secrets.AZURE_TENANT_ID }}
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
+
+    - name: Prepare params (string token replacements)
+      id: paramPrep
+      env:
+        templateParams: "${{ inputs.templateParams}}"
+      run: |
+        echo "Replacing params with secrets in param string $templateParams"
+      
+        if [[ "$templateParams" == *"_USER_OBJECT_ID_"* ]]; then
+          echo "Token _USER_OBJECT_ID_ found for secret reference replacement"
+
+          if [ -n "${{ secrets.USER_OBJECT_ID }}" ] #Is the secret accessible?
+          then
+            echo "Substitute _USER_OBJECT_ID_ placeholder value with real guid from secret"
+            templateParams=${templateParams//=_USER_OBJECT_ID_/=${{ secrets.USER_OBJECT_ID }}}
+          else
+            echo "Secret USER_OBJECT_ID not found in environment ${{ inputs.environment }}"
+          fi
+        fi
+        if [[ "$templateParams" == *"_DNS_ZONE_ID_"* ]]; then
+          echo "Token _DNS_ZONE_ID_ found for secret reference replacement"
+
+          if [ -n "${{ secrets.DNS_ZONE_ID }}" ] #Is the secret accessible?
+          then
+            echo "Substitute _DNS_ZONE_ID_ placeholder value with real value from secret"
+            templateParams=${templateParams//=_DNS_ZONE_ID_/=${{ secrets.DNS_ZONE_ID }}}
+          else
+            echo "Secret DNS_ZONE_ID not found in environment ${{ inputs.environment }}"
+          fi
+        fi
+
+        echo "Setting output param string $templateParams"
+        echo "templateParams=$templateParams" >> $GITHUB_OUTPUT
+
       # Deploy Bicep file
     - name: Deploy Bicep
       id: deployAks
       env:
-        templateParams: "${{ inputs.templateParams}}"
+        templateParams: ${{ steps.paramPrep.outputs.templateParams}} #"${{ inputs.templateParams}}"
       run: |
-        if [ -n "${{ secrets.USER_OBJECT_ID }}" ]
-        then
-          echo "Substitute _USER_OBJECT_ID_ placeholder value with real guid from secret"
-          templateParams=${templateParams//=_USER_OBJECT_ID_/=${{ secrets.USER_OBJECT_ID }}}
-        else
-          echo "USER_OBJECT_ID not being leveraged in workflow"
-        fi
-
-        DeployOut=($(az deployment group create -g ${{ inputs.rg }} --template-uri https://github.com/Azure/AKS-Construction/releases/download/${{ inputs.templateVersion }}/main.json --query "[properties.outputs.aksClusterName.value,properties.outputs.containerRegistryName.value]" -o tsv --parameters ${{ inputs.templateParamFile}} automatedDeployment=true $templateParams))
+        echo "Creating deployment ${{ inputs.resourceName }} using params $templateParams and AKSC ${{ inputs.templateVersion }}"
+        
+        DeployOut=($(az deployment group create -g ${{ inputs.rg }} -n ${{ inputs.resourceName }} --template-uri https://github.com/Azure/AKS-Construction/releases/download/${{ inputs.templateVersion }}/main.json --query "[properties.outputs.aksClusterName.value,properties.outputs.containerRegistryName.value]" -o tsv --parameters ${{ inputs.templateParamFile}} automatedDeployment=true $templateParams))
 
         aksClusterName=${DeployOut[0]}
         containerRegistryName=${DeployOut[1]}
+        keyvaultName=${DeployOut[2]}
+        appGatewayName=${DeployOut[3]}
 
         echo "aksClusterName returned from az deployment = $aksClusterName"
         echo "containerRegistryName returned from az deployment = $containerRegistryName"
-
-        echo "::set-output name=AKSNAME::$aksClusterName"
-        echo "::set-output name=ACRNAME::$containerRegistryName"
+        
+        echo "AKSNAME=$aksClusterName" >> $GITHUB_OUTPUT
+        echo "ACRNAME=$containerRegistryName" >> $GITHUB_OUTPUT
+        echo "AKVNAME=$keyvaultName" >> $GITHUB_OUTPUT
+        echo "AGNAME=$appGatewayName" >> $GITHUB_OUTPUT
 
       # Re-Login to Azure if we're using the AKS RUN COMMAND
-    - uses: azure/login@v1.4.3
+    - uses: azure/login@v1.4.6
       name: Initial Login to Azure to Deploy
       if: inputs.postScriptParams && inputs.postScriptInvokeCommand == true
       with:
@@ -112,7 +150,7 @@ jobs:
     - name: Kubelogin
       if: inputs.postScriptParams && inputs.postScriptInvokeCommand == false
       env:
-        kubeloginversion: 'v0.0.13'
+        kubeloginversion: 'v0.0.20'
       run: |
         az aks get-credentials -n ${{ steps.deployAks.outputs.AKSNAME }} -g ${{ inputs.rg }} --overwrite-existing
 
@@ -123,8 +161,22 @@ jobs:
 
     - name: Post Deploy
       if: inputs.postScriptParams
+      env:
+        postScriptParams: "${{ inputs.postScriptParams }}"
       run: |
-        postcmd="curl -sL https://github.com/Azure/AKS-Construction/releases/download/${{ inputs.templateVersion }}/postdeploy.sh | bash -s -- -r https://github.com/Azure/AKS-Construction/releases/download/${{ inputs.templateVersion }} -p KubeletId=$(az aks show -n ${{ steps.deployAks.outputs.AKSNAME }} -g ${{ inputs.rg }} --query identityProfile.kubeletidentity.clientId -o tsv),TenantId=${{ secrets.AZURE_TENANT_ID }},${{ inputs.postScriptParams }}"
+        if [[ "$postScriptParams" == *"_DNS_ZONE_ID_"* ]]; then
+          echo "Token _DNS_ZONE_ID_ found for secret reference replacement"
+
+          if [ -n "${{ secrets.DNS_ZONE_ID }}" ] #Is the secret accessible?
+          then
+            echo "Substitute _DNS_ZONE_ID_ placeholder value with real value from secret"
+            postScriptParams=${postScriptParams//=_DNS_ZONE_ID_/=${{ secrets.DNS_ZONE_ID }}}
+          else
+            echo "Secret DNS_ZONE_ID not found in environment ${{ inputs.environment }}"
+          fi
+        fi
+
+        postcmd="curl -sL https://github.com/Azure/AKS-Construction/releases/download/${{ inputs.templateVersion }}/postdeploy.sh | bash -s -- -r https://github.com/Azure/AKS-Construction/releases/download/${{ inputs.templateVersion }} -p KubeletId=$(az aks show -n ${{ steps.deployAks.outputs.AKSNAME }} -g ${{ inputs.rg }} --query identityProfile.kubeletidentity.clientId -o tsv),TenantId=${{ secrets.AZURE_TENANT_ID }},$postScriptParams"
 
         if ${{ inputs.postScriptInvokeCommand}}; then
           if [ "${{ steps.deployAks.outputs.ACRNAME }}" ]; then
@@ -134,6 +186,3 @@ jobs:
         else
           eval $postcmd
         fi
-
-
-

.github/workflows/OSSCI.yml

@@ -0,0 +1,291 @@
+name: InfraCI - OSS cluster
+
+on:
+  #Run on Manual execution
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Which GitHub Environment to deploy to'
+        required: true
+        default: "csu"
+        type: environment
+
+  #Run when PR's are made to main, where the changes are in the bicep directory or this workflow file itself
+  pull_request:
+    branches: [main]
+    paths:
+      - "bicep/*"
+      - ".github/workflows/OSSCI.yml"
+
+  #Run on a weekly schedule
+  schedule:
+    # At 9pm, every month.
+    - cron: "0 21 1 1-12 *"
+
+env:
+  RG: "AksBicepAcc-Ci-OssCluster" #The resource group we're deploying to.
+  RESNAME: "AksOss" #Used in Azure Resource Naming, overrides the default in the parameter file
+  DEPNAME: "Dep${{ github.run_number }}" #Deployment Name
+  AZCLIVERSION: 2.38.0 #Pinning to a specific AZ CLI version
+
+permissions:
+      id-token: write
+      contents: read
+
+concurrency: "OSSCI-${{ github.event.inputs.Environment != '' && github.event.inputs.Environment || 'csu' }}-AksBicepAcc-Ci-OssCluster"
+
+jobs:
+  ReusableWF:
+    runs-on: ubuntu-latest
+    environment:  ${{ github.event.inputs.Environment }}
+    outputs:
+      RG: ${{ env.RG }}
+      ENVIRONMENT: ${{ github.event.inputs.Environment != '' && github.event.inputs.Environment || 'csu' }}
+      RESNAME: ${{ env.RESNAME }}
+      PARAMFILE: ${{ env.ParamFilePath }}
+      ExistingDnsDomainName: aksc.msftcsu.net
+      ExistingDnsDomainRg: aksbicepacc-ci-deployvnet
+      
+    steps:
+      - name: Dummy step
+        run: echo "Resuable workflows can't be directly reference ENV/INPUTS (yet), so we need this job to proxy"
+
+  ContourDeploy:
+    uses: ./.github/workflows/AKSC_Deploy.yml
+    needs: [ReusableWF]
+    with:
+      environment: ${{ needs.ReusableWF.outputs.ENVIRONMENT }}
+      templateVersion: "0.9.3-preview3"
+      rg: ${{ needs.ReusableWF.outputs.RG }}
+      resourceName: azcontour
+      templateParams: resourceName=az-contour agentCount=2 JustUseSystemPool=true custom_vnet=true enable_aad=true enableAzureRBAC=true adminPrincipalId=_USER_OBJECT_ID_ registries_sku=Standard acrPushRolePrincipalId=_USER_OBJECT_ID_ networkPolicy=azure azurepolicy=audit dnsZoneId=_DNS_ZONE_ID_ keyVaultAksCSI=true keyVaultCreate=true keyVaultOfficerRolePrincipalId=_USER_OBJECT_ID_
+      postScriptParams: "ingress=contour,ingressEveryNode=true,dnsZoneId=_DNS_ZONE_ID_,certEmail=gdogg@microsoft.com,certClusterIssuer=letsencrypt-staging,monitor=oss,enableMonitorIngress=true,grafanaHostname=grafanacnt"
+    secrets:
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      USER_OBJECT_ID: ${{ secrets.USER_OBJECT_ID }}
+      DNS_ZONE_ID: ${{ secrets.BYODNSZONEID }}
+
+  ContourGrafanaVerify:
+    runs-on: ubuntu-latest
+    name: Verify Grafana Dashboard
+    environment: ${{ github.event.inputs.environment }}
+    needs: [ContourDeploy]
+    env:
+      URL: "https://grafanacnt.aksc.msftcsu.net"
+    steps:
+      - name: Curl Grafana domain (on 80)
+        env:
+          HOSTNAME: grafanacnt.aksc.msftcsu.net
+        run: curl $HOSTNAME
+        
+      - name: Verify Grafana dashboard available TLS
+        timeout-minutes: 5
+        run: |
+          echo "curl $URL [$(date +"%T")]"
+          curlcommand="curl --connect-timeout 2 --retry 25 --retry-delay 20 --no-keepalive --no-tcp-nodelay -X GET --insecure --write-out %{http_code} --silent --fail --output /dev/null $URL -v --trace-time"
+          echo "Running curl command $curlcommand with retry"
+          respcode=$($curlcommand || sleep 1m; $curlcommand)
+          echo $respcode
+          curl --insecure $URL
+          
+      - name: Verify Grafana Certificate
+        run: |
+          curl --insecure -vvI $APPURL 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
+
+
+  ContourDeploy_SmokeTest_SimpleApp:
+    runs-on: ubuntu-latest
+    name: Simple App (Contour)
+    environment: ${{ github.event.inputs.environment }}
+    needs: [ContourDeploy]
+    steps:
+      - uses: actions/checkout@v2.5.0
+
+      - name: Azure Login
+        uses: Azure/login@v1.4.6
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: AKS Connect
+        env:
+          AKSNAME: ${{ needs.ContourDeploy.outputs.AKSNAME}}
+        run: az aks get-credentials -n $AKSNAME -g $RG --overwrite-existing
+
+      - name: Kubelogin
+        env:
+          kubeloginversion: 'v0.0.20'
+        run: |
+          wget https://github.com/Azure/kubelogin/releases/download/${{ env.kubeloginversion }}/kubelogin-linux-amd64.zip
+          unzip kubelogin-linux-amd64.zip
+          sudo mv bin/linux_amd64/kubelogin /usr/bin
+          kubelogin convert-kubeconfig -l azurecli
+
+      - name: Deploy Simple Workload
+        env:
+          MANIFESTTESTURL: "https://raw.githubusercontent.com/Gordonby/AKS-K8S-Lab-L200/master/azure-vote-all-in-one-redis.yaml"
+          NAMESP: "votey"
+        run: |
+            echo "Creating namespace $NAMESP"
+            kubectl create namespace $NAMESP --dry-run=client -o yaml | kubectl apply -f -
+
+            echo $MANIFESTTESTURL
+            kubectl apply -f $MANIFESTTESTURL -n  $NAMESP
+
+      - name: Verify Simple Workload
+        id: simpleworkloadverify
+        env:
+          NAMESP: "votey"
+        run: |
+          sleep 2m #Give public ip a chance to be allocated
+
+          kubectl get po -n  $NAMESP
+          kubectl get svc -n  $NAMESP
+
+          pubIp=$(kubectl get svc -n $NAMESP -o jsonpath='{.items[*].status.loadBalancer.ingress[0].ip}')
+          echo $pubIp
+          echo "::set-output name=SIMWORKLOADIP::$pubIp" #outputting for conditon
+
+          curl $pubIp
+
+  #ContourSmokeTest_JavaApp-certmgr:
+  #  name: Complex App (Contour)
+  #  needs: [ContourDeploy, ReusableWF]
+  #  if: ${{ needs.ContourDeploy.outputs.AGNAME }} != '' && ${{ needs.ContourDeploy.outputs.AKVNAME }} != ''
+  #  uses: azure-samples/java-aks-keyvault-tls/.github/workflows/deployapp.yml@gb-workflow-fedcred
+  #  with:
+  #    REPOREF: "0.9.2"
+  #    RG: ${{ needs.ReusableWF.outputs.RG }}
+  #    AKSNAME: ${{ needs.ContourDeploy.outputs.AKSNAME}}
+  #    DNSDOMAIN: ${{needs.ReusableWF.outputs.ExistingDnsDomainName}}
+  #    DNSRG: ${{needs.ReusableWF.outputs.ExistingDnsDomainRg}}
+  #    DNSRECORDNAME: openjdk-demo-contour
+  #    AKVNAME: ${{ needs.ContourDeploy.outputs.AKVNAME}}
+  #    AGNAME: ${{ needs.ContourDeploy.outputs.AGNAME}}
+  #    APPNAME: openjdk-demo-contour
+  #    FRONTENDCERTTYPE: certmanager-staging
+  #    FORCEHELMCLEANINSTALL: true
+  #  secrets:
+  #    AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+  #    AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+  #    AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+  NginxDeploy:
+    uses: ./.github/workflows/AKSC_Deploy.yml
+    needs: [ReusableWF]
+    if: false #The Nginx + Grafana piece has a bug resolved in Matts branch.
+    with:
+      environment: ${{ needs.ReusableWF.outputs.ENVIRONMENT }}
+      templateVersion: "0.9.3-preview3"
+      rg: ${{ needs.ReusableWF.outputs.RG }}
+      resourceName: azcontour
+      templateParams: resourceName=az-nginx agentCount=2 JustUseSystemPool=true custom_vnet=true enable_aad=true enableAzureRBAC=true adminPrincipalId=_USER_OBJECT_ID_ registries_sku=Standard acrPushRolePrincipalId=_USER_OBJECT_ID_ networkPolicy=azure azurepolicy=audit dnsZoneId=_DNS_ZONE_ID_ keyVaultAksCSI=true keyVaultCreate=true keyVaultOfficerRolePrincipalId=_USER_OBJECT_ID_
+      postScriptParams: "ingress=nginx,ingressEveryNode=true,dnsZoneId=_DNS_ZONE_ID_,certEmail=gdogg@microsoft.com,monitor=oss,enableMonitorIngress=true,grafanaHostname=grafanangx"
+    secrets:
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      USER_OBJECT_ID: ${{ secrets.USER_OBJECT_ID }}
+      DNS_ZONE_ID: ${{ secrets.BYODNSZONEID }}
+
+  NginxDeploy_SmokeTest_SimpleApp:
+    runs-on: ubuntu-latest
+    name: Simple App (Nginx)
+    environment: ${{ github.event.inputs.environment }}
+    needs: [NginxDeploy]
+    steps:
+      - uses: actions/checkout@v2.5.0
+
+      - name: Azure Login
+        uses: Azure/login@v1.4.6
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: AKS Connect
+        env:
+          AKSNAME: ${{ needs.NginxDeploy.outputs.AKSNAME}}
+        run: az aks get-credentials -n $AKSNAME -g $RG --overwrite-existing
+
+      - name: Kubelogin
+        env:
+          kubeloginversion: 'v0.0.20'
+        run: |
+          wget https://github.com/Azure/kubelogin/releases/download/${{ env.kubeloginversion }}/kubelogin-linux-amd64.zip
+          unzip kubelogin-linux-amd64.zip
+          sudo mv bin/linux_amd64/kubelogin /usr/bin
+          kubelogin convert-kubeconfig -l azurecli
+
+      - name: Deploy Simple Workload
+        env:
+          MANIFESTTESTURL: "https://raw.githubusercontent.com/Gordonby/AKS-K8S-Lab-L200/master/azure-vote-all-in-one-redis.yaml"
+          NAMESP: "votey"
+        run: |
+            echo "Creating namespace $NAMESP"
+            kubectl create namespace $NAMESP --dry-run=client -o yaml | kubectl apply -f -
+
+            echo $MANIFESTTESTURL
+            kubectl apply -f $MANIFESTTESTURL -n  $NAMESP
+
+      - name: Verify Simple Workload
+        id: simpleworkloadverify
+        env:
+          NAMESP: "votey"
+        run: |
+          sleep 2m #Give public ip a chance to be allocated
+
+          kubectl get po -n  $NAMESP
+          kubectl get svc -n  $NAMESP
+
+          pubIp=$(kubectl get svc -n $NAMESP -o jsonpath='{.items[*].status.loadBalancer.ingress[0].ip}')
+          echo $pubIp
+          echo "::set-output name=SIMWORKLOADIP::$pubIp" #outputting for conditon
+
+          curl $pubIp
+
+  Cleanup:
+    runs-on: ubuntu-latest
+    environment: ${{ github.event.inputs.environment }}
+    needs: [ContourGrafanaVerify, ContourDeploy_SmokeTest_SimpleApp, NginxDeploy_SmokeTest_SimpleApp]
+    if: false #github.event_name != 'workflow_dispatch'
+    steps:
+      - name: Azure Login
+        uses: Azure/login@v1.4.6
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
+
+      - name: Install Pwsh modules
+        shell: pwsh
+        run: |
+          Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
+          Install-Module -Name Az.Accounts
+          Install-Module -Name Az.Resources
+
+      - name: Cleanup
+        shell: pwsh
+        run: |
+          $RG='${{ env.RG }}'
+
+          # Get all ARM resources from all resource groups
+          $rgToPurge = Get-AzResourceGroup -Name $RG
+          try {
+            #Remove all but public ip addresses
+            Get-AzResource -ResourceGroupName $rgToPurge.ResourceGroupName | ? {$_.ResourceType -ne "Microsoft.Network/publicIPAddresses"} | Remove-AzResource -Force
+
+            #Remove public ip addresses
+            Get-AzResource -ResourceGroupName $rgToPurge.ResourceGroupName | ? {$_.ResourceType -eq "Microsoft.Network/publicIPAddresses"} | Remove-AzResource -Force
+
+            #Final run to clean other dependant resources in parent-child graph
+            Get-AzResource -ResourceGroupName $rgToPurge.ResourceGroupName | Remove-AzResource -Force
+          }
+          Catch #we're wanting to suppress failures in this step. If it fails to clean, the nightly automation will catch it.
+          {
+            write-output error
+          }

.github/workflows/StandardCI.yml

@@ -35,6 +35,8 @@ permissions:
       id-token: write
       contents: read
 
+concurrency: "StanCI-${{ github.event.inputs.Environment != '' && github.event.inputs.Environment || 'csu' }}-AksBicepAcc-Ci-BasicCluster"
+
 jobs:
   ReusableWF:
     runs-on: ubuntu-latest

.vscode/settings.json

@@ -7,5 +7,6 @@
     },
     "editor.renderWhitespace": "all",
     "files.trimTrailingWhitespace": true,
-    "diffEditor.ignoreTrimWhitespace": false
+    "diffEditor.ignoreTrimWhitespace": false,
+    "files.eol": "\n"
 }

bicep/aksnetcontrib.bicep

@@ -2,8 +2,6 @@
 //name/rg required to new up an existing reference and form a dependency
 //principalid required as it needs to be used to establish a unique roleassignment name
 param byoAKSSubnetId string
-param user_identity_name string
-param user_identity_rg string
 param user_identity_principalId string
 
 @allowed([
@@ -25,17 +23,12 @@ resource existingAksSubnet 'Microsoft.Network/virtualNetworks/subnets@2020-08-01
   name: existingAksSubnetName
 }
 
-resource uai 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = {
-  name: user_identity_name
-  scope: resourceGroup(user_identity_rg)
-}
-
 resource subnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (rbacAssignmentScope == 'subnet') {
   name:  guid(user_identity_principalId, networkContributorRole, existingAksSubnetName)
   scope: existingAksSubnet
   properties: {
     roleDefinitionId: networkContributorRole
-    principalId: uai.properties.principalId
+    principalId: user_identity_principalId
     principalType: 'ServicePrincipal'
   }
 }
@@ -45,7 +38,7 @@ resource existingVnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-pr
   scope: existingvnet
   properties: {
     roleDefinitionId: networkContributorRole
-    principalId: uai.properties.principalId
+    principalId: user_identity_principalId
     principalType: 'ServicePrincipal'
   }
 }

bicep/main.bicep

@@ -54,8 +54,6 @@ module aksnetcontrib './aksnetcontrib.bicep' = if (!empty(byoAKSSubnetId) && cre
   params: {
     byoAKSSubnetId: byoAKSSubnetId
     user_identity_principalId: createAksUai ? aksUai.properties.principalId : ''
-    user_identity_name: aksUai.name
-    user_identity_rg: resourceGroup().name
     rbacAssignmentScope: uaiNetworkScopeRbac
   }
 }

postdeploy/scripts/postdeploy.sh

@@ -1,10 +1,4 @@
 #!/bin/bash
-#
-#  Work In Progress - File not currently used!!
-#  Looking to remove the Post-Install scripting out of the react app, and to just call a bash file
-#  This way, the UI and the github actions can call a common script for all the cluster post-install configuration
-#
-#  Want to remove all 'az' cli commands out of here, into the bicep, so this only contains kubectl and helm (as need to run using invote command for secure clusters)
 
 # Fail if any command fails
 set -e
@@ -12,10 +6,12 @@ set -e
 ingress=""
 monitor=""
 enableMonitorIngress="false"
+grafanaHostname="grafana"
 ingressEveryNode=""
 dnsZoneId=""
 denydefaultNetworkPolicy=""
 certEmail=""
+certClusterIssuer="letsencrypt-prod"
 
 acrName=""
 KubeletId=""
@@ -29,7 +25,7 @@ while getopts "p:g:n:r:" opt; do
     p )
         IFS=',' read -ra params <<< "$OPTARG"
         for i in "${params[@]}"; do
-            if [[ $i =~ (ingress|monitor|enableMonitorIngress|ingressEveryNode|dnsZoneId|denydefaultNetworkPolicy|certEmail|acrName|KubeletId|TenantId)=([^ ]*) ]]; then
+            if [[ $i =~ (ingress|monitor|enableMonitorIngress|grafanaHostname|ingressEveryNode|dnsZoneId|denydefaultNetworkPolicy|certEmail|certClusterIssuer|acrName|KubeletId|TenantId)=([^ ]*) ]]; then
                 echo "set ${BASH_REMATCH[1]}=${BASH_REMATCH[2]}"
                 declare ${BASH_REMATCH[1]}=${BASH_REMATCH[2]}
             else
@@ -94,6 +90,11 @@ if [  "$monitor" ] && [[ ! "$monitor" = "oss" ]]; then
  show_usage=true
 fi
 
+if [  "$certClusterIssuer" ] && [[ ! $certClusterIssuer =~ (letsencrypt-staging|letsencrypt-prod) ]]; then
+ echo "supported cluster issuer parameter values are (letsencrypt-staging|letsencrypt-prod)"
+ show_usage=true
+fi
+
 if [ "$show_usage" ]; then
     echo "Usage: $0"
     echo "args:"
@@ -101,11 +102,13 @@ if [ "$show_usage" ]; then
     echo " [ -p: parameters] : Can provide one or multiple features:"
     echo "     ingress=<appgw|contour|nginx> - Enable cluster AutoScaler with max nodes"
     echo "     monitor=<oss> - Enable cluster AutoScaler with max nodes"
-    echo "     enableMonitorIngress=<true> - Enable Ingress for Promethous"
+    echo "     enableMonitorIngress=<true> - Enable Ingress for prometheus"
+    echo "     grafanaHostname=<true> - Specify a hostname for the grafana dashboard"
     echo "     ingressEveryNode=<true> - Enable cluster AutoScaler with max nodes"
     echo "     denydefaultNetworkPolicy=<true> - Deploy deny all network police"
     echo "     dnsZoneId=<Azure DNS Zone resourceId> - Enable cluster AutoScaler with max nodes"
     echo "     certEmail=<email for certman certificates> - Enables cert-manager"
+    echo "     certClusterIssuer=<letsencrypt-staging|letsencrypt-prod> - Specifies cert-manager cluster issuer used by grafana"
     echo "     KubeletId=<managed identity of Kubelet> *Require for cert-manager"
     echo "     TenantId=<AzureAD TenentId> *Require for cert-manager"
     echo "     acrName=<name of ACR> * If provided, used imported images for 3rd party charts"
@@ -136,7 +139,7 @@ get_image_property () {
             ((n-=1))
             else
             if $nk; then
-                #echo "new key $n - $i"
+                #echo "testing: new key $n - $i"
                 l[$n]=$(echo $i | tr -d '"')
                 nk=false
             else
@@ -254,11 +257,11 @@ if [ "$monitor" = "oss" ]; then
     kubectl create namespace ${prometheus_namespace} --dry-run=client -o yaml | kubectl apply -f -
     helm upgrade --install ${prometheus_helm_release_name} prometheus-community/kube-prometheus-stack --namespace ${prometheus_namespace} \
         --set grafana.ingress.enabled=${enableMonitorIngress} \
-        --set grafana.ingress.annotations."cert-manager\.io/cluster-issuer"=letsencrypt-prod \
+        --set grafana.ingress.annotations."cert-manager\.io/cluster-issuer"=$certClusterIssuer \
         --set grafana.ingress.annotations."ingress\.kubernetes\.io/force-ssl-redirect"=\"true\" \
         --set grafana.ingress.ingressClassName=${ingressClass} \
-        --set grafana.ingress.hosts[0]=grafana.${dnsZoneId_domain} \
-        --set grafana.ingress.tls[0].hosts[0]=grafana.${dnsZoneId_domain},grafana.ingress.tls[0].secretName=aks-grafana
+        --set grafana.ingress.hosts[0]=${grafanaHostname}.${dnsZoneId_domain} \
+        --set grafana.ingress.tls[0].hosts[0]=${grafanaHostname}.${dnsZoneId_domain},grafana.ingress.tls[0].secretName=aks-grafana
 fi