From 9b77c9f7e6054d7a92f14a0f4efb5bf2c66d7f88 Mon Sep 17 00:00:00 2001
From: David Newman
Date: Tue, 31 Jan 2023 15:13:26 +1000
Subject: [PATCH] Update dedicated RP deployment docs to include AKS, VPN, and Hive (#2621)
Co-authored-by: Matthew Barnes
---
 docs/deploy-full-rp-service-in-dev.md | 41 +++++++++-
 hack/devtools/deploy-shared-env.sh | 10 +++
 pkg/deploy/assets/vpn-development.json | 101 +++++++++++++++++++++++++
 3 files changed, 149 insertions(+), 3 deletions(-)
 create mode 100644 pkg/deploy/assets/vpn-development.json
diff --git a/docs/deploy-full-rp-service-in-dev.md b/docs/deploy-full-rp-service-in-dev.md
index ea0d7c042..b84a5c13f 100644
--- a/docs/deploy-full-rp-service-in-dev.md
+++ b/docs/deploy-full-rp-service-in-dev.md
@@ -29,11 +29,42 @@ make dev-config.yaml
 ```
+1. Run `make deploy`. This will fail on the first attempt to run due to AKS not being installed, so after the first failure, please skip to the next step to deploy the VPN Gateway and then deploy AKS.
+ > __NOTE:__ If the deployment fails with `InvalidResourceReference` due to the RP Network Security Groups not found, delete the "gateway-production-predeploy" deployment in the gateway resource group, and re-run `make deploy`.
-1. Run `make deploy`
- > __NOTE:__ This will fail on the first attempt to run due to certificate and container mirroring requirements.
+ > __NOTE:__ If the deployment fails with `A vault with the same name already exists in deleted state`, then you will need to recover the deleted keyvaults from a previous deploy using: `az keyvault recover --name ` for each keyvault, and re-run.
- > __NOTE:__ If the deployment fails with `InvalidResourceReference` due to the RP Network Security Groups not found, delete the gateway predeploy deployment, and re-run.
+1. Deploy a VPN Gateway
+ This is required in order to be able to connect to AKS from your local machine:
+ ```bash
+ source ./hack/devtools/deploy-shared-env.sh
+ deploy_vpn_for_dedicated_rp
+ ```
+
+1. Deploy AKS by running these commands from the ARO-RP root directory:
+ ```bash
+ source ./hack/devtools/deploy-shared-env.sh
+ deploy_aks_dev
+ ```
+ > __NOTE:__ If the AKS deployment fails with missing RP VNETs, delete the "gateway-production-predeploy" deployment in the gateway resource group, and re-run `make deploy` and then re-run `deploy_aks_dev`.
+
+1. Install Hive into AKS
+ 1. Download the VPN config. Please note that this action will _**OVER WRITE**_ the `secrets/vpn-$LOCATION.ovpn` on your local machine. **DO NOT** run `make secrets-update` after doing this, as you will overwrite existing config, until such time as you have run `make secrets` to get the config restored.
+ ```bash
+ vpn_configuration
+ ```
+
+ 1. 
Connect to the Dev VPN in a new terminal:
+ ```bash
+ sudo openvpn secrets/vpn-$LOCATION.ovpn
+ ```
+
+ 1. Now that your machine is able access the AKS cluster, you can deploy Hive:
+ ```bash
+ make aks.kubeconfig
+ ./hack/hive-generate-config.sh
+ KUBECONFIG=$(pwd)/aks.kubeconfig ./hack/hive-dev-install.sh
+ ```
 1. Mirror the OpenShift images to your new ACR
@@ -57,6 +88,10 @@
 ```bash
 go run -tags aro ./cmd/aro mirror latest
 ```
+ If you are going to test or work with multi-version installs, then you should mirror any additional versions as well, for example for 4.11.21 it would be
+ ```bash
+ go run -tags aro ./cmd/aro mirror 4.11.21
+ ```
 1. Push the ARO and Fluentbit images to your ACR
diff --git a/hack/devtools/deploy-shared-env.sh b/hack/devtools/deploy-shared-env.sh
index 990eecec4..70ad7dbf1 100644
--- a/hack/devtools/deploy-shared-env.sh
+++ b/hack/devtools/deploy-shared-env.sh
@@ -81,6 +81,16 @@ deploy_aks_dev() {
 "sshRSAPublicKey=$(/dev/null
 }
+deploy_vpn_for_dedicated_rp() {
+ echo "########## Deploying Dev VPN in RG $RESOURCEGROUP ##########"
+ az deployment group create \
+ -g "$RESOURCEGROUP" \
+ -n dev-vpn \
+ --template-file pkg/deploy/assets/vpn-development.json \
+ --parameters \
+ "vpnCACertificate=$(base64 -w0 /dev/null
+}
+
 deploy_env_dev_override() {
 echo "########## Deploying env-development in RG $RESOURCEGROUP ##########"
 az deployment group create \
diff --git a/pkg/deploy/assets/vpn-development.json b/pkg/deploy/assets/vpn-development.json
new file mode 100644
index 000000000..29dc0ba0f
--- /dev/null
+++ b/pkg/deploy/assets/vpn-development.json
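Review bot: `deploy_vpn_for_dedicated_rp` calls `az deployment group create` even when the command substitution that builds `vpnCACertificate` expands to nothing (the input file path is lost in this rendering, but `$(base64 -w0 …)` on a missing or empty file yields an empty string), and because the new template defaults that parameter to `""` the gateway is submitted with no client root certificate; I have not verified whether the service then rejects the deployment with an opaque validation error or creates a gateway with nothing to validate clients against, but either way the failure surfaces late and far from its cause. Fail fast before the call: `[[ -s "<path-to-vpn-ca-cert>" ]] || { echo "VPN CA certificate file missing or empty" >&2; return 1; }`. A one-line comment above the function saying it must be sourced from the repository root, as the docs instruct, would also help, since `--template-file pkg/deploy/assets/vpn-development.json` is a relative path.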
@@ -0,0 +1,101 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "publicIPAddressSkuName": {
+ "type": "string",
+ "defaultValue": "Standard"
+ },
+ "publicIPAddressAllocationMethod": {
+ "type": "string",
+ "defaultValue": "Static"
+ },
+ "vpnCACertificate": {
+ "type": "string",
+ "defaultValue": ""
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Network/publicIPAddresses",
+ "apiVersion": "2020-08-01",
+ "name": "dev-vpn-pip",
+ "location": "[resourceGroup().location]",
+ "sku": {
+ "name": "[parameters('publicIPAddressSkuName')]"
+ },
+ "properties": {
+ "publicIPAllocationMethod": "[parameters('publicIPAddressAllocationMethod')]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2020-08-01",
+ "name": "dev-vpn-vnet",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "10.2.0.0/24"
+ ]
+ },
+ "subnets": [
+ {
+ "properties": {
+ "addressPrefix": "10.2.0.0/24"
+ },
+ "name": "GatewaySubnet"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Network/virtualNetworkGateways",
+ "apiVersion": "2020-08-01",
+ "name": "dev-vpn",
+ "location": "[resourceGroup().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/publicIPAddresses', 'dev-vpn-pip')]",
+ "[resourceId('Microsoft.Network/virtualNetworks', 'dev-vpn-vnet')]"
+ ],
+ "properties": {
+ "ipConfigurations": [
+ {
+ "properties": {
+ "subnet": {
+ "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'dev-vpn-vnet', 'GatewaySubnet')]"
+ },
+ "publicIPAddress": {
+ "id": "[resourceId('Microsoft.Network/publicIPAddresses', 'dev-vpn-pip')]"
+ }
+ },
+ "name": "default"
+ }
+ ],
+ "vpnType": "RouteBased",
+ "sku": {
+ "name": "VpnGw1",
+ "tier": "VpnGw1"
+ },
+ "vpnClientConfiguration": {
+ "vpnClientAddressPool": {
+ "addressPrefixes": [
+ "192.168.255.0/24"
+ ]
+ },
+ "vpnClientRootCertificates": [
+ {
+ "properties": {
+ "publicCertData": "[parameters('vpnCACertificate')]"
+ },
+ "name": "dev-vpn-ca"
+ }
+ ],
+ "vpnClientProtocols": [
+ "OpenVPN"
+ ]
+ }
+ }
+ }
+ ]
+}
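Review bot: `vpnCACertificate` is declared with `"defaultValue": ""`, so the template validates and deploys with no root certificate when the caller omits the parameter, and that value is the only thing deciding which client certificates this gateway trusts; it should be a required parameter. Replace the `"defaultValue": ""` line with `"minLength": 1` and add `"metadata": { "description": "Public certificate data of the CA that issues dev VPN client certificates" }`, ideally noting in that description the encoding `publicCertData` expects (base64-encoded DER rather than a PEM file, which is worth confirming against the deploy script that produces it). The two public-IP parameters would also benefit from a `metadata.description` each so the template is self-describing. The VNet `10.2.0.0/24` is created stand-alone here with nothing peering it to the AKS network; presumably that wiring lives in another template, and the docs should say so rather than leaving it implicit.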