Azure
/
Azure-Orbital-STAC
зеркало из https://github.com/Azure/Azure-Orbital-STAC.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Orbital-STAC/deploy/scripts/configure.sh

510 строки
22 KiB
Bash
Executable File
Исходник Постоянная ссылка Ответственный История

#!/usr/bin/env bash
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT license.
PRJ_ROOT="$(cd `dirname "${BASH_SOURCE}"`/../..; pwd)"
ENV_CODE=${1:-${ENV_CODE}}
LE_EMAIL_ADDRESS=${2:-${LE_EMAIL_ADDRESS}}
[[ -z "$ENV_CODE" ]] && { echo "Environment Code value not supplied"; exit 1; }
[[ -z "$LE_EMAIL_ADDRESS" ]] && { echo "Let's Encrypt e-mail address (LE_EMAIL_ADDRESS) not specified"; exit 1; }
set -a
set -e
ENV_NAME=${ENV_NAME:-"stac-${ENV_CODE}"}
MONITORING_RESOURCE_GROUP=${MONITORING_RESOURCE_GROUP:-"${ENV_CODE}-monitoring-rg"}
VNET_RESOURCE_GROUP=${VNET_RESOURCE_GROUP:-"${ENV_CODE}-vnet-rg"}
DATA_RESOURCE_GROUP=${DATA_RESOURCE_GROUP:-"${ENV_CODE}-data-rg"}
PROCESSING_RESOURCE_GROUP=${PROCESSING_RESOURCE_GROUP:-"${ENV_CODE}-processing-rg"}
UAMI=${UAMI:-"${ENV_CODE}-stacaks-mi"}
AKS_NAMESPACE=${AKS_NAMESPACE:-"pgstac"}
AKS_INGRESS_NAMESPACE=${AKS_INGRESS_NAMESPACE:-"ingress"}
ENV_LABEL=${ENV_LABEL:-"stacpool"} # aks agent pool name to deploy kubectl deployment yaml files
AKS_SERVICE_ACCOUNT_NAME=${AKS_SERVICE_ACCOUNT_NAME:-'stac-svc-acct'}
FEDERATED_IDENTITY_NAME="stacaksfederatedidentity"
SUBSCRIPTION=$(az account show --query id -o tsv)
AZURE_APP_INSIGHTS=$(az resource list -g $MONITORING_RESOURCE_GROUP --resource-type "Microsoft.Insights/components" \
--query "[?tags.environment && tags.environment == '$ENV_NAME'].name" -o tsv)
AZURE_LOG_CONNECTION_STRING=$(az resource show \
-g $MONITORING_RESOURCE_GROUP \
--resource-type Microsoft.Insights/components \
-n ${AZURE_APP_INSIGHTS} \
--query "properties.ConnectionString" -o tsv)
DATA_STORAGE_ACCOUNT_NAME=$(az storage account list \
--query "[?tags.store && tags.store == 'data'].name" -o tsv -g ${DATA_RESOURCE_GROUP})
DATA_STORAGE_ACCOUNT_KEY=$(az storage account keys list \
--account-name ${DATA_STORAGE_ACCOUNT_NAME} --resource-group ${DATA_RESOURCE_GROUP} \
--query "[0].value" -o tsv)
DATA_STORAGE_ACCOUNT_CONNECTION_STRING=$(az storage account show-connection-string \
--resource-group $DATA_RESOURCE_GROUP \
--name $DATA_STORAGE_ACCOUNT_NAME \
| jq -r ".connectionString")
DATA_STORAGE_ACCOUNT_BLOB_ENDPOINT=$(az storage account show -n $DATA_STORAGE_ACCOUNT_NAME \
--query primaryEndpoints.blob -otsv)
DATA_STORAGE_ACCOUNT_BLOB_DOMAIN=${DATA_STORAGE_ACCOUNT_BLOB_ENDPOINT#https://}
DATA_STORAGE_ACCOUNT_BLOB_DOMAIN=${DATA_STORAGE_ACCOUNT_BLOB_DOMAIN%%/*}
AKS_RESOURCE_GROUP=${AKS_RESOURCE_GROUP:-${PROCESSING_RESOURCE_GROUP}}
AKS_CLUSTER_NAME=$(az aks list -g ${AKS_RESOURCE_GROUP} \
--query "[?tags.type && tags.type == 'k8s'].name" -otsv)
ACR_DNS=$(az acr list -g ${PROCESSING_RESOURCE_GROUP} \
--query "[?tags.environment && tags.environment == '$ENV_NAME'].loginServer" -otsv)
AKS_OIDC_ISSUER="$(az aks show --resource-group ${AKS_RESOURCE_GROUP} \
--name ${AKS_CLUSTER_NAME} --query "oidcIssuerProfile.issuerUrl" -o tsv)"
AKS_POD_CIDR="$(az aks show -g $AKS_RESOURCE_GROUP -n $AKS_CLUSTER_NAME \
--query networkProfile.podCidr -o tsv)"
USER_ASSIGNED_CLIENT_ID="$(az identity show -g ${PROCESSING_RESOURCE_GROUP} \
--name $UAMI --query 'clientId' -o tsv)"
IDENTITY_TENANT=$(az aks show --name ${AKS_CLUSTER_NAME} \
--resource-group ${PROCESSING_RESOURCE_GROUP} --query identity.tenantId -o tsv)
az identity federated-credential create --name ${FEDERATED_IDENTITY_NAME} \
--identity-name $UAMI \
--resource-group ${PROCESSING_RESOURCE_GROUP} \
--issuer ${AKS_OIDC_ISSUER} \
--subject system:serviceaccount:${AKS_NAMESPACE}:${AKS_SERVICE_ACCOUNT_NAME} \
-o none
SERVICE_BUS_NAMESPACE=$(az servicebus namespace list \
-g ${DATA_RESOURCE_GROUP} --query "[?tags.environment && tags.environment == '$ENV_NAME'].name" -otsv)
STAC_METADATA_TYPE_NAME=${STAC_METADATA_TYPE_NAME:-"fgdc"}
COLLECTION_ID=${COLLECTION_ID:-"naip"}
JPG_EXTENSION=${JPG_EXTENSION:-"200.jpg"}
XML_EXTENSION=${XML_EXTENSION:-"aux.xml"}
REPLICAS=${REPLICAS:-"3"}
POD_CPU=${POD_CPU:-"0.5"}
POD_MEMORY=${POD_MEMORY:-"2Gi"}
GENERATE_STAC_JSON_IMAGE_NAME=${GENERATE_STAC_JSON_IMAGE_NAME:-"generate-stac-json"}
DATA_STORAGE_PGSTAC_CONTAINER_NAME=${DATA_STORAGE_PGSTAC_CONTAINER_NAME:-"pgstac"}
ENV_LABLE=${ENV_LABLE:-"stacpool"} # aks agent pool name to deploy kubectl deployment yaml files
SERVICE_BUS_AUTH_POLICY_NAME=${SERVICE_BUS_AUTH_POLICY_NAME:-"RootManageSharedAccessKey"}
SERVICE_BUS_CONNECTION_STRING=$(az servicebus namespace authorization-rule keys list \
--resource-group ${DATA_RESOURCE_GROUP} \
--namespace-name ${SERVICE_BUS_NAMESPACE} \
--name ${SERVICE_BUS_AUTH_POLICY_NAME} \
--query "primaryConnectionString" -otsv)
STAC_EVENT_CONSUMER_IMAGE_NAME=${STAC_EVENT_CONSUMER_IMAGE_NAME:-"stac-event-consumer"}
PGSTAC_SERVICE_BUS_TOPIC_NAME=${PGSTAC_SERVICE_BUS_TOPIC_NAME:-"pgstactopic"}
PGSTAC_SERVICE_BUS_TOPIC_AUTH_POLICY_NAME=${PGSTAC_SERVICE_BUS_TOPIC_AUTH_POLICY_NAME:-"pgstacpolicy"}
PGSTAC_SERVICE_BUS_SUBSCRIPTION_NAME=${PGSTAC_SERVICE_BUS_SUBSCRIPTION_NAME:-"pgstacsubscription"}
PGSTAC_SERVICE_BUS_CONNECTION_STRING=$(az servicebus topic authorization-rule keys list \
--resource-group ${DATA_RESOURCE_GROUP} \
--namespace-name ${SERVICE_BUS_NAMESPACE} \
--topic ${PGSTAC_SERVICE_BUS_TOPIC_NAME} \
--name ${PGSTAC_SERVICE_BUS_TOPIC_AUTH_POLICY_NAME} \
--query "primaryConnectionString" -otsv)
GENERATED_STAC_STORAGE_CONTAINER_NAME=${GENERATED_STAC_STORAGE_CONTAINER_NAME:-"generatedstacjson"}
KEY_VAULT_NAME=$(az keyvault list --query "[?tags.environment && tags.environment == '$ENV_NAME'].name" -o tsv -g $DATA_RESOURCE_GROUP)
PGHOST=$(az postgres flexible-server list --resource-group $DATA_RESOURCE_GROUP --query '[].fullyQualifiedDomainName' -o tsv)
PGHOSTONLY=$(az postgres flexible-server list --resource-group $DATA_RESOURCE_GROUP --query '[].name' -o tsv)
PGUSER=$(az postgres flexible-server list --resource-group $DATA_RESOURCE_GROUP --query '[].administratorLogin' -o tsv)
PGPASSWORD_SECRET_NAME=${PGPASSWORD_SECRET_NAME:-"PGAdminLoginPass"}
PGPASSWORD=$(az keyvault secret show --vault-name $KEY_VAULT_NAME --name $PGPASSWORD_SECRET_NAME --query value -o tsv)
PGDATABASE=${PGDATABASE:-"postgres"}
PGPORT=${PGPORT:-"5432"}
STACIFY_STORAGE_CONTAINER_NAME=${STACIFY_STORAGE_CONTAINER_NAME:-"stacify"}
STACIFY_SERVICE_BUS_TOPIC_NAME=${STACIFY_SERVICE_BUS_TOPIC_NAME:-"stacifytopic"}
STACIFY_SERVICE_BUS_TOPIC_AUTH_POLICY_NAME=${STACIFY_SERVICE_BUS_TOPIC_AUTH_POLICY_NAME:-"stacifypolicy"}
STACIFY_SERVICE_BUS_SUBSCRIPTION_NAME=${STACIFY_SERVICE_BUS_SUBSCRIPTION_NAME:-"stacifysubscription"}
STACIFY_SERVICE_BUS_CONNECTION_STRING=$(az servicebus topic authorization-rule keys list \
--resource-group ${DATA_RESOURCE_GROUP} \
--namespace-name ${SERVICE_BUS_NAMESPACE} \
--topic ${STACIFY_SERVICE_BUS_TOPIC_NAME} \
--name ${STACIFY_SERVICE_BUS_TOPIC_AUTH_POLICY_NAME} \
--query "primaryConnectionString" -otsv)
STAC_COLLECTION_IMAGE_NAME=${STAC_COLLECTION_IMAGE_NAME:-"stac-collection"}
STACCOLLECTION_STORAGE_CONTAINER_NAME=${STACCOLLECTION_STORAGE_CONTAINER_NAME:-"staccollection"}
STACCOLLECTION_SERVICE_BUS_TOPIC_NAME=${STACCOLLECTION_SERVICE_BUS_TOPIC_NAME:-"staccollectiontopic"}
STACCOLLECTION_SERVICE_BUS_AUTH_POLICY_NAME=${STACCOLLECTION_SERVICE_BUS_AUTH_POLICY_NAME:-"staccollectionpolicy"}
STACCOLLECTION_SERVICE_BUS_SUBSCRIPTION_NAME=${STACCOLLEcTION_SERVICE_BUS_SUBSCRIPTION_NAME:-"staccollectionsubscription"}
STACCOLLECTION_SERVICE_BUS_CONNECTION_STRING=$(az servicebus topic authorization-rule keys list \
--resource-group ${DATA_RESOURCE_GROUP} \
--namespace-name ${SERVICE_BUS_NAMESPACE} \
--topic ${STACCOLLECTION_SERVICE_BUS_TOPIC_NAME} \
--name ${STACCOLLECTION_SERVICE_BUS_AUTH_POLICY_NAME} \
--query "primaryConnectionString" -otsv)
INGRESS_PUBLIC_IP_ADDR=$(az network public-ip show -g $PROCESSING_RESOURCE_GROUP \
-n ${ENV_CODE}-stac-ingress-public-ip --query ipAddress -o tsv)
INGRESS_FQDN=$(az network public-ip show -g $PROCESSING_RESOURCE_GROUP -n ${ENV_CODE}-stac-ingress-public-ip \
--query dnsSettings.fqdn -o tsv)
DNS_LABEL_NAME=${INGRESS_FQDN%%.*}
set +a
echo 'enabling POSTGIS,BTREE_GIST in postgres'
az postgres flexible-server \
parameter set \
--resource-group $DATA_RESOURCE_GROUP --server-name $PGHOSTONLY \
--subscription $SUBSCRIPTION --name azure.extensions --value POSTGIS,BTREE_GIST \
-o none
az aks get-credentials --admin --resource-group ${AKS_RESOURCE_GROUP} \
--name ${AKS_CLUSTER_NAME} --context ${AKS_CLUSTER_NAME} --overwrite-existing \
-o none
kubectl config set-context ${AKS_CLUSTER_NAME}
NS=$(kubectl get namespace $AKS_NAMESPACE --ignore-not-found);
if [[ "$NS" ]]; then
echo "Skipping creation of ${AKS_NAMESPACE} namespace in k8s cluster as it already exists"
else
echo "Creating ${AKS_NAMESPACE} namespace in k8s cluster"
kubectl create namespace ${AKS_NAMESPACE}
fi;
echo "Install KEDA"
helm repo add kedacore https://kedacore.github.io/charts || true
helm repo update
[[ -z "$(kubectl get namespace keda --ignore-not-found)" ]] && kubectl create namespace keda
helm upgrade --install keda kedacore/keda --namespace keda
# Deploy a dummy workload to work around issue https://github.com/kedacore/keda/issues/4224
cat <<"EOF" | kubectl apply -n keda -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: dummy-workload
spec:
replicas: 0
selector:
matchLabels:
app: dummy-workload
template:
metadata:
labels:
app: dummy-workload
spec:
containers:
- name: dummy
image: busybox
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
name: dummy-workload
spec:
scaleTargetRef:
name: dummy-workload
minReplicaCount: 0
maxReplicaCount: 1
triggers:
- type: cron
metadata:
timezone: Etc/UTC
start: 30 * * * *
end: 45 * * * *
desiredReplicas: "0"
EOF
kubectl -n keda wait --for=condition=Ready ScaledObject/dummy-workload --timeout=3m
sleep 10
echo "Deploying stac-scaler chart to Kubernetes Cluster"
helm upgrade --install stac-scaler ${PRJ_ROOT}/deploy/helm/stac-scaler \
--namespace ${AKS_NAMESPACE} \
--create-namespace \
--set envCode=${ENV_CODE} \
--set repository=${ACR_DNS} \
--set userAssignedClientId=${USER_ASSIGNED_CLIENT_ID} \
--set serviceAccountName=${AKS_SERVICE_ACCOUNT_NAME} \
--set keyVaultName=${KEY_VAULT_NAME} \
--set tenantId=${IDENTITY_TENANT} \
--set cloudName=$(az cloud show --query name -otsv) \
--set processors.staccollection.env.DATA_STORAGE_ACCOUNT_NAME=${DATA_STORAGE_ACCOUNT_NAME} \
--set processors.staccollection.env.STACCOLLECTION_STORAGE_CONTAINER_NAME=${STACCOLLECTION_STORAGE_CONTAINER_NAME} \
--set processors.staccollection.env.PGHOST=${PGHOST} \
--set processors.staccollection.env.PGUSER=${PGUSER} \
--set processors.staccollection.env.PGDATABASE=${PGDATABASE} \
--set processors.staceventconsumer.env.DATA_STORAGE_ACCOUNT_NAME=${DATA_STORAGE_ACCOUNT_NAME} \
--set processors.staceventconsumer.env.GENERATED_STAC_STORAGE_CONTAINER_NAME=${GENERATED_STAC_STORAGE_CONTAINER_NAME} \
--set processors.staceventconsumer.env.DATA_STORAGE_PGSTAC_CONTAINER_NAME=${DATA_STORAGE_PGSTAC_CONTAINER_NAME} \
--set processors.staceventconsumer.env.PGHOST=${PGHOST} \
--set processors.staceventconsumer.env.PGUSER=${PGUSER} \
--set processors.staceventconsumer.env.PGDATABASE=${PGDATABASE} \
--set processors.generatestacjson.env.DATA_STORAGE_ACCOUNT_NAME=${DATA_STORAGE_ACCOUNT_NAME} \
--set processors.generatestacjson.env.STACIFY_STORAGE_CONTAINER_NAME=${STACIFY_STORAGE_CONTAINER_NAME} \
--set processors.generatestacjson.env.GENERATED_STAC_STORAGE_CONTAINER_NAME=${GENERATED_STAC_STORAGE_CONTAINER_NAME} \
--set processors.generatestacjson.env.DATA_STORAGE_PGSTAC_CONTAINER_NAME=${DATA_STORAGE_PGSTAC_CONTAINER_NAME} \
--set processors.generatestacjson.env.STAC_METADATA_TYPE_NAME=${STAC_METADATA_TYPE_NAME} \
--set stacfastapi.image.repository=${ACR_DNS} \
--set stacfastapi.env.POSTGRES_HOST_READER=${PGHOST} \
--set stacfastapi.env.POSTGRES_HOST_WRITER=${PGHOST} \
--set stacfastapi.env.POSTGRES_USER=${PGUSER} \
--set stacfastapi.env.PGUSER=${PGUSER} \
--set stacfastapi.env.PGHOST=${PGHOST} \
--set stacfastapi.blobStoreEndpoint=${DATA_STORAGE_ACCOUNT_BLOB_ENDPOINT} \
--set stacfastapi.hostname=${INGRESS_FQDN} \
--set stacfastapi.clusterIssuer=letsencrypt
echo "Deploying stac-browser chart to Kubernetes Cluster"
helm upgrade --install stac-browser ${PRJ_ROOT}/deploy/helm/stac-browser \
--namespace ${AKS_NAMESPACE} \
--create-namespace \
--set envCode=${ENV_CODE} \
--set repository=${ACR_DNS} \
--set hostname=${INGRESS_FQDN} \
--set clusterIssuer=letsencrypt
# Add helm repos for the nginx ingress controller and cert-manager
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo add jetstack https://charts.jetstack.io
helm repo update
# Install the cert-manager Helm chart (for letsencrypt certificates)
echo "Installing cert-manager"
kubectl create namespace $AKS_INGRESS_NAMESPACE
kubectl label namespace $AKS_INGRESS_NAMESPACE cert-manager.io/disable-validation=true
helm upgrade --install cert-manager jetstack/cert-manager \
--create-namespace \
--namespace $AKS_INGRESS_NAMESPACE \
--set installCRDs=true \
--set nodeSelector."kubernetes\.io/os"=linux
# Create a ClusterIssuer to issue certificates from Lets Encrypt
cat <<EOF | kubectl apply -n $AKS_INGRESS_NAMESPACE -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: $LE_EMAIL_ADDRESS
privateKeySecretRef:
name: letsencrypt-private-key
solvers:
- http01:
ingress:
class: nginx
podTemplate:
spec:
nodeSelector:
"kubernetes.io/os": linux
EOF
# Wait for the cert-manager pods to be ready
echo "Waiting for cert-manager deployment to be ready..."
kubectl -n $AKS_INGRESS_NAMESPACE wait --timeout=5m \
--for=condition=Ready pod \
--selector=app.kubernetes.io/name=cert-manager
# Create a long-lived SAS token for reading from the storage account and store it in keyvault.
# The nginx ingress controller will use this for accessing the storage account via proxy
# by appending the SAS token to the URL when sending to the backend server.
SAS_TOKEN=$(az storage account generate-sas \
--resource-types sco --services b --permissions flpr \
--expiry "2037-12-31T23:59Z" \
--https-only \
--account-name $DATA_STORAGE_ACCOUNT_NAME \
--account-key $DATA_STORAGE_ACCOUNT_KEY \
-otsv)
az keyvault secret set \
--vault-name $KEY_VAULT_NAME \
--name StorageAccountReadSASToken \
--value $SAS_TOKEN \
-o none
##
## Install the nginx ingress controller, configured with the CSI secret store
## driver to access the Azure Storage Account SAS token.
##
# Create a secret provider to access the Azure Storage Account SAS token
cat <<EOF | kubectl apply -n $AKS_INGRESS_NAMESPACE -f -
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: k8s-nginx-ingress-secrets
spec:
provider: azure
secretObjects:
- secretName: azure-secrets
type: Opaque
data:
- key: StorageAccountReadSASToken
objectName: StorageAccountReadSASToken
parameters:
usePodIdentity: "false"
useVMManagedIdentity: "false"
# The client ID of the user-assigned managed identity or application that is
# used for workload identity, and to access the keyvault.
clientID: $USER_ASSIGNED_CLIENT_ID
keyvaultName: $KEY_VAULT_NAME
tenantID: $IDENTITY_TENANT
cloudName: $(az cloud show --query name -otsv)
objects: |
array:
- |
objectName: StorageAccountReadSASToken
objectType: secret
EOF
RELEASE_NAME=ingress-nginx
# Create the credential to allow the ingress controller to use the managed identity
# to access secrets in the keyvault.
echo "Creating a federated credential for the ingress controller to access the managed identity $UAMI"
az identity federated-credential create --name nginx-ingress-access-$AKS_NAME \
--identity-name $UAMI \
--resource-group $PROCESSING_RESOURCE_GROUP \
--issuer $AKS_OIDC_ISSUER \
--subject system:serviceaccount:$AKS_INGRESS_NAMESPACE:$RELEASE_NAME \
-o none
helm upgrade --install $RELEASE_NAME ingress-nginx/ingress-nginx \
--namespace $AKS_INGRESS_NAMESPACE \
--create-namespace \
--set controller.replicaCount=2 \
--set controller.nodeSelector."kubernetes\.io/os"=linux \
--set defaultBackend.nodeSelector."kubernetes\.io/os"=linux \
--set serviceAccount.annotations."azure\.workload\.identity/client-id"=$USER_ASSIGNED_CLIENT_ID \
--set controller.config.proxy-buffer-size=32k \
--set controller.config.main-snippet="env STORAGE_SAS_TOKEN;" \
--set controller.config.http-snippet="geo \$internal_user { $AKS_POD_CIDR 1; }" \
--set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux \
--set controller.service.externalTrafficPolicy=Local \
--set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-resource-group"="$PROCESSING_RESOURCE_GROUP" \
--set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"="$DNS_LABEL_NAME" \
--set controller.service.loadBalancerIP=$INGRESS_PUBLIC_IP_ADDR \
--set controller.image.repository=mcr.microsoft.com/oss/kubernetes/ingress/nginx-ingress-controller \
--set controller.image.tag=v1.7.0-3 \
--set controller.image.digest=sha256:29ad700988b2dd3e7b9b130c2625f24d5b5eae7420e3dfd6dee579a730ecbb1c \
--set "controller.extraVolumeMounts[0].name=secrets-store-inline" \
--set "controller.extraVolumeMounts[0].mountPath=/mnt/secrets-store" \
--set "controller.extraVolumeMounts[0].readOnly=true" \
--set "controller.extraVolumes[0].name=secrets-store-inline" \
--set "controller.extraVolumes[0].csi.driver=secrets-store.csi.k8s.io" \
--set "controller.extraVolumes[0].csi.readOnly=true" \
--set "controller.extraVolumes[0].csi.volumeAttributes.secretProviderClass=k8s-nginx-ingress-secrets" \
--set "controller.extraEnvs[0].name=STORAGE_SAS_TOKEN" \
--set "controller.extraEnvs[0].valueFrom.secretKeyRef.name=azure-secrets" \
--set "controller.extraEnvs[0].valueFrom.secretKeyRef.key=StorageAccountReadSASToken"
# Helm creates the service account, but there's no way to add the label we need to it.
# Add that manually after the fact.
kubectl label -n $AKS_INGRESS_NAMESPACE sa/$RELEASE_NAME azure.workload.identity/use="true"
# Wait for the ingress controller to be ready
echo "Waiting for ingress controller to be ready..."
kubectl -n $AKS_INGRESS_NAMESPACE wait --timeout=5m \
--for=condition=Ready pod \
--selector=app.kubernetes.io/name=$RELEASE_NAME
# Deploy the ingress for the blob store proxy that forwards requests
# to storage with a SAS token appended.
cat <<EOF | kubectl -n $AKS_NAMESPACE apply -f -
---
kind: Service
apiVersion: v1
metadata:
name: blobstore-proxy
spec:
type: ExternalName
externalName: $DATA_STORAGE_ACCOUNT_BLOB_DOMAIN
ports:
- port: 443
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: blobstore-proxy
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /\$1
nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/upstream-vhost: "$DATA_STORAGE_ACCOUNT_BLOB_DOMAIN"
# Rewrite URI to include SAS token (note, the query separator has to be
# in the rewrite statement, and not as part of the SAS token)
# TODO: handle URLs that might already have a query string
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_cache off;
rewrite (.*) \$1?\$storage_sas_token;
# Reads the SAS token from the STORAGE_SAS_TOKEN environment variable and
# sets as an nginx variable so we can use it in the rewrite statement. Note
# that this relies on the server configmap containing a main-snippet with an
# "env STORAGE_SAS_TOKEN" statement to ensure nginx inherits that env variable
# from its parent.
nginx.ingress.kubernetes.io/server-snippet: |
set_by_lua_block \$storage_sas_token { return os.getenv("STORAGE_SAS_TOKEN") }
spec:
ingressClassName: nginx
tls:
- hosts:
- $INGRESS_FQDN
secretName: stac-certificate
rules:
- host: $INGRESS_FQDN
http:
paths:
- path: /blobstore/(.*)
pathType: Prefix
backend:
service:
name: blobstore-proxy
port:
number: 443
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: stac-browser
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /\$2
spec:
ingressClassName: nginx
tls:
- hosts:
- $INGRESS_FQDN
secretName: stac-certificate
rules:
- host: $INGRESS_FQDN
http:
paths:
- path: /browser(/|$)(.*)
pathType: Prefix
backend:
service:
name: stac-browser
port:
number: 8080
EOF
# Deploy the auth proxy if selected
[[ -n "$SECURE_STAC_ENDPOINTS" ]] && $PRJ_ROOT/deploy/scripts/secure-stac-endpoints.sh
cat <<EOF
**** The STAC API is available at: https://$INGRESS_FQDN/api/
The TLS certificate may not have been issued yet, so you may see a warning in your browser.
If you wish to wait, you can run the following command to wait until the certificate is ready:
kubectl -n $AKS_NAMESPACE wait --timeout=10m --for=condition=Ready certificate stac-certificate
If this command times out, then it is possible there was an error with cert generation. You can
inspect the cert-manager logs to see if there was an error:
kubectl -n $AKS_INGRESS_NAMESPACE logs -l app=cert-manager
EOF
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку