add aks-engine docs

aks-engine/README.md

@@ -0,0 +1,92 @@
+# Microsoft aks-engine deployment guide on Azure China
+
+The Azure Container Service Engine (aks-engine) generates ARM (Azure Resource Manager) templates for Docker enabled clusters on Microsoft Azure with your choice of DCOS, Kubernetes, or Swarm orchestrators. The input to aks-engine is a cluster definition file which describes the desired cluster, including orchestrator, features, and agents. The structure of the input files is very similar to the public API for Azure Container Service.
+
+
+## 1. download aks-engine binary
+* take aks-engine v0.31.0 as an example 
+```
+acs_version=v0.31.0
+wget https://mirror.azure.cn/kubernetes/aks-engine/$acs_version/aks-engine-$acs_version-linux-amd64.tar.gz
+tar -xvzf aks-engine-$acs_version-linux-amd64.tar.gz
+```
+> as an alternative, you could also [Build aks-engine from source](https://github.com/Azure/aks-engine/blob/master/docs/acsengine.zh-CN.md)
+
+
+## 2. Generate an SSH Key 
+In addition to using Kubernetes APIs to interact with the clusters, cluster operators may access the master and agent machines using SSH. If you don't have an SSH key [cluster operators may generate a new one](https://github.com/Azure/aks-engine/blob/master/docs/ssh.md#ssh-key-generation).
+```
+ssh-keygen -t rsa
+```
+
+## 3. [Install azure-cli](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)
+```
+sudo su
+echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ wheezy main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
+apt-key adv --keyserver packages.microsoft.com --recv-keys 417A0893
+apt-get install -y apt-transport-https
+apt-get update
+apt-get install -y azure-cli
+```
+
+## 4. Create a Service Principle
+Kubernetes clusters have integrated support for various cloud providers as core functionality. On Azure, aks-engine uses a Service Principal to interact with Azure Resource Manager (ARM). Follow the instructions to [create a new service principal](https://github.com/Azure/aks-engine/blob/master/docs/serviceprincipal.md).
+```
+az cloud set -n AzureChinaCloud
+az login
+az account set --subscription="${SUBSCRIPTION_ID}" #if there is only one subscription, this step is optional
+az ad sp create-for-rbac -n RBAC_NAME --role="Contributor" --scopes="/subscriptions/{subs-id}"
+```
+
+## 5. Clone & edit kubernetes cluster definition file [example/kubernetes.json](https://raw.githubusercontent.com/Azure/aks-engine/master/examples/kubernetes.json)
+Acs-engine consumes a [cluster definition](https://github.com/Azure/aks-engine/blob/master/docs/clusterdefinition.md) which outlines the desired shape, size, and configuration of Kubernetes. There are a number of features that can be enabled through the cluster definition:
+* adminUsername - change username for agent nodes
+* dnsPrefix - must be a region-unique name and will form part of the hostname (e.g. myprod1, staging, leapingllama) 
+* keyData - must contain the public portion of an SSH key - this will be associated with the adminUsername value found in the same section of the cluster definition (e.g. 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA....')
+* clientId - this is the service principal's appId uuid or name from step 4
+* secret - this is the service principal's password or randomly-generated password from step 4
+* add location definition `"location": "chinaeast",` behind `apiVersion: "vlabs"`
+> specify `location` as (`chinaeast`, `chinanorth`, `chinaeast2`, `chinanorth2`) in cluster defination file
+
+## 6. Generate ARM templates
+Run `./aks-engine generate kubernetes.json` command to generate a number of files that may be submitted to ARM. By default, generate will create a new directory(naming as `dnsPrefix`) after your cluster nested in the `_output` directory. The generated files include:
+* apimodel.json - is an expanded version of the cluster definition provided to the generate command. All default or computed values will be expanded during the generate phase
+* azuredeploy.json - represents a complete description of all Azure resources required to fulfill the cluster definition from apimodel.json
+* azuredeploy.parameters.json - the parameters file holds a series of custom variables which are used in various locations throughout azuredeploy.json
+* certificate and access config files - orchestrators like Kubernetes require certificates and additional configuration files (e.g. Kubernetes apiserver certificates and kubeconfig)
+
+## 7. Deploy K8S cluster with ARM
+[Deploy the output azuredeploy.json and azuredeploy.parameters.json](https://github.com/Azure/aks-engine/blob/master/docs/acsengine.md#deployment-usage)
+```
+# create a resource group first
+RESOURCE_GROUP_NAME=demo-k8s
+az group create -l chinaeast -n $RESOURCE_GROUP_NAME
+
+# deploy ARM template
+dnsPrefix=demo-k8s
+az group deployment create \
+    --name="$dnsPrefix" \
+    --resource-group=$RESOURCE_GROUP_NAME \
+    --template-file="./_output/$dnsPrefix/azuredeploy.json" \
+    --parameters "@./_output/$dnsPrefix/azuredeploy.parameters.json"
+```
+
+## 8. Verify the cluster status
+ - Log in to master node via SSH by 
+```
+ssh adminUsername@<master_node_fqdn>
+```
+> usually master_node_fqdn is `$dnsPrefix.$REGION.cloudapp.chinacloudapi.cn`
+
+ - run below command
+```
+kubectl get services --all-namespaces
+```
+> If all services(like kubernetes, heapster, kube-dns, kubernetes-dashboard, tiller-deploy) in `default` and `kube-system` namespaces are working fine, it indicates the cluster were installed correctly.
+
+## Tips
+ - [Config kubernetes dashboard (only for testing purpose)](./config-k8s-dashboard.md)
+ - If there is provision failure on the node, check following log file for diagnostics:
+```
+/var/log/azure/cluster-provision.log
+```

aks-engine/config-k8s-dashboard.md

@@ -0,0 +1,31 @@
+## Config kubernetes dashboard (only for testing purpose)
+ - Login to master node via SSH
+```
+ssh -i <path_to_id_rsa> <adminUsername>@<master_node_fqdn>
+```
+ - Download config_k8s_ui_http.sh script
+```
+curl -LO https://raw.githubusercontent.com/Azure/devops-sample-solution-for-azure-china/master-dev/acs-engine/config_k8s_ui_http.sh
+```
+ - Run following command:
+```
+bash config_k8s_ui_http.sh -c <cloud_name> -g <rg_name> -t <tenant_id> -i <app_id> -s <app_secret> -u <user_name> -p <user_pass>
+```
+Usages: 
+* -c [Cloud instance name, AzureCloud or AzureChinaCloud]"
+* -g [Resource group]"
+* -t [Service principal tenantId, e.g. 89e1b688-8d74-xxx-9680-54d0a43a4f0d ]"
+* -i [Service principal app id]"
+* -s [Service principal secret]"
+* -u [Kubernetes dashboard user name, default value is 'admin']"
+* -p [Kubernetes dashboard user password, default value is 'password']"
+
+ - Access dashboard via following link:
+```
+http://<master_node_fqdn>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
+```
+
+> You may hit access error when using kubernetes dashboard, run following command and refresh:
+> ```
+> kubectl create clusterrolebinding kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard
+> ```

aks-engine/config_k8s_ui_http.sh

@@ -0,0 +1,113 @@
+#!/bin/env bash
+
+# usages: run this script in k8s master node, then could access http://{master_dns}/ui to open k8s dashboard
+# sample: bash /path/to/script/config_k8s_ui_http.sh -c AzureChinaCloud -g <rg_name> -t <tenant_id> -i <app_id> -s <app_secret> -u <user_name> -p <user_pass>
+
+set -e
+
+function log() {
+    echo "$(date "+%Y-%m-%d %H:%M:%S") $1"
+}
+
+usage(){
+  echo "Invalid option: -$OPTARG"
+  echo "Usage: deploy-docker-registry -c [Cloud instance name, AzureCloud or AzureChinaCloud]"
+  echo "                              -g [Resource group]"
+  echo "                              -t [Service principal tenant id, e.g. foo.onmicrosoft.com, bar.partner.onmschina.cn etc. ]"
+  echo "                              -i [Service principal app id]"
+  echo "                              -s [Service principal secret]"
+  echo "                              -u [Kubernetes dashboard user name, default value is 'admin']"
+  echo "                              -p [Kubernetes dashboard user password, default value is 'password']"
+  exit 1
+}
+
+while getopts ":c:g:t:i:s:u:p:" opt; do
+  case $opt in
+    c)CLOUD_NAME=$OPTARG;;
+    g)RESOURCE_GROUP=$OPTARG;;
+    t)TENANT_ID=$OPTARG;;
+    i)APP_ID=$OPTARG;;
+    s)APP_SECRET=$OPTARG;;
+    u)USER_NAME=$OPTARG;;
+    p)USER_PASS=$OPTARG;;
+    *)usage;;
+  esac
+done
+
+function main() {
+    # ensure kubectl worked well
+    log "check kubectl version"
+    kubectl version
+
+    # install nginx in master node
+    log "install nginx"
+    sudo apt-get install -q -y nginx apache2-utils
+
+    # set username and password for k8s dashboard login
+    log "set user name and password"
+    admin_user="${USER_NAME:-admin}"
+    admin_pass="${USER_PASS:-password}"
+    echo "${admin_pass}" | sudo htpasswd -c -i /etc/nginx/.htpasswd "${admin_user}"
+
+    # set nginx site config
+    log "set nginx site config"
+    echo 'server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        server_name _;
+
+        location / {
+                   proxy_pass http://localhost:8080;
+                      auth_basic "Restrict Access";
+                   auth_basic_user_file /etc/nginx/.htpasswd;
+           }
+}' | sudo tee "/etc/nginx/sites-available/default"
+
+    # set proxy from local port 8080 to k8s dashboard
+    log "set kubectl proxy"
+    sudo sh -c 'nohup kubectl proxy --port=8080 > "/var/log/kubeproxy.log" 2>&1 &'
+
+    # activate nginx config
+    log "activate nginx config"
+    sudo systemctl reload nginx
+
+    # test
+    log "test nginx"
+    sleep 10
+    curl -L http://localhost/ui -u "${admin_user}:${admin_pass}"
+
+    # install azure cli 2.0
+    log "install azure cli 2.0"
+    echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ wheezy main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
+    sudo apt-key adv --keyserver packages.microsoft.com --recv-keys 417A0893
+    sudo apt-get install -q -y apt-transport-https
+    sudo apt-get update
+    sudo apt-get install -q -y azure-cli
+
+    # azure cli login
+    log "azure cli login"
+    az cloud set -n ${CLOUD_NAME:-AzureCloud}
+    az login --service-principal -u ${APP_ID} -p ${APP_SECRET} --tenant ${TENANT_ID}
+
+    # create nsg rule
+    log "create network security group rule"
+    nsg_rule_name="allow-http"
+    nsg_name=`hostname | sed "s/-0/-nsg/"`
+    az network nsg rule create -g "${RESOURCE_GROUP}"  -n "${nsg_rule_name}" --nsg-name "${nsg_name}" --priority 111 --protocol Tcp --destination-port-ranges 80
+
+    # create lb nat rule
+    nat_rule_name="allow-master-http"
+    log "create load balancer nat rule"
+    lb_name=`hostname | sed "s/\([0-9]*\)-0/lb-\1/"`
+    az network lb inbound-nat-rule create -g "${RESOURCE_GROUP}" -n "${nat_rule_name}" --lb-name "${lb_name}" --protocol Tcp --frontend-port 80 --backend-port 80
+
+    # assign nic inbound rule
+    log "assign nic inbound rule"
+    nic_name=`hostname | sed s/-0/-nic-0/`
+    az network nic ip-config inbound-nat-rule add -g "${RESOURCE_GROUP}" -n "ipconfig1" --nic-name "${nic_name}" --lb-name "${lb_name}" --inbound-nat-rule "${nat_rule_name}"
+
+    log "kubernetes dashboard config success."
+}
+
+main 2>&1 | tee -a config_k8s_ui_http.log