Houssem Dellai
committed
Nov 24, 2024
1 parent
9a46f45
commit 2b1cef1
Showing
21 changed files
with
637 additions
and
1 deletion.
@@ -0,0 +1,93 @@ | ||
# Deploying application artifacts in ACR | ||
|
||
## Introduction | ||
|
||
This is how you can use ACR to deploy app packages like `nuget`, `npm`, `maven`, `docker` etc. | ||
|
||
Azure container registry (ACR) helps you manage both the Open container initiative (OCI) artifacts and supply chain artifacts. This article guides you how to use ACR for managing OCI artifacts and supply chain artifacts effectively. Learn to store, manage, and retrieve both OCI artifacts and a graph of supply chain artifacts, including signatures, software bill of materials (SBOM), security scan results, and other types. | ||
|
||
![](images/architecture.png) | ||
|
||
Documentation: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-manage-artifact | ||
Oras project: https://oras.land/ | ||
|
||
## Lab | ||
|
||
```sh | ||
winget install oras --version 1.2.0 | ||
|
||
$RG="rg-acr-oci" | ||
$ACR_NAME="acrociregistry13" | ||
$REGISTRY="$ACR_NAME.azurecr.io" | ||
$REPO="net-monitor" | ||
$TAG="v1" | ||
$IMAGE="$REGISTRY/${REPO}:$TAG" | ||
|
||
az login | ||
az group create -n $RG -l swedencentral | ||
az acr create -n $ACR_NAME -g $RG --sku Standard | ||
az acr login -n $REGISTRY --expose-token | ||
|
||
$TOKEN=$(az acr login -n $REGISTRY --expose-token --output tsv --query accessToken) | ||
|
||
# Sign in with ORAS | ||
|
||
oras login $REGISTRY --username "00000000-0000-0000-0000-000000000000" --password $TOKEN | ||
# Login Succeeded | ||
# oras login $REGISTRY --username $USER_NAME --password $PASSWORD | ||
|
||
# Push and Pull OCI Artifacts with ORAS | ||
|
||
oras push $REGISTRY/samples/artifact:readme --artifact-type readme/example ./readme.md:application/markdown | ||
# ✓ Uploaded readme.md 589/589 B 100.00% 635ms | ||
# └─ sha256:f132432a5cb35e8e34c9669cc4c72390ca93cfc24802882941cc82b5d05133bf | ||
# ✓ Uploaded application/vnd.oci.empty.v1+json 2/2 B 100.00% 490ms | ||
# └─ sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a | ||
# ✓ Uploaded application/vnd.oci.image.manifest.v1+json 550/550 B 100.00% 287ms | ||
# └─ sha256:370e076ad19b329536da11f27a7db4a34b7f367452f0b615e905525b122cc28b | ||
# Pushed [registry] acrociregistry13.azurecr.io/samples/artifact:readme | ||
# ArtifactType: readme/example | ||
# Digest: sha256:370e076ad19b329536da11f27a7db4a34b7f367452f0b615e905525b122cc28b | ||
|
||
# To view the manifest created as a result of oras push, use oras manifest fetch: | ||
|
||
oras manifest fetch --pretty $REGISTRY/samples/artifact:readme | ||
# { | ||
# "schemaVersion": 2, | ||
# "mediaType": "application/vnd.oci.image.manifest.v1+json", | ||
# "artifactType": "readme/example", | ||
# "config": { | ||
# "mediaType": "application/vnd.oci.empty.v1+json", | ||
# "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a", | ||
# "size": 2, | ||
# "data": "e30=" | ||
# }, | ||
# "layers": [ | ||
# { | ||
# "mediaType": "application/markdown", | ||
# "digest": "sha256:f132432a5cb35e8e34c9669cc4c72390ca93cfc24802882941cc82b5d05133bf", | ||
# "size": 589, | ||
# "annotations": { | ||
# "org.opencontainers.image.title": "readme.md" | ||
# } | ||
# } | ||
# ], | ||
# "annotations": { | ||
# "org.opencontainers.image.created": "2024-10-24T10:18:02Z" | ||
# } | ||
# } | ||
|
||
# Pull an artifact | ||
|
||
mkdir ./download | ||
|
||
oras pull -o ./download $REGISTRY/samples/artifact:readme | ||
|
||
# Remove the artifact (optional) | ||
|
||
oras manifest delete $REGISTRY/samples/artifact:readme | ||
|
||
# push a nuget package | ||
|
||
oras push $REGISTRY/nuget/newtonsoft:13.0.3 --artifact-type package/nuget ./newtonsoft.json.13.0.3.nupkg | ||
``` |
@@ -0,0 +1,84 @@ | ||
resource "azurerm_kubernetes_cluster" "aks" { | ||
name = "aks-cluster-swc" | ||
location = azurerm_resource_group.rg-spoke.location | ||
resource_group_name = azurerm_resource_group.rg-spoke.name | ||
dns_prefix = "aks" | ||
kubernetes_version = "1.30.5" | ||
|
||
network_profile { | ||
network_plugin = "azure" | ||
network_plugin_mode = "overlay" | ||
outbound_type = "userDefinedRouting" | ||
} | ||
|
||
default_node_pool { | ||
name = "systempool" | ||
temporary_name_for_rotation = "syspool" | ||
node_count = 3 | ||
vm_size = "standard_b2als_v2" | ||
zones = [1, 2, 3] | ||
vnet_subnet_id = azurerm_subnet.snet-aks.id | ||
} | ||
|
||
identity { | ||
type = "SystemAssigned" | ||
} | ||
|
||
lifecycle { | ||
ignore_changes = [ | ||
default_node_pool.0.upgrade_settings | ||
] | ||
} | ||
|
||
depends_on = [ | ||
azurerm_subnet_route_table_association.association_route_table_subnet_spoke, | ||
azurerm_route.route-to-nva-spoke, | ||
azurerm_route.route-firewall-ip | ||
] | ||
} | ||
|
||
resource "azapi_resource" "nodepool-egress" { | ||
type = "Microsoft.ContainerService/managedClusters/agentPools@2024-09-02-preview" | ||
parent_id = azurerm_kubernetes_cluster.aks.id | ||
name = "npegresspr" | ||
schema_validation_enabled = false | ||
|
||
body = { | ||
properties = { | ||
count = 2 | ||
mode = "Gateway" | ||
vmSize = "standard_d2pds_v6" | ||
nodeTaints = [ | ||
"kubernetes.azure.com/mode=gateway:NoSchedule" | ||
] | ||
} | ||
} | ||
|
||
depends_on = [azapi_update_resource.enable-aks-static-egress-gateway] | ||
} | ||
|
||
resource "terraform_data" "aks-get-credentials" { | ||
triggers_replace = [azurerm_kubernetes_cluster.aks.id] | ||
|
||
provisioner "local-exec" { | ||
command = "az aks get-credentials -n ${azurerm_kubernetes_cluster.aks.name} -g ${azurerm_kubernetes_cluster.aks.resource_group_name} --overwrite-existing" | ||
} | ||
} | ||
|
||
resource "azurerm_role_assignment" "network-contributor" { | ||
scope = azurerm_resource_group.rg-spoke.id | ||
role_definition_name = "Network Contributor" | ||
principal_id = azurerm_kubernetes_cluster.aks.identity.0.principal_id | ||
} | ||
|
||
resource "azurerm_role_assignment" "network-contributor-aks" { | ||
scope = azurerm_kubernetes_cluster.aks.node_resource_group_id | ||
role_definition_name = "Network Contributor" | ||
principal_id = azurerm_kubernetes_cluster.aks.identity.0.principal_id | ||
} | ||
|
||
resource "azurerm_role_assignment" "virtual-machine-contributor" { | ||
scope = azurerm_kubernetes_cluster.aks.node_resource_group_id | ||
role_definition_name = "Virtual Machine Contributor" | ||
principal_id = azurerm_kubernetes_cluster.aks.identity.0.principal_id | ||
} |
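Review bot: The three `azurerm_role_assignment` resources at the end of this section give the cluster's system-assigned identity more than the visible setup needs: Network Contributor on the whole spoke resource group (`scope = azurerm_resource_group.rg-spoke.id`) and Virtual Machine Contributor on the node resource group, a built-in role that includes VM run-command rights. The subnet and route-table operations this file shows can be covered by Network Contributor scoped to `azurerm_subnet.snet-aks.id` and the route table it depends on, rather than the resource group; if the static egress gateway preview genuinely requires Virtual Machine Contributor on the node RG, a comment citing that requirement would stop a later reviewer from trimming it. A smaller point: `terraform_data.aks-get-credentials` writes a kubeconfig with `--overwrite-existing` for whoever runs the apply, and as far as this file shows no `azure_active_directory_role_based_access_control` block or `local_account_disabled` is set, so that kubeconfig carries the cluster's static local cluster-admin credential — worth a `# lab only: local accounts, no Entra RBAC` comment on the resource.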
@@ -0,0 +1,38 @@ | ||
resource "azapi_update_resource" "enable-aks-static-egress-gateway" { | ||
type = "Microsoft.ContainerService/ManagedClusters@2024-09-02-preview" | ||
resource_id = azurerm_kubernetes_cluster.aks.id | ||
|
||
body = { | ||
properties = { | ||
networkProfile = { | ||
staticEgressGatewayProfile = { | ||
enabled = true | ||
} | ||
} | ||
} | ||
} | ||
} | ||
|
||
# resource "terraform_data" "enable-aks-static-egress-gateway" { | ||
# triggers_replace = [azurerm_kubernetes_cluster.aks.id] | ||
|
||
# provisioner "local-exec" { | ||
# command = "az aks update -n ${azurerm_kubernetes_cluster.aks.name} -g ${azurerm_kubernetes_cluster.aks.resource_group_name} --enable-static-egress-gateway" | ||
# } | ||
# } | ||
|
||
# az aks nodepool add -g $AKS_RG --cluster-name $AKS_NAME --name $NODEPOOL_NAME --mode gateway --node-count 2 --gateway-prefix-size $GW_PREFIX_SIZE --node-vm-size standard_d2pds_v6 | ||
|
||
# resource "terraform_data" "add-static-egress-gateway-nodepool" { | ||
# triggers_replace = [ | ||
# azurerm_kubernetes_cluster.aks.id | ||
# ] | ||
|
||
# provisioner "local-exec" { | ||
# command = "az aks nodepool add --cluster-name ${azurerm_kubernetes_cluster.aks.name} -g ${azurerm_kubernetes_cluster.aks.resource_group_name} --name npegresspr --mode gateway --node-count 2 --gateway-prefix-size 30 --node-vm-size standard_d2pds_v6" | ||
# } | ||
|
||
# depends_on = [ | ||
# terraform_data.enable-aks-static-egress-gateway | ||
# ] | ||
# } |
@@ -0,0 +1,51 @@ | ||
resource "azurerm_firewall_policy" "firewall-policy" { | ||
name = "firewall-policy" | ||
resource_group_name = azurerm_resource_group.rg-hub.name | ||
location = azurerm_resource_group.rg-hub.location | ||
sku = "Standard" # "Basic" # "Standard" # "Premium" # | ||
|
||
dns { | ||
proxy_enabled = true | ||
servers = ["168.63.129.16"] | ||
} | ||
} | ||
|
||
resource "azurerm_firewall_policy_rule_collection_group" "policy-group-allow" { | ||
name = "policy-group-allow" | ||
firewall_policy_id = azurerm_firewall_policy.firewall-policy.id | ||
priority = 1000 | ||
|
||
application_rule_collection { | ||
name = "allow-all-application" | ||
priority = 100 | ||
action = "Allow" | ||
|
||
rule { | ||
name = "allow-all" | ||
source_addresses = azurerm_virtual_network.vnet-spoke.address_space | ||
destination_fqdns = ["*"] | ||
protocols { | ||
type = "Http" | ||
port = 80 | ||
} | ||
protocols { | ||
type = "Https" | ||
port = 443 | ||
} | ||
} | ||
} | ||
|
||
network_rule_collection { | ||
name = "allow-all-network" | ||
priority = 200 | ||
action = "Allow" | ||
|
||
rule { | ||
name = "allow-all" | ||
protocols = ["TCP", "UDP", "ICMP", "Any"] | ||
source_addresses = azurerm_virtual_network.vnet-spoke.address_space | ||
destination_addresses = ["*"] | ||
destination_ports = ["*"] | ||
} | ||
} | ||
} |
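Review bot: Both rule collections in `policy-group-allow` are allow-all — `destination_fqdns = ["*"]` on the application rule, and `destination_addresses = ["*"]`, `destination_ports = ["*"]` with `"Any"` in `protocols` on the network rule — so the firewall that the spoke's `userDefinedRouting` egress is forced through filters nothing and acts only as a NAT point. For a lab that may be intentional, but it should carry a comment saying so, and the production shape would scope the application rule to the `AzureKubernetesService` FQDN tag plus the registries the workloads actually pull from, and the network rule to the AKS control-plane ports (UDP 1194 and TCP 9000 toward the `AzureCloud` service tag, UDP 123 for NTP) — verify the exact list against the current AKS outbound-requirements documentation before applying. Tightening these rules changes what the `allow-all` rules currently permit, so egress from the gateway node pool must be re-tested afterwards.
```hcl
  application_rule_collection {
    name     = "allow-aks-required"
    priority = 100
    action   = "Allow"

    rule {
      name                  = "aks-fqdn-tag"
      source_addresses      = azurerm_virtual_network.vnet-spoke.address_space
      destination_fqdn_tags = ["AzureKubernetesService"]
      protocols {
        type = "Http"
        port = 80
      }
      protocols {
        type = "Https"
        port = 443
      }
    }
    # … add rules for the registries/endpoints the workloads themselves need …
  }

  network_rule_collection {
    name     = "allow-aks-control-plane"
    priority = 200
    action   = "Allow"

    rule {
      name                  = "aks-api-tunnel"
      protocols             = ["TCP", "UDP"]
      source_addresses      = azurerm_virtual_network.vnet-spoke.address_space
      destination_addresses = ["AzureCloud"]
      destination_ports     = ["1194", "9000"]
    }
    # … add UDP 123 (NTP) per the AKS outbound-requirements doc …
  }
```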
@@ -0,0 +1,24 @@ | ||
resource "azurerm_public_ip" "pip-firewall" { | ||
name = "pip-firewall" | ||
location = azurerm_resource_group.rg-hub.location | ||
resource_group_name = azurerm_resource_group.rg-hub.name | ||
allocation_method = "Static" | ||
sku = "Standard" | ||
zones = ["1"] # ["1", "2", "3"] | ||
} | ||
|
||
resource "azurerm_firewall" "firewall" { | ||
name = "firewall" | ||
location = azurerm_resource_group.rg-hub.location | ||
resource_group_name = azurerm_resource_group.rg-hub.name | ||
sku_name = "AZFW_VNet" | ||
sku_tier = "Standard" | ||
zones = ["1"] # ["1", "2", "3"] | ||
firewall_policy_id = azurerm_firewall_policy.firewall-policy.id | ||
|
||
ip_configuration { | ||
name = "configuration" | ||
subnet_id = azurerm_subnet.snet-firewall.id | ||
public_ip_address_id = azurerm_public_ip.pip-firewall.id | ||
} | ||
} |
@@ -0,0 +1,44 @@ | ||
resource "azurerm_log_analytics_workspace" "log_analytics" { | ||
name = "log-analytics" | ||
location = azurerm_resource_group.rg-hub.location | ||
resource_group_name = azurerm_resource_group.rg-hub.name | ||
internet_ingestion_enabled = true | ||
internet_query_enabled = true | ||
sku = "PerGB2018" | ||
retention_in_days = 30 | ||
daily_quota_gb = -1 | ||
} | ||
|
||
data "azurerm_monitor_diagnostic_categories" "categories" { | ||
resource_id = azurerm_firewall.firewall.id | ||
} | ||
|
||
resource "azurerm_monitor_diagnostic_setting" "diagnostics_firewall" { | ||
name = "diagnostics-firewall" | ||
target_resource_id = azurerm_firewall.firewall.id | ||
log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics.id | ||
log_analytics_destination_type = "Dedicated" | ||
|
||
|
||
dynamic "enabled_log" { | ||
for_each = data.azurerm_monitor_diagnostic_categories.categories.log_category_types | ||
|
||
content { | ||
category = enabled_log.key | ||
} | ||
} | ||
|
||
dynamic "metric" { | ||
for_each = data.azurerm_monitor_diagnostic_categories.categories.metrics | ||
|
||
content { | ||
category = metric.key | ||
} | ||
} | ||
|
||
lifecycle { | ||
ignore_changes = [ | ||
log_analytics_destination_type | ||
] | ||
} | ||
} |
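Review bot: The firewall logs are the only record of what left the network through the gateway, yet the workspace keeps them for `retention_in_days = 30` and is reachable from the public internet for both ingestion and query (`internet_ingestion_enabled = true`, `internet_query_enabled = true`). For a hub that already fronts everything with Azure Firewall, `internet_query_enabled = false` with access through an Azure Monitor Private Link Scope, and a retention long enough for incident investigation (90 days is a common floor), are the safer defaults; if public query is wanted for the lab, a one-line comment saying so avoids the question later. Only the firewall is wired to diagnostics here, so unless it is done in a file outside this commit, the AKS control-plane logs (`kube-audit`, `kube-audit-admin`, `guard`) are not collected — a second `azurerm_monitor_diagnostic_setting` with `target_resource_id = azurerm_kubernetes_cluster.aks.id` is worth adding.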
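--- a/69_kube_egress_gateway_private/nginx-deployment-private.yaml
+++ b/69_kube_egress_gateway_private/nginx-deployment-private.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-private
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      annotations:
+        kubernetes.azure.com/static-gateway-configuration: my-static-egress-gateway-private
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest
+        ports:
+        - containerPort: 80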
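Review bot: The container uses `image: nginx:latest`, a mutable tag, so every rollout can silently pull a different image and the deployment is not reproducible; pin a version tag or, better, an `@sha256:` digest. The pod also declares no `securityContext` and no `resources`, so it may request privilege escalation and has no CPU/memory bound on the gateway nodes. The stock nginx image starts its master process as root, so `runAsNonRoot: true` would need the unprivileged image variant; the settings below are safe with the stock image. The annotation `kubernetes.azure.com/static-gateway-configuration: my-static-egress-gateway-private` refers to a StaticGatewayConfiguration that is not in this commit — confirm it exists elsewhere, otherwise the pods will not be routed through the gateway.
```yaml
    spec:
      containers:
      - name: nginx
        image: nginx:1.27   # placeholder: pin the tag you tested, or an @sha256 digest, instead of :latest
        ports:
        - containerPort: 80
        securityContext:
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        resources:
          requests:
            cpu: 100m
            memory: 64Mi
          limits:
            cpu: 500m
            memory: 128Mi
```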