Commit 8a808c45 authored by Daniel Scholl's avatar Daniel Scholl

Documentation Fixes

parent 528f6f0f
......@@ -19,20 +19,59 @@ Azure environment cost ballpark [estimate](https://tinyurl.com/y4e9s7rf). This i
1. Azure Subscription
1. Terraform and Go are locally installed.
1. Requires the use of [direnv](https://direnv.net/).
1. Install the required common tools (kubectl, helm, and terraform). Currently uses [Terraform 0.12.29](https://releases.hashicorp.com/terraform/0.12.29/) and [GO 1.12.14](https://golang.org/dl/).
1. Install the required common tools (kubectl, helm, and terraform).
### Install the required tooling
This document assumes one is running a current version of Ubuntu. Windows users can install the Ubuntu Terminal from the Microsoft Store. The Ubuntu Terminal enables Linux command-line utilities, including bash, ssh, and git that will be useful for the following deployment. _Note: You will need the Windows Subsystem for Linux installed to use the Ubuntu Terminal on Windows_.
Currently the versions in use are [Terraform 0.12.29](https://releases.hashicorp.com/terraform/0.12.29/) and [GO 1.12.14](https://golang.org/dl/).
> Note: Terraform and Go are recommended to be installed using a [Terraform Version Manager](https://github.com/tfutils/tfenv) and a [Go Version Manager](https://github.com/stefanmaric/g)
### Install the Azure CLI
For information specific to your operating system, see the [Azure CLI install guide](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest). You can also use [this script](https://github.com/microsoft/bedrock/blob/master/tools/prereqs/setup_azure_cli.sh) if running on a Unix based machine.
For information specific to your operating system, see the [Azure CLI install guide](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest). You can also use the single command install if running on a Unix based machine.
```bash
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
# Login to Azure CLI and ensure subscription is set to desired subscription
az login
az account set --subscription <your_subscription>
```
### Configure and Work with an Azure Devops Project
Configure an Azure Devops Project in your Organization called `osdu-mvp` and set the cli command to use the organization by default.
```bash
export ADO_ORGANIZATION=<organization_name>
export ADO_PROJECT=osdu-mvp
# Ensure the CLI extension is added
az extension add --name azure-devops
# Setup a Project Space in your organization
az devops project create --name $ADO_PROJECT --organization $ADO_ORGANIZATION
# Configure the CLI Defaults to work with the organization and project
az devops configure --defaults organization=https://dev.azure.com/$ADO_ORGANIZATION project=$ADO_PROJECT
```
## Clone the repository
It is recommended to work with this repository in a WSL Ubuntu directory structure.
```bash
git clone git@community.opengroup.org:osdu/platform/deployment-and-operations/infra-azure-provisioning.git
cd infra-azure-provisioning
```
## Create a Flux Manifest Repository
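Review bot: the new single-command install (`curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash`) pipes a script fetched through a URL shortener straight into a root shell, leaving the reader no chance to inspect what runs; since the old text already linked the install guide, suggest keeping the guide as the primary path and, for the one-liner, documenting a download-then-review step (`curl -sL ... -o install.sh`, read it, then `sudo bash install.sh`) or the apt repository install. The clone at the end of the hunk uses the SSH form `git@community.opengroup.org:...`, which requires an SSH key registered with that GitLab instance; worth stating as a prerequisite next to the direnv and tooling items.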
......@@ -42,8 +81,6 @@ For information specific to your operating system, see the [Azure CLI install gu
Flux requires that the git repository have at least one commit. Initialize the repo with an empty commit.
```bash
export ADO_ORGANIZATION=<organization_name> # ie: osdu-demo
export ADO_PROJECT=<project_name> # ie: osdu-mvp
export ADO_REPO=k8-gitops-manifests
# Initialize a Git Repository
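Review bot: with the `export ADO_ORGANIZATION` and `export ADO_PROJECT` lines gone from this block, the section now depends on those variables having been set in the earlier "Configure and Work with an Azure Devops Project" step, and the `ie: osdu-demo` / `ie: osdu-mvp` hints went with them; since this block is headed as its own step, suggest a one-line cross-reference so a reader who starts here does not end up with the `GIT_REPO` path further down expanding to `v3///k8-gitops-manifests`.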
......@@ -53,7 +90,7 @@ export ADO_REPO=k8-gitops-manifests
&& git commit --allow-empty -m "Initializing the Flux Manifest Repository")
# Create an ADO Repo
az repos create --name $ADO_REPO --organization https://dev.azure.com/${ADO_ORGANIZATION} --project $ADO_PROJECT -ojson
az repos create --name $ADO_REPO
export GIT_REPO=git@ssh.dev.azure.com:v3/${ADO_ORGANIZATION}/${ADO_PROJECT}/k8-gitops-manifests
# Push the Git Repository
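Review bot: the shortened `az repos create --name $ADO_REPO` relies on the organization and project defaults written by `az devops configure --defaults`, which live in the user's CLI config rather than in this shell session; if a different org or project was configured last, the repo is created there without any error, while the `GIT_REPO` line right below still builds the URL from `${ADO_ORGANIZATION}`/`${ADO_PROJECT}`, so the push goes to a repo that does not exist. Suggest keeping `--organization`/`--project` explicit here, as the removed form did, or at least keeping `-ojson` so the returned repo URL can be compared with `GIT_REPO`.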
......@@ -71,22 +108,12 @@ The script `common_prepare.sh` script is a _helper_ script designed to help setu
- Ensure you have the access to run az ad commands.
```bash
# Login to Azure CLI and ensure subscription is set to desired subscription
az login
az account set --subscription <your_subscription>
# Execute Script
UNIQUE=demo
./infra/templates/osdu-r3-mvp/common_prepare.sh $(az account show --query id -otsv) $UNIQUE
```
This results in 2 service principals being created that need an AD Admin to `grant admin consent` on.
1. osdu-mvp-{UNIQUE}-terraform
2. osdu-mvp-{UNIQUE}-principal
export UNIQUE=demo
./infra/common_prepare.sh $(az account show --query id -otsv) $UNIQUE
```
> Removal would require deletion of all AD elements `osdu-mvp-{UNIQUE}-*`, the resource group and purging the KV.
__Local Script Output Resources__
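Review bot: the `az login` / `az account set` lines are dropped from this block, so `./infra/common_prepare.sh $(az account show --query id -otsv) $UNIQUE` now runs against whatever subscription the CLI happens to have selected, and the script creates service principals and AD applications named `osdu-mvp-{UNIQUE}-*` in that tenant; suggest an explicit `az account show` check, or a restated subscription prerequisite, right before the invocation. The script path also changed from `./infra/templates/osdu-r3-mvp/common_prepare.sh` to `./infra/common_prepare.sh`; other references in the repo should be checked against the new location.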
......@@ -101,8 +128,9 @@ The script creates some local files to be used.
7. ~/.ssh/osdu_{UNIQUE}/azure-aks-node-ssh-key.pub -- SSH Public Key used by AKS
8. ~/.ssh/osdu_{UNIQUE}/azure-aks-node-ssh-key.passphrase -- SSH Key Passphrase used by AKS
> Ensure environment variables are loaded `direnv allow`
__Installed Common Resources__
__Installed Azure Resources__
1. Resource Group
2. Storage Account
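Review bot: items 7 and 8 of the local output list place `azure-aks-node-ssh-key.passphrase` in the same `~/.ssh/osdu_{UNIQUE}/` directory as the private key it protects, which removes most of the value of the passphrase if that directory is copied or backed up; suggest the doc state the expected permissions on that directory (`0700`, key files `0600`) and that the passphrase file can be removed locally once it has been stored in the vault. The added `direnv allow` reminder is useful, but it should say that allowing the `.envrc` executes the vault lookups it contains, so the resolved secrets end up in the environment of every process started from that directory.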
......@@ -112,29 +140,39 @@ __Installed Common Resources__
6. An application to be used for the OSDU environment. _(future)_
7. An application to be used for negative integration testing.
>Note: 2 Users are required to be created manually in AD for integration testing purposes manually and values stored in this Common Key Vault.
> Removal would require deletion of all AD elements `osdu-mvp-{UNIQUE}-*`, unlocking and deleting the resource group then purging the KV.
__Azure AD Admin Consent__
2 service principals have been created that need to have an AD Admin `grant admin consent` on.
1. osdu-mvp-{UNIQUE}-terraform _(Azure AD Application Graph - Application.ReadWrite.OwnedBy)_
2. osdu-mvp-{UNIQUE}-principal _(Microsoft Graph - Directory.Read.All)_
## Elastic Search Setup
Infrastructure assumes bring your own Elastic Search Instance at a version of 6.8.x and access information must be stored in the Common KeyVault.
Infrastructure requires a bring your own Elastic Search Instance of a version of 6.8.x with a valid https endpoint and the access information must now be stored in the Common KeyVault. The recommended method of Elastic Search is to use the [Elastic Cloud Managed Service from the Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/elastic.ec-azure?tab=Overview).
> Note: Elastic Cloud Managed Service requires a Credit Card to be associated to the subscription for billing purposes.
```bash
ENDPOINT=""
USERNAME=""
PASSWORD=""
az keyvault secret set --vault-name $COMMON_VAULT --name "elastic-endpoint-dp1-demo" --value $ENDPOINT
az keyvault secret set --vault-name $COMMON_VAULT --name "elastic-username-dp1-demo" --value $USERNAME
az keyvault secret set --vault-name $COMMON_VAULT --name "elastic-password-dp1-demo" --value $PASSWORD
ES_ENDPOINT=""
ES_USERNAME=""
ES_PASSWORD=""
az keyvault secret set --vault-name $COMMON_VAULT --name "elastic-endpoint-dp1-demo" --value $ES_ENDPOINT
az keyvault secret set --vault-name $COMMON_VAULT --name "elastic-username-dp1-demo" --value $ES_USERNAME
az keyvault secret set --vault-name $COMMON_VAULT --name "elastic-password-dp1-demo" --value $ES_PASSWORD
cat >> .envrc << EOF
# https://cloud.elastic.co
# ------------------------------------------------------------------------------------------------------
export TF_VAR_elasticsearch_endpoint="$(az keyvault secret show --vault-name $COMMON_VAULT --id https://$COMMON_VAULT.vault.azure.net/secrets/elastic-endpoint-dp1-demo --query value -otsv)"
export TF_VAR_elasticsearch_username="$(az keyvault secret show --vault-name $COMMON_VAULT --id https://$COMMON_VAULT.vault.azure.net/secrets/elastic-username-dp1-demo --query value -otsv)"
export TF_VAR_elasticsearch_password="$(az keyvault secret show --vault-name $COMMON_VAULT --id https://$COMMON_VAULT.vault.azure.net/secrets/elastic-password-dp1-demo --query value -otsv)"
export TF_VAR_elasticsearch_endpoint="$(az keyvault secret show --id https://$COMMON_VAULT.vault.azure.net/secrets/elastic-endpoint-dp1-demo --query value -otsv)"
export TF_VAR_elasticsearch_username="$(az keyvault secret show --id https://$COMMON_VAULT.vault.azure.net/secrets/elastic-username-dp1-demo --query value -otsv)"
export TF_VAR_elasticsearch_password="$(az keyvault secret show --id https://$COMMON_VAULT.vault.azure.net/secrets/elastic-password-dp1-demo --query value -otsv)"
EOF
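Review bot: in the Elastic block, `--value $ES_PASSWORD` (and the endpoint and username) are unquoted, so a password containing spaces or glob characters is split before it reaches `az keyvault secret set`; quote them (`--value "$ES_PASSWORD"`). Filling in `ES_PASSWORD=""` on the command line also leaves the credential in shell history; `read -rs ES_PASSWORD` or the `--file` option would avoid that. Smaller points: the secret names hard-code `dp1-demo` while every other name in this doc is derived from `$UNIQUE`; the note "2 Users are required to be created manually in AD for integration testing purposes manually" repeats the word; and the rename to `ES_*` is a good change, since `USERNAME` is a variable some shells (zsh, for one) preset.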
......@@ -149,7 +187,6 @@ The public key of the `azure-aks-gitops-ssh-key` previously created needs to be
```bash
# Retrieve the public key
az keyvault secret show \
--vault-name $COMMON_VAULT \
--id https://$COMMON_VAULT.vault.azure.net/secrets/azure-aks-gitops-ssh-key-pub \
--query value \
-otsv
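Review bot: dropping `--vault-name` is right, since `--id` already carries the vault in the URI and the two could disagree; one thing to flag is that the URI hard-codes the `vault.azure.net` suffix, which is only valid for the public cloud, so a reader on a sovereign cloud would have to edit every one of these lines. A `${VAULT_DNS_SUFFIX:-vault.azure.net}` style variable, or the `--vault-name $COMMON_VAULT --name azure-aks-gitops-ssh-key-pub` form, would avoid that.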
......@@ -162,9 +199,10 @@ az keyvault secret show \
1. Configure the Pipelines following directions [here](./docs/pipeline-setup.md).
2. Deploy the application helm charts following the directions [here]().
2. Manually configure your DNS_HOST to the IP Address of the environment IP Address.
3. Deploy the application helm charts following the directions [here]().
3. Load the data
## Manual Installation
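Review bot: the helm charts step (`Deploy the application helm charts following the directions [here]()`) has an empty link target in both the old and the new list, while the Manual Installation list below links `./charts/README.md` for the same step; suggest the same target here. The list also ends up with two items numbered `3.` once the DNS step is inserted, and "the IP Address of the environment IP Address" should read "the environment's IP address".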
......@@ -173,9 +211,10 @@ az keyvault secret show \
1. Install the Infrastructure following directions [here](./infra/templates/osdu-r3-mvp/README.md).
2. Deploy the application helm charts following the directions [here](./charts/README.md).
2. Manually configure your DNS_HOST to the IP Address of the environment IP Address.
3. Deploy the application helm charts following the directions [here](./charts/README.md).
3. Load the data
## Developer Activities
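Review bot: same numbering slip as in the pipeline list above: after inserting the DNS_HOST step, `3. Deploy the application helm charts` and `3. Load the data` share a number, and "to the IP Address of the environment IP Address" duplicates itself; suggest `1.` through `4.` and "to the environment's IP address". It would also help to say where `DNS_HOST` is defined (is it one of the `config.yaml` values?), since this is the first place the name appears.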
......
......@@ -29,6 +29,8 @@ Create the helm chart values file necessary to install charts.
- Edit the newly downloaded [config.yaml](https://community.opengroup.org/osdu/platform/deployment-and-operations/infra-azure-provisioning/-/raw/master/charts/helm-config.yaml) and fill out the required sections `azure`, `ingress` and `istio`.
```bash
# Setup Variables
ISTIO_DASH="<your_dash_login>" # ie: admin
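Review bot: the link text says `config.yaml` but points at `charts/helm-config.yaml`, and the later `helm template ... -f ${INFRA_SRC}/charts/config.yaml` commands expect the file under the `config.yaml` name; suggest stating explicitly that the downloaded `helm-config.yaml` is to be saved as `charts/config.yaml`, and that, if the `azure`, `ingress` and `istio` sections are filled with credentials, the file should be kept out of version control. `ISTIO_DASH="<your_dash_login>" # ie: admin` would also read better as `# e.g. admin`; the doc uses `ie:` throughout where "e.g." is meant.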
......@@ -99,17 +101,32 @@ git clone https://community.opengroup.org/osdu/platform/system/delivery.git $SRC
```
__Kubernetes API Access__
> Optional
It can often be helpful to be able to retrieve the cluster context and execute queries directly against the Kubernetes API.
```bash
BASE_NAME=$(az group list --query "[?contains(name, '${UNIQUE}sr')].name" -otsv |grep -v MC | rev | cut -c 3- | rev)
az aks get-credentials -n ${BASE_NAME}aks -g ${BASE_NAME}rg
```
__Helm Manifests__
Manually extract the manifests from the helm charts to your Flux Repo Directory.
```bash
SRC_DIR="<ROOT_PATH_TO_SOURCE>" # $HOME/source/osdu/osdu-gitlab
INFRA_SRC="$SRC_DIR/infra-azure-provisioning"
FLUX_SRC="$INFRA_SRC/k8-gitops-manifests"
BRANCH="master"
TAG="latest"
# Setup the Flux Directory
mkdir -p ${FLUX_SRC}/providers/azure/hld-registry
# Extract manifests from the common osdu chart.
helm template osdu-flux ${INFRA_SRC}/charts/osdu-common -f ${INFRA_SRC}/charts/config.yaml > ${FLUX_SRC}/providers/azure/hld-registry/osdu-common.yaml
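Review bot: `BASE_NAME=$(az group list --query "[?contains(name, '${UNIQUE}sr')].name" -otsv |grep -v MC | rev | cut -c 3- | rev)` silently breaks if more than one resource group matches (for instance a second environment whose `UNIQUE` value contains the first), producing a multi-line value that `az aks get-credentials -n ${BASE_NAME}aks -g ${BASE_NAME}rg` then mangles; suggest pinning to a single result with `| [0]` in the JMESPath, or failing loudly when more than one line comes back. The `rev | cut -c 3- | rev` dance to strip a trailing `rg` would also be clearer as a parameter expansion (`${name%rg}`).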
......@@ -121,48 +138,26 @@ helm template osdu-flux ${INFRA_SRC}/charts/osdu-common -f ${INFRA_SRC}/charts/c
&& git push origin $UNIQUE)
# Extract manifests from the istio osdu chart.
# Extract manifests from the istio charts.
helm template osdu-flux ${INFRA_SRC}/charts/osdu-istio -f ${INFRA_SRC}/charts/config.yaml > ${FLUX_SRC}/providers/azure/hld-registry/osdu-istio.yaml
# Commit and Checkin to Deploy
(cd $FLUX_SRC \
&& git switch $UNIQUE \
&& git add ${FLUX_SRC}/providers/azure/hld-registry/osdu-istio.yaml \
&& git commit -m "Initialize Istio Chart" \
&& git push origin $UNIQUE)
# Extract manifests from the istio osdu chart.
helm template osdu-flux ${INFRA_SRC}/charts/osdu-istio-auth -f ${INFRA_SRC}/charts/config.yaml > ${FLUX_SRC}/providers/azure/hld-registry/osdu-istio-auth.yaml
# Commit and Checkin to Deploy
(cd $FLUX_SRC \
&& git switch $UNIQUE \
&& git add ${FLUX_SRC}/providers/azure/hld-registry/osdu-istio.yaml \
&& git add ${FLUX_SRC}/providers/azure/hld-registry/osdu-istio-auth.yaml \
&& git commit -m "Initialize Istio Auth Chart" \
&& git push origin $UNIQUE)
# Extract manifests from each service chart.
for SERVICE in partition;
for SERVICE in partition entitlements-azure legal storage indexer-queue indexer-service search-service;
do
helm template $SERVICE ${SRC_DIR}/$SERVICE/devops/azure/chart --set image.branch=$BRANCH --set image.tag=$TAG > ${FLUX_SRC}/providers/azure/hld-registry/$SERVICE.yaml
done
# Commit and Checkin to Deploy
(cd $FLUX_SRC \
&& git switch $UNIQUE \
&& git add ${FLUX_SRC}/providers/azure/hld-registry/partition.yaml \
&& git commit -m "Adding Partition Service" \
&& git push origin $UNIQUE)
# Extract manifests from each service chart.
for SERVICE in entitlements-azure legal storage indexer-queue indexer-service search-service delivery;
do
helm template $SERVICE ${SERVICES_DIR}/$SERVICE/devops/azure/chart --set image.branch=$BRANCH --set image.tag=$TAG > ${FLUX_SRC}/providers/azure/hld-registry/$SERVICE.yaml
done
# Commit and Checkin to Deploy
(cd $FLUX_SRC \
&& git switch $UNIQUE \
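Review bot: the consolidated loop renders every service with `--set image.tag=$TAG` where `TAG="latest"`, so the manifests committed to the Flux repo reference a moving tag; a later image push changes what the cluster runs without any corresponding commit in the GitOps history, which defeats the audit trail the repo is meant to provide. Suggest the documented example pin a release tag (or an image digest) and reserve `latest` for throwaway environments. Two smaller points: the new service list drops `delivery` even though the hunk header shows `delivery.git` still being cloned into `$SRC_DIR`, and the comment above the `osdu-istio-auth` template still says "Extract manifests from the istio osdu chart." (copied from the istio block), so it should name istio-auth.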
......
......@@ -23,5 +23,5 @@ tput setaf 2; echo 'Key Vault Dump...' ; tput sgr0
tput setaf 3; echo "------------------------------------" ; tput sgr0
for i in `az keyvault secret list --vault-name $COMMON_VAULT --query [].id -otsv`
do
echo "${i##*/}=\"$(az keyvault secret show --vault-name $COMMON_VAULT --id $i --query value -otsv)\""
echo "${i##*/}=\"$(az keyvault secret show --id $i --query value -otsv)\""
done
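Review bot: the loop prints every secret in `$COMMON_VAULT` as `name="value"` to stdout, so running the `Key Vault Dump` in a terminal with logging, tmux scrollback or a CI job leaves all the service principal keys and the Elastic password in cleartext; the `--id` simplification is fine, but suggest the script either write to a `0600` file or require an explicit flag, and that the README say what the output is for. Minor style: `$(...)` reads better than backticks for the `az keyvault secret list` expansion.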
......@@ -135,7 +135,7 @@ function CreateTfPrincipal() {
az keyvault set-policy --name $AZURE_VAULT \
--object-id $(az ad sp list --display-name $1 --query [].objectId -otsv) \
--secret-permissions list get \
-ojson
-ojson 2>/dev/null
else
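Review bot: adding `2>/dev/null` to `az keyvault set-policy` hides the one failure mode that matters in this function: `$(az ad sp list --display-name $1 --query [].objectId -otsv)` returns an empty string when the principal is not found yet (display-name lookups are also not guaranteed unique and can return several ids), and with stderr silenced the policy grant fails without any visible trace while the script carries on. Suggest capturing the object id first, checking that it is exactly one value, and testing the exit status of `set-policy` rather than discarding its stderr; if the aim is to suppress a known warning, `--only-show-errors` is narrower than throwing away all of stderr.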
......@@ -259,9 +259,6 @@ function CreateSSHKeysPassphrase() {
AddKeyToVault $AZURE_VAULT "${2}" "~/.ssh/osdu_${UNIQUE}/${2}" "file"
AddKeyToVault $AZURE_VAULT "${2}-pub" "~/.ssh/osdu_${UNIQUE}/${2}.pub" "file"
AddKeyToVault $AZURE_VAULT "${2}-passphrase" $PASSPHRASE
_result=`cat ~/.ssh/osdu_${UNIQUE}/${2}.pub`
echo $_result
}
function CreateSSHKeys() {
# Required Argument $1 = SSH_USER
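Review bot: removing the `_result=`cat ~/.ssh/...pub`` / `echo $_result` tail means `CreateSSHKeysPassphrase` no longer writes the public key to stdout; that is a reasonable clean-up given the README now fetches `*-pub` from the vault, but any caller that captured the function's output with `$(...)` now gets an empty string, so call sites should be checked in the same change. Two things in the retained lines: `"~/.ssh/osdu_${UNIQUE}/${2}"` carries a literal `~` because tilde expansion does not happen inside double quotes, so `AddKeyToVault` must be expanding it itself (if it passes the string straight to a `--file` option, the upload fails); and `$PASSPHRASE` on the `-passphrase` line is unquoted, so a passphrase containing spaces is split into several arguments.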
......@@ -299,9 +296,6 @@ function CreateSSHKeys() {
AddKeyToVault $AZURE_VAULT "${2}" "~/.ssh/osdu_${UNIQUE}/${2}" "file"
AddKeyToVault $AZURE_VAULT "${2}-pub" "~/.ssh/osdu_${UNIQUE}/${2}.pub" "file"
_result=`cat ~/.ssh/osdu_${UNIQUE}/${2}.pub`
echo $_result
}
function CreateKeyVault() {
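Review bot: same change as in `CreateSSHKeysPassphrase`: with the `cat`/`echo` of the `.pub` file gone, `CreateSSHKeys` has no return value, and the quoted-tilde path `"~/.ssh/osdu_${UNIQUE}/${2}"` is passed to `AddKeyToVault` here as well; if the tilde handling is fixed in one place it should be fixed in both, and `$HOME` inside the quotes would make the intent explicit.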
......@@ -322,7 +316,7 @@ function CreateKeyVault() {
exit 1;
fi
local _vault=$(az keyvault list --resource-group $2 --query [].name -otsv)
local _vault=$(az keyvault list --resource-group $2 --query [].name -otsv 2>/dev/null)
if [ "$_vault" == "" ]
then
OUTPUT=$(az keyvault create --name $1 --resource-group $2 --location $3 --query [].name -otsv)
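Review bot: `local _vault=$(az keyvault list --resource-group $2 --query [].name -otsv 2>/dev/null)` combined with `if [ "$_vault" == "" ]` means any failure of the list call (expired login, missing permission on the resource group, transient API error) looks identical to "no vault exists" and drops the script into `az keyvault create`; suggest checking the exit status before treating an empty result as absence, for example `_vault=$(az keyvault list ... -otsv) || { echo 'keyvault list failed' >&2; exit 1; }`. Note that `local _vault=$(...)` on one line masks the command's exit code with that of `local`, so the status check needs the assignment on its own line.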
......@@ -537,11 +531,11 @@ export UNIQUE=${UNIQUE}
export COMMON_VAULT="${AZURE_VAULT}"
export ARM_TENANT_ID="$(az account show -ojson --query tenantId -otsv)"
export ARM_SUBSCRIPTION_ID="${ARM_SUBSCRIPTION_ID}"
export ARM_CLIENT_ID="$(az keyvault secret show --vault-name $AZURE_VAULT --id https://$AZURE_VAULT.vault.azure.net/secrets/osdu-mvp-${UNIQUE}-terraform-id --query value -otsv)"
export ARM_CLIENT_SECRET="$(az keyvault secret show --vault-name $AZURE_VAULT --id https://$AZURE_VAULT.vault.azure.net/secrets/osdu-mvp-${UNIQUE}-terraform-key --query value -otsv)"
export ARM_ACCESS_KEY="$(az keyvault secret show --vault-name $AZURE_VAULT --id https://$AZURE_VAULT.vault.azure.net/secrets/osducommon${RANDOM_NUMBER}-storage-key --query value -otsv)"
export ARM_CLIENT_ID="$(az keyvault secret show --id https://$AZURE_VAULT.vault.azure.net/secrets/osdu-mvp-${UNIQUE}-terraform-id --query value -otsv)"
export ARM_CLIENT_SECRET="$(az keyvault secret show --id https://$AZURE_VAULT.vault.azure.net/secrets/osdu-mvp-${UNIQUE}-terraform-key --query value -otsv)"
export ARM_ACCESS_KEY="$(az keyvault secret show --id https://$AZURE_VAULT.vault.azure.net/secrets/osducommon${RANDOM_NUMBER}-storage-key --query value -otsv)"
export TF_VAR_remote_state_account="$(az keyvault secret show --vault-name $AZURE_VAULT --id https://$AZURE_VAULT.vault.azure.net/secrets/osducommon${RANDOM_NUMBER}-storage --query value -otsv)"
export TF_VAR_remote_state_account="$(az keyvault secret show --id https://$AZURE_VAULT.vault.azure.net/secrets/osducommon${RANDOM_NUMBER}-storage --query value -otsv)"
export TF_VAR_remote_state_container="remote-state-container"
export TF_VAR_resource_group_location="${AZURE_LOCATION}"
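Review bot: the generated `.envrc` resolves `ARM_CLIENT_SECRET`, `ARM_ACCESS_KEY` and the storage key at `direnv allow` time and exports them into every process started from the directory, so while dropping `--vault-name` is fine, the script should ensure `.envrc` is listed in `.gitignore` and the doc should say the values are live secrets rather than references. One typo-level point in the retained line: `az account show -ojson --query tenantId -otsv` passes both `-ojson` and `-otsv`; the last one wins, so `-ojson` should go.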
......@@ -549,13 +543,13 @@ export TF_VAR_cosmosdb_replica_location="${AZURE_PAIR_LOCATION}"
export TF_VAR_central_resources_workspace_name="${UNIQUE}-cr"
export TF_VAR_principal_appId="$(az keyvault secret show --vault-name $AZURE_VAULT --id https://$AZURE_VAULT.vault.azure.net/secrets/osdu-mvp-${UNIQUE}-principal-id --query value -otsv)"
export TF_VAR_principal_appId="$(az keyvault secret show --id https://$AZURE_VAULT.vault.azure.net/secrets/osdu-mvp-${UNIQUE}-principal-id --query value -otsv)"
export TF_VAR_principal_name="osdu-mvp-${UNIQUE}-principal"
export TF_VAR_principal_password="$(az keyvault secret show --vault-name $AZURE_VAULT --id https://$AZURE_VAULT.vault.azure.net/secrets/osdu-mvp-${UNIQUE}-principal-key --query value -otsv)"
export TF_VAR_principal_objectId="$(az keyvault secret show --vault-name $AZURE_VAULT --id https://$AZURE_VAULT.vault.azure.net/secrets/osdu-mvp-${UNIQUE}-principal-oid --query value -otsv)"
export TF_VAR_principal_password="$(az keyvault secret show --id https://$AZURE_VAULT.vault.azure.net/secrets/osdu-mvp-${UNIQUE}-principal-key --query value -otsv)"
export TF_VAR_principal_objectId="$(az keyvault secret show --id https://$AZURE_VAULT.vault.azure.net/secrets/osdu-mvp-${UNIQUE}-principal-oid --query value -otsv)"
export TF_VAR_application_clientid="$(az keyvault secret show --vault-name $AZURE_VAULT --id https://$AZURE_VAULT.vault.azure.net/secrets/osdu-mvp-${UNIQUE}-application-clientid --query value -otsv)"
export TF_VAR_application_secret="$(az keyvault secret show --vault-name $AZURE_VAULT --id https://$AZURE_VAULT.vault.azure.net/secrets/osdu-mvp-${UNIQUE}-application-secret --query value -otsv)"
export TF_VAR_application_clientid="$(az keyvault secret show --id https://$AZURE_VAULT.vault.azure.net/secrets/osdu-mvp-${UNIQUE}-application-clientid --query value -otsv)"
export TF_VAR_application_secret="$(az keyvault secret show --id https://$AZURE_VAULT.vault.azure.net/secrets/osdu-mvp-${UNIQUE}-application-secret --query value -otsv)"
export TF_VAR_ssh_public_key_file=~/.ssh/osdu_${UNIQUE}/azure-aks-node-ssh-key.pub
export TF_VAR_gitops_ssh_key_file=~/.ssh/osdu_${UNIQUE}/azure-aks-gitops-ssh-key
......