) password = rando_password.result # Resource Group resource_group = resources.ResourceGroup('rg') ### AKS Cluster Related Resources generated_key_pair = PrivateKey('ssh-key', algorithm='RSA', rsa_bits=4096) ssh_public_key = generated_key_pair.public_key_openssh ad_app = azuread.Application('app', display_name='app') ad_sp = azuread.ServicePrincipal('service-principal', application_id=ad_app.application_id) ad_sp_password = azuread.ServicePrincipalPassword( 'sp-password', service_principal_id=ad_sp.id, value=password, end_date='2099-01-01T00:00:00Z') k8s_cluster = containerservice.ManagedCluster( 'cluster', resource_group_name=resource_group.name, addon_profiles={ 'KubeDashboard': { 'enabled': True, }, }, agent_pool_profiles=[{ 'count': node_count, 'max_pods': 20, 'mode': 'System',
config = pulumi.Config() # Create new resource group resource_group = resources.ResourceGroup("azure-native-py-aks") # Create an AD service principal ad_app = azuread.Application("aks", display_name="aks") ad_sp = azuread.ServicePrincipal("aksSp", application_id=ad_app.application_id) # Generate random password password = random.RandomPassword("password", length=20, special=True) # Create the Service Principal Password ad_sp_password = azuread.ServicePrincipalPassword( "aksSpPassword", service_principal_id=ad_sp.id, value=password.result, end_date="2099-01-01T00:00:00Z") # Generate an SSH key ssh_key = tls.PrivateKey("ssh-key", algorithm="RSA", rsa_bits=4096) # Create cluster managed_cluster_name = config.get("managedClusterName") if managed_cluster_name is None: managed_cluster_name = "azure-native-aks" managed_cluster = containerservice.ManagedCluster( managed_cluster_name, resource_group_name=resource_group.name, agent_pool_profiles=[{
prefix = config.require("prefix") password = config.require("password") ssh_public_key = config.require("sshkey") location = config.get("location") or "east us" subscription_id = authorization.get_client_config().subscription_id # Create Azure AD Application for AKS app = azuread.Application(f"{prefix}-aks-app", display_name=f"{prefix}-aks-app") # Create service principal for the application so AKS can act on behalf of the application sp = azuread.ServicePrincipal("aks-sp", application_id=app.application_id) # Create the service principal password sppwd = azuread.ServicePrincipalPassword("aks-sp-pwd", service_principal_id=sp.id, end_date="2099-01-01T00:00:00Z") rg = resources.ResourceGroup(f"{prefix}-rg", location=location) vnet = network.VirtualNetwork(f"{prefix}-vnet", location=rg.location, resource_group_name=rg.name, address_space={ "address_prefixes": ["10.0.0.0/16"], }) subnet = network.Subnet(f"{prefix}-subnet", resource_group_name=rg.name, address_prefix="10.0.0.0/24", virtual_network_name=vnet.name)
resource_group_name=rg.name, admin_enabled=not use_sp_auth, sku='Basic') # Get registry info (creds and endpoint). image_name = registry.login_server.apply(lambda s: f'{s}/myapp') if use_sp_auth: sp = azuread.ServicePrincipal( 'mysp', application_id=azuread.Application('myspapp').application_id, ) sp_password = azuread.ServicePrincipalPassword( 'mysp-pass', service_principal_id=sp.id, value=random.RandomPassword( 'mypass', length=32, opts=pulumi.ResourceOptions( additional_secret_outputs=['result'])).result, end_date_relative='8760h', ) sp_auth = azure.authorization.Assignment( 'myauth', scope=registry.id, role_definition_name='acrpush', principal_id=sp.id, ) registry_info = docker.ImageRegistry( server=registry.login_server, username=sp.application_id, password=sp_auth.id.apply(lambda _: sp_password.value), )
def __init__(self, name: str, args: ClusterArgs, opts: ResourceOptions = None): # Leave this line. You can modify 'customer:resoure:Cluster' if you want super().__init__('custom:resource:Cluster', name, {}, opts) # Create the resources. # Be sure to set a ResourceOption(parent=self) and prefix anything you want to return as an output with "self." # Example: # resource_group = resources.ResourceGroup('rg', opts=ResourceOptions(parent=self)) # self.rg_name = resource_group.name ### AKS Cluster Related Resources generated_key_pair = PrivateKey(f'{name}-ssh-key', algorithm='RSA', rsa_bits=4096, opts=ResourceOptions(parent=self)) ssh_public_key = generated_key_pair.public_key_openssh ad_app = azuread.Application('app', display_name='app', opts=ResourceOptions(parent=self)) ad_sp = azuread.ServicePrincipal('service-principal', application_id=ad_app.application_id, opts=ResourceOptions(parent=self)) ad_sp_password = azuread.ServicePrincipalPassword( 'sp-pwd', service_principal_id=ad_sp.id, value=args.password, end_date='2099-01-01T00:00:00Z', opts=ResourceOptions(parent=self)) k8s_cluster = containerservice.ManagedCluster( f'{name}-k8s', resource_group_name=args.resource_group_name, addon_profiles={ 'KubeDashboard': { 'enabled': True, }, }, agent_pool_profiles=[{ 'count': args.node_count, 'max_pods': 20, 'mode': 'System', 'name': 'agentpool', 'node_labels': {}, 'os_disk_size_gb': 30, 'os_type': 'Linux', 'type': 'VirtualMachineScaleSets', 'vm_size': args.node_size, }], dns_prefix=args.resource_group_name, enable_rbac=True, kubernetes_version=args.k8s_version, linux_profile={ 'admin_username': args.admin_username, 'ssh': { 'publicKeys': [{ 'keyData': ssh_public_key, }], }, }, node_resource_group='node-resource-group', service_principal_profile={ 'client_id': ad_app.application_id, 'secret': ad_sp_password.value, }, opts=ResourceOptions(parent=self)) # Obtaining the kubeconfig from an Azure K8s cluster requires using the "list_managed_clsuter_user_credentials" # function. # That function requires passing values that are not be known until the resources are created. # Thus, the use of "apply()" to wait for those values before calling the function. creds = pulumi.Output.all( args.resource_group_name, k8s_cluster.name).apply( lambda args: containerservice. list_managed_cluster_user_credentials( resource_group_name=args[0], resource_name=args[1])) # The "list_managed_cluster_user_credentials" function returns an array of base64 encoded kubeconfigs. # So decode the kubeconfig for our cluster but mark it as a secret so Pulumi treats it accordingly. self.kubeconfig = pulumi.Output.secret( creds.kubeconfigs[0].value.apply( lambda enc: base64.b64decode(enc).decode())) ### End of Cluster Related Resources # End with this. It is used for display purposes. self.register_outputs({})