diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml
index 7413d13d..b193561e 100644
--- a/.github/workflows/build-and-publish.yml
+++ b/.github/workflows/build-and-publish.yml
@@ -1,39 +1,16 @@
 # This is a basic workflow to help you get started with Actions
-name: Bundle building and pushing
+name: Building and Pushing to GHCR
 # Controls when the action will run. Triggers the workflow on push or pull request
 # events but only for the main branch
 on: [workflow_dispatch]
-env:
- GO_VERSION: '1.16.1'
-
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
- lint:
+ publish:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
- - name: Set up Go
- uses: actions/setup-go@v2
- with:
- go-version: ${{ env.GO_VERSION }}
- - name: Linter
- uses: golangci/golangci-lint-action@v2
- with:
- version: latest
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: Set up Go
- uses: actions/setup-go@v2
- with:
- go-version: ${{ env.GO_VERSION }}
- - name: Download modules
- run: go mod download
- - name: Build project
- run: go build ./cmd/aks-periscope
 - name: Get Changelog Entry
 id: changelog_reader
 uses: mindsers/changelog-reader-action@v2
@@ -43,6 +20,7 @@ jobs:
 - name: Display output
 run: |
 echo "Version: ${{ steps.changelog_reader.outputs.version }}"
+ echo "Changes: ${{ steps.changelog_reader.outputs.changes }}"
 # Lowercase my github ownername.
 - name: Set Environment Variables
 run: |
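Review bot: The added `echo "Changes: ${{ steps.changelog_reader.outputs.changes }}"` expands a multi-line, Markdown-formatted action output directly into the shell script before bash runs it, so backticks, `$(…)` or unbalanced quotes in a changelog entry are executed or break the step instead of being printed. The usual fix is to route the output through the step's environment and let bash expand it: `env:` / `  CHANGES: ${{ steps.changelog_reader.outputs.changes }}` / `run: echo "Changes: $CHANGES"`. The `version` output on the line above has the same shape, though a version string is less likely to carry shell metacharacters. The `publish` job definition continues outside the hunk.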
@@ -59,6 +37,5 @@ jobs:
 # Note the below automatically sets the registry to the local GH registry of the org name.
 # Currently, for pure gitops reconstructing this runtime setting will require looking at the repository owner of the commit
 run: |
- docker build -f ./builder/Dockerfile -t aks/periscope .
- docker tag aks/periscope ghcr.io/${{ env.REPO-OWNER }}/aks/periscope:${{ steps.changelog_reader.outputs.version }}
+ docker build -f ./builder/Dockerfile -t ghcr.io/${{ env.REPO-OWNER }}/aks/periscope:${{ steps.changelog_reader.outputs.version }} .
 docker push ghcr.io/${{ env.REPO-OWNER }}/aks/periscope:${{ steps.changelog_reader.outputs.version }}
diff --git a/.github/workflows/build-publish-mcr.yml b/.github/workflows/build-publish-mcr.yml
index 8287a1ea..3b312f74 100644
--- a/.github/workflows/build-publish-mcr.yml
+++ b/.github/workflows/build-publish-mcr.yml
@@ -1,26 +1,15 @@
-name: Building and pushing mcr
+name: Building and Pushing to MCR
 on: [workflow_dispatch]
 permissions:
 id-token: write
 contents: read
-env:
- GO_VERSION: '1.16.1'
-
 jobs:
- build-and-deploy:
+ publish:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
- - name: Set up Go
- uses: actions/setup-go@v2
- with:
- go-version: ${{ env.GO_VERSION }}
- - name: Download modules
- run: go mod download
- - name: Build project
- run: go build ./cmd/aks-periscope
 - name: Get Changelog Entry
 id: changelog_reader
 uses: mindsers/changelog-reader-action@v2
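Review bot: The only tag pushed by the new `docker build … -t ghcr.io/${{ env.REPO-OWNER }}/aks/periscope:${{ steps.changelog_reader.outputs.version }} .` line is derived from the changelog entry, so re-running this manual workflow for the same entry overwrites the previously published tag in place and consumers pinning by tag cannot tell the two builds apart, which sits uneasily with the "immutable, versioned" contract the README text in this commit describes. Consider additionally tagging the image with the commit, `docker tag ghcr.io/${{ env.REPO-OWNER }}/aks/periscope:${{ steps.changelog_reader.outputs.version }} ghcr.io/${{ env.REPO-OWNER }}/aks/periscope:${{ github.sha }}`, pushing that tag too, and printing the pushed image digest so release notes can reference it. The MCR push in the next hunk (`build-publish-mcr.yml`) has the same single mutable tag. The `run:` step begins before this hunk.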
@@ -39,8 +28,7 @@ jobs:
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 - name: 'Run Azure CLI commands'
 run: |
- docker build -f ./builder/Dockerfile -t public/aks/periscope .
- docker tag public/aks/periscope ${{ secrets.AZURE_REGISTRY_SERVER }}/public/aks/periscope:${{ steps.changelog_reader.outputs.version }}
+ docker build -f ./builder/Dockerfile -t ${{ secrets.AZURE_REGISTRY_SERVER }}/public/aks/periscope:${{ steps.changelog_reader.outputs.version }} .
 az acr login -n ${{ secrets.AZURE_REGISTRY_SERVER }}
 docker push ${{ secrets.AZURE_REGISTRY_SERVER }}/public/aks/periscope:${{ steps.changelog_reader.outputs.version }}
 echo "acr push done"
\ No newline at end of file
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index 9f496664..94419e49 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -55,8 +55,6 @@ jobs:
 run: |
 curl -Lo ./kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION }}/kind-linux-amd64
 chmod +x ./kind
-
- curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
 - name: Start kind
 run: |
 docker run -d --restart=always -p "127.0.0.1:5000:5000" --name "registry" registry:2
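Review bot: The rewritten `docker build … -t ${{ secrets.AZURE_REGISTRY_SERVER }}/public/aks/periscope:… .` line is the third place in this `run:` script where the secret is pasted in as raw text before bash parses the command; the value is masked in logs, but quoting or metacharacters in it would still alter the commands rather than be passed through as a single word. Hoisting it once into the step's environment, `env:` / `  REGISTRY: ${{ secrets.AZURE_REGISTRY_SERVER }}`, and writing `$REGISTRY` in the script keeps the expansion under bash quoting and removes the triplication. The `az acr login` that follows relies on an authenticated Azure CLI session established in a step before this hunk.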
@@ -106,9 +104,22 @@ jobs:
 helm repo update
 helm install happy-panda bitnami/wordpress --namespace default
 - name: Deploy AKS Periscope
+ # Deploy using the Kustomize functionality built in to kubectl
+ # (placing the overlay in a gitignore'd location so this can be run locally
+ # without editing source-controlled files).
 run: |
- (cd ./deployment && kustomize edit set image mcr.microsoft.com/aks/periscope=localhost:5000/periscope:${{ github.run_id }})
- kubectl apply -f <(kustomize build ./deployment)
+ # Create Kustomize overlay folder
+ mkdir -p ./deployment/overlays/temp
+ touch ./deployment/overlays/temp/.env.config
+ touch ./deployment/overlays/temp/.env.secret
+
+ # Build kustomization yaml
+ export IMAGE_NAME=localhost:5000/periscope
+ export IMAGE_TAG=${{ github.run_id }}
+ cat ./deployment/overlays/dynamic-image/kustomization.template.yaml | envsubst > ./deployment/overlays/temp/kustomization.yaml
+
+ # Deploy and wait for readiness
+ kubectl apply -k ./deployment/overlays/temp
 kubectl -n aks-periscope describe ds aks-periscope
 kubectl -n aks-periscope wait po --all --for condition=ready --timeout=240s
 - name: Go tests
diff --git a/.gitignore b/.gitignore
index 6c20503f..02956036 100644
--- a/.gitignore
+++ b/.gitignore
@@ -334,3 +334,13 @@ ASALocalRun/
 # MFractors (Xamarin productivity tool) working folder
 .mfractor/
+
+# CI files
+helm
+kind
+*.tar.gz
+deployment/overlays/temp
+
+# Local deployment configuration files
+**/.env
+**/.env.*
diff --git a/README.md b/README.md
index 4457bb18..eafc7b71 100644
--- a/README.md
+++ b/README.md
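Review bot: `cat ./deployment/overlays/dynamic-image/kustomization.template.yaml | envsubst > …` substitutes every `${…}` reference in the template from the runner's whole environment, not only the two variables exported just above it, so a future placeholder (or a literal `${…}` inside a YAML value) is silently rewritten instead of surfacing as a rendering error. Naming the intended variables and dropping the redundant `cat` makes the contract explicit: `envsubst '${IMAGE_NAME} ${IMAGE_TAG}' < ./deployment/overlays/dynamic-image/kustomization.template.yaml > ./deployment/overlays/temp/kustomization.yaml`. The `dynamic-image/README.md` added in this commit documents the same unrestricted pipeline and could be updated to match. The enclosing job definition extends beyond the hunk.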
@@ -141,18 +141,36 @@ To locally build this project from the root of this repository: CGO_ENABLED=0 GOOS=linux go build -mod=vendor github.com/Azure/aks-periscope/cmd/aks-periscope ``` -**Tip**: In order to test local changes, user can build the local image via `Dockerfile` and then push it to your local hub. This way, a user should be able to reference this test image in the `deployment\aks-periscope.yaml` `containers` property `image` attribute reference to your published test docker image. +**Tip**: To test local changes, there are instructions for running Periscope in a `Kind` cluster in the ['dev' Kustomize overlay notes](./deployment/overlays/dev/README.md). This allows for altering the configuration without touching any source-controlled files. -For example: - -```sh -docker build -f ./builder/Dockerfile -t / . -docker push / -``` +**Tip**: To test changes in a GitHub branch, there are instructions for running images published to a local GHCR registry in the ['dynamic-image' Kustomize overlay notes](./deployment/overlays/dynamic-image/README.md#ghcr). ## Dependent Consuming Tools and Working Contract -`az-cli` and `vscode` both consume the `aks-periscope.yaml` file. If the `aks-periscope.yaml` file is changed, you will introduce breaking changes to `az-cli` and `vscode`. +Dependent tools need access to an immutable, versioned Periscope resource definition. We provide two ways to obtain this: +1. [Deprecated] Build the `external` overlay using instructions [here](./deployment/overlays/external/README.md) and include the output as a static resource in consuming tools. This will require runtime string substitution to configure appropriately for any given deployment, before being deployed using `kubectl -f`. +2. Build a `Kustomize` overlay at runtime, referencing `https://github.com/azure/aks-periscope//deployment/base?ref={RELEASE_TAG}` as the base, and the appropriate MCR image tags for that release, as well as all configuration and secrets. 
This can then be deployed using `kubectl -k`. Example: +```yaml +resources: +- https://github.com/azure/aks-periscope//deployment/base?ref={RELEASE_TAG} +images: +- name: periscope + newName: mcr.microsoft.com/aks/periscope + newTag: "{IMAGE_TAG}" +secretGenerator: +- name: azureblob-secret + behavior: replace + literals: + - AZURE_BLOB_ACCOUNT_NAME={STG_ACCOUNT} + - AZURE_BLOB_SAS_KEY=?{STG_SAS} + - AZURE_BLOB_CONTAINER_NAME={STG_CONTAINER} +configMapGenerator: +- name: diagnostic-config + behavior: merge + literals: + # Only specify those which should be overridden + - DIAGNOSTIC_KUBEOBJECTS_LIST={KUBEOBJECTS_OVERRIDE} +``` ## Debugging Guide @@ -160,10 +178,10 @@ This section intends to add some tips for debugging pod logs using aks-periscope Scenario, where `user A` uses **expired** `sas-token` and converts into `base64` to be used in the deployment file. -In the scenario above, the `kubectl apply -f deployment-file.yaml` will show no error but the output which will look like the one below. +In the scenario above, the `kubectl apply -k ./deployment/overlays/dev` will show no error but the output which will look like the one below. ```sh -❯ kubectl apply -f deployment/aks-periscope.yaml +❯ kubectl apply -k ./deployment/overlays/dev namespace/aks-periscope created serviceaccount/aks-periscope-service-account created clusterrole.rbac.authorization.k8s.io/aks-periscope-role unchanged 
@@ -171,18 +189,16 @@ clusterrolebinding.rbac.authorization.k8s.io/aks-periscope-role-binding unchange clusterrolebinding.rbac.authorization.k8s.io/aks-periscope-role-binding-view unchanged daemonset.apps/aks-periscope created secret/azureblob-secret created -configmap/containerlogs-config created -configmap/kubeobjects-config created -configmap/nodelogs-config created +configmap/diagnostic-config created customresourcedefinition.apiextensions.k8s.io/diagnostics.aks-periscope.azure.github.com unchanged ``` -To debug the `pod` logs in the `aks-periscope` namespace deployed in the cluster: +To debug the `pod` logs in the `aks-periscope-dev` namespace deployed in the cluster: - * To get the pods in `aks-periscope` namespace: - * `kubectl get pods -n aks-periscope` + * To get the pods in `aks-periscope-dev` namespace: + * `kubectl get pods -n aks-periscope-dev` * To check the logs in each of the deployed pods: - * `kubectl logs -n aks-periscope` + * `kubectl logs -n aks-periscope-dev` Feel free to contact aksperiscope@microsoft.com or open an issue with any feedback or questions about AKS Periscope. This is currently a work in progress, but look out for more capabilities to come! diff --git a/deployment/cluster-role-binding.yaml b/deployment/base/cluster-role-binding.yaml similarity index 100% rename from deployment/cluster-role-binding.yaml rename to deployment/base/cluster-role-binding.yaml diff --git a/deployment/cluster-role.yaml b/deployment/base/cluster-role.yaml similarity index 100% rename from deployment/cluster-role.yaml rename to deployment/base/cluster-role.yaml diff --git a/deployment/crd.yaml b/deployment/base/crd.yaml similarity index 100% rename from deployment/crd.yaml rename to deployment/base/crd.yaml diff --git a/deployment/daemon-set.yaml b/deployment/base/daemon-set.yaml similarity index 79% rename from deployment/daemon-set.yaml rename to deployment/base/daemon-set.yaml index c55c431a..9933c6f7 100644 --- a/deployment/daemon-set.yaml 
+++ b/deployment/base/daemon-set.yaml
@@ -16,21 +16,18 @@ spec:
 serviceAccountName: aks-periscope-service-account
 hostPID: true
 nodeSelector:
- beta.kubernetes.io/os: linux
+ kubernetes.io/os: linux
 containers:
 - name: aks-periscope
- image: mcr.microsoft.com/aks/periscope
+ image: periscope
 securityContext:
 privileged: true
 imagePullPolicy: Always
- env: []
 envFrom:
 - configMapRef:
- name: containerlogs-config
- - configMapRef:
- name: kubeobjects-config
- - configMapRef:
- name: nodelogs-config
+ name: diagnostic-config
+ - secretRef:
+ name: azureblob-secret
 volumeMounts:
 - name: varlog
 mountPath: /var/log
@@ -54,4 +51,4 @@ spec:
 path: /run/systemd/resolve
 - name: etcvmlog
 hostPath:
- path: /etc
+ path: /etc
\ No newline at end of file
diff --git a/deployment/base/kustomization.yaml b/deployment/base/kustomization.yaml
new file mode 100644
index 00000000..ac39d34e
--- /dev/null
+++ b/deployment/base/kustomization.yaml
@@ -0,0 +1,29 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: aks-periscope
+
+resources:
+- namespace.yaml
+- cluster-role.yaml
+- cluster-role-binding.yaml
+- crd.yaml
+- daemon-set.yaml
+- service-account.yaml
+
+configMapGenerator:
+- name: diagnostic-config
+ literals:
+ - DIAGNOSTIC_CONTAINERLOGS_LIST=kube-system
+ - DIAGNOSTIC_KUBEOBJECTS_LIST=kube-system/pod kube-system/service kube-system/deployment
+ - DIAGNOSTIC_NODELOGS_LIST="/var/log/azure/cluster-provision.log /var/log/cloud-init.log"
+
+secretGenerator:
+- name: azureblob-secret
+ literals:
+ - AZURE_BLOB_ACCOUNT_NAME=
+ - AZURE_BLOB_SAS_KEY=
+ - AZURE_BLOB_CONTAINER_NAME=
+
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/deployment/namespace.yaml b/deployment/base/namespace.yaml
similarity index 100%
rename from deployment/namespace.yaml
rename to deployment/base/namespace.yaml
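Review bot: `image: periscope` is a bare placeholder that only works because every overlay in this commit rewrites it through kustomize's `images:` field; applied from `deployment/base` alone, the kubelet would try to pull an image literally named `periscope` from the default registry. A comment on that line prevents a confusing `ImagePullBackOff` for the next maintainer: `# Placeholder image name; overlays rewrite it via the kustomization 'images' field.` The new `secretRef: azureblob-secret` entry is likewise a hard dependency for container start (there is no `optional: true`), which the empty generator in `base/kustomization.yaml` satisfies but which deserves the same one-line note. The second hunk also drops the trailing newline after `path: /etc`, which most linters flag.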
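Review bot: `secretGenerator` in the new `base/kustomization.yaml` emits `azureblob-secret` with all three `AZURE_BLOB_*` values empty, so building the base directly produces a valid-looking Secret that the DaemonSet mounts but that cannot authenticate to any storage account, and the failure appears only at runtime inside the pod. That is a defensible design as long as the file says so; a comment above the generator such as `# Placeholder values only; overlays must override this generator with 'behavior: replace' (see overlays/*).` would do. It is also worth recording next to `disableNameSuffixHash: true` that, without the hash suffix, editing these generated values and re-applying will not by itself roll the DaemonSet pods. The file ends without a trailing newline.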
diff --git a/deployment/service-account.yaml b/deployment/base/service-account.yaml similarity index 100% rename from deployment/service-account.yaml rename to deployment/base/service-account.yaml diff --git a/deployment/config-map.yaml b/deployment/config-map.yaml deleted file mode 100644 index 1f82a9b1..00000000 --- a/deployment/config-map.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: containerlogs-config -data: - DIAGNOSTIC_CONTAINERLOGS_LIST: kube-system ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: kubeobjects-config -data: - DIAGNOSTIC_KUBEOBJECTS_LIST: kube-system/pod kube-system/service kube-system/deployment ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: nodelogs-config -data: - DIAGNOSTIC_NODELOGS_LIST: /var/log/azure/cluster-provision.log /var/log/cloud-init.log diff --git a/deployment/examples/kustomization_storage_account.yaml b/deployment/examples/kustomization_storage_account.yaml deleted file mode 100644 index fc836750..00000000 --- a/deployment/examples/kustomization_storage_account.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -# This is an example file to use an Azure Storage Account to export data -# 3 values are required: -# - AZURE_BLOB_SAS_KEY -# - AZURE_BLOB_ACCOUNT_NAME -# - AZURE_BLOB_CONTAINER_NAME: name of the container where the data will be exported -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namespace: aks-periscope - -resources: -- https://github.com/Azure/aks-periscope/deployment// - -secretGenerator: -- name: azureblob-secret - literals: - - AZURE_BLOB_SAS_KEY= - -patches: -- target: - group: apps - kind: DaemonSet - name: aks-periscope - version: v1 - patch: |- - - op: add - path: '/spec/template/spec/containers/0/env' - value: - - name: AZURE_BLOB_ACCOUNT_NAME - value: - - name: AZURE_BLOB_CONTAINER_NAME - value: -- target: - group: apps - kind: DaemonSet - name: aks-periscope - version: v1 - patch: |- - - op: add - path: '/spec/template/spec/containers/0/envFrom/-' - value: - secretRef: - name: azureblob-secret diff --git a/deployment/kustomization.yaml b/deployment/kustomization.yaml deleted file mode 100644 index ae8a1e54..00000000 --- a/deployment/kustomization.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namespace: aks-periscope - -resources: -- namespace.yaml -- cluster-role.yaml -- cluster-role-binding.yaml -- config-map.yaml -- crd.yaml -- daemon-set.yaml -- service-account.yaml - -images: - - name: mcr.microsoft.com/aks/periscope - newTag: v0.6 diff --git a/deployment/overlays/dev/README.md b/deployment/overlays/dev/README.md new file mode 100644 index 00000000..a35ef950 --- /dev/null +++ b/deployment/overlays/dev/README.md 
@@ -0,0 +1,56 @@ +# Dev Overlay + +This can be used for running a locally-built Periscope image in a `Kind` cluster. + +It will deploy to its own namespace, `aks-periscope-dev` to avoid conflicts with any existing Periscope deployment. + +## Building a Local Image + +First, build the image and make sure it's loaded in `Kind`. If it's not, the pod will fail trying to pull the image (because it's local). + +```sh +docker build -f ./builder/Dockerfile -t periscope-local . +# Include a --name argument here if not using the default kind cluster. +kind load docker-image periscope-local +``` + +## Setting up Configuration Data + +To run correctly, Periscope requires some storage account configuration that is different for each user. It also has some optional 'diagnostic' configuration (node log locations, etc.). + +We need to make sure this doesn't get into source control, so it is stored in `gitignore`d `.env` files. + +```sh +# Create a SAS +sub_id=... +stg_account=... +blob_container=... +sas_expiry=`date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ'` +sas=$(az storage account generate-sas \ + --account-name $stg_account \ + --subscription $sub_id \ + --permissions rwdlacup \ + --services b \ + --resource-types sco \ + --expiry $sas_expiry \ + -o tsv) +# Set up configuration data for Kustomize +# (for further customization, the variables in the .env.config file can be configured to override the defaults) +touch ./deployment/overlays/dev/.env.config +cat < ./deployment/overlays/dev/.env.secret +AZURE_BLOB_ACCOUNT_NAME=${stg_account} +AZURE_BLOB_SAS_KEY=?${sas} +AZURE_BLOB_CONTAINER_NAME=${blob_container} +EOF +``` + +## Deploying to Kind + +Once the `.env` files are in place, `Kustomize` has all the information it needs to generate the `yaml` resource specification for Periscope. + +```sh +# Ensure kubectl has the right cluster context +export KUBECONFIG=... +# Deploy +kubectl apply -k ./deployment/overlays/dev +``` 
diff --git a/deployment/overlays/dev/kustomization.yaml b/deployment/overlays/dev/kustomization.yaml
new file mode 100644
index 00000000..e38bdab3
--- /dev/null
+++ b/deployment/overlays/dev/kustomization.yaml
@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: aks-periscope-dev
+
+bases:
+- ../../base
+
+patches:
+- target:
+ group: apps
+ kind: DaemonSet
+ name: aks-periscope
+ version: v1
+ patch: |-
+ - op: replace
+ path: '/spec/template/spec/containers/0/imagePullPolicy'
+ value: Never
+images:
+- name: periscope
+ newName: periscope-local
+ newTag: latest
+
+secretGenerator:
+- name: azureblob-secret
+ behavior: replace
+ envs:
+ - .env.secret
+
+configMapGenerator:
+- name: diagnostic-config
+ behavior: merge
+ envs:
+ - .env.config
diff --git a/deployment/overlays/dynamic-image/README.md b/deployment/overlays/dynamic-image/README.md
new file mode 100644
index 00000000..4cf22a12
--- /dev/null
+++ b/deployment/overlays/dynamic-image/README.md
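Review bot: `bases:` is the field kustomize has deprecated in favour of listing the directory under `resources:` (`resources:` / `- ../../base`); newer kustomize releases still accept it but emit a deprecation warning, and the same field appears in `dynamic-image/kustomization.template.yaml` and `external/kustomization.yaml` in this commit. If the project intends to keep working with the older kustomize embedded in early `kubectl -k` releases, keeping `bases` is reasonable but should be stated in a comment so nobody "fixes" it. Separately, `newTag: latest` combined with the `imagePullPolicy: Never` patch means the image loaded into the cluster must be refreshed after every local rebuild; a one-line comment above `images:` pointing at the `kind load` step in the overlay's README would make that dependency explicit.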
@@ -0,0 +1,85 @@ +# Dynamic Image Overlay Template + +This is a template for an overlay, rather than an overlay itself, because although `Kustomize` supports dynamic configuration for `ConfigMap` and `Secret` resources via `.env` files, it does not allow dynamically specifying image names/tags. + +This allows us to specify image/tag identifiers as well as runtime configuration, generating an overlay in the `overlays/temp` folder. This overlay can then be deployed to any cluster (including `Kind` and AKS). + +## Image Sources + +Some uses for this template are listed below. + +### CI Build + +The [CI Pipeline](../../../.github/workflows/ci-pipeline.yaml) builds an image accessible only to a local `Kind` cluster. The generated overlay deploys Periscope resources that reference this image. + +### GHCR + +It can be useful to test a particular GitHub branch. We can generate an overlay for deploying the image generated from that branch. + +To make both the Docker image available to the cluster, it must be published to a container registry that allows anonymous pull access. To do this: +1. Push the branch you want to deploy to your local fork of the Periscope repository. +2. Run the [Building and Pushing to GHCR](../../../.github/workflows/build-and-publish.yml) workflow in GitHub Actions (making sure to select the correct branch). +3. Take note of the published image tag (e.g. '0.0.8'). +4. [First time only] Under Package Settings in GitHub, set the package visibility to 'public'. + +## Setting up Configuration Data + +Like the `dev` overlay, we need to put storage account configuration into an `.env.secret` file before running `Kustomize`. + +```sh +# Create a SAS +sub_id=... +stg_account=... +blob_container=... 
+sas_expiry=`date -u -d "30 minutes" '+%Y-%m-%dT%H:%MZ'` +sas=$(az storage account generate-sas \ + --account-name $stg_account \ + --subscription $sub_id \ + --permissions rwdlacup \ + --services b \ + --resource-types sco \ + --expiry $sas_expiry \ + -o tsv) + +# Create a clean overlay folder +rm -rf ./deployment/overlays/temp && mkdir ./deployment/overlays/temp + +# Set up storage configuration data for Kustomize +cat < ./deployment/overlays/temp/.env.secret +AZURE_BLOB_ACCOUNT_NAME=${stg_account} +AZURE_BLOB_SAS_KEY=?${sas} +AZURE_BLOB_CONTAINER_NAME=${blob_container} +EOF +``` + +We can also override diagnostic configuration variables: + +```sh +echo "DIAGNOSTIC_KUBEOBJECTS_LIST=kube-system default" > ./deployment/overlays/temp/.env.config +``` + +## Deploying Periscope + +We first need to specify environment variables for image name and tag. For example, for GHCR: + +```sh +REPO_USERNAME=... +export IMAGE_TAG=... +export IMAGE_NAME=ghcr.io/${REPO_USERNAME}/aks/periscope +``` + +We then generate the `kustomization.yaml` and dependencies in `overlays/temp`: + +```sh +touch ./deployment/overlays/temp/.env.config # In case it doesn't exist already +cat ./deployment/overlays/dynamic-image/kustomization.template.yaml | envsubst > ./deployment/overlays/temp/kustomization.yaml +``` + +And finally deploy the resources: + +```sh +# Ensure kubectl has the right cluster context +export KUBECONFIG=... +# Deploy +kubectl apply -k ./deployment/overlays/temp +``` diff --git a/deployment/overlays/dynamic-image/kustomization.template.yaml b/deployment/overlays/dynamic-image/kustomization.template.yaml new file mode 100644 index 00000000..a8106338 --- /dev/null +++ b/deployment/overlays/dynamic-image/kustomization.template.yaml 
@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+- ../../base
+
+images:
+- name: periscope
+ newName: ${IMAGE_NAME}
+ newTag: "${IMAGE_TAG}"
+
+secretGenerator:
+- name: azureblob-secret
+ behavior: replace
+ envs:
+ - .env.secret
+
+configMapGenerator:
+- name: diagnostic-config
+ behavior: merge
+ envs:
+ - .env.config
diff --git a/deployment/overlays/external/README.md b/deployment/overlays/external/README.md
new file mode 100644
index 00000000..90fcd59a
--- /dev/null
+++ b/deployment/overlays/external/README.md
@@ -0,0 +1,19 @@
+# External Overlay (Deprecated)
+
+This overlay produces the Periscope resource specification for the production images in MCR. The output of this can be consumed by external tools, like VS Code and AZ CLI.
+
+**NOTE**: The preferred approach for consuming tools is to use `Kustomize` directly. See [main notes](../../../README.md#dependent-consuming-tools-and-working-contract).
+
+The storage account data is not known at this time. The consuming tools are responsible for substituting all configuration data into the output, so this ensures we produce well-known placeholders for the various settings.
+
+```sh
+# Important: set the desired MCR version tag
+export IMAGE_TAG=...
+export SAS_KEY_PLACEHOLDER="# "
+export ACCOUNT_NAME_PLACEHOLDER="# "
+export CONTAINER_NAME_PLACEHOLDER="# "
+# In the kustomize output, the placeholder will be base-64 encoded.
+# Work out what it will be, so we can replace it with our desired placeholder.
+sas_key_env_var_b64=$(echo -n '${SAS_KEY_PLACEHOLDER}' | base64)
+kubectl kustomize ./deployment/overlays/external | sed -e "s/$sas_key_env_var_b64/$SAS_KEY_PLACEHOLDER/g" | envsubst
+```
\ No newline at end of file
diff --git a/deployment/overlays/external/kustomization.yaml b/deployment/overlays/external/kustomization.yaml
new file mode 100644
index 00000000..5fda0f90
--- /dev/null
+++ b/deployment/overlays/external/kustomization.yaml
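Review bot: The template carries no indication of the variables it expects; `${IMAGE_NAME}` and `${IMAGE_TAG}` are discoverable only from the README or the CI job, and if `IMAGE_NAME` is unset at render time the result is a `newName:` with an empty value rather than an early failure. A header comment states the contract where it is read: `# Template, not a usable overlay: export IMAGE_NAME and IMAGE_TAG, then render with envsubst into overlays/temp (see README.md).` For consistency with `newTag: "${IMAGE_TAG}"`, quoting `newName: "${IMAGE_NAME}"` as well guards against a rendered registry path that starts with a YAML indicator.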
@@ -0,0 +1,42 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: aks-periscope
+
+bases:
+- ../../base
+
+images:
+- name: periscope
+ newName: mcr.microsoft.com/aks/periscope
+ newTag: "${IMAGE_TAG}"
+
+secretGenerator:
+- name: azureblob-secret
+ behavior: replace
+ literals:
+ - AZURE_BLOB_SAS_KEY=${SAS_KEY_PLACEHOLDER}
+
+# Consuming applications perform substitutions for account/container in unencoded text.
+# For compatibility, use a ConfigMap.
+configMapGenerator:
+- name: storage-config
+ literals:
+ - AZURE_BLOB_ACCOUNT_NAME=${ACCOUNT_NAME_PLACEHOLDER}
+ - AZURE_BLOB_CONTAINER_NAME=${CONTAINER_NAME_PLACEHOLDER}
+
+patches:
+- target:
+ group: apps
+ kind: DaemonSet
+ name: aks-periscope
+ version: v1
+ patch: |-
+ - op: add
+ path: '/spec/template/spec/containers/0/envFrom/-'
+ value:
+ configMapRef:
+ name: storage-config
+
+generatorOptions:
+ disableNameSuffixHash: true
\ No newline at end of file
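Review bot: With `behavior: replace` the `azureblob-secret` here keeps only `AZURE_BLOB_SAS_KEY`, while `AZURE_BLOB_ACCOUNT_NAME` and `AZURE_BLOB_CONTAINER_NAME` move to the plain-text `storage-config` ConfigMap appended via the `envFrom/-` patch; since both sources feed the same container through `envFrom`, any later change that puts those keys back into the Secret would be resolved by source ordering (last source wins, per the `envFrom` documentation) rather than by an error. Extending the existing comment to say that the two ConfigMap keys must not be duplicated in the Secret, and that the base's values are intentionally discarded, pins that contract down. The `${SAS_KEY_PLACEHOLDER}` literal is base64-encoded by kustomize and the README's `sed` step depends on that exact text, so a short `# see README.md: this placeholder is swapped back out after base64 encoding` beside it would help. The file also lacks a trailing newline.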