Skip to content
This repository has been archived by the owner on Mar 20, 2023. It is now read-only.

Commit

Permalink
some scripts and doc update
Browse files Browse the repository at this point in the history
  • Loading branch information
@eiximenis
eiximenis committed Aug 30, 2019
1 parent 69bf474 commit 8dc8761
Show file tree
Hide file tree
Showing 10 changed files with 167 additions and 64 deletions.
Empty file added Deploy/Deploy-Custom-Tls-Cert.ps1
View file
Empty file.
6 changes: 3 additions & 3 deletions Deploy/Deploy-Images-Aks.ps1
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
Param(
[parameter(Mandatory=$false)][string]$name = "my-tt",
[parameter(Mandatory=$false)][string]$name = "tailwindtraders",
[parameter(Mandatory=$false)][string]$aksName,
[parameter(Mandatory=$false)][string]$resourceGroup,
[parameter(Mandatory=$false)][string]$acrName,
Expand All @@ -13,7 +13,7 @@ Param(
[parameter(Mandatory=$false)][string]$namespace = "",
[parameter(Mandatory=$false)][string][ValidateSet('prod','staging','none','custom', IgnoreCase=$false)]$tlsEnv = "none",
[parameter(Mandatory=$false)][string]$tlsHost="",
[parameter(Mandatory=$false)][string]$tlsSecretName="",
[parameter(Mandatory=$false)][string]$tlsSecretName="tt-tls-custom",
[parameter(Mandatory=$false)][bool]$autoscale=$false
)

Expand Down Expand Up @@ -76,7 +76,7 @@ function createHelmCommand([string]$command) {
$newcmd = "$newcmd --namespace $namespace"
}

if (-not [string]::IsNullOrEmpty($tlsSecretName)) {
if (-not [string]::IsNullOrEmpty($tlsSecretNameToUse)) {
$newcmd = "$newcmd --set ingress.tls[0].secretName=$tlsSecretNameToUse --set ingress.tls[0].hosts={$aksHost}"
}

Expand Down
32 changes: 30 additions & 2 deletions Deploy/Enable-Ssl.ps1
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,12 @@
Param (
[parameter(Mandatory=$false)][string][ValidateSet('prod','staging','none', IgnoreCase=$false)]$sslSupport = "none",
[parameter(Mandatory=$false)][string][ValidateSet('prod','staging','none','custom', IgnoreCase=$false)]$sslSupport = "none",
[parameter(Mandatory=$false)][string]$name = "my-tt",
[parameter(Mandatory=$false)][string]$aksName,
[parameter(Mandatory=$false)][string]$resourceGroup
[parameter(Mandatory=$false)][string]$resourceGroup,
[parameter(Mandatory=$false)][string]$tlsCertFile="",
[parameter(Mandatory=$false)][string]$tlsKeyFile="",
[parameter(Mandatory=$false)][string]$domain="",
[parameter(Mandatory=$false)][string]$tlsSecretName="tt-tls-custom"
)

function validate {
Expand All @@ -18,6 +22,25 @@ function validate {
$valid=$false
}

if ($sslSupport -eq "custom") {
if ([string]::IsNullOrEmpty($domain)) {
Write-Host "If sslSupport is 'custom' the domain parameter is mandatory." -ForegroundColor Red
$valid=$false
}
if ([String]::IsNullOrEmpty($tlsCertFile)) {
Write-Host "If sslSupport is 'custom' then need to pass the certificate file in tlsCertFile parameter" -ForegroundColor Red
$valid=$false
}
if ([String]::IsNullOrEmpty($tlsKeyFile)) {
Write-Host "If sslSupport is 'custom' then need to pass the certificate key file in tlsKeyFile parameter" -ForegroundColor Red
$valid=$false
}
if ([String]::IsNullOrEmpty($tlsSecretName)) {
Write-Host "If sslSupport is 'custom' then need to pass the Kubernetes secret name in tlsSecretName parameter" -ForegroundColor Red
$valid=$false
}
}

if ($sslSupport -eq "none") {
Write-Host "sslSupport set to none. Nothing will be done. Use staging or prod to setup SSL/TLS" -ForegroundColor Yellow
$valid=$false
Expand Down Expand Up @@ -59,6 +82,11 @@ if ($sslSupport -eq "prod") {
Write-Host "Adding TLS/SSL support using Let's Encrypt PRODUCTION environment" -ForegroundColor Yellow
cmd /c "helm install --name $name-ssl-prod -f tls-support\values-prod.yaml --set domain=$domain tls-support"
}
if ($sslSupport -eq "custom") {
Write-Host "TLS support is custom bound to domain $domain" -ForegroundColor Yellow
Write-Host "Creating secret $tlsSecretName with TLS certificate from file $tlsCertFile and key from $tlsKeyFile"
kubectl create secret tls $tlsSecretName --key $tlsKeyFile --cert $tlsCertFile
}

Pop-Location

44 changes: 44 additions & 0 deletions Documents/Custom-Domains.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
# Using custom domain for Tailwind Traders Backend

If you want to use a custom domain for Tailwind Traders Backend two steps need to be performed:

1. Install a ingress controller
2. Assign the custom domain to the public IP of the ingress controller

## Install a ingress controller

If AKS was created with "http application routing" addin, nothing needs to be done. Http application routing is already a ingress controller, and can be used to serve Tailwind Traders Backend using your custom domain name.

If http application routing is not installed, you need to install a specific ingress controller.

* [Enable Http Application Routing](https://docs.microsoft.com/en-us/azure/aks/http-application-routing)
* [Install NGINX ingress controller](https://kubernetes.github.io/ingress-nginx/deploy/)

Once ingress controller is installed you need to find the public IP created. If Http Application routing is used, the ingress controller runs in the namespace `kube-system`. If NGINX controller is installed, the controller is in the namespace `ingress-nginx`. Other controllers could use other namespaces.

Type `kubectl get svc -n namespace_to_view` and you should see a `LoadBalancer` service with a EXTERNAL-IP (this is the public IP):

![Public IP of the ingress controller](Images/kubectl-public-svc-ip.png)

In the Azure portal (in the `MC_*` resource group), this public IP is also visible:

![Public IP in Azure Portal](Images/ingress-ip-portal.png)

You can verify that the ingress controller is working by making a request to this public IP:

![Curl to public IP](Images/curl-public-ip.png)

## Assign the custom domain to the public IP

We don't have any script for that, so you could use the Azure portal. Go to the public IP, Configuration section and press "Create alias record". Following screen will appear:

![Curl to public IP](Images/create-alias-record.png)

**Note**: You need to have the Azure DNS zone created for the base domain.

Once the alias record is created will be listed in the _Configuration_ section of the IP:

![Alias records list](Images/alias-records.png)

Now, you have your custom domain linked to the public IP of the ingress controller.

Binary file added Documents/Images/alias-records.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added Documents/Images/create-alias-record.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added Documents/Images/curl-public-ip.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added Documents/Images/ingress-ip-portal.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added Documents/Images/kubectl-public-svc-ip.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
149 changes: 90 additions & 59 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -244,66 +244,17 @@ resources:
cpu: "100m"
```
#### Deploying services
#### Enabling SSL/TLS on the cluster (optional BUT highly recommended)
> **Note**: If you want to add SSL/TLS support on the cluster (needed to use https on the web) please read _Enabling SSL/TLS on the cluster_ section **before installing the backend**.
Tailwind Traders can be deployed with TLS (https) support. For this to work a TLS/SSL certificate must be installed on the Kubernetes cluster. Three options are provided:
> **Note**: If the script has problems detecting the AKS host verify that the AKS has http_application_routing enabled.
> [More information](https://docs.microsoft.com/es-es/azure/aks/http-application-routing)
* Use _staging_ certificate from Let's Encrypt. Not valid for production scenarios as _staging_ certificates are not trusted.
* Use _production_ certificate from Let's Encrypt. Valid for production scenarios as _production_ certificates are trusted. Should be used only if you have a custom domain (trying to generate a Let's Encrypt certificate from the url generated by http application routing won't probably work).
* Use a _custom_ certificate provided by you.
To deploy the services from a Bash terminal run the `./deploy-images-aks.sh` script with the following parameters:
If Let's Encrypt is choose, then [cert-manager](https://github.com/jetstack/cert-manager) is used. Cert-manager allows auto-provisioning of TLS certificates using [Let's Encrypt](https://letsencrypt.org/) and [ACME](https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment) protocol. The certificate is requested, created and installed on the server without any manual intervention.
- `-n <name>` Name of the deployment. Defaults to `my-tt`
- `--aks-name <name>` Name of the AKS
- `-g <group>` Name of the resource group
- `--acr-name <name>` Name of the ACR
- `--tag <tag>` Docker images tag to use. Defaults to `latest`
- `--charts <charts>` List of comma-separated values with charts to install. Defaults to `*` (all)
- `-f <values-file>`: Values file to use (defaults to `gvalues.yaml`)

If using Powershell, have to run `./Deploy-Images-Aks.ps1` with following parameters:

- `-name <name>` Name of the deployment. Defaults to `my-tt`
- `-aksName <name>` Name of the AKS
- `-resourceGroup <group>` Name of the resource group
- `-acrName <name>` Name of the ACR
- `-tag <tag>` Docker images tag to use. Defaults to `latest`
- `-charts <charts>` List of comma-separated values with charts to install. Defaults to `*` (all)
- `-valuesFile <values-file>`: Values file to use (defaults to `gvalues.yaml`)
- `-useInfraInAks`: Flag needed to check if infrastructure services will be in AKS or not.
- `-tlsEnv prod|staging` If **SSL/TLS support has been installed**, you have to use this parameter to enable https endpoints. Value must be `staging` or `prod` and must be the same value used when you installed SSL/TLS support. If SSL/TLS is not installed, you can omit this parameter.
- `-autoscale <boolean>`: Flag to activate HPA autoscaling. Defaults to `false`.

This script will install all services using Helm and your custom configuration from the configuration file set by `-valuesFile` parameter.

The parameter `charts` allow for a selective installation of charts. Is a list of comma-separated values that mandates the services to deploy in the AKS. Values are:

- `pr` Products API
- `cp` Coupons API
- `pf` Profiles API
- `pp` Popular products API
- `st` Stock API
- `ic` Image classifier API
- `ct` Shopping cart API
- `lg` Login API
- `rr` Rewards Registration
- `mgw` Mobile Api Gateway
- `wgw` Web Api Gateway

So, using `charts pp,st` will only install the popular products and the stock api.

#### Deploying the images on the storage

To deploy the needed images on the Azure Storage account just run the `/Deploy/Deploy-Pictures-Azure.ps1` script, with following parameters:

- `-resourceGroup <name>`: Resource group where storage is created
- `-storageName <name>`: Name of the storage account

Script will create blob containers and copy the images (located in `/Deploy/tt-images` folder) to the storage account.

#### Enabling SSL/TLS on the cluster

SSL/TLS support is provided by [cert-manager](https://github.com/jetstack/cert-manager) that allows auto-provisioning of TLS certificates using [Let's Encrypt](https://letsencrypt.org/) and [ACME](https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment) protocol.
**Using Let's Encrypt and Cert manager**
To enable SSL/TLS support you must do it **before deploying your images**. The first step is to add cert-manager to the cluster by running `./add-cert-manager.sh` or `./Add-Cert-Manager.ps1`. Both scripts accept no parameters and they use helm to configure cert-manager in the cluster. **This needs to be done only once.**

Expand All @@ -312,7 +263,7 @@ Then you should run `./Enable-Ssl.ps1` with following parameters:
- `-sslSupport`: Use `staging` or `prod` to use the staging or production environments of Let's Encrypt
- `-aksName`: The name of the AKS to use
- `-resourceGroup`: Name of the resource group where AKS is
- `-domain`: Domain to use for the SSL/TLS certificates. Is **optional** and if not used it defaults to the public domain of the AKS. Only need to use this parameter if using custom domains
- `-domain`: Domain to use for the SSL/TLS certificates. Is **optional** and if not used it defaults to the public domain of the AKS. Note that this public domain exists only if Http Application routing is installed on the AKS. Only need to use this parameter if using custom domains.

Output of the script will be something like following:

Expand Down Expand Up @@ -368,11 +319,11 @@ The SSL/TLS secret names are:
- `letsencrypt-prod`: Secret for the prod _issuer_. This is NOT the SSL/TLS certificate
- `tt-letsencrypt-prod`: Secret for the prod SSL/TLS certificate.
At this point **the support for SSL/TLS is installed, and you can install Tailwind Traders Backend on the repo**.
At this point **the support for SSL/TLS is installed, and you can install Tailwind Traders Backend on the cluster**.
> **Note:** You don't need to do this again, unless you want to change the domain of the SSL/TLS certificate. In this case you need to remove the issuer and certificate objects (using `helm delete my-tt-ssl --purge` and then reinstall again)
> **Note** Staging certificates **are not trust**, so browsers will complain about it, exactly in the same way that they complain about a self-signed certificate. The only purpose is to test all the deployment works, but in any production environment you must use the `prod` environment. In **development/test environments** is recommended to install the staging certificates and then trust those certificates in the developers' machines. You can [download the Let's Encrypt staging certificates from their web](https://letsencrypt.org/docs/staging-environment/).
> **Remember** Staging certificates **are not trusted**, so browsers will complain about it, exactly in the same way that they complain about a self-signed certificate. The only purpose is to test all the deployment works, but in any production environment you must use the `prod` environment. In **development/test environments** is recommended to install the staging certificates and then trust those certificates in the developers' machines. You can [download the Let's Encrypt staging certificates from their web](https://letsencrypt.org/docs/staging-environment/).
Another way to validate your certificate deployment is doing a `kubectl describe cert tt-cert-staging` (or `tt-cert-prod`). In the `Events` section you should see that the certificate has been obtained:
Expand All @@ -387,6 +338,86 @@ Events:
Normal CertIssued 9m cert-manager Certificate issued successfully
```
**Use custom Certificate**
If you already have a TLS certificate from your certificate authority you can deploy it on the server. Using Powershell, run the `Enable-Ssl.ps1` script with following parameters:
- `-sslSupport`: Use `custom`
- `-aksName`: The name of the AKS to use
- `-resourceGroup`: Name of the resource group where AKS is
- `-domain`: Domain bounded to your AKS. It has to be compatible with the domains allowed by your TLS certificate
- `-tlsCertFile`: Certificate file
- `-tlsKeyFile`: Certificate key file
- `-tlsSecretName`: Name of the Kubernetes secret that will store the certificate. Defaults to `tt-tls-custom`
* The _certificate file_ file with the certificate public key. Usually is a `.cert` or `.crt` file.
* The _certificate key file_ is the file with the certificate private key, usually a `.key` file.
If you have a `.pfx` file you need to convert it to the separate `.crt` and `.key` files:
```bash
# Extract encrypted key from pfx file
openssl pkcs12 -in certfile.pfx -nocerts -out keyfile-encrypted.key
# Unencrypt key file
openssl rsa -in keyfile-encrypted.key -out keyfile.key
# Extract certificate file from pfx file
openssl pkcs12 -in certfile.pfx -clcerts -nokeys -out certfile.crt
```

#### Deploying services

> **Note**: If you want to add SSL/TLS support on the cluster (needed to use https on the web) please read _Enabling SSL/TLS on the cluster_ section **before installing the backend**.
You can deploy Tailwind Traders using a custom domain or in the domain created by Http Application Routing (if enabled). If you are using a custom domain be sure to:

* Have the ingress [public IP linked to custom domain](./Documents/Custom-Domains.md)
* Use the parameter `tlsHost` with the value of your custom domain (regardless its name you need to use this parameter even if no TLS is enabled).

If `tlsHost` is not passed, the script will assume that Http Application Routing is installed in the AKS. If the script has problems detecting the host name verify that the AKS has http_application_routing enabled.
> [More information](https://docs.microsoft.com/es-es/azure/aks/http-application-routing)
You need to use Powershell and run `./Deploy-Images-Aks.ps1` with following parameters:

- `-name <name>` Name of the deployment. Defaults to `my-tt`
- `-aksName <name>` Name of the AKS
- `-resourceGroup <group>` Name of the resource group
- `-acrName <name>` Name of the ACR
- `-tag <tag>` Docker images tag to use. Defaults to `latest`
- `-charts <charts>` List of comma-separated values with charts to install. Defaults to `*` (all)
- `-valuesFile <values-file>`: Values file to use (defaults to `gvalues.yaml`)
- `-useInfraInAks`: Flag needed to check if infrastructure services will be in AKS or not.
- `-tlsEnv prod|staging|custom` If **SSL/TLS support has been installed**, you have to use this parameter to enable https endpoints. Value must be `staging`, `prod` or `custom` and must be the same value used when you installed SSL/TLS support. If SSL/TLS is not installed, you can omit this parameter.
- `-tlsSecretName`: Name of the Kubernetes secret that stores the TLS certificate. Only used if `tlsEnv` is `custom` (ignored otherwise) and defaults to `tt-tls-custom`.
- `-tlsHost`: Name of the domain bounded to HTTPS endpoints. That is the same value passed to `
- `-autoscale <boolean>`: Flag to activate HPA autoscaling. Defaults to `$false`.

This script will install all services using Helm and your custom configuration from the configuration file set by `-valuesFile` parameter.

The parameter `charts` allow for a selective installation of charts. Is a list of comma-separated values that mandates the services to deploy in the AKS. Values are:

- `pr` Products API
- `cp` Coupons API
- `pf` Profiles API
- `pp` Popular products API
- `st` Stock API
- `ic` Image classifier API
- `ct` Shopping cart API
- `lg` Login API
- `rr` Rewards Registration
- `mgw` Mobile Api Gateway
- `wgw` Web Api Gateway

So, using `charts pp,st` will only install the popular products and the stock api.

#### Deploying the images on the storage

To deploy the needed images on the Azure Storage account just run the `/Deploy/Deploy-Pictures-Azure.ps1` script, with following parameters:

- `-resourceGroup <name>`: Resource group where storage is created
- `-storageName <name>`: Name of the storage account

Script will create blob containers and copy the images (located in `/Deploy/tt-images` folder) to the storage account.

---

## <a name="deploy-win-linux-containers"></a>Using AKS with Windows and Linux containers
Expand Down

0 comments on commit 8dc8761

Please sign in to comment.