Add ApplicationSet to deploy AKS Cluster with Helm Chart (#56)

Azure-Samples · May 22, 2024 · bb0af98 · bb0af98
1 parent fbf3a67
commit bb0af98
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -41,6 +41,11 @@ az ad sp create-for-rbac --name "<service-principal-name>" --role Contributor --
 
 - Fork the repo
 - Update the files cluster-claim.yaml in [dev](./gitops/clusters/crossplane/clusters/my-app-cluster/dev/cluster-claim.yaml) and [stage](./gitops/clusters/crossplane/clusters/my-app-cluster/stage/cluster-claim.yaml) folders for adminUser value as the objectId of the user/group to be designated as the admin for the cluster.
+- In order to access the workload cluster with a personal SSH key when using the CAPZ control plane option, create an SSH key with the following command. For more information on creating and using SSH keys, follow [this link](https://learn.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-keys-detailed).
+
+```bash
+ssh-keygen -m PEM -t rsa -b 4096
+```
 
 Run Terraform:
 
@@ -52,9 +57,12 @@ terraform apply -var infrastructure_provider=crossplane \
                 -var gitops_addons_org=git@github.com:Azure-Samples \
                 -var gitops_workload_org=git@github.com:Azure-Samples \
                 -var service_principal_client_id=xxxxxxxx \
-                -var service_principal_client_secret=xxxxxxxxxx
+                -var service_principal_client_secret=xxxxxxxxxx \
+                -var git_public_ssh_key="$(cat ~/.ssh/id_rsa.pub)"
 ```
 
+**Note:** Omit the `git_public_ssh_key` variable if SSH key access is not required.
+
 Get the initial admin password and the IP address of the ArgoCD web interface.
 (Wait a few minutes for the LoadBalancer to be created after the Terraform apply)
 

diff --git a/gitops/clusters/capz/.keep b/gitops/clusters/capz/.keep
diff --git a/gitops/clusters/capz/aks-appset.yaml b/gitops/clusters/capz/aks-appset.yaml
@@ -0,0 +1,48 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: aks-appset
+  namespace: argocd
+spec:
+  generators:
+  - clusters:
+      selector:
+        matchExpressions:
+          - key: akuity.io/argo-cd-cluster-name
+            operator: NotIn
+            values: [in-cluster]
+  template:
+    metadata:
+      name: aks0
+      namespace: argocd
+    spec:
+      destination:
+        namespace: default
+        server: https://kubernetes.default.svc
+      project: default
+      source:
+        repoURL: 'https://mboersma.github.io/cluster-api-charts'
+        chart: azure-managed-cluster
+        targetRevision: v0.2.2
+        helm:
+          valuesObject:
+            subscriptionID: '{{metadata.annotations.subscription_id}}'
+            identity:
+              clientID: '{{metadata.annotations.capz_identity_id}}'
+              tenantID: '{{metadata.annotations.tenant_id}}'
+              type: WorkloadIdentity
+            controlplane:
+              ## SSH public key (must be valid)
+              sshPublicKey: '{{metadata.annotations.git_public_ssh_key}}'
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+          - CreateNamespace=true
+        retry:
+          limit: -1 # number of failed sync attempt retries; unlimited number of attempts if less than 0
+          backoff:
+            duration: 5s # the amount to back off. Default unit is seconds, but could also be a duration (e.g. "2m", "1h")
+            factor: 2 # a factor to multiply the base duration after each failed retry
+            maxDuration: 10m # the maximum amount of time allowed for the backoff strategy
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -44,6 +44,7 @@ locals {
   environment_metadata = {
     infrastructure_provider = var.infrastructure_provider
     capz_identity_id        = "${var.infrastructure_provider == "capz" ? azurerm_user_assigned_identity.capz[0].client_id : ""}"
+    git_public_ssh_key      = var.git_public_ssh_key
   }
 
   addons_metadata = {

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -37,11 +37,17 @@ variable "addons" {
 }
 
 variable "git_private_ssh_key" {
-  description = "SSH key path for git access"
+  description = "Filepath to the private SSH key for git access"
   type        = string
   default     = "./private_ssh_deploy_key"
 }
 
+variable "git_public_ssh_key" {
+  description = "A custom ssh key to control access to the AKS workload cluster(s). This should a string containing the key and not a filepath to the key."
+  type        = string
+  default     = ""
+}
+
 # Addons Git
 variable "gitops_addons_org" {
   description = "Specifies the Git repository org/user contains for addons."