create 80 backup

HoussemDellai · Oct 20, 2024 · 5fa21cb · 5fa21cb
1 parent 0172171
commit 5fa21cb
Show file tree

Hide file tree

Showing 35 changed files with 715 additions and 77 deletions.
diff --git a/20_app_gateway_ingress/aspnetapp.yaml b/20_app_gateway_ingress/aspnetapp.yaml
@@ -1,50 +1,53 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: webapp
+  name: aspnetapp
+  labels:
+    app: aspnetapp
 spec:
+  replicas: 3
   selector:
     matchLabels:
-      app: webapp
-  replicas: 3
+      app: aspnetapp
   template:
     metadata:
       labels:
-        app: webapp
+        app: aspnetapp
     spec:
       containers:
-        - image: mcr.microsoft.com/dotnet/samples:aspnetapp
-          name: aspnetapp
-          ports:
-          - containerPort: 80
+      - name: aspnetapp
+        image: mcr.microsoft.com/dotnet/samples:aspnetapp
+        ports:
+        - containerPort: 8080
+          protocol: TCP
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: webapp-svc
+  name: aspnetapp
 spec:
-  ports:
-    - port: 80
-      protocol: TCP
-      targetPort: 80
   selector:
-    app: webapp
-  type: ClusterIP
+    app: aspnetapp
+  ports:
+  - protocol: TCP
+    port: 80
+    targetPort: 8080
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: webapp-ingress
+  name: aspnetapp
+  # annotations:
+    # kubernetes.io/ingress.class: azure/application-gateway
 spec:
   ingressClassName: azure-application-gateway
   rules:
-    # - host: webapp.houssem.cloud
-    - http:
-        paths:
-          - path: /
-            pathType: Exact
-            backend:
-              service:
-                name: webapp-svc
-                port:
-                  number: 80
+  - http:
+      paths:
+      - path: /
+        backend:
+          service:
+            name: aspnetapp
+            port:
+              number: 80
+        pathType: Exact
diff --git a/420_pod_topology_spread_constraints/Readme.md b/420_pod_topology_spread_constraints/Readme.md
@@ -0,0 +1,3 @@
+# Pod Topology Spread Constraints
+
+https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
diff --git a/510_ai_ollama_k8s/webui-deployment.yaml b/510_ai_ollama_k8s/webui-deployment.yaml
@@ -38,4 +38,4 @@ spec:
       volumes:
       - name: webui-volume
         persistentVolumeClaim:
-          claimName: open-webui-pvc          
+          claimName: open-webui-pvc
diff --git a/80_aks_backup/cmmands.ps1 b/80_aks_backup/cmmands.ps1
@@ -16,14 +16,14 @@ $AKS_RG_02="rg-aks-2"
 $VAULT_NAME="backup-vault"
 $VAULT_RG="rg-backup-vault"
 
-$SA_NAME="storage4aks1backup13"
+$SA_NAME="storage4aks1backup17"
 $SA_RG="rg-backup-storage"
 $BLOB_CONTAINER_NAME="aks-backup"
 $SUBSCRIPTION_ID=$(az account list --query [?isDefault].id -o tsv)
 
 # 2. Create Backup Vault resource group and Backup Vault
 
-az group create --name $VAULT_RG --location westeurope
+az group create --name $VAULT_RG --location swedencentral
 
 az dataprotection backup-vault create `
    --vault-name $VAULT_NAME `
@@ -32,7 +32,7 @@ az dataprotection backup-vault create `
 
 # 3. Create storage acount and Blob container for storing Backup data
 
-az group create --name $SA_RG --location westeurope
+az group create --name $SA_RG --location swedencentral
 
 az storage account create `
    --name $SA_NAME `
@@ -48,11 +48,11 @@ az storage container create `
 
 # 4. Create first AKS cluster with CSI Disk Driver and Snapshot Controller
 
-az aks get-versions -l westeurope -o table
+az aks get-versions -l swedencentral -o table
 
-az group create --name $AKS_RG_01 --location westeurope
+az group create --name $AKS_RG_01 --location swedencentral
 
-az aks create -g $AKS_RG_01 -n $AKS_NAME_01 -k "1.27.3" --zones 1 2 3 --node-vm-size "Standard_B2als_v2"
+az aks create -g $AKS_RG_01 -n $AKS_NAME_01 -k "1.30.5" --zones 1 2 3 --node-vm-size "Standard_B2als_v2"
 
 # Verify that CSI Disk Driver and Snapshot Controller are installed
 
@@ -63,9 +63,9 @@ az aks show -g $AKS_RG_01 -n $AKS_NAME_01 --query storageProfile
 
 # 5. Create second AKS cluster with CSI Disk Driver and Snapshot Controller
 
-az group create --name $AKS_RG_02 --location westeurope
+az group create --name $AKS_RG_02 --location swedencentral
 
-az aks create -g $AKS_RG_02 -n $AKS_NAME_02 -k "1.27.3" --zones 1 2 3 --node-vm-size "Standard_B2als_v2"
+az aks create -g $AKS_RG_02 -n $AKS_NAME_02 -k "1.30.5" --zones 1 2 3 --node-vm-size "Standard_B2als_v2"
 
 # Verify that CSI Disk Driver and Snapshot Controller are installed
 

diff --git a/80_aks_backup_tf/Readme.md b/80_aks_backup_tf/Readme.md
@@ -1,12 +1,7 @@
-# Private Azure Grafana, Prometheus and Log Analytics with AKS
+# AKS Backup with Terraform and Velero
 
 ## Introduction
 
-With AKS, you can use `Azure Monitor Workspace for Prometheus` and `Azure Managed Grafana` to collect, query and visualize the metrics from AKS.
-And to collect logs, you can use `Azure Log Analytics`.
-
-This lab will provide an implementation for monitoring and logging.
-
 ## Architecture
 
 ![](images/architecture.png)
@@ -37,4 +32,4 @@ terraform destroy
 
 ## More readings
 
-https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/azure-monitor-workspace-manage?tabs=azure-portal
+https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_protection_backup_instance_kubernetes_cluster
diff --git a/80_aks_backup_tf/aks-2.tf b/80_aks_backup_tf/aks-2.tf
@@ -0,0 +1,70 @@
+resource "azurerm_kubernetes_cluster" "aks-2" {
+  name                = "aks-cluster"
+  location            = azurerm_resource_group.rg-2.location
+  resource_group_name = azurerm_resource_group.rg-2.name
+  dns_prefix          = "aks"
+  kubernetes_version  = "1.30.5"
+
+  network_profile {
+    network_plugin      = "azure"
+    network_plugin_mode = "overlay"
+  }
+
+  default_node_pool {
+    name                        = "systempool"
+    temporary_name_for_rotation = "syspool"
+    node_count                  = 3
+    vm_size                     = "standard_b2als_v2"
+    zones                       = [1, 2, 3]
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  lifecycle {
+    ignore_changes = [
+      default_node_pool.0.upgrade_settings
+    ]
+  }
+}
+
+resource "azurerm_role_assignment" "cluster_2_msi_contributor_on_snap_rg" {
+  scope                = azurerm_resource_group.rg-backup.id
+  role_definition_name = "Contributor"
+  principal_id         = azurerm_kubernetes_cluster.aks-2.identity[0].principal_id
+}
+
+resource "azurerm_kubernetes_cluster_extension" "extension-2" {
+  name              = "backup-extension"
+  cluster_id        = azurerm_kubernetes_cluster.aks-2.id
+  extension_type    = "Microsoft.DataProtection.Kubernetes"
+  release_train     = "stable"
+  release_namespace = "dataprotection-microsoft"
+  configuration_settings = {
+    "configuration.backupStorageLocation.bucket"                = azurerm_storage_container.container.name
+    "configuration.backupStorageLocation.config.storageAccount" = azurerm_storage_account.storage.name
+    "configuration.backupStorageLocation.config.resourceGroup"  = azurerm_storage_account.storage.resource_group_name
+    "configuration.backupStorageLocation.config.subscriptionId" = data.azurerm_client_config.current.subscription_id
+    "credentials.tenantId"                                      = data.azurerm_client_config.current.tenant_id
+  }
+}
+
+resource "azurerm_role_assignment" "extension_2_storage_account_contributor" {
+  scope                = azurerm_storage_account.storage.id
+  role_definition_name = "Storage Account Contributor"
+  principal_id         = azurerm_kubernetes_cluster_extension.extension-2.aks_assigned_identity[0].principal_id
+}
+
+resource "azurerm_kubernetes_cluster_trusted_access_role_binding" "aks_cluster_2_trusted_access" {
+  kubernetes_cluster_id = azurerm_kubernetes_cluster.aks-2.id
+  name                  = "trusted-access"
+  roles                 = ["Microsoft.DataProtection/backupVaults/backup-operator"]
+  source_resource_id    = azurerm_data_protection_backup_vault.backup-vault.id
+}
+
+resource "azurerm_role_assignment" "vault_msi_read_on_cluster_2" {
+  scope                = azurerm_kubernetes_cluster.aks-2.id
+  role_definition_name = "Reader"
+  principal_id         = azurerm_data_protection_backup_vault.backup-vault.identity[0].principal_id
+}
diff --git a/80_aks_backup_tf/aks-backup-extenstion.tf b/80_aks_backup_tf/aks-backup-extenstion.tf
@@ -6,14 +6,14 @@ resource "azurerm_kubernetes_cluster_extension" "extension" {
   release_namespace = "dataprotection-microsoft"
   configuration_settings = {
     "configuration.backupStorageLocation.bucket"                = azurerm_storage_container.container.name
-    "configuration.backupStorageLocation.config.resourceGroup"  = azurerm_storage_account.storage.resource_group_name
     "configuration.backupStorageLocation.config.storageAccount" = azurerm_storage_account.storage.name
+    "configuration.backupStorageLocation.config.resourceGroup"  = azurerm_storage_account.storage.resource_group_name
     "configuration.backupStorageLocation.config.subscriptionId" = data.azurerm_client_config.current.subscription_id
     "credentials.tenantId"                                      = data.azurerm_client_config.current.tenant_id
   }
 }
 
-resource "azurerm_role_assignment" "extension_and_storage_account_permission" {
+resource "azurerm_role_assignment" "extension_storage_account_contributor" {
   scope                = azurerm_storage_account.storage.id
   role_definition_name = "Storage Account Contributor"
   principal_id         = azurerm_kubernetes_cluster_extension.extension.aks_assigned_identity[0].principal_id

diff --git a/80_aks_backup_tf/aks.tf b/80_aks_backup_tf/aks.tf
@@ -3,27 +3,34 @@ resource "azurerm_kubernetes_cluster" "aks" {
   location            = azurerm_resource_group.rg.location
   resource_group_name = azurerm_resource_group.rg.name
   dns_prefix          = "aks"
-  kubernetes_version  = "1.29.0"
+  kubernetes_version  = "1.30.5"
 
   network_profile {
     network_plugin      = "azure"
     network_plugin_mode = "overlay"
-    ebpf_data_plane     = "cilium"
   }
 
   default_node_pool {
-    name           = "systempool"
-    node_count     = 3
-    vm_size        = "standard_b2als_v2"
+    name                        = "systempool"
+    temporary_name_for_rotation = "syspool"
+    node_count                  = 3
+    vm_size                     = "standard_b2als_v2"
+    zones                       = [1, 2, 3]
   }
 
   identity {
     type = "SystemAssigned"
   }
+
+  lifecycle {
+    ignore_changes = [
+      default_node_pool.0.upgrade_settings
+    ]
+  }
 }
 
 resource "azurerm_role_assignment" "cluster_msi_contributor_on_snap_rg" {
   scope                = azurerm_resource_group.rg-backup.id
   role_definition_name = "Contributor"
   principal_id         = azurerm_kubernetes_cluster.aks.identity[0].principal_id
-}
+}
diff --git a/80_aks_backup_tf/backup_instance.tf b/80_aks_backup_tf/backup_instance.tf
@@ -1,22 +1,28 @@
-resource "azurerm_data_protection_backup_instance_kubernetes_cluster" "backup-instance" {
-  name                         = "backup-instance"
+resource "azurerm_data_protection_backup_instance_kubernetes_cluster" "backup_instance_aks" {
+  name                         = "backup-instance-aks"
   location                     = azurerm_resource_group.rg.location
   vault_id                     = azurerm_data_protection_backup_vault.backup-vault.id
   kubernetes_cluster_id        = azurerm_kubernetes_cluster.aks.id
   snapshot_resource_group_name = azurerm_resource_group.rg-backup.name
-  backup_policy_id             = azurerm_data_protection_backup_policy_kubernetes_cluster.backup-policy-aks.id
+  backup_policy_id             = azurerm_data_protection_backup_policy_kubernetes_cluster.backup_policy_aks.id
 
   backup_datasource_parameters {
-    excluded_namespaces              = ["test-excluded-namespaces"]
-    excluded_resource_types          = ["exvolumesnapshotcontents.snapshot.storage.k8s.io"]
+    # excluded_namespaces              = ["ns1"]
+    # excluded_resource_types          = ["exvolumesnapshotcontents.snapshot.storage.k8s.io"]
     cluster_scoped_resources_enabled = true
-    included_namespaces              = ["*"] # ["test-included-namespaces"]
-    included_resource_types          = ["*"] # ["involumesnapshotcontents.snapshot.storage.k8s.io"]
-    label_selectors                  = ["*"] # ["kubernetes.io/metadata.name:test"]
-    volume_snapshot_enabled          = true
+    # included_namespaces              = ["*"] # ["test-included-namespaces"]
+    # included_resource_types          = ["*"] # ["involumesnapshotcontents.snapshot.storage.k8s.io"]
+    # label_selectors                  = ["*"] # ["kubernetes.io/metadata.name:test"]
+    volume_snapshot_enabled = true
   }
 
   depends_on = [
-    azurerm_role_assignment.extension_and_storage_account_permission,
+    azurerm_role_assignment.extension_storage_account_contributor,
+    azurerm_role_assignment.vault_msi_read_on_cluster,
+    azurerm_role_assignment.vault_msi_read_on_snap_rg,
+    azurerm_role_assignment.cluster_msi_contributor_on_snap_rg,
+    azurerm_role_assignment.vault_msi_snapshot_contributor_on_snap_rg,
+    azurerm_role_assignment.vault_msi_data_operator_on_snap_rg,
+    azurerm_role_assignment.vault_msi_data_contributor_on_storage,
   ]
-}
+}
diff --git a/80_aks_backup_tf/backup_policy.tf b/80_aks_backup_tf/backup_policy.tf
@@ -1,4 +1,4 @@
-resource "azurerm_data_protection_backup_policy_kubernetes_cluster" "backup-policy-aks" {
+resource "azurerm_data_protection_backup_policy_kubernetes_cluster" "backup_policy_aks" {
   name                = "backup-policy-aks"
   resource_group_name = azurerm_data_protection_backup_vault.backup-vault.resource_group_name
   vault_name          = azurerm_data_protection_backup_vault.backup-vault.name

diff --git a/80_aks_backup_tf/backup_vault.tf b/80_aks_backup_tf/backup_vault.tf
@@ -1,9 +1,12 @@
 resource "azurerm_data_protection_backup_vault" "backup-vault" {
-  name                = "backup-vault"
-  resource_group_name = azurerm_resource_group.rg.name
-  location            = azurerm_resource_group.rg.location
-  datastore_type      = "VaultStore"
-  redundancy          = "LocallyRedundant"
+  name                         = "backup-vault"
+  resource_group_name          = azurerm_resource_group.rg.name
+  location                     = azurerm_resource_group.rg.location
+  datastore_type               = "VaultStore"
+  redundancy                   = "LocallyRedundant" # `GeoRedundant`
+  # cross_region_restore_enabled = "false" # can only be specified when `redundancy` is specified for `GeoRedundant`
+  soft_delete                  = "Off"
+  retention_duration_in_days   = 14
 
   identity {
     type = "SystemAssigned"
@@ -20,4 +23,22 @@ resource "azurerm_role_assignment" "vault_msi_read_on_snap_rg" {
   scope                = azurerm_resource_group.rg-backup.id
   role_definition_name = "Reader"
   principal_id         = azurerm_data_protection_backup_vault.backup-vault.identity[0].principal_id
-}
+}
+
+resource "azurerm_role_assignment" "vault_msi_snapshot_contributor_on_snap_rg" {
+  scope                = azurerm_resource_group.rg-backup.id
+  role_definition_name = "Disk Snapshot Contributor"
+  principal_id         = azurerm_data_protection_backup_vault.backup-vault.identity[0].principal_id
+}
+
+resource "azurerm_role_assignment" "vault_msi_data_operator_on_snap_rg" {
+  scope                = azurerm_resource_group.rg-backup.id
+  role_definition_name = "Data Operator for Managed Disks"
+  principal_id         = azurerm_data_protection_backup_vault.backup-vault.identity[0].principal_id
+}
+
+resource "azurerm_role_assignment" "vault_msi_data_contributor_on_storage" {
+  scope                = azurerm_storage_account.storage.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = azurerm_data_protection_backup_vault.backup-vault.identity[0].principal_id
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# Pod Topology Spread Constraints

		https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/