WIP

Author: aamini7

scenarios/AksOpenAiTerraform/run.sh

@@ -1,5 +1,31 @@
+export RG_NAME=""
+
 export OPEN_AI_SUBDOMAIN="magic8ball"
 
+# Publish Image
+export ACR_NAME=(terraform output -raw acr_name)
+export IMAGE="azurecr.io/magic8ball:latest"
+
+# Nginx Ingress Controller
+export nginxNamespace="ingress-basic"
+export nginxRepoName="ingress-nginx"
+export nginxRepoUrl="https://kubernetes.github.io/ingress-nginx"
+export nginxChartName="ingress-nginx"
+export nginxReleaseName="nginx-ingress"
+export nginxReplicaCount=3
+
+# Certificate Manager
+export cmNamespace="cert-manager"
+export cmRepoName="jetstack"
+export cmRepoUrl="https://charts.jetstack.io"
+export cmChartName="cert-manager"
+export cmReleaseName="cert-manager"
+
+# Cluster Issuer
+email="[email protected]"
+clusterIssuerName="letsencrypt-nginx"
+clusterIssuerTemplate="cluster-issuer.yml"
+
 # Variables
 acrName="CyanAcr"
 acrResourceGrougName="CyanRG"

scenarios/AksOpenAiTerraform/script/01-push-app-image.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Login
+az acr login --name $ACR_NAME
+ACR_URL=$(az acr show --name $ACR_NAME --query loginServer --output tsv)
+
+# Build + Push
+docker build -t $ACR_URL/$IMAGE ./app --push

scenarios/AksOpenAiTerraform/script/04-create-nginx-ingress-controller.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Use Helm to deploy an NGINX ingress controller
+result=$(helm list -n $nginxNamespace | grep $nginxReleaseName | awk '{print $1}')
+
+if [[ -n $result ]]; then
+  echo "[$nginxReleaseName] ingress controller already exists in the [$nginxNamespace] namespace"
+else
+  # Check if the ingress-nginx repository is not already added
+  result=$(helm repo list | grep $nginxRepoName | awk '{print $1}')
+
+  if [[ -n $result ]]; then
+    echo "[$nginxRepoName] Helm repo already exists"
+  else
+    # Add the ingress-nginx repository
+    echo "Adding [$nginxRepoName] Helm repo..."
+    helm repo add $nginxRepoName $nginxRepoUrl
+  fi
+
+  # Update your local Helm chart repository cache
+  echo 'Updating Helm repos...'
+  helm repo update
+
+  # Deploy NGINX ingress controller
+  echo "Deploying [$nginxReleaseName] NGINX ingress controller to the [$nginxNamespace] namespace..."
+  helm install $nginxReleaseName $nginxRepoName/$nginxChartName \
+    --create-namespace \
+    --namespace $nginxNamespace \
+    --set controller.nodeSelector."kubernetes\.io/os"=linux \
+    --set controller.replicaCount=$replicaCount \
+    --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux \
+    --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz
+fi
+
+# Get values
+helm get values $nginxReleaseName --namespace $nginxNamespace

scenarios/AksOpenAiTerraform/script/05-install-cert-manager.sh

@@ -0,0 +1,31 @@
+#/bin/bash
+
+# Check if the ingress-nginx repository is not already added
+result=$(helm repo list | grep $cmRepoName | awk '{print $1}')
+
+if [[ -n $result ]]; then
+  echo "[$cmRepoName] Helm repo already exists"
+else
+  # Add the Jetstack Helm repository
+  echo "Adding [$cmRepoName] Helm repo..."
+  helm repo add $cmRepoName $cmRepoUrl
+fi
+
+# Update your local Helm chart repository cache
+echo 'Updating Helm repos...'
+helm repo update
+
+# Install cert-manager Helm chart
+result=$(helm list -n $cmNamespace | grep $cmReleaseName | awk '{print $1}')
+
+if [[ -n $result ]]; then
+  echo "[$cmReleaseName] cert-manager already exists in the $cmNamespace namespace"
+else
+  # Install the cert-manager Helm chart
+  echo "Deploying [$cmReleaseName] cert-manager to the $cmNamespace namespace..."
+  helm install $cmReleaseName $cmRepoName/$cmChartName \
+    --create-namespace \
+    --namespace $cmNamespace \
+    --set installCRDs=true \
+    --set nodeSelector."kubernetes\.io/os"=linux
+fi

scenarios/AksOpenAiTerraform/script/06-create-cluster-issuer.sh

@@ -0,0 +1,16 @@
+#/bin/bash
+
+# Check if the cluster issuer already exists
+result=$(kubectl get ClusterIssuer -o json | jq -r '.items[].metadata.name | select(. == "'$clusterIssuerName'")')
+
+if [[ -n $result ]]; then
+  echo "[$clusterIssuerName] cluster issuer already exists"
+  exit
+else
+  # Create the cluster issuer
+  echo "[$clusterIssuerName] cluster issuer does not exist"
+  echo "Creating [$clusterIssuerName] cluster issuer..."
+  cat $clusterIssuerTemplate |
+    yq "(.spec.acme.email)|="\""$email"\" |
+    kubectl apply -f -
+fi

scenarios/AksOpenAiTerraform/script/07-create-workload-managed-identity.sh

@@ -0,0 +1,104 @@
+#!/bin/bash
+
+# Variables
+source ./00-variables.sh
+
+# Check if the user-assigned managed identity already exists
+echo "Checking if [$managedIdentityName] user-assigned managed identity actually exists in the [$aksResourceGroupName] resource group..."
+
+az identity show \
+  --name $managedIdentityName \
+  --resource-group $aksResourceGroupName &>/dev/null
+
+if [[ $? != 0 ]]; then
+  echo "No [$managedIdentityName] user-assigned managed identity actually exists in the [$aksResourceGroupName] resource group"
+  echo "Creating [$managedIdentityName] user-assigned managed identity in the [$aksResourceGroupName] resource group..."
+
+  # Create the user-assigned managed identity
+  az identity create \
+    --name $managedIdentityName \
+    --resource-group $aksResourceGroupName \
+    --location $location \
+    --subscription $subscriptionId 1>/dev/null
+
+  if [[ $? == 0 ]]; then
+    echo "[$managedIdentityName] user-assigned managed identity successfully created in the [$aksResourceGroupName] resource group"
+  else
+    echo "Failed to create [$managedIdentityName] user-assigned managed identity in the [$aksResourceGroupName] resource group"
+    exit
+  fi
+else
+  echo "[$managedIdentityName] user-assigned managed identity already exists in the [$aksResourceGroupName] resource group"
+fi
+
+# Retrieve the clientId of the user-assigned managed identity
+echo "Retrieving clientId for [$managedIdentityName] managed identity..."
+clientId=$(az identity show \
+  --name $managedIdentityName \
+  --resource-group $aksResourceGroupName \
+  --query clientId \
+  --output tsv)
+
+if [[ -n $clientId ]]; then
+  echo "[$clientId] clientId  for the [$managedIdentityName] managed identity successfully retrieved"
+else
+  echo "Failed to retrieve clientId for the [$managedIdentityName] managed identity"
+  exit
+fi
+
+# Retrieve the principalId of the user-assigned managed identity
+echo "Retrieving principalId for [$managedIdentityName] managed identity..."
+principalId=$(az identity show \
+  --name $managedIdentityName \
+  --resource-group $aksResourceGroupName \
+  --query principalId \
+  --output tsv)
+
+if [[ -n $principalId ]]; then
+  echo "[$principalId] principalId  for the [$managedIdentityName] managed identity successfully retrieved"
+else
+  echo "Failed to retrieve principalId for the [$managedIdentityName] managed identity"
+  exit
+fi
+
+# Get the resource id of the Azure OpenAI resource
+openAiId=$(az cognitiveservices account show \
+  --name $openAiName \
+  --resource-group $openAiResourceGroupName \
+  --query id \
+  --output tsv)
+
+if [[ -n $openAiId ]]; then
+  echo "Resource id for the [$openAiName] Azure OpenAI resource successfully retrieved"
+else
+  echo "Failed to the resource id for the [$openAiName] Azure OpenAI resource"
+  exit -1
+fi
+
+# Assign the Cognitive Services User role on the Azure OpenAI resource to the managed identity
+role="Cognitive Services User"
+echo "Checking if the [$managedIdentityName] managed identity has been assigned to [$role] role with [$openAiName] Azure OpenAI resource as a scope..."
+current=$(az role assignment list \
+  --assignee $principalId \
+  --scope $openAiId \
+  --query "[?roleDefinitionName=='$role'].roleDefinitionName" \
+  --output tsv 2>/dev/null)
+
+if [[ $current == $role ]]; then
+  echo "[$managedIdentityName] managed identity is already assigned to the ["$current"] role with [$openAiName] Azure OpenAI resource as a scope"
+else
+  echo "[$managedIdentityName] managed identity is not assigned to the [$role] role with [$openAiName] Azure OpenAI resource as a scope"
+  echo "Assigning the [$role] role to the [$managedIdentityName] managed identity with [$openAiName] Azure OpenAI resource as a scope..."
+
+  az role assignment create \
+    --assignee $principalId \
+    --role "$role" \
+    --scope $openAiId 1>/dev/null
+
+  if [[ $? == 0 ]]; then
+    echo "[$managedIdentityName] managed identity successfully assigned to the [$role] role with [$openAiName] Azure OpenAI resource as a scope"
+  else
+    echo "Failed to assign the [$managedIdentityName] managed identity to the [$role] role with [$openAiName] Azure OpenAI resource as a scope"
+    exit
+  fi
+fi

scenarios/AksOpenAiTerraform/script/08-create-service-account.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+
+# Variables for the user-assigned managed identity
+source ./00-variables.sh
+
+# Check if the namespace already exists
+result=$(kubectl get namespace -o 'jsonpath={.items[?(@.metadata.name=="'$namespace'")].metadata.name'})
+
+if [[ -n $result ]]; then
+  echo "[$namespace] namespace already exists"
+else
+  # Create the namespace for your ingress resources
+  echo "[$namespace] namespace does not exist"
+  echo "Creating [$namespace] namespace..."
+  kubectl create namespace $namespace
+fi
+
+# Check if the service account already exists
+result=$(kubectl get sa -n $namespace -o 'jsonpath={.items[?(@.metadata.name=="'$serviceAccountName'")].metadata.name'})
+
+if [[ -n $result ]]; then
+  echo "[$serviceAccountName] service account already exists"
+else
+  # Retrieve the resource id of the user-assigned managed identity
+  echo "Retrieving clientId for [$managedIdentityName] managed identity..."
+  managedIdentityClientId=$(az identity show \
+    --name $managedIdentityName \
+    --resource-group $aksResourceGroupName \
+    --query clientId \
+    --output tsv)
+
+  if [[ -n $managedIdentityClientId ]]; then
+    echo "[$managedIdentityClientId] clientId  for the [$managedIdentityName] managed identity successfully retrieved"
+  else
+    echo "Failed to retrieve clientId for the [$managedIdentityName] managed identity"
+    exit
+  fi
+
+  # Create the service account
+  echo "[$serviceAccountName] service account does not exist"
+  echo "Creating [$serviceAccountName] service account..."
+  cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    azure.workload.identity/client-id: $managedIdentityClientId
+    azure.workload.identity/tenant-id: $tenantId
+  labels:
+    azure.workload.identity/use: "true"
+  name: $serviceAccountName
+  namespace: $namespace
+EOF
+fi
+
+# Show service account YAML manifest
+echo "Service Account YAML manifest"
+echo "-----------------------------"
+kubectl get sa $serviceAccountName -n $namespace -o yaml
+
+# Check if the federated identity credential already exists
+echo "Checking if [$federatedIdentityName] federated identity credential actually exists in the [$aksResourceGroupName] resource group..."
+
+az identity federated-credential show \
+  --name $federatedIdentityName \
+  --resource-group $aksResourceGroupName \
+  --identity-name $managedIdentityName &>/dev/null
+
+if [[ $? != 0 ]]; then
+  echo "No [$federatedIdentityName] federated identity credential actually exists in the [$aksResourceGroupName] resource group"
+
+  # Get the OIDC Issuer URL
+  aksOidcIssuerUrl="$(az aks show \
+    --only-show-errors \
+    --name $aksClusterName \
+    --resource-group $aksResourceGroupName \
+    --query oidcIssuerProfile.issuerUrl \
+    --output tsv)"
+
+  # Show OIDC Issuer URL
+  if [[ -n $aksOidcIssuerUrl ]]; then
+    echo "The OIDC Issuer URL of the $aksClusterName cluster is $aksOidcIssuerUrl"
+  fi
+
+  echo "Creating [$federatedIdentityName] federated identity credential in the [$aksResourceGroupName] resource group..."
+
+  # Establish the federated identity credential between the managed identity, the service account issuer, and the subject.
+  az identity federated-credential create \
+    --name $federatedIdentityName \
+    --identity-name $managedIdentityName \
+    --resource-group $aksResourceGroupName \
+    --issuer $aksOidcIssuerUrl \
+    --subject system:serviceaccount:$namespace:$serviceAccountName
+
+  if [[ $? == 0 ]]; then
+    echo "[$federatedIdentityName] federated identity credential successfully created in the [$aksResourceGroupName] resource group"
+  else
+    echo "Failed to create [$federatedIdentityName] federated identity credential in the [$aksResourceGroupName] resource group"
+    exit
+  fi
+else
+  echo "[$federatedIdentityName] federated identity credential already exists in the [$aksResourceGroupName] resource group"
+fi

scenarios/AksOpenAiTerraform/script/09-deploy-app.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Variables
+source ./00-variables.sh
+
+# Check if namespace exists in the cluster
+result=$(kubectl get namespace -o jsonpath="{.items[?(@.metadata.name=='$namespace')].metadata.name}")
+
+if [[ -n $result ]]; then
+  echo "$namespace namespace already exists in the cluster"
+else
+  echo "$namespace namespace does not exist in the cluster"
+  echo "creating $namespace namespace in the cluster..."
+  kubectl create namespace $namespace
+fi
+
+# Create config map
+cat $configMapTemplate |
+    yq "(.data.TITLE)|="\""$title"\" |
+    yq "(.data.LABEL)|="\""$label"\" |
+    yq "(.data.TEMPERATURE)|="\""$temperature"\" |
+    yq "(.data.IMAGE_WIDTH)|="\""$imageWidth"\" |
+    yq "(.data.AZURE_OPENAI_TYPE)|="\""$openAiType"\" |
+    yq "(.data.AZURE_OPENAI_BASE)|="\""$openAiBase"\" |
+    yq "(.data.AZURE_OPENAI_MODEL)|="\""$openAiModel"\" |
+    yq "(.data.AZURE_OPENAI_DEPLOYMENT)|="\""$openAiDeployment"\" |
+    kubectl apply -n $namespace -f -
+
+# Create deployment
+cat $deploymentTemplate |
+    yq "(.spec.template.spec.containers[0].image)|="\""$image"\" |
+    yq "(.spec.template.spec.containers[0].imagePullPolicy)|="\""$imagePullPolicy"\" |
+    yq "(.spec.template.spec.serviceAccountName)|="\""$serviceAccountName"\" |
+    kubectl apply -n $namespace -f -
+
+# Create deployment
+kubectl apply -f $serviceTemplate -n $namespace

scenarios/AksOpenAiTerraform/script/10-create-ingress.sh

@@ -0,0 +1,9 @@
+#/bin/bash
+
+# Create the ingress
+echo "[$ingressName] ingress does not exist"
+echo "Creating [$ingressName] ingress..."
+cat $ingressTemplate |
+  yq "(.spec.tls[0].hosts[0])|="\""$host"\" |
+  yq "(.spec.rules[0].host)|="\""$host"\" |
+  kubectl apply -n $namespace -f -