
Commit edd9be7

azure init concourse (#5)
* azure init concourse * changes to docker file --------- Co-authored-by: ani <anirudhsriram1995@gmail.com>
1 parent bd498db commit edd9be7

4 files changed

+114
-2
lines changed


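--- a/Dockerfile
+++ b/Dockerfile
@@ -17,7 +17,11 @@ ARG HELM_PLUGINS_TO_INSTALL="https://github.com/databus23/helm-diff"
 ENV PATH $PATH:/usr/local/gcloud/google-cloud-sdk/bin
 
 #install packages
-RUN apk add --update --upgrade --no-cache jq bash curl git gettext libintl py-pip aws-cli
+RUN apk add --update --upgrade --no-cache jq bash curl git gettext libintl py-pip aws-cli && \
+apk add --no-cache --virtual .build-deps gcc musl-dev python3-dev libffi-dev openssl-dev cargo make && \
+pip install --break-system-packages --upgrade pip && \
+pip install --break-system-packages azure-cli && \
+apk del .build-deps
 
 #install kubectl
 RUN curl -sL -o /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl; \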
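Review bot: The new `pip install --break-system-packages azure-cli` line installs an unpinned azure-cli (and its full transitive tree) straight from PyPI at image build time, so every rebuild can silently pull a different CLI version and dependency set into a tool that handles cloud credentials; the same applies to the unpinned `pip install --upgrade pip`. Pin it the way `KUBERNETES_VERSION` pins kubectl, e.g. `pip install --break-system-packages --no-cache-dir "azure-cli==<pinned version>" && \`, ideally with the version carried in an `ARG` so it can be bumped deliberately; `--no-cache-dir` also keeps the pip download cache out of the final layer. Since the apk packages are installed with `--upgrade` and no versions, reproducibility of the base layer is a pre-existing issue this hunk does not change, but the Python side is new and is the part most worth pinning.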

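--- a/README.md
+++ b/README.md
@@ -93,6 +93,17 @@ resource_types:
 - `aws.user.role_arn` _Optional._ If this is provided, we will use the user credentials to assume into the role
 - `aws.user.external_id` _Optional._ External ID to use when assuming the role (for enhanced security)
 
+## Source options for Azure AKS
+
+- `azure.subscription_id` _Optional._ Azure subscription ID where the AKS cluster is located
+- `azure.resource_group` _Optional._ Resource group containing the AKS cluster
+- `azure.cluster_name` _Optional._ Name of the AKS cluster
+- `azure.service_principal.tenant_id` _Optional._ Azure AD tenant ID for service principal authentication
+- `azure.service_principal.client_id` _Optional._ Service principal client ID (application ID)
+- `azure.service_principal.client_secret` _Optional._ Service principal client secret
+
+**Note:** If `azure.service_principal` is not provided, the resource will attempt to use managed identity authentication (useful when Concourse workers are running in Azure).
+
 ## Behavior
 
 ### `check`: Check the release, not happy with dynamic releases.
@@ -237,6 +248,35 @@ resources:
 external_id: my-external-id # Optional: required if role requires external_id
 ```
 
+Azure AKS using service principal
+```yaml
+resources:
+- name: myapp-helm
+type: helm
+source:
+azure:
+subscription_id: <azure_subscription_id>
+resource_group: <resource_group_name>
+cluster_name: <aks_cluster_name>
+service_principal:
+tenant_id: <azure_ad_tenant_id>
+client_id: <service_principal_client_id>
+client_secret: <service_principal_client_secret>
+```
+
+Azure AKS using managed identity
+```yaml
+resources:
+- name: myapp-helm
+type: helm
+source:
+azure:
+subscription_id: <azure_subscription_id>
+resource_group: <resource_group_name>
+cluster_name: <aks_cluster_name>
+# No service_principal block - will use managed identity of the Concourse worker
+```
+
 Add to job:
 
 ```yaml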

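--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.39.3
+1.39.4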

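--- a/assets/common.sh
+++ b/assets/common.sh
@@ -187,6 +187,70 @@ setup_aws_kubernetes() {
 echo "done setting up kubeconfig for EKS"
 }
 
+setup_azure_kubernetes() {
+# Need to pass in:
+# source.azure.subscription_id
+# source.azure.resource_group
+# source.azure.cluster_name
+# source.azure.service_principal (optional)
+payload=$1
+source=$2
+
+subscription_id=$(jq -r '.source.azure.subscription_id // ""' < $payload)
+resource_group=$(jq -r '.source.azure.resource_group // ""' < $payload)
+cluster_name=$(jq -r '.source.azure.cluster_name // ""' < $payload)
+
+if [ -z "$subscription_id" ] || [ -z "$resource_group" ] || [ -z "$cluster_name" ]; then
+echo "invalid payload for Azure AKS, please pass all required params (subscription_id, resource_group, cluster_name)"
+exit 1
+fi
+
+use_service_principal_auth=$(jq -r '.source.azure|has("service_principal")' < $payload)
+
+if [ "${use_service_principal_auth}" = true ]; then
+echo "proceed with service principal to set up kubeconfig."
+
+tenant_id=$(jq -r '.source.azure.service_principal.tenant_id // ""' < $payload)
+client_id=$(jq -r '.source.azure.service_principal.client_id // ""' < $payload)
+client_secret=$(jq -r '.source.azure.service_principal.client_secret // ""' < $payload)
+
+if [ -z "$tenant_id" ] || [ -z "$client_id" ] || [ -z "$client_secret" ]; then
+echo "invalid service principal auth payload for Azure AKS, please pass all required params (tenant_id, client_id, client_secret)"
+exit 1
+fi
+
+echo "tenant_id=${tenant_id} client_id=${client_id}"
+
+# Login using service principal
+az login --service-principal \
+--username "${client_id}" \
+--password "${client_secret}" \
+--tenant "${tenant_id}" \
+--output none
+
+# Set the subscription
+az account set --subscription "${subscription_id}"
+
+else
+# defaults to use managed identity
+echo "no service principal specified. Fallback to use managed identity of the instance to set up kubeconfig"
+
+# Login using managed identity (for Concourse workers running in Azure)
+az login --identity --output none
+
+# Set the subscription
+az account set --subscription "${subscription_id}"
+fi
+
+# Get AKS credentials and configure kubectl
+az aks get-credentials \
+--resource-group "${resource_group}" \
+--name "${cluster_name}" \
+--overwrite-existing
+
+echo "done setting up kubeconfig for AKS"
+}
+
 setup_gcp_kubernetes() {
 payload=$1
 source=$2
@@ -330,6 +394,7 @@ setup_resource() {
 do_access_token=$(jq -r '.source.digitalocean.access_token // "false"' < $1)
 gcloud_cluster_auth=$(jq -r '.source.gcloud_cluster_auth // "false"' < $1)
 aws_cluster_auth=$(jq -r '.source|has("aws")' < $1)
+azure_cluster_auth=$(jq -r '.source|has("azure")' < $1)
 
 if [ "$do_cluster_id" != "false" ] && [ "$do_access_token" != "false" ]; then
 echo "Initializing digitalocean..."
@@ -340,6 +405,9 @@ setup_resource() {
 elif [ "$aws_cluster_auth" = "true" ]; then
 echo "Initializing kubectl access using AWS credentials"
 setup_aws_kubernetes $1 $2
+elif [ "$azure_cluster_auth" = "true" ]; then
+echo "Initializing kubectl access using Azure credentials"
+setup_azure_kubernetes $1 $2
 else
 echo "Initializing kubectl using certificates"
 setup_kubernetes $1 $2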
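Review bot: In setup_azure_kubernetes neither `az login` (service-principal or `--identity` branch) nor `az account set` has its exit status checked, so a failed login — bad secret, wrong tenant, or a worker without a managed identity — falls through to `az aks get-credentials` and surfaces later and less clearly; the file's `set` options are outside these hunks, so it is not visible whether `set -e` would stop it. Append `|| exit 1` to each `az login …` and `az account set …` invocation (e.g. `--output none || exit 1`), mirroring the explicit `exit 1` the function already uses for missing parameters. Separately, `--password "${client_secret}"` places the secret on the command line where it is readable in the worker's process list and in any `set -x` trace, so keep tracing off around this call and say so in a comment such as `# NOTE: client secret is passed on argv; never enable set -x around this call`. If the target cluster uses Azure AD integration, the kubeconfig that `az aks get-credentials` writes without `--admin` relies on the `kubelogin` exec plugin, which the Dockerfile in this commit does not install — worth confirming against a real cluster. setup_gcp_kubernetes and setup_resource both extend past the hunks shown.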
