Droid Basement

In this article we will setup the Azure CLI to interact with AWS AKS (Azure Kubernetes Service) and Azure ACR (Azure Container Registry)).

–>
UI Console -> Azure Active Directory
App registrations -> New registration -> * Name: container-admin -> Supported account types: Accounts in this organizational directory only -> Register

container-admin -> Certificates & secrets -> New client secret -> Description: azure-cli ; Expires: In 1 year -> Add -> Take note of the <Client secret value>

Search for (top left): Subscriptions -> Click your subscription -> Access control (IAM) -> Add -> Add role assignment -> Role: Azure Kubernetes Service Cluster Admin Role -> Assign access to: Azure AD user, group, or service principal -> Select: (search for) container-admin -> Save

Azure Active Directory -> App registrations -> container-admin -> Overview -> Take note of the <Application (client) ID> and <Directory (tenant) ID>

 $ [[ ! -d ~/.azure ]] && mkdir ~/.azure

(Replace <Application (client) ID>, <Client secret value> and <Directory (tenant) ID> below):

$ cat << "EOF" > ~/.azure/credentials
> [container-admin]
> application_id=<Application (client) ID>
> client_secret=<Client secret value>
> directory_id=<Directory (tenant) ID>
> EOF
$ chmod o-rw,g-w ~/.azure/credentials

Add a function in to your startup to parse the above file for pertinent login information as a servicePrincipal and run az login in a sub-shell when you execute it (ensure you get pertinent output regarding the Subscription):

$ cat << 'EOF' >> ~/.bashrc
>
> function az-login-sp() {
>         (export $(grep -v '^\[' $HOME/.azure/credentials | xargs) && az login --service-principal -u $application_id -p $client_secret --tenant $directory_id)
> }
> EOF
$ . ~/.bashrc
$ az-login-sp

Ensure you get appropriate output (the value will be []):

$ az aks list

Ensure you get appropriate output (the value will be []):

$ az acr list

<–

References:

In this article we will setup the AWS CLI to interact with AWS EKS (Elastic Kubernetes Service) and AWS ECR (Elastic Container Registry)).

–>
UI Console -> Find Services -> IAM (Manage User Access and Encryption Keys)

Users -> Add User -> aws-cli -> Access type* -> Select Programmatic Access -> Next: Permissions -> Set Permissions: Add user to group -> Create group -> Group name: container-admin -> Create group-> Next: Tags -> Key: Name ; Value: Container Admin -> Next: Review -> Create user -> Download .csv or take note of the Access key ID and Secret access key (click Show to uncover) -> Close

Policies -> Create policy -> JSON (tab) -> Copy and paste the below in to the provided box (replace <AWS ACCOUNT ID> in the Resource arn with your Account’s ID (shown under the top right drop-down (of your name) within the My Account page next to the Account Id: under Account Settings)):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetRolePolicy",
                "iam:DeleteServiceLinkedRole",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
                "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/eksctl-*",
                "arn:aws:iam::<AWS ACCOUNT ID>:role/eksctl-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:CreateAutoScalingGroup"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DeleteInternetGateway",
            "Resource": "arn:aws:ec2:*:*:internet-gateway/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:CreateNatGateway",
                "ec2:CreateVpc",
                "ec2:AttachInternetGateway",
                "ec2:DescribeVpcAttribute",
                "ec2:DeleteRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:DescribeInternetGateways",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVpcAttribute",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:ReleaseAddress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:DeleteRoute",
                "ec2:CreateRouteTable",
                "ec2:DetachInternetGateway",
                "ec2:DescribeNatGateways",
                "ec2:DisassociateRouteTable",
                "ec2:AllocateAddress",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteNatGateway",
                "ec2:DeleteVpc",
                "ec2:CreateSubnet",
                "ec2:DescribeSubnets",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:describeAddresses",
                "ec2:DescribeVpcs",
                "ec2:CreateLaunchTemplate",
                "ec2:DescribeLaunchTemplates",
                "ec2:RunInstances",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeKeyPairs",
                "ec2:ImportKeyPair"
            ],
            "Resource": "*"
        }
    ]
} 

Review policy -> Name*: AllowEKS -> Description: Allows access to EKS and related. -> Create policy

Create policy -> JSON (tab) -> Copy and paste the below in to the provided box:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:CreateRepository",
                "ecr:DeleteRepository",
                "ecr:BatchDeleteImage",
                "ecr:SetRepositoryPolicy",
                "ecr:DeleteRepositoryPolicy"
            ]
        }
    ]
}

Review policy -> Name*: AllowECR -> Description: Allows access to ECR. -> Create policy

Groups -> Click on container-admin -> Permissions (tab)
Attach Policy -> Search for AllowEKS in Filter: -> Select -> Attach Policy
Attach Policy -> Search for AllowECR in Filter: -> Select -> Attach Policy

$ mkdir ~/.aws

(Replace <AWS ACCESS KEY>/<AWS SECRET KEY> with the values given after the username creation and <AWS DEFAULT REGION> with your default region that you would like to execute in (i.e. us-east-1, us-west-2, etc.), where applicable):

$ cat << EOF > ~/.aws/credentials
> [default]
> aws_access_key_id=<AWS ACCESS KEY>
> aws_secret_access_key=<AWS SECRET KEY>
> EOF
$ chmod o-rw,g-w ~/.aws/credentials

$ cat << EOF > ~/.aws/config
> [default]
> region=<AWS DEFAULT REGION>
> EOF
$ chmod og-w ~/.aws/config

Ensure you get appropriate output (the value will be [] for “clusters”:):

$ aws eks list-clusters

Ensure you get appropriate output (the value will be [] for “repositories”:):

$ aws ecr describe-repositories

<–

References:

In this article we will setup our development environment to utilize containerization technology in future series/demos.

Technology that we will work with are Kubernetes (AWS EKS (Elastic Kubernetes Service)/Azure AKS (Azure Kubernetes Service) ) and Docker (AWS ECR (Elastic Container Registry)/Azure ACR (Azure Container Registry) ).

Kubernetes (https://kubernetes NULL.io/) allows for management of containers to provide scalability, high availability and fault tolerance among others. Containers (https://www NULL.docker NULL.com/) are isolated packages/images, that contain all that is needed to run an application. They are lightweight, portable and ensures runtime is consistent.

–>
The below was written using Ubuntu 18.04.2-LTS (http://releases NULL.ubuntu NULL.com/18 NULL.04/) Desktop (minimal) and Windows Subsystem (Windows 10 Insider (https://insider NULL.windows NULL.com/en-us/) Preview; 18950.1000 (Fast Ring); 18362.267 (May 2019 Update (https://support NULL.microsoft NULL.com/en-us/help/4505903/windows-10-update-kb4505903))) for Linux (WSL2 and WSL1; Ubuntu). It should be applicable to Debian, Ubuntu Docker (lsb-release package has been left in to accommodate) and will be applicable to any Fast Ring Windows 10 build >= 18917.

Note: Any build lower then 18917, should use Docker Desktop and use the .exe commands in WSL via named pipes.

If you are using Windows 10 Home or any non Windows based 10 build, then please use Vagrant (https://www NULL.vagrantup NULL.com) (non-Windows 10) to spin up a Virtual Machine or Docker Toolbox (https://docs NULL.docker NULL.com/toolbox/) (Windows 10 Home in conjunction with WSL).
<–

–>
Windows 10:
Start -> Control Panel -> Programs and Features -> Turn Windows features on or off -> Select Windows Subsystem for Linux -> ok -> Restart now.

Open a Browser -> WSL Store (https://aka NULL.ms/wslstore) -> Open Microsoft Store -> Ubuntu -> Get -> Launch or Start -> Search for programs and files -> Ubuntu (with the colored circular icon and hit enter) -> Installing, this may take a few minutes… -> Enter new UNIX username: -> Enter new UNIX password: -> Retype new UNIX password: -> Right click the command window (on the toolbar) -> Options -> Quick Edit Mode -> ok
<–

–>
Not for Windows 10 builds < 18917

$ logout

Start -> Search for powershell -> right click -> Run as administrator and select Yes to the Elevated UAC prompt)
PS > Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform

Select Reboot (default) when prompted.

Convert Ubuntu to WSL2:
Start -> Run: powershell

To see what Distros are installed, state and version:

> wsl -l -v 

Set WSL2 on the distribution:

> wsl --set-version Ubuntu 2 

Note: This will take a while.

After it is finished, run the command, 2 lines above (which was used to list) to see that it is now Version 2.

Start -> Search for programs and files -> Ubuntu (with the colored circular icon and hit enter)
<–

Install some prerequisites:
Note: software-properties-common isn’t needed if not installing docker (Windows 10 (WSL) builds < 18917).

$ sudo apt update
$ sudo apt install -y python3-pip apt-transport-https ca-certificates curl gnupg2 lsb-release software-properties-common

–>
Restart services during package upgrades without asking? -> Tab to <Yes> and hit Enter.
<–

Install AWS CLI:

$ pip3 install awscli --upgrade --user && chmod 754 ~/.local/bin/aws

Install EKSCTL (weaveworks):

$ curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/latest_release/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C ~/.local/bin && chmod 754 ~/.local/bin/eksctl

Install KUBECTL:

$ curl -o ~/.local/bin/kubectl --silent -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && chmod 754 ~/.local/bin/kubectl

Install Docker:

–>
Not for Windows 10 (WSL) < 18917.

$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
$ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
$ sudo apt update
$ sudo apt install -y docker-ce

Show the status of docker (it should be enabled and running; if not then perform an ‘enable’ and ‘start’ (without the ‘| grep …’):

–>
Not for Windows 10 (WSL).

$ systemctl status docker | grep -i "loaded\|active"

<–

–>
For Windows 10 (WSL (>=18917)).

Start and show the status of docker:

$ sudo service docker start
$ sudo service docker status

It should come up in to a running state.

Note: This will stay running as a background task when WSL is closed, however when the host is rebooted/user session is logged out of, it will need to be launched again once opening WSL. This section will be updated on how to have this start when the host boots at a later time.
<–

Install Docker Compose:

–>
Not for Windows 10 (WSL) < 18917.

$ pip3 install docker-compose --upgrade --user && chmod 754 ~/.local/bin/docker-compose

Allow your user the right to execute docker without sudo:

$ sudo usermod -aG docker $USER
$ logout

Log back in to a shell.

Create a work folder, inside your home directory:

$ mkdir -p dev/docker

<–

–>
For Windows 10 builds < 18917

Start -> Control Panel -> Programs and Features -> Turn Windows features on or off -> Select Hyper-V and Containers -> ok -> Restart now.

Install Docker Desktop (https://download NULL.docker NULL.com/win/stable/Docker%20for%20Windows%20Installer NULL.exe) -> Leave Defaults -> Log out and back in -> System Tray should show it Launching to a Run state.

Click System Tray -> Settings -> Shared Drives -> Select C -> Apply -> Type in your Windows user’s password to confirm -> close out of settings

Launch the WSL shell.

Create a work folder inside the Windows mount, symbolic link it within your home directory inside WSL and alias the .exe with the bare commands for docker/docker-compose and add for permanence:

$ mkdir -p /mnt/c/dev/docker
$ ln -s /mnt/c/dev dev
$ cat << EOF >> ~/.bashrc
>
> alias docker=docker.exe
> alias docker-compose=docker-compose.exe
> EOF
$ alias docker=docker.exe
$ alias docker-compose=docker-compose.exe

<–

Install Azure CLI:

$ curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc.gpg 1>/dev/null
$ echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
$ sudo apt update
$ sudo apt install -y azure-cli

Add .local/bin located in your HOME Directory in to your PATH for permanence:

$ cat << 'EOF' >> ~/.bashrc
>
> export PATH=$PATH:~/.local/bin
> EOF
$ export PATH=$PATH:~/.local/bin 

Ensure version output is shown:

$ aws --version
$ eksctl version
$ kubectl version 2>/dev/null
$ docker --version
$ docker-compose --version
$ az --version

References:

Source:
home_pershoot (https://github NULL.com/pershoot/home_pershoot)

DEVOPS?!

While not a new concept, it being labelled as such are recent and the methodologies have been adjusted/updated as well.

Perhaps you have a background such as myself, coming from the old-world where one was performing these responsibilities using custom shell scripts, proprietary Content Management/Versioning Systems, raw shared mounts to promote/copy to stages, deploying templated systems on to server farms by hand, etc. These days, there are a lot of tools and systems available to streamline these processes.

Gone are the days of having rigid compartmentalization and what has risen are Developers performing Operations and Operations performing Development. This creates a cohesive unit to get things prim and proper at an accelerated rate, before landing in to Production. Attaining minimalism is a goal to strive for.

In this section I take you through an up-skill and assimilation in to ‘modern’ Development Operations as it pertains to the Cloud platform/framework.