docs: add AKS cluster module

Author: lentidas

antora-playbook.yml

@@ -55,6 +55,13 @@ content:
     - "!v1.0.0"
     - "!v1.0.0-alpha.*"
     - "!v{3..4}.{0..1}.{0..2}"
+  - url: https://github.com/camptocamp/devops-stack-module-cluster-aks.git
+    start_path: docs
+    branches: []
+    tags:
+    - "v@({1..9})*({0..9}).+({0..9}).*"
+    # Exclude versions without proper folder structure or with generation errors
+    - "!v1.0.0-alpha.*"
   - url: https://github.com/camptocamp/devops-stack-module-cluster-eks.git
     start_path: docs
     branches: []

docs/modules/ROOT/nav.adoc

@@ -22,27 +22,26 @@
 ** xref:ROOT:contributing/project_board.adoc[Project Board]
 
 .*Cluster Modules*
+* xref:aks:ROOT:README.adoc[Azure AKS]
 * xref:eks:ROOT:README.adoc[Amazon EKS]
 * xref:sks:ROOT:README.adoc[Exoscale SKS]
 * xref:kind:ROOT:README.adoc[KinD]
 
 .*Chart Modules*
-* xref:aad-pod-identity:ROOT:README.adoc[AAD Pod Identity]
 * xref:application:ROOT:README.adoc[Application]
 * xref:applicationset:ROOT:README.adoc[ApplicationSet]
 * xref:argocd:ROOT:README.adoc[Argo CD]
-* xref:azure-workload-identity:ROOT:README.adoc[Azure Workload Identity]
 * xref:oidc-aws-cognito:ROOT:README.adoc[AWS Cognito OIDC]
 * xref:cert-manager:ROOT:README.adoc[cert-manager]
 * xref:dex:ROOT:README.adoc[Dex]
 * xref:ebs-csi-driver:ROOT:README.adoc[EBS CSI Driver]
 * xref:efs-csi-driver:ROOT:README.adoc[EFS CSI Driver]
-* xref:grafana:ROOT:README.adoc[Grafana]
 * xref:keycloak:ROOT:README.adoc[Keycloak]
 * xref:kube-prometheus-stack:ROOT:README.adoc[kube-prometheus-stack]
 * xref:loki:ROOT:README.adoc[Loki]
 * xref:longhorn:ROOT:README.adoc[Longhorn]
 * xref:metallb:ROOT:README.adoc[MetalLB]
+* xref:metrics-server:ROOT:README.adoc[Metrics Server]
 * xref:minio:ROOT:README.adoc[MinIO]
 * xref:rclone:ROOT:README.adoc[Rclone]
 * xref:thanos:ROOT:README.adoc[Thanos]

docs/modules/ROOT/pages/index.adoc

@@ -11,7 +11,7 @@ image::devops-stack-logo_large.png[DevOps Stack]
 
 The DevOps Stack provides a standardized deployment Kubernetes Platform, bringing together automated Provisioning as Code, Continuous Application Deployment, and readily-made configurations for the best Cloud Native tools in the industry.
 
-TIP: The easiest way to get started with the DevOps Stack is to follow the tutorial on the xref:tutorials/deploy_kind.adoc[Deployment on KinD] page. This tutorial you will leave you with a fully operational https://kind.sigs.k8s.io/[KinD] playground on your local machine.
+TIP: The easiest way to get started with the DevOps Stack is to follow the tutorial on the xref:ROOT:tutorials/deploy_kind.adoc[Deployment on KinD] page. This tutorial you will leave you with a fully operational https://kind.sigs.k8s.io/[KinD] playground on your local machine.
 
 == Project Sponsor
 

examples/aks/dns.tf

@@ -1,4 +1,5 @@
-# Use these resources if you are creating the DNS zone using this code.
+# Use these resources if you are creating the DNS zone using this code specifically for this deployment (so we will 
+# deploy the DNS zone on the same resource group).
 
 resource "azurerm_dns_zone" "this" {
   name                = local.base_domain
@@ -11,7 +12,7 @@ resource "azurerm_dns_cname_record" "wildcard" {
 
   zone_name           = resource.azurerm_dns_zone.this.name
   name                = "*.apps"
-  resource_group_name = "default"
+  resource_group_name = resource.azurerm_resource_group.main.name
   ttl                 = 300
   record              = format("%s-%s.%s.cloudapp.azure.com.", module.aks.cluster_name, replace(resource.azurerm_dns_zone.this.name, ".", "-"), resource.azurerm_resource_group.main.location)
 }
@@ -20,7 +21,7 @@ resource "azurerm_dns_cname_record" "wildcard" {
 
 # data "azurerm_dns_zone" "this" {
 #   name                = local.base_domain
-#   resource_group_name = "default"
+#   resource_group_name = local.default_resource_group
 # }
 
 # # This resource should be deactivated if there are multiple development clusters on the same account.
@@ -29,7 +30,7 @@ resource "azurerm_dns_cname_record" "wildcard" {
 
 #   zone_name           = data.azurerm_dns_zone.this.name
 #   name                = "*.apps"
-#   resource_group_name = "default"
+#   resource_group_name = local.default_resource_group
 #   ttl                 = 300
 #   record              = format("%s-%s.%s.cloudapp.azure.com.", module.aks.cluster_name, replace(data.azurerm_dns_zone.this.name, ".", "-"), resource.azurerm_resource_group.main.location)
 # }

examples/aks/locals.tf

@@ -1,8 +1,9 @@
 locals {
   # Parameters for the resources that are created outside this code, but still on the Azure subscription where the DevOps Stack will be deployed.
-  default_resource_group = "YOUR_DEFAULT_RESOURCE_GROUP" # The default resource group where the Key Vault with the Azure AD application credentials is located.
-  default_key_vault      = "YOUR_KEY_VAULT_NAME"         # The name of the Key Vault with the Azure AD application credentials.
-  oidc_application_name  = "YOUR_APPLICATION_NAME"       # The name of the Azure AD application that will be used for OIDC authentication.
+  default_resource_group         = "YOUR_DEFAULT_RESOURCE_GROUP" # The default resource group where the Key Vault with the Azure AD application credentials is located.
+  default_key_vault              = "YOUR_KEY_VAULT_NAME"         # The name of the Key Vault with the Azure AD application credentials.
+  oidc_application_name          = "YOUR_APPLICATION_NAME"       # The name of the Azure AD application that will be used for OIDC authentication.  cluster_admins_group_object_id = "38a1908d-0ccd-4acc-99d5-7f0228289752"
+  cluster_admins_group_object_id = "YOUR_CLUSTER_ADMINS_GROUP_OBJECT_ID"
 
   # Parameters used for this deployment of the DevOps Stack.
   common_resource_group    = "YOUR_COMMON_RESOURCE_GROUP" # The resource group where the common resources will reside. Must be unique for each DevOps Stack deployment in a single Azure subscription. 

examples/aks/main.tf

@@ -2,8 +2,8 @@ data "azuread_client_config" "current" {}
 
 data "azurerm_client_config" "current" {}
 
-data "azuread_group" "YOUR_GROUP_NAME" {
-  object_id = "YOUR_GROUP_OBJECT_ID"
+data "azuread_group" "cluster_admins" {
+  object_id = local.cluster_admins_group_object_id
 }
 
 resource "azurerm_resource_group" "main" {
@@ -31,19 +31,8 @@ module "aks" {
   kubernetes_version = local.kubernetes_version
   sku_tier           = local.sku_tier
 
-  automatic_channel_upgrade = "patch"
-  maintenance_window = {
-    allowed = [
-      {
-        day   = "Sunday",
-        hours = [22, 23]
-      },
-    ]
-    not_allowed = []
-  }
-
   rbac_aad_admin_group_object_ids = [
-    data.azuread_group.YOUR_GROUP_NAME.object_id
+    data.azuread_group.cluster_admins.object_id
   ]
 
   # Extra node pools
@@ -236,7 +225,7 @@ module "argocd" {
   rbac = {
     policy_csv = <<-EOT
       g, pipeline, role:admin
-      g, ${data.azuread_group.YOUR_GROUP_NAME.object_id}, role:admin
+      g, ${data.azuread_group.cluster_admins.object_id}, role:admin
     EOT
   }
 

examples/aks/requirements/application.tf

@@ -1,11 +1,13 @@
 locals {
+  # You can add here any user that should be owner of the Enterprise Application. The key can be anything an is used for
+  # identification on the for each below, the value must be a valid object ID on your Azure tenant.
   application_owners = {
-    "YOUR_GROUP_NAME" = "YOUR_GROUP_OBJECT_ID",
+    "${trimspace(data.azuread_group.admins.display_name)}" = data.azuread_group.admins.object_id,
   }
 }
 
 resource "azuread_application_registration" "default" {
-  display_name = "YOUR_APPLICATION_NAME"
+  display_name = local.oidc_application_name
 
   group_membership_claims = ["SecurityGroup"]
 }

examples/aks/requirements/dns.tf

@@ -1,4 +1,4 @@
 resource "azurerm_dns_zone" "this" {
-  name                = "your.domain.here"
+  name                = local.base_domain
   resource_group_name = resource.azurerm_resource_group.default.name
 }

examples/aks/requirements/locals.tf

@@ -0,0 +1,8 @@
+locals {
+  location               = "YOUR_LOCATION"
+  base_domain            = "your.domain.here"
+  default_key_vault      = "YOUR_KEY_VAULT_NAME"         # The name of the Key Vault with the Azure AD application credentials.
+  default_resource_group = "YOUR_DEFAULT_RESOURCE_GROUP" # The default resource group where the Key Vault with the Azure AD application credentials will reside.
+  oidc_application_name  = "YOUR_APPLICATION_NAME"       # The name of the Azure AD application that will be used for OIDC authentication.
+  admins_group_object_id = "YOUR_CLUSTER_ADMINS_GROUP_OBJECT_ID"
+}

examples/aks/requirements/main.tf

@@ -3,12 +3,12 @@ data "azuread_client_config" "current" {}
 data "azurerm_client_config" "current" {}
 
 resource "azurerm_resource_group" "default" {
-  name     = "default"
-  location = "YOUR_LOCATION"
+  name     = local.default_resource_group
+  location = local.location
 }
 
 resource "azurerm_key_vault" "main" {
-  name                = "YOUR_KEY_VAULT_NAME"
+  name                = local.default_key_vault
   location            = resource.azurerm_resource_group.default.location
   resource_group_name = resource.azurerm_resource_group.default.name
   sku_name            = "standard"
@@ -25,16 +25,16 @@ resource "azurerm_key_vault" "main" {
   ]
 }
 
-data "azuread_group" "YOUR_GROUP_NAME" {
-  object_id = "YOUR_GROUP_OBJECT_ID"
+data "azuread_group" "admins" {
+  object_id = local.admins_group_object_id
 }
 
-resource "azurerm_role_assignment" "YOUR_GROUP_NAME" {
+resource "azurerm_role_assignment" "admins" {
   for_each = toset([
     "Key Vault Reader",       # Permissions required to read Key Vault secrets
     "Key Vault Secrets User", # Permissions required to read contents of Key Vault secrets
   ])
-  principal_id         = data.azuread_group.YOUR_GROUP_NAME.object_id
+  principal_id         = data.azuread_group.admins.object_id
   role_definition_name = each.value
   scope                = "/subscriptions/${data.azurerm_client_config.current.subscription_id}"
 }