redhat-sap · mjiao · Aug 14, 2024 · Aug 7, 2024 · Aug 7, 2024 · Aug 7, 2024
diff --git a/Makefile b/Makefile
@@ -21,8 +21,14 @@ YEAR=$$(date +%Y)
 
 include bicep.makefile
 
+.DEFAULT_GOAL := help
+.PHONY: help
+help: ## Show this help
+	@echo Makefile how to use
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z0-9_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
+
 .PHONY: .venv/bin/activate
-.venv/bin/activate:  # Create python virtual environment
+.venv/bin/activate:  ## Create python virtual environment
 	$(PYTHON) -m venv .venv
 	. .venv/bin/activate && \
 	$(PYTHON) -m pip install -r requirements-dev.txt
@@ -59,3 +65,4 @@ reuse-annotate: .venv/bin/activate  ## Run reuse annotate
 lint-bicep:  ## Run bicep lint
 	az bicep lint --file bicep/aro.bicep
 	az bicep lint --file bicep/empty.bicep
+	az bicep lint --file bicep/domain-records.bicep
diff --git a/bicep.makefile b/bicep.makefile
@@ -1,5 +1,72 @@
 ARO_RESOURCE_GROUP?=aro-sapeic
+ARO_LOCATION?=northeurope
+
+ARO_CLUSTER_NAME?=aro-sapeic
+ARO_DOMAIN?=saponrhel.org
+ARO_VERSION?=4.14.16
 
 .PHONY: aro-remove
-aro-remove:  # Remove ARO
+aro-remove:  ## Remove ARO
 	az deployment group create --resource-group ${ARO_RESOURCE_GROUP} --template-file bicep/empty.bicep --mode Complete
+
+.PHONY: aro-deploy
+aro-deploy: domain-zone-exists network-deploy  ## Deploy ARO
+	@az deployment group create --resource-group ${ARO_RESOURCE_GROUP} \
+		--template-file bicep/aro.bicep \
+		--parameters \
+		clusterName=${ARO_CLUSTER_NAME} \
+		pullSecret=${PULL_SECRET} \
+		domain=${ARO_DOMAIN} \
+		version=${ARO_VERSION} \
+		servicePrincipalClientId=${CLIENT_ID} \
+		servicePrincipalClientSecret=${CLIENT_SECRET}
+
+.PHONY: domain-records
+.ONESHELL:
+domain-records:  ## Create domain records for ARO
+	hack/domain-records.sh \
+		--domain ${ARO_DOMAIN} \
+		--aro-name ${ARO_CLUSTER_NAME} \
+		--aro-resource-group ${ARO_RESOURCE_GROUP}
+
+.PHONY: network-deploy
+network-deploy:  ## Deploy network
+	az deployment group create --resource-group ${ARO_RESOURCE_GROUP} \
+		--template-file bicep/network.bicep
+
+.PNONY: resource-group
+resource-group:  ## Create resource group
+	az group create --name ${ARO_RESOURCE_GROUP} --location ${ARO_LOCATION} --query name -o tsv
+
+.PHONY: service-principal
+.ONESHELL:
+service-principal:  ## Create sevice principal for ARO deployment
+	az ad sp create-for-rbac \
+		--name "aro-service-principal" \
+		--role Contributor \
+		--scopes \
+		"/subscriptions/$$(az account show --query id -o tsv)/resourceGroups/${ARO_RESOURCE_GROUP}"
+
+
+.PHONY: arorp-service-principal
+.ONESHELL:
+arorp-service-principal:  ## Assign required roles to "Azure Red Hat Openshift" RP service principal
+	az role assignment create --assignee $$(az ad sp list --display-name "Azure Red Hat OpenShift RP" --query "[0].id" -o tsv) \
+	--role Contributor \
+	--scope "/subscriptions/$$(az account show --query id -o tsv)/resourceGroups/${ARO_RESOURCE_GROUP}"
+
+aro-credentials:  ## Get ARO credentials
+	@az aro list-credentials --name ${ARO_CLUSTER_NAME} --resource-group ${ARO_RESOURCE_GROUP}
+
+aro-url:  ## Get ARO URL
+	@az aro show --name ${ARO_CLUSTER_NAME} --resource-group ${ARO_RESOURCE_GROUP} --query "apiserverProfile.url" -o tsv
+
+.PHONY: domain-zone-exists
+domain-zone-exists:  ## Fail if DNS domain zone does not exists
+	ARO_DOMAIN=${ARO_DOMAIN} hack/domain-zone-exists.sh
+
+.PHONY: oc-login
+oc-login:  ## Login with oc to existing ARO cluster
+	oc login "$(shell az aro show --name ${ARO_CLUSTER_NAME} --resource-group ${ARO_RESOURCE_GROUP} --query "apiserverProfile.url" -o tsv)" \
+		-u "$(shell az aro list-credentials --name ${ARO_CLUSTER_NAME} --resource-group ${ARO_RESOURCE_GROUP} --query 'kubeadminUsername' -o tsv)" \
+		-p "$(shell az aro list-credentials --name ${ARO_CLUSTER_NAME} --resource-group ${ARO_RESOURCE_GROUP} --query 'kubeadminPassword' -o tsv)"
diff --git a/bicep/aro.bicep b/bicep/aro.bicep
@@ -0,0 +1,91 @@
+// SPDX-FileCopyrightText: 2024 SAP edge team
+// SPDX-FileContributor: Kirill Satarin (@kksat)
+// SPDX-FileContributor: Manjun Jiao (@mjiao)
+//
+// SPDX-License-Identifier: Apache-2.0
+
+param clusterName string
+param domain string
+@secure()
+param pullSecret string = ''
+@allowed([
+  '4.14.16'
+  '4.13.40'
+  '4.12.25'
+])
+param version string
+param servicePrincipalClientId string
+@secure()
+param servicePrincipalClientSecret string
+param aroResourceGroup string = '${resourceGroup().name}-resources'
+
+param vnetName string = '${resourceGroup().name}-vnet'
+param masterSubnetName string = 'master'
+param workerSubnetName string = 'worker'
+param masterVmSize string = 'Standard_D8s_v3'
+param workerVmSize string = 'Standard_D4s_v3'
+param workerDiskSizeGB int = 128
+@minValue(3)
+param workerCount int = 3
+
+param location string = resourceGroup().location
+
+resource aroCluster 'Microsoft.RedHatOpenShift/openShiftClusters@2023-11-22' = {
+  name: clusterName
+  location: location
+  properties: {
+    clusterProfile: {
+      pullSecret: !empty(pullSecret) ? pullSecret : null
+      domain: domain
+      version: version
+      fipsValidatedModules: 'Disabled'
+      resourceGroupId: '/subscriptions/${subscription().subscriptionId}/resourceGroups/${aroResourceGroup}'
+    }
+    networkProfile: {
+      podCidr: '10.128.0.0/14'
+      serviceCidr: '172.30.0.0/16'
+    }
+    servicePrincipalProfile: {
+      clientId: servicePrincipalClientId
+      clientSecret: servicePrincipalClientSecret
+    }
+    masterProfile: {
+      vmSize: masterVmSize
+      subnetId: masterSubnet.id
+      encryptionAtHost: 'Disabled'
+    }
+    workerProfiles: [
+      {
+        name: 'worker'
+        vmSize: workerVmSize
+        diskSizeGB: workerDiskSizeGB
+        subnetId: workerSubnet.id
+        count: workerCount
+        encryptionAtHost: 'Disabled'
+      }
+    ]
+    apiserverProfile: {
+      visibility: 'Public'
+    }
+    ingressProfiles: [
+      {
+        name: 'default'
+        visibility: 'Public'
+      }
+    ]
+  }
+}
+
+resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' existing = {
+  name: vnetName
+}
+
+resource masterSubnet 'Microsoft.Network/virtualNetworks/subnets@2024-01-01' existing = {
+  name: masterSubnetName
+  parent: vnet
+}
+
+resource workerSubnet 'Microsoft.Network/virtualNetworks/subnets@2024-01-01' existing = {
+  name: workerSubnetName
+  parent: vnet
+}
diff --git a/bicep/domain-records.bicep b/bicep/domain-records.bicep
@@ -0,0 +1,34 @@
+// SPDX-FileCopyrightText: 2024 SAP edge team
+// SPDX-FileContributor: Kirill Satarin (@kksat)
+// SPDX-FileContributor: Manjun Jiao (@mjiao)
+//
+// SPDX-License-Identifier: Apache-2.0
+
+@description('The name of the DNS zone where A records will be created, must already exist')
+param domainZoneName string
+
+@description('The name of the DNS A record to be created. The name is relative to the zone, not the FQDN.')
+param recordName string
+
+@description('ipv4 address to be associated with the A record')
+param ipv4Address string
+
+@description('A record time to live (TTL)')
+param TTL int = 3600
+
+resource domainZone 'Microsoft.Network/dnsZones@2018-05-01' existing = {
+  name: domainZoneName
+}
+
+resource record 'Microsoft.Network/dnsZones/A@2018-05-01' = {
+  parent: domainZone
+  name: recordName
+  properties: {
+    TTL: TTL
+    ARecords: [
+      {
+        ipv4Address: ipv4Address
+      }
+    ]
+  }
+}
diff --git a/bicep/network.bicep b/bicep/network.bicep
@@ -0,0 +1,33 @@
+// SPDX-FileCopyrightText: 2024 SAP edge team
+// SPDX-FileContributor: Kirill Satarin (@kksat)
+// SPDX-FileContributor: Manjun Jiao (@mjiao)
+//
+// SPDX-License-Identifier: Apache-2.0
+
+param vnetName string = 'aro-sapeic-vnet'
+param masterSubnetName string = 'master'
+param workerSubnetName string = 'worker'
+
+resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' = {
+  name: vnetName
+  location: resourceGroup().location
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        '10.1.0.0/23'
+      ]
+    }
+  }
+  resource masterSubnet 'subnets@2024-01-01' = {
+    name: masterSubnetName
+    properties: {
+      addressPrefix: '10.1.0.0/27'
+    }
+  }
+  resource workerSubnet 'subnets@2024-01-01' = {
+    name: workerSubnetName
+    properties: {
+      addressPrefix: '10.1.0.128/25'
+    }
+  }
+}
diff --git a/hack/domain-records.sh b/hack/domain-records.sh
@@ -0,0 +1,79 @@
+#! /usr/bin/env bash
+
+# SPDX-FileCopyrightText: 2024 SAP edge team
+# SPDX-FileContributor: Kirill Satarin (@kksat)
+# SPDX-FileContributor: Manjun Jiao (@mjiao)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+DOMAIN=""
+ARO_NAME=""
+ARO_RESOURCE_GROUP=""
+
+print_help() {
+  echo "Usage: $0 --domain DOMAIN --aro-name NAME --aro-resource-group GROUP"
+  echo
+  echo "Options:"
+  echo "  --domain DOMAIN             Specify the domain"
+  echo "  --aro-name NAME             Specify the ARO cluster name"
+  echo "  --aro-resource-group GROUP  Specify the ARO resource group"
+  exit 1
+}
+
+# Process command-line arguments
+while (( "$#" )); do
+  case "$1" in
+    --domain)
+      DOMAIN="$2"
+      shift 2
+      ;;
+    --aro-name)
+      ARO_NAME="$2"
+      shift 2
+      ;;
+    --aro-resource-group)
+      ARO_RESOURCE_GROUP="$2"
+      shift 2
+      ;;
+    *)
+      echo "Error: Invalid argument"
+      print_help
+  esac
+done
+
+if [ -z "$DOMAIN" ] || [ -z "$ARO_NAME" ] || [ -z "$ARO_RESOURCE_GROUP" ]; then
+  echo "Error: Missing argument"
+  print_help
+fi
+
+if ! [ "$(az resource show --name "${ARO_CLUSTER_NAME}" \
+  --resource-group "${ARO_RESOURCE_GROUP}" \
+  --resource-type 'Microsoft.RedHatOpenShift/openShiftClusters' \
+  --query "id" -o tsv)" ]; then
+    echo "ARO does not exists"
+fi
+
+API_IP=$(az aro show --name "${ARO_CLUSTER_NAME}" --resource-group "${ARO_RESOURCE_GROUP}" \
+  --query 'apiserverProfile.ip' -o tsv)
+
+INGRESS_IP=$(az aro show --name "${ARO_CLUSTER_NAME}" --resource-group "${ARO_RESOURCE_GROUP}" \
+  --query 'ingressProfiles[0].ip' -o tsv)
+
+echo Create domain records for existing OpenShift cluster
+
+az deployment group create \
+  --resource-group "$(az network dns zone list --query "[?name=='saponrhel.org'].resourceGroup" -o tsv)" \
+  --template-file bicep/domain-records.bicep \
+  --parameters \
+  domainZoneName="${DOMAIN}" \
+  recordName='api' \
+  ipv4Address="${API_IP}"
+
+az deployment group create \
+  --resource-group "$(az network dns zone list --query "[?name=='saponrhel.org'].resourceGroup" -o tsv)" \
+  --template-file bicep/domain-records.bicep \
+  --parameters \
+  domainZoneName="${DOMAIN}" \
+  recordName='*.apps' \
+  ipv4Address="${INGRESS_IP}"
+
diff --git a/hack/domain-zone-exists.sh b/hack/domain-zone-exists.sh
@@ -0,0 +1,15 @@
+#! /usr/bin/env bash
+
+# SPDX-FileCopyrightText: 2024 SAP edge team
+# SPDX-FileContributor: Kirill Satarin (@kksat)
+# SPDX-FileContributor: Manjun Jiao (@mjiao)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+NAME=$(az network dns zone list --query "[?name=='${ARO_DOMAIN}'].name" -o tsv)
+if [ "${NAME}" == "${ARO_DOMAIN}" ]; then
+  echo "Domain zone ${ARO_DOMAIN} exists"
+else
+  echo "Domain zone ${ARO_DOMAIN} does not exist"
+  exit 1
+fi