Skip to content

Latest commit

 

History

History
230 lines (187 loc) · 9.69 KB

README.md

File metadata and controls

230 lines (187 loc) · 9.69 KB

Nord Juice Shop

Deployment

Prerequisites

Authenticate against Azure

# Log in to Azure CLI with your Bouvet account
# A new tab will open in your browser, asking you to authenticate
az login

# Set the subscription in which you wish to deploy Multi-Juicer
az account set -s <subscription_id | subscription_name>

Using the script manage-multijuicer.sh

Modify the environment variables in .env to your liking

Modify the values in the YAML files as per your needs

Make sure that you've followed the steps in Authenticate against Azure first

NB: Make sure to source the .env file prior to running!

To create a brand new cluster with all services, including an Azure Container Registry, run:

./manage-multijuicer.sh new

To update an existing cluster, or redeploy one that was previously taken down using ./manage-multijuicer.sh down, run:

./manage-multijuicer.sh up

To stop a running cluster, run:

./manage-multijuicer.sh down

To perform a full wipe (deletes all services, incl. the container registry), run:

./manage-multijuicer.sh wipe

Help

./manage-multijuicer.sh -h
Usage: ./manage-multijuicer.sh COMMAND

    Commands:
        new         Deploy a brand new cluster
        down       Stop all running containers
        up            Spin it back up
        wipe        Wipe it, deleting all services including the cluster

Manual (Azure Kubernetes Service)

Make sure that you've installed Azure CLI first

These steps are based on this guide

Make sure that you've authenticated against Azure first. See Authenticate against Azure

  1. Create the Kubernetes cluster

    # Determine the resource group in which the resources should be deployed.
    # If you wish to create a new resource group, run
    az group create --location norway-east --name MultiJuicer
    
    # Create an AKS cluster in the resource group determined above
    az aks create --resource-group MultiJuicer --name juicy-k8s --node-count 2
    
    # Retrieve the credentials for the new cluster
    az aks get-credentials --resource-group MultiJuicer --name juicy-k8s
    
    # Verify that you've authenticated against the new cluster - should display 'juicy-k8s'
    kubectl config current-context
  2. Set up multi-juicer

    # Add the helm repository for multi-juicer
    helm repo add multi-juicer https://juice-shop.github.io/multi-juicer/
    
    # Use helm to deploy the multi-juicer chart, overriding the values (see juicer.yaml)
    helm upgrade --install multi-juicer multi-juicer/multi-juicer --values juicer.yaml
    
    # Kubernetes will now spin up the pods
    # Verify that everything is starting
    kubectl get pods
    # Wait until both pods are ready
    
    # Retrieve the password for the admin UI
    kubectl get secrets juice-balancer-secret -o=jsonpath='{.data.adminPassword}' | base64 --decode
    # To log in to the admin dashboard, visit /balancer and log in as the team 'admin'
  1. Configure Ingress and TLS

    1. Create a Container Registry for the NGINX and cert-manager images

      # Create the Container Registry
      az acr create --name bvtmultijuicer --resource-group MultiJuicer --sku Basic
      
      # Attach the Container Registry to the Kubernetes cluster
      # NB: Requires Owner permissions on the Azure subscription
      az aks update --name juicy-k8s --resource-group MultiJuicer --attach-acr bvtmultijuicer
    2. Import the NGINX and cert-manager images

      REGISTRY_NAME=bvtmultijuicer
      SOURCE_REGISTRY=registry.k8s.io
      CONTROLLER_IMAGE=ingress-nginx/controller
      CONTROLLER_TAG=v1.0.4
      PATCH_IMAGE=ingress-nginx/kube-webhook-certgen
      PATCH_TAG=v1.1.1
      DEFAULTBACKEND_IMAGE=defaultbackend-amd64
      DEFAULTBACKEND_TAG=1.5
      CERT_MANAGER_REGISTRY=quay.io
      CERT_MANAGER_TAG=v1.5.4
      CERT_MANAGER_IMAGE_CONTROLLER=jetstack/cert-manager-controller
      CERT_MANAGER_IMAGE_WEBHOOK=jetstack/cert-manager-webhook
      CERT_MANAGER_IMAGE_CAINJECTOR=jetstack/cert-manager-cainjector
      
      az acr import --name $REGISTRY_NAME --source $SOURCE_REGISTRY/$CONTROLLER_IMAGE:$CONTROLLER_TAG --image $CONTROLLER_IMAGE:$CONTROLLER_TAG
      az acr import --name $REGISTRY_NAME --source $SOURCE_REGISTRY/$PATCH_IMAGE:$PATCH_TAG --image $PATCH_IMAGE:$PATCH_TAG
      az acr import --name $REGISTRY_NAME --source $SOURCE_REGISTRY/$DEFAULTBACKEND_IMAGE:$DEFAULTBACKEND_TAG --image $DEFAULTBACKEND_IMAGE:$DEFAULTBACKEND_TAG
      az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_CONTROLLER:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_CONTROLLER:$CERT_MANAGER_TAG
      az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_WEBHOOK:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_WEBHOOK:$CERT_MANAGER_TAG
      az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_CAINJECTOR:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_CAINJECTOR:$CERT_MANAGER_TAG
    3. Set up an NGINX Ingress controller

      # Add the helm repository for ingress-nginx
      helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
      
      # Set the URL of the ACR we created in step 4.1
      ACR_URL=bvtmultijuicer.azurecr.io
      
      # Use helm to deploy the NGINX ingress controller
      helm install nginx-ingress ingress-nginx/ingress-nginx \
          --version 4.0.13 \
          --namespace default --create-namespace \
          --set controller.replicaCount=2 \
          --set controller.nodeSelector."kubernetes\.io/os"=linux \
          --set controller.image.registry=$ACR_URL \
          --set controller.image.image=$CONTROLLER_IMAGE \
          --set controller.image.tag=$CONTROLLER_TAG \
          --set controller.image.digest="" \
          --set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux \
          --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz \
          --set controller.admissionWebhooks.patch.image.registry=$ACR_URL \
          --set controller.admissionWebhooks.patch.image.image=$PATCH_IMAGE \
          --set controller.admissionWebhooks.patch.image.tag=$PATCH_TAG \
          --set controller.admissionWebhooks.patch.image.digest="" \
          --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux \
          --set defaultBackend.image.registry=$ACR_URL \
          --set defaultBackend.image.image=$DEFAULTBACKEND_IMAGE \
          --set defaultBackend.image.tag=$DEFAULTBACKEND_TAG \
          --set defaultBackend.image.digest=""
    4. Configure a domain name (FQDN)

      # Get the public IP of the NGINX ingress controller
      PUBLIC_IP=$(kubectl --namespace default get services -o=jsonpath='{.status.loadBalancer.ingress[0].ip}' nginx-ingress-ingress-nginx-controller)
      
      # Define a hostname
      DNS_NAME="bvt-juice"
      
      # Get the resource ID of the Public IP resource
      PUBLIC_IP_ID=$(az network public-ip list --query "[?ipAddress!=null]|[?contains(ipAddress, '$PUBLIC_IP')].[id]" --output tsv)
      
      # Add the hostname <DNS_NAME> to the Public IP resource 
      az network public-ip update --ids $PUBLIC_IP_ID --dns-name $DNS_NAME
    5. Set up cert-manager

      # Add a label to the default namespace, to disable resource validation
      kubectl label namespace default cert-manager.io/disable-validation=true
      
      # Add the helm repository for Jetstack
      helm repo add jetstack https://charts.jetstack.io
      
      # Update the local helm chart repository cache
      helm repo update
      
      # Use helm to deploy the cert-manager service
      helm install cert-manager jetstack/cert-manager \
          --namespace default \
          --version $CERT_MANAGER_TAG \
          --set installCRDs=true \
          --set nodeSelector."kubernetes\.io/os"=linux \
          --set image.repository=$ACR_URL/$CERT_MANAGER_IMAGE_CONTROLLER \
          --set image.tag=$CERT_MANAGER_TAG \
          --set webhook.image.repository=$ACR_URL/$CERT_MANAGER_IMAGE_WEBHOOK \
          --set webhook.image.tag=$CERT_MANAGER_TAG \
          --set cainjector.image.repository=$ACR_URL/$CERT_MANAGER_IMAGE_CAINJECTOR \
          --set cainjector.image.tag=$CERT_MANAGER_TAG
    6. Create a cluster issuer

      kubectl apply -f cluster-issuer.yaml
    7. Create an ingress route

      kubectl apply -f ingress.yaml --namespace default
  2. All done! To get the domain name of your instance, execute the following:

    az network public-ip show --ids $PUBLIC_IP_ID --query "[dnsSettings.fqdn]" --output tsv