Merge pull request #146 from galiacheng/private-vnet-support

"Bring your own vnet" for Application Gateway on AKS offer

Author: mriccell

.github/workflows/testWlsAksWithDependencyCreation.yml

@@ -21,8 +21,8 @@ on:
     types: [aks-integration-test-with-dependency-creation,integration-test-all]
 
 env:
-    refArmttk: 7dc2c2a7822c2825ea3524ac2af72e561847fece
-    refJavaee: 13fe6ec487024eb61355d661ab5700ae90cb0a8f
+    refArmttk: 500a3a612ef51d4421c114183f97b425c9bfaab8
+    refJavaee: f25ab89a2a8848da39b84e5d6c927f4c4cb47200
     azCliVersion: 2.30.0
     azureCredentials: ${{ secrets.AZURE_CREDENTIALS }}
     location: eastus

.github/workflows/testWlsAksWithoutDependencyCreation.yml

@@ -36,8 +36,8 @@ on:
     types: [aks-integration-test-without-dependency-creation,integration-test-all]
 
 env:
-    refArmttk: 7dc2c2a7822c2825ea3524ac2af72e561847fece
-    refJavaee: 13fe6ec487024eb61355d661ab5700ae90cb0a8f
+    refArmttk: 500a3a612ef51d4421c114183f97b425c9bfaab8
+    refJavaee: f25ab89a2a8848da39b84e5d6c927f4c4cb47200
     azCliVersion: 2.30.0
     azureCredentials: ${{ secrets.AZURE_CREDENTIALS }}
     location: eastus

weblogic-azure-aks/pom.xml

@@ -17,7 +17,7 @@
 
   <groupId>com.oracle.weblogic.azure</groupId>
   <artifactId>wls-on-aks-azure-marketplace</artifactId>
-  <version>1.0.37</version>
+  <version>1.0.38</version>
 
   <parent>
     <groupId>com.microsoft.azure.iaas</groupId>

weblogic-azure-aks/src/main/arm/createUiDefinition.json

@@ -1029,7 +1029,7 @@
                                     "text": "Enabling a HTTPS (Secure) port for the Administration Console requires you to obtain a valid TLS/SSL certificate. The offer will look for the certificate and other configuration items in the Azure Key Vault specified here.",
                                     "link": {
                                         "label": "Learn more",
-                                        "uri": "https://aka.ms/arm-oraclelinux-wls-cluster-app-gateway-key-vault"
+                                        "uri": "https://aka.ms/wls-aks-ssl-key-vault"
                                     }
                                 }
                             },
@@ -1394,6 +1394,50 @@
                                     "required": false
                                 }
                             },
+                            {
+                                "name": "vnetForApplicationGateway",
+                                "type": "Microsoft.Network.VirtualNetworkCombo",
+                                "label": {
+                                    "virtualNetwork": "Virtual network",
+                                    "subnets": "Subnets"
+                                },
+                                "toolTip": {
+                                    "virtualNetwork": "Select a virtual network in which to place the Application Gateway.",
+                                    "subnets": "The subnet must be dedicated only for use by the Application Gateway."
+                                },
+                                "defaultValue": {
+                                    "name": "[concat('wlsaks-vnet',take(guid(), 8))]",
+                                    "addressPrefixSize": "/24"
+                                },
+                                "constraints": {
+                                    "minAddressPrefixSize": "/24"
+                                },
+                                "options": {
+                                    "hideExisting": false
+                                },
+                                "subnets": {
+                                    "gatewaySubnet": {
+                                        "label": "Subnet",
+                                        "defaultValue": {
+                                            "name": "wls-aks-gateway-subnet",
+                                            "addressPrefixSize": "/24"
+                                        },
+                                        "constraints": {
+                                            "minAddressPrefixSize": "/24",
+                                            "minAddressCount": 38,
+                                            "requireContiguousAddresses": false
+                                        }
+                                    }
+                                },
+                                "visible": "[steps('section_appGateway').appgwIngress.enableAppGateway]"
+                            },
+                            {
+                                "name": "appgwUsePrivateIP",
+                                "type": "Microsoft.Common.CheckBox",
+                                "label": "Configure frontend IP with private IP address",
+                                "toolTip": "If checked, expose WebLogic Server with private IP address.",
+                                "visible": "[steps('section_appGateway').appgwIngress.enableAppGateway]"
+                            },
                             {
                                 "name": "keyVaultText00",
                                 "type": "Microsoft.Common.TextBlock",
@@ -1426,7 +1470,7 @@
                                     "text": "    ⁃ Generate a self-signed front-end certificate: Generate a self-signed front-end certificate and apply it during deployment.",
                                     "link": {
                                         "label": "Learn more",
-                                        "uri": "https://aka.ms/arm-oraclelinux-wls-cluster-app-gateway-key-vault"
+                                        "uri": "https://aka.ms/wls-aks-application-gateway-ssl-key-vault"
                                     }
                                 }
                             },
@@ -1576,17 +1620,17 @@
                                 "visible": "[steps('section_appGateway').appgwIngress.enableAppGateway]",
                                 "options": {
                                     "icon": "Info",
-                                    "text": "You must input an Active Directory Service Principal that is encoded with base64 to create the Application Gateway Ingress Controller. See this <a href=https://aka.ms/wls-aks-agic-sp-doc target='_blank'>document</a> for more information.</br>You can generate one with command <b>az ad sp create-for-rbac --role Contributor --sdk-auth | base64 -w0</b>. On macOS omit the <b>-w0</b>."
+                                    "text": "You must input an Active Directory Service Principal that is encoded with base64 to create the Application Gateway Ingress Controller. See this <a href=https://aka.ms/wls-aks-agic-sp-doc target='_blank'>document</a> for more information.</br>You can generate one with command <b>az ad sp create-for-rbac --sdk-auth --role Contributor --scopes /subscriptions/&lt;AZURE_SUBSCRIPTION_ID&gt; | base64 -w0</b>. On macOS omit the <b>-w0</b>."
                                 }
                             },
                             {
                                 "name": "servicePrincipal",
                                 "type": "Microsoft.Common.PasswordBox",
                                 "label": {
                                     "password": "Service Principal",
-                                    "confirmPassword": "Confirm password"
+                                    "confirmPassword": "Confirm service principal"
                                 },
-                                "toolTip": "Base64 encoded JSON blob of the service principal. You can generate one with command 'az ad sp create-for-rbac --role Contributor --sdk-auth | base64 -w0' On macOS omit the -w0.",
+                                "toolTip": "Base64 encoded JSON blob of the service principal. You can generate one with command 'az ad sp create-for-rbac --sdk-auth --role Contributor --scopes /subscriptions/&lt;AZURE_SUBSCRIPTION_ID&gt; | base64 -w0' On macOS omit the -w0.",
                                 "constraints": {
                                     "required": true
                                 },
@@ -2066,6 +2110,7 @@
             "appGatewaySSLCertPassword": "[steps('section_appGateway').appgwIngress.appGatewaySSLCertPassword]",
             "appgwForAdminServer": "[steps('section_appGateway').appgwIngress.appgwForAdminServer]",
             "appgwForRemoteConsole": "[steps('section_appGateway').appgwIngress.appgwForAdminRemote]",
+            "appgwUsePrivateIP": "[steps('section_appGateway').appgwIngress.appgwUsePrivateIP]",
             "appPackageUrls": "[steps('section_aks').jeeAppInfo.appPackageUrl]",
             "appReplicas": "[int(steps('section_aks').jeeAppInfo.appReplicas)]",
             "createACR": "[bool(steps('section_aks').imageInfo.oracleCreateACR)]",
@@ -2105,6 +2150,7 @@
             "keyVaultSSLCertDataSecretName": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertDataSecretName]",
             "keyVaultSSLCertPasswordSecretName": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertPasswordSecretName]",
             "managedServerPrefix": "[basics('basicsOptional').managedServerPrefix]",
+            "newOrExistingVnetForApplicationGateway": "[steps('section_appGateway').appgwIngress.vnetForApplicationGateway.newOrExisting]",
             "ocrSSOPSW": "[steps('section_aks').imageInfo.ocrSSOPassword]",
             "ocrSSOUser": "[steps('section_aks').imageInfo.ocrSSOUserName]",
             "servicePrincipal": "[steps('section_appGateway').appgwIngress.servicePrincipal]",
@@ -2132,6 +2178,8 @@
             "userProvidedAcr": "[last(split(steps('section_aks').imageInfo.userProvidedAcrSelector.id, '/'))]",
             "userProvidedImagePath": "[steps('section_aks').imageInfo.userProvidedImagePath]",
             "validateApplications": "[bool(steps('section_aks').jeeAppInfo.validateApplications)]",
+            "vnetForApplicationGateway": "[steps('section_appGateway').appgwIngress.vnetForApplicationGateway]",
+            "vnetRGNameForApplicationGateway": "[steps('section_appGateway').appgwIngress.vnetForApplicationGateway.resourceGroup]",
             "wdtRuntimePassword": "[basics('basicsRequired').wdtRuntimePassword]",
             "wlsClusterSize": "[basics('basicsOptional').wlsClusterSize]",
             "wlsDomainName": "[basics('basicsOptional').wlsDomainName]",

weblogic-azure-aks/src/main/arm/scripts/appgw-helm-config.yaml.template

@@ -15,7 +15,7 @@ appgw:
     subscriptionId: @SUB_ID@
     resourceGroup: @APPGW_RG_NAME@
     name: @APPGW_NAME@
-    usePrivateIP: false
+    usePrivateIP: @USE_PRIVATE_IP@
 
     # Setting appgw.shared to "true" will create an AzureIngressProhibitedTarget CRD.
     # This prohibits AGIC from applying config for any host/path.

weblogic-azure-aks/src/main/arm/scripts/common.sh

@@ -3,10 +3,10 @@
 # This script runs on Azure Container Instance with Alpine Linux that Azure Deployment script creates.
 
 export checkPodStatusInterval=20 # interval of checking pod status.
-export checkPodStatusMaxAttemps=30 # max attempt to check pod status.
+export checkPodStatusMaxAttemps=50 # max attempt to check pod status.
 export checkPVStateInterval=5 # interval of checking pvc status.
 export checkPVStateMaxAttempt=10 # max attempt to check pvc status.
-export checkSVCStateMaxAttempt=10
+export checkSVCStateMaxAttempt=50
 export checkSVCInterval=30 #seconds
 
 export constAdminT3AddressEnvName="T3_TUNNELING_ADMIN_ADDRESS"

weblogic-azure-aks/src/main/arm/scripts/createAppGatewayIngress.sh

@@ -350,31 +350,52 @@ function network_peers_aks_appgw() {
 
     aksNetWorkId=$(az resource list -g ${aksMCRGName} --resource-type Microsoft.Network/virtualNetworks -o tsv --query '[*].id')
     aksNetworkName=$(az resource list -g ${aksMCRGName} --resource-type Microsoft.Network/virtualNetworks -o tsv --query '[*].name')
-    az network vnet peering create \
-        --name aks-appgw-peer \
-        --remote-vnet ${aksNetWorkId} \
-        --resource-group ${curRGName} \
-        --vnet-name ${vnetName} \
-        --allow-vnet-access
-    utility_validate_status "Create network peers for $aksNetWorkId and ${vnetName}."
-
-    appgwNetworkId=$(az resource list -g ${curRGName} --name ${vnetName} -o tsv --query '[*].id')
-    az network vnet peering create \
-        --name aks-appgw-peer \
-        --remote-vnet ${appgwNetworkId} \
-        --resource-group ${aksMCRGName} \
-        --vnet-name ${aksNetworkName} \
-        --allow-vnet-access
-
-    utility_validate_status "Create network peers for $aksNetWorkId and ${vnetName}."
+    appGatewaySubnetId=$(az network application-gateway show -g ${curRGName} --name ${appgwName} -o tsv --query "gatewayIpConfigurations[0].subnet.id")
+    appGatewayVnetResourceGroup=$(az network application-gateway show -g ${curRGName} --name ${appgwName} -o tsv --query "gatewayIpConfigurations[0].subnet.resourceGroup")
+    appGatewaySubnetName=$(az resource show --ids ${appGatewaySubnetId} --query "name" -o tsv)
+    appgwNetworkId=$(echo $appGatewaySubnetId | sed s/"\/subnets\/${appGatewaySubnetName}"//)
+    appgwVnetName=$(az resource show --ids ${appgwNetworkId} --query "name" -o tsv)
+
+    local toPeer=true
+    # if the AKS and App Gateway have the same VNET, need not peer.
+    if [ "${aksNetWorkId}" == "${appgwNetworkId}" ]; then
+        echo_stdout "AKS and Application Gateway are in the same virtual network: ${appgwNetworkId}."
+        toPeer=false
+    fi
+
+    # check if the Vnets have been peered.
+    local ret=$(az network vnet peering list \
+        --resource-group ${appGatewayVnetResourceGroup} \
+        --vnet-name ${appgwVnetName} -o json \
+        | jq ".[] | select(.remoteVirtualNetwork.id==\"${aksNetWorkId}\")")
+    if [ -n "$ret" ]; then
+        echo_stdout "VNET of AKS ${aksNetWorkId} and Application Gateway ${appgwNetworkId} is peering."
+        toPeer=false
+    fi
+
+    if [ "${toPeer}" == "true" ]; then
+        az network vnet peering create \
+            --name aks-appgw-peer \
+            --remote-vnet ${aksNetWorkId} \
+            --resource-group ${appGatewayVnetResourceGroup} \
+            --vnet-name ${appgwVnetName} \
+            --allow-vnet-access
+        utility_validate_status "Create network peers for $aksNetWorkId and ${appgwNetworkId}."
+
+        az network vnet peering create \
+            --name aks-appgw-peer \
+            --remote-vnet ${appgwNetworkId} \
+            --resource-group ${aksMCRGName} \
+            --vnet-name ${aksNetworkName} \
+            --allow-vnet-access
+
+        utility_validate_status "Complete creating network peers for $aksNetWorkId and ${appgwNetworkId}."
+    fi
 
     # For Kbectl network plugin: https://azure.github.io/application-gateway-kubernetes-ingress/how-tos/networking/#with-kubenet
     # find route table used by aks cluster
     routeTableId=$(az network route-table list -g $aksMCRGName --query "[].id | [0]" -o tsv)
 
-    # get the application gateway's subnet
-    appGatewaySubnetId=$(az network application-gateway show -n $appgwName -g $curRGName -o tsv --query "gatewayIpConfigurations[0].subnet.id")
-
     # associate the route table to Application Gateway's subnet
     az network vnet subnet update \
         --ids $appGatewaySubnetId \
@@ -411,6 +432,7 @@ function install_azure_ingress() {
     sed -i -e "s:@APPGW_NAME@:${appgwName}:g" ${customAppgwHelmConfig}
     sed -i -e "s:@WATCH_NAMESPACE@:${wlsDomainNS}:g" ${customAppgwHelmConfig}
     sed -i -e "s:@SP_ENCODING_CREDENTIALS@:${spBase64String}:g" ${customAppgwHelmConfig}
+    sed -i -e "s:@USE_PRIVATE_IP@:${appgwUsePrivateIP,,}:g" ${customAppgwHelmConfig}
 
     helm install ingress-azure \
         -f ${customAppgwHelmConfig} \
@@ -542,7 +564,7 @@ function appgw_ingress_svc_for_admin_server() {
     generate_appgw_admin_config_file
     kubectl apply -f ${adminAppgwIngressYamlPath}
     utility_validate_status "Create appgw ingress svc."
-    utility_waitfor_lb_svc_completed \
+    utility_waitfor_ingress_completed \
         ${adminIngressName} \
         ${wlsDomainNS} \
         ${checkSVCStateMaxAttempt} \
@@ -556,7 +578,7 @@ function appgw_ingress_svc_for_remote_console() {
 
     kubectl apply -f ${adminRemoteAppgwIngressYamlPath}
     utility_validate_status "Create appgw ingress svc."
-    utility_waitfor_lb_svc_completed \
+    utility_waitfor_ingress_completed \
         ${adminRemoteIngressName} \
         ${wlsDomainNS} \
         ${checkSVCStateMaxAttempt} \
@@ -631,7 +653,7 @@ wlsDomainUID=$3
 subID=$4
 curRGName=$5
 appgwName=$6
-vnetName=$7
+appgwUsePrivateIP=$7
 appgwForAdminServer=$8
 enableCustomDNSAlias=$9
 dnsRGName=${10}

weblogic-azure-aks/src/main/arm/scripts/inline-scripts/queryPrivateIPForAppGateway.sh

@@ -0,0 +1,44 @@
+# Copyright (c) 2022, Oracle Corporation and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+# This script runs on Azure Container Instance with Alpine Linux that Azure Deployment script creates.
+#
+# env inputs:
+# SUBNET_ID
+# KNOWN_IP
+
+function query_ip() {
+    echo_stdout "Subnet Id: ${SUBNET_ID}"
+
+    # select a available private IP
+    # azure reserves the first 3 private IPs.
+    local ret=$(az network vnet check-ip-address \
+        --ids ${SUBNET_ID} \
+        --ip-address ${KNOWN_IP})
+    local available=$(echo ${ret} | jq -r .available)
+    if [[ "${available,,}" == "true" ]]; then
+      outputPrivateIP=${KNOWN_IP}
+    else
+      local privateIPAddress=$(echo ${ret} | jq -r .availableIpAddresses[0])
+      if [[ -z "${privateIPAddress}" ]] || [[ "${privateIPAddress}"=="null" ]]; then
+        echo_stderr "ERROR: make sure there is available IP for application gateway in your subnet."
+      fi
+
+      outputPrivateIP=${privateIPAddress}
+    fi
+}
+
+function output_result() {
+  echo "Available Private IP: ${outputPrivateIP}"
+  result=$(jq -n -c \
+    --arg privateIP "$outputPrivateIP" \
+    '{privateIP: $privateIP}')
+  echo "result is: $result"
+  echo $result >$AZ_SCRIPTS_OUTPUT_PATH
+}
+
+# main script
+outputPrivateIP="10.0.0.1"
+
+query_ip
+
+output_result