added

HoussemDellai · Dec 5, 2024 · 83c4a44 · 83c4a44
1 parent 586b401
commit 83c4a44
Show file tree

Hide file tree

Showing 11 changed files with 299 additions and 11 deletions.
diff --git a/250_aks_service_connector/terraform/aks.tf b/250_aks_service_connector/terraform/aks.tf
@@ -3,7 +3,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
   location                  = azurerm_resource_group.rg.location
   resource_group_name       = azurerm_resource_group.rg.name
   dns_prefix                = "aks"
-  kubernetes_version        = "1.31.1"
+  kubernetes_version        = "1.30.5"
   oidc_issuer_enabled       = true
   workload_identity_enabled = true
 
@@ -13,11 +13,11 @@ resource "azurerm_kubernetes_cluster" "aks" {
   }
 
   default_node_pool {
-    name           = "mainpool"
-    node_count     = 2
-    vm_size        = "standard_d2pds_v6"
-    os_sku         = "AzureLinux"
-    vnet_subnet_id = azurerm_subnet.snet-aks.id
+    name                        = "mainpool"
+    node_count                  = 2
+    vm_size                     = "standard_d2pds_v6"
+    os_sku                      = "Ubuntu"
+    vnet_subnet_id              = azurerm_subnet.snet-aks.id
   }
 
   identity {

diff --git a/250_aks_service_connector/terraform/container_apps.tf b/250_aks_service_connector/terraform/container_apps.tf
@@ -0,0 +1,61 @@
+resource "azurerm_container_app" "app-dedicated" {
+  name                         = "nginx-dedicated"
+  container_app_environment_id = azurerm_container_app_environment.env.id
+  resource_group_name          = azurerm_container_app_environment.env.resource_group_name
+  revision_mode                = "Single"
+  workload_profile_name        = "profile-D4"
+
+  template {
+    min_replicas = 1
+    max_replicas = 3
+    container {
+      name   = "nginx"
+      image  = "nginx"
+      cpu    = 0.25
+      memory = "0.5Gi"
+    }
+  }
+
+  ingress {
+    allow_insecure_connections = true
+    external_enabled           = true
+    target_port                = 80
+    transport                  = "auto"
+
+    traffic_weight {
+      latest_revision = true
+      percentage      = 100
+    }
+  }
+}
+
+resource "azurerm_container_app" "app-consumption" {
+  name                         = "nginx-consumption"
+  container_app_environment_id = azurerm_container_app_environment.env.id
+  resource_group_name          = azurerm_container_app_environment.env.resource_group_name
+  revision_mode                = "Single"
+  workload_profile_name        = "Consumption"
+
+  template {
+    min_replicas = 1
+    max_replicas = 3
+    container {
+      name   = "nginx"
+      image  = "nginx"
+      cpu    = 0.25
+      memory = "0.5Gi"
+    }
+  }
+
+  ingress {
+    allow_insecure_connections = true
+    external_enabled           = true
+    target_port                = 80
+    transport                  = "auto"
+
+    traffic_weight {
+      latest_revision = true
+      percentage      = 100
+    }
+  }
+}
diff --git a/250_aks_service_connector/terraform/container_apps_environment.tf b/250_aks_service_connector/terraform/container_apps_environment.tf
@@ -0,0 +1,16 @@
+resource "azurerm_container_app_environment" "env" {
+  name                           = "aca-environment"
+  location                       = azurerm_resource_group.rg.location
+  resource_group_name            = azurerm_resource_group.rg.name
+  log_analytics_workspace_id     = null
+  # zone_redundancy_enabled        = true
+  # internal_load_balancer_enabled = true
+  # infrastructure_subnet_id       = azurerm_subnet.snet-aca.id
+
+  workload_profile {
+    name                  = "profile-D4"
+    workload_profile_type = "D4" # D4, D8, D16, D32, E4, E8, E16 and E32.
+    minimum_count         = 1
+    maximum_count         = 2
+  }
+}
diff --git a/250_aks_service_connector/terraform/identity-aks-app.tf b/250_aks_service_connector/terraform/identity-aks-app.tf
@@ -10,7 +10,7 @@ resource "azurerm_federated_identity_credential" "federated-cred" {
   audience            = ["api://AzureADTokenExchange"]
   issuer              = azurerm_kubernetes_cluster.aks.oidc_issuer_url
   parent_id           = azurerm_user_assigned_identity.identity-aks-app.id
-  subject             = "system:serviceaccount:default:sacc"
+  subject             = "system:serviceaccount:default:sc-account-01"
 }
 
 resource "azurerm_role_assignment" "storage-blob-data-reader" {

diff --git a/250_aks_service_connector/terraform/providers.tf b/250_aks_service_connector/terraform/providers.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 4.10.0"
+      version = ">= 4.12.0"
     }
 
     azapi = {

diff --git a/250_aks_service_connector/terraform/rg.tf b/250_aks_service_connector/terraform/rg.tf
@@ -1,4 +1,4 @@
 resource "azurerm_resource_group" "rg" {
-  name     = "rg-service-connector-${var.prefix}-aks"
+  name     = "rg-aks-service-connector-${var.prefix}"
   location = "swedencentral"
 }
diff --git a/250_aks_service_connector/terraform/sc.json b/250_aks_service_connector/terraform/sc.json
@@ -0,0 +1,38 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {},
+    "variables": {},
+    "resources": [
+        {
+            "type": "Microsoft.ServiceLinker/linkers",
+            "apiVersion": "2024-07-01-preview",
+            "scope": "Microsoft.App/containerApps/nginx-consumption",
+            "name": "storageblob_b2db0",
+            "properties": {
+                "clientType": "python",
+                "targetService": {
+                    "type": "AzureResource",
+                    "id": "/subscriptions/dcef7009-6b94-4382-afdc-17eb160d709a/resourceGroups/rg-service-connector-aks-250/providers/Microsoft.Storage/storageAccounts/storaks250/blobServices/default"
+                },
+                "authInfo": {
+                    "authType": "systemAssignedIdentity",
+                    "roles": [
+                        "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"
+                    ]
+                },
+                "scope": "nginx",
+                "configurationInfo": {
+                    "customizedKeys": {},
+                    "daprProperties": {
+                        "version": "",
+                        "componentType": "",
+                        "metadata": [],
+                        "scopes": []
+                    }
+                }
+            },
+            "dependsOn": []
+        }
+    ]
+}
diff --git a/250_aks_service_connector/terraform/storage_account.tf b/250_aks_service_connector/terraform/storage_account.tf
@@ -8,7 +8,7 @@ resource "azurerm_storage_account" "sa" {
 
 resource "azurerm_storage_container" "container" {
   name                  = "content"
-  storage_account_name  = azurerm_storage_account.sa.name
+  storage_account_id    = azurerm_storage_account.sa.id
   container_access_type = "private"
 }
 
@@ -18,4 +18,4 @@ resource "azurerm_storage_blob" "blob" {
   storage_container_name = azurerm_storage_container.container.name
   type                   = "Block"
   source                 = "storage_account.tf"
-}
+}
diff --git a/570_ingress_preserve_source_ip/Readme.md b/570_ingress_preserve_source_ip/Readme.md
@@ -0,0 +1,69 @@
+# Preserving the IP address of the client
+
+## Introduction
+
+In this section, you will learn how to preserve the IP address of the client when using an Ingress Controller. This is useful when you need to know the client's IP address in your application.
+By deafault, the LoadBalancer service type uses the Azure Standard Load Balancer, which does not preserve the client's IP address. Instead, it replaces it with the IP address of the Load Balancer. To preserve the client's IP address, you need to apply the following spec to the Nginx Ingress Controller service:
+
+```yaml
+spec.externalTrafficPolicy: Local
+```
+
+This way the original IP address of the client will be carried by the headers: `X-Forwarded-For` and `X-Real-IP`.
+
+Here is a step-by-step guide to demonstrate how to preserve the client's IP address.
+
+```sh
+# create an AKS cluster
+$AKS_RG="rg-aks-cluster"
+$AKS_NAME="aks-cluster"
+
+az group create -n $AKS_RG -l swedencentral
+
+az aks create -g $AKS_RG -n $AKS_NAME --network-plugin azure --network-plugin-mode overlay
+
+az aks get-credentials -n $AKS_NAME -g $AKS_RG --overwrite-existing
+
+# verify connection to the cluster
+kubectl get nodes
+
+# install Nginx ingress controller
+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+helm repo update
+
+NAMESPACE_INGRESS="ingress-nginx"
+
+helm install ingress-nginx ingress-nginx/ingress-nginx `
+     --create-namespace `
+     --namespace $NAMESPACE_INGRESS `
+     --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz `
+     --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-port"=80 
+
+kubectl get pods,deployments,services --namespace $NAMESPACE_INGRESS
+
+$INGRESS_PUPLIC_IP=$(kubectl get services ingress-nginx-controller -n $NAMESPACE_INGRESS -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+echo $INGRESS_PUPLIC_IP
+# 20.103.25.154
+
+kubectl apply -f app.yaml
+
+curl $INGRESS_PUPLIC_IP
+
+# check the "X-Forwarded-For" header in the response. It should contain the SNAT'd IP address of the client, which become the IP address of the node/vm.
+
+# Enable "externalTrafficPolicy: Local" in the ingress controller service
+
+kubectl patch svc ingress-nginx-controller -n $NAMESPACE_INGRESS -p '{\"spec\":{\"externalTrafficPolicy\":\"Local\"}}'
+
+# use the following if using Linux
+# kubectl patch svc ingress-nginx-controller -n $NAMESPACE_INGRESS -p '{"spec":{"externalTrafficPolicy":"Local"}}'
+
+curl $INGRESS_PUPLIC_IP
+
+# check the "X-Forwarded-For" and "X-Real-IP" headers in the response. They should contain the original client IP address.
+```
+
+## More resources
+
+https://kubernetes.io/docs/tutorials/services/source-ip/
+https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
diff --git a/570_ingress_preserve_source_ip/app.yaml b/570_ingress_preserve_source_ip/app.yaml
@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: webapp
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: webapp
+  namespace: webapp
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: webapp
+  template:
+    metadata:
+      labels:
+        app: webapp
+    spec:
+      containers:
+        - name: webapp
+          image: jelledruyts/inspectorgadget
+          ports:
+            - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: webapp
+  namespace: webapp
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 80
+  selector:
+    app: webapp
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: app-ingress
+  namespace: webapp
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    # nginx.ingress.kubernetes.io/use-proxy-protocol: "true"
+    # nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: webapp
+                port:
+                  number: 80
diff --git a/570_ingress_preserve_source_ip/commands.ps1 b/570_ingress_preserve_source_ip/commands.ps1
@@ -0,0 +1,44 @@
+# create an AKS cluster
+$AKS_RG="rg-aks-cluster"
+$AKS_NAME="aks-cluster"
+
+az group create -n $AKS_RG -l swedencentral
+
+az aks create -g $AKS_RG -n $AKS_NAME --network-plugin azure --network-plugin-mode overlay
+
+az aks get-credentials -n $AKS_NAME -g $AKS_RG --overwrite-existing
+
+# verify connection to the cluster
+kubectl get nodes
+
+# install Nginx ingress controller
+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+helm repo update
+
+NAMESPACE_INGRESS="ingress-nginx"
+
+helm install ingress-nginx ingress-nginx/ingress-nginx `
+     --create-namespace `
+     --namespace $NAMESPACE_INGRESS `
+     --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz `
+     --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-port"=80 
+
+kubectl get pods,deployments,services --namespace $NAMESPACE_INGRESS
+
+$INGRESS_PUPLIC_IP=$(kubectl get services ingress-nginx-controller -n $NAMESPACE_INGRESS -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+echo $INGRESS_PUPLIC_IP
+# 20.103.25.154
+
+kubectl apply -f app.yaml
+
+curl $INGRESS_PUPLIC_IP
+
+# check the "X-Forwarded-For" header in the response. It should contain the SNAT'd IP address of the client, which become the IP address of the node/vm.
+
+# Enable "externalTrafficPolicy: Local" in the ingress controller service
+
+kubectl patch svc ingress-nginx-controller -n $NAMESPACE_INGRESS -p '{"spec":{"externalTrafficPolicy":"Local"}}'
+
+curl $INGRESS_PUPLIC_IP
+
+# check the "X-Forwarded-For" and "X-Real-IP" headera in the response. They should contain the original client IP address.