web app routing

220_app_routing/README.md

@@ -1,5 +1,19 @@
 # AKS Web App Routing demystified
 
+When you expose your AKS applications, you typically use ingress. With ingress, you will need to manage:
+
+1) Private and public Ingress Controllers
+2) DNS custom domain names
+3) TLS certificates
+
+You wish if just there were a managed service that make this task easy ?
+Now that service exist. It is called Application Routing.
+Here is how it works.
+
+![](images/architecture.png)
+
+Disclaimer: This video is part of my Udemy course: https://www.udemy.com/course/learn-aks-network-security
+
 ```sh
 az group create -n rg-aks-cluster -l swedencentral
 

220_app_routing/ama-metrics-settings-configmap.yaml

@@ -0,0 +1,58 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: ama-metrics-settings-configmap
+  namespace: kube-system
+data:
+  schema-version:
+    #string.used by agent to parse config. supported versions are {v1}. Configs with other schema versions will be rejected by the agent.
+    v1
+  config-version:
+    #string.used by customer to keep track of this config file's version in their source control/repository (max allowed 10 chars, other chars will be truncated)
+    ver1
+  prometheus-collector-settings: |-
+    cluster_alias = ""
+  default-scrape-settings-enabled: |-
+    kubelet = true
+    coredns = false
+    cadvisor = true
+    kubeproxy = false
+    apiserver = false
+    kubestate = true
+    nodeexporter = true
+    windowsexporter = false
+    windowskubeproxy = false
+    kappiebasic = true
+    prometheuscollectorhealth = false
+  # Regex for which namespaces to scrape through pod annotation based scraping.
+  # This is none by default. Use '.*' to scrape all namespaces of annotated pods.
+  pod-annotation-based-scraping: |-
+    podannotationnamespaceregex = ".*"
+  default-targets-metrics-keep-list: |-
+    kubelet = ""
+    coredns = ""
+    cadvisor = ""
+    kubeproxy = ""
+    apiserver = ""
+    kubestate = ""
+    nodeexporter = ""
+    windowsexporter = ""
+    windowskubeproxy = ""
+    podannotations = ""
+    kappiebasic = ""
+    minimalingestionprofile = true
+  default-targets-scrape-interval-settings: |-
+    kubelet = "30s"
+    coredns = "30s"
+    cadvisor = "30s"
+    kubeproxy = "30s"
+    apiserver = "30s"
+    kubestate = "30s"
+    nodeexporter = "30s"
+    windowsexporter = "30s"
+    windowskubeproxy = "30s"
+    kappiebasic = "30s"
+    prometheuscollectorhealth = "30s"
+    podannotations = "30s"
+  debug-mode: |-
+    enabled = false

220_app_routing/app.yaml

@@ -1,3 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: webapp
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -42,7 +47,6 @@ metadata:
 spec:
   ingressClassName: webapprouting.kubernetes.azure.com
   rules:
-  # - host: <Hostname>
   - http:
       paths:
       - backend:

220_app_routing/ingress-internal.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: aks-helloworld-internal
+  namespace: webapp
+spec:
+  ingressClassName: nginx-internal # webapprouting.kubernetes.azure.com
+  rules:
+  - host: aks.internal # hello.aks.internal
+    http:
+      paths:
+      - backend:
+          service:
+            name: aks-helloworld
+            port:
+              number: 80
+        path: /
+        pathType: Prefix

220_app_routing/ingress-tls.yaml

@@ -2,8 +2,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
-    kubernetes.azure.com/tls-cert-keyvault-uri: "https://kv4aks220.vault.azure.net/certificates/aks-ingress-tls-01"
-    # kubernetes.azure.com/tls-cert-keyvault-uri: "https://kvakscert01.vault.azure.net/certificates/aks-app-cert"
+    kubernetes.azure.com/tls-cert-keyvault-uri: "https://kv42aks220.vault.azure.net/certificates/aks-ingress-tls-01"
   name: aks-helloworld
   namespace: webapp
 spec:

220_app_routing/terraform/aks.tf

@@ -29,10 +29,15 @@ resource "azurerm_kubernetes_cluster" "aks" {
   }
 
   key_vault_secrets_provider {
-    secret_rotation_enabled = true
+    secret_rotation_enabled  = true
     secret_rotation_interval = "2m"
   }
 
+  monitor_metrics {
+    annotations_allowed = null
+    labels_allowed      = null
+  }
+
   lifecycle {
     ignore_changes = [
       default_node_pool.0.upgrade_settings
@@ -42,9 +47,9 @@ resource "azurerm_kubernetes_cluster" "aks" {
 
 # Required to create internal Load Balancer
 resource "azurerm_role_assignment" "network-contributor" {
-  scope                            = azurerm_subnet.snet-aks.id
-  role_definition_name             = "Network Contributor"
-  principal_id                     = azurerm_kubernetes_cluster.aks.identity.0.principal_id
+  scope                = azurerm_subnet.snet-aks.id
+  role_definition_name = "Network Contributor"
+  principal_id         = azurerm_kubernetes_cluster.aks.identity.0.principal_id
 }
 
 resource "terraform_data" "aks-get-credentials" {
@@ -55,4 +60,4 @@ resource "terraform_data" "aks-get-credentials" {
   provisioner "local-exec" {
     command = "az aks get-credentials -n ${azurerm_kubernetes_cluster.aks.name} -g ${azurerm_kubernetes_cluster.aks.resource_group_name} --overwrite-existing"
   }
-}
+}

220_app_routing/terraform/grafana.tf

@@ -0,0 +1,41 @@
+resource "azurerm_dashboard_grafana" "grafana" {
+  name                              = "azure-grafana-${var.prefix}"
+  resource_group_name               = azurerm_resource_group.rg.name
+  location                          = azurerm_resource_group.rg.location
+  sku                               = "Standard"
+  grafana_major_version             = "10"
+  zone_redundancy_enabled           = false
+  api_key_enabled                   = true
+  deterministic_outbound_ip_enabled = true
+  public_network_access_enabled     = true
+
+  azure_monitor_workspace_integrations {
+    resource_id = azurerm_monitor_workspace.prometheus.id
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
+# data "azurerm_client_config" "current" {}
+
+resource "azurerm_role_assignment" "role_grafana_admin" {
+  scope                = azurerm_dashboard_grafana.grafana.id
+  role_definition_name = "Grafana Admin"
+  principal_id         = data.azurerm_client_config.current.object_id
+}
+
+resource "azurerm_role_assignment" "role_monitoring_data_reader" {
+  scope                = azurerm_monitor_workspace.prometheus.id
+  role_definition_name = "Monitoring Data Reader"
+  principal_id         = azurerm_dashboard_grafana.grafana.identity.0.principal_id
+}
+
+data "azurerm_subscription" "current" {}
+
+resource "azurerm_role_assignment" "role_monitoring_reader" {
+  scope                = data.azurerm_subscription.current.id
+  role_definition_name = "Monitoring Reader"
+  principal_id         = azurerm_dashboard_grafana.grafana.identity.0.principal_id
+}

220_app_routing/terraform/identity_webapprouting.tf

@@ -1,5 +1,4 @@
 data "azurerm_user_assigned_identity" "webapp_routing" {
-  #   name                = "webapprouting-${azurerm_kubernetes_cluster.aks.name}"
   name                = split("/", azurerm_kubernetes_cluster.aks.web_app_routing.0.web_app_routing_identity.0.user_assigned_identity_id)[8]
   resource_group_name = azurerm_kubernetes_cluster.aks.node_resource_group
 }

220_app_routing/terraform/output.tf

@@ -6,6 +6,10 @@ output "custom_domain_name" {
   value = azurerm_dns_zone.dns_zone.name
 }
 
+output "private_domain_name" {
+  value = azurerm_private_dns_zone.private_dns_zone.name
+}
+
 output "keyvault_tls_cert_url" {
   value = azurerm_key_vault_certificate.aks-ingress-tls-01.versionless_id
 }

220_app_routing/terraform/prometheus-dce.tf

@@ -0,0 +1,14 @@
+resource "azurerm_monitor_data_collection_endpoint" "dce-prometheus" {
+  name                          = "dce-prometheus"
+  resource_group_name           = azurerm_resource_group.rg.name
+  location                      = azurerm_resource_group.rg.location
+  kind                          = "Linux"
+  public_network_access_enabled = true
+}
+
+# not required
+resource "azurerm_monitor_data_collection_rule_association" "dcra-dce-prometheus-aks" {
+#   name                        = "configurationAccessEndpoint" # "dcra-dce-prometheus-aks" #  # name is required when data_collection_rule_id is specified. And when data_collection_endpoint_id is specified, the name is populated with configurationAccessEndpoint
+  target_resource_id          = azurerm_kubernetes_cluster.aks.id
+  data_collection_endpoint_id = azurerm_monitor_data_collection_endpoint.dce-prometheus.id
+}

220_app_routing/terraform/prometheus-dcr.tf

@@ -0,0 +1,34 @@
+resource "azurerm_monitor_data_collection_rule" "dcr-prometheus" {
+  name                        = "dcr-prometheus"
+  resource_group_name         = azurerm_resource_group.rg.name
+  location                    = azurerm_resource_group.rg.location
+  data_collection_endpoint_id = azurerm_monitor_data_collection_endpoint.dce-prometheus.id
+  kind                        = "Linux"
+  description                 = "DCR for Azure Monitor Metrics Profile (Managed Prometheus)"
+
+  data_sources {
+    prometheus_forwarder {
+      name    = "PrometheusDataSource"
+      streams = ["Microsoft-PrometheusMetrics"]
+    }
+  }
+
+  destinations {
+    monitor_account {
+      monitor_account_id = azurerm_monitor_workspace.prometheus.id
+      name               = azurerm_monitor_workspace.prometheus.name
+    }
+  }
+
+  data_flow {
+    streams      = ["Microsoft-PrometheusMetrics"]
+    destinations = [azurerm_monitor_workspace.prometheus.name]
+  }
+}
+
+resource "azurerm_monitor_data_collection_rule_association" "dcra-dcr-prometheus-aks" {
+  name                    = "dcra-dcr-prometheus-aks"
+  target_resource_id      = azurerm_kubernetes_cluster.aks.id
+  data_collection_rule_id = azurerm_monitor_data_collection_rule.dcr-prometheus.id
+  description             = "Association of DCR. Deleting this association will break the data collection for this AKS Cluster."
+}