Fix aks
aamini7 committed Oct 25, 2024
1 parent 4e9184e commit 7dabbb9
Showing 1 changed file with 71 additions and 166 deletions.
237 changes: 71 additions & 166 deletions scenarios/CreateAKSWebApp/README.md
@@ -149,31 +149,29 @@ az aks create \

## Connect to the cluster

To manage a Kubernetes cluster, use the Kubernetes command-line client, kubectl. kubectl is already installed if you use Azure Cloud Shell.
Install az aks CLI locally using the az aks install-cli command

1. Install az aks CLI locally using the az aks install-cli command

```bash
if ! [ -x "$(command -v kubectl)" ]; then az aks install-cli; fi
```
```bash
if ! [ -x "$(command -v kubectl)" ]; then az aks install-cli; fi
```

2. Configure kubectl to connect to your Kubernetes cluster using the az aks get-credentials command. The following command:
## Configure kubectl to connect to your Kubernetes cluster using the az aks get-credentials command. The following command:

- Downloads credentials and configures the Kubernetes CLI to use them.
- Uses ~/.kube/config, the default location for the Kubernetes configuration file. Specify a different location for your Kubernetes configuration file using --file argument.
- Downloads credentials and configures the Kubernetes CLI to use them.
- Uses ~/.kube/config, the default location for the Kubernetes configuration file. Specify a different location for your Kubernetes configuration file using --file argument.

> [!WARNING]
> This will overwrite any existing credentials with the same entry
> [!WARNING]
> This will overwrite any existing credentials with the same entry
```bash
az aks get-credentials --resource-group $MY_RESOURCE_GROUP_NAME --name $MY_AKS_CLUSTER_NAME --overwrite-existing
```
```bash
az aks get-credentials --resource-group $MY_RESOURCE_GROUP_NAME --name $MY_AKS_CLUSTER_NAME --overwrite-existing
```

3. Verify the connection to your cluster using the kubectl get command. This command returns a list of the cluster nodes.
## Verify the connection to your cluster using the kubectl get command. This command returns a list of the cluster nodes.

```bash
kubectl get nodes
```
```bash
kubectl get nodes
```

## Install NGINX Ingress Controller

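Review bot: the two new `##` headings ("Configure kubectl to connect to your Kubernetes cluster using the az aks get-credentials command. The following command:" and "Verify the connection to your cluster using the kubectl get command. This command returns a list of the cluster nodes.") are full sentences, and the first ends in a colon that introduces the bullet list, which reads badly as a heading and in any generated table of contents; keep short headings such as `## Configure kubectl` and `## Verify the connection` and move the sentence into the paragraph beneath. The added line "Install az aks CLI locally using the az aks install-cli command" directly follows the "To manage a Kubernetes cluster ..." sentence with no blank line, so it renders as part of the same paragraph and is no longer a step; give it its own paragraph or heading like the other two. A blank line between the `[!WARNING]` block and the following ```bash fence would also match the spacing used elsewhere in the file.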
@@ -437,11 +435,7 @@ spec:
app: store-front
type: LoadBalancer
EOF
```
To deploy this app, run the following command

```bash
kubectl apply -f azure-vote-start.yml
```

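Review bot: dropping the sentence "To deploy this app, run the following command" when `kubectl apply -f azure-vote-start.yml` is folded into the heredoc block leaves the apply step unexplained; keep that wording as a `#` comment line between `EOF` and the `kubectl apply`, the way the later cert-manager block annotates its commands, so the reader can see the manifest is written and then applied in one step.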
@@ -463,48 +457,10 @@ while [[ $(date -u +%s) -le $endtime ]]; do
sleep 10;
fi;
done
```

```bash
curl "http://$FQDN"
```

Results:
<!-- expected_similarity=0.3 -->
```HTML
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="stylesheet" type="text/css" href="/static/default.css">
<title>Azure Voting App</title>
<script language="JavaScript">
function send(form){
}
</script>
</head>
<body>
<div id="container">
<form id="form" name="form" action="/"" method="post"><center>
<div id="logo">Azure Voting App</div>
<div id="space"></div>
<div id="form">
<button name="vote" value="Cats" onclick="send()" class="button button1">Cats</button>
<button name="vote" value="Dogs" onclick="send()" class="button button2">Dogs</button>
<button name="vote" value="reset" onclick="send()" class="button button3">Reset</button>
<div id="space"></div>
<div id="space"></div>
<div id="results"> Cats - 0 | Dogs - 0 </div>
</form>
</div>
</div>
</body>
</html>
```
## Add HTTPS termination to custom domain

At this point in the tutorial you have an AKS web app with NGINX as the Ingress controller and a custom domain you can use to access your application. The next step is to add an SSL certificate to the domain so that users can reach your application securely via HTTPS.
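Review bot: removing the `Results:` block also removes its `<!-- expected_similarity=0.3 -->` marker, which is what the scenario tooling uses to validate the output of `curl "http://$FQDN"`, so that step is no longer checked; if the expected HTML was dropped because it was stale (it contained `action="/""` with a doubled quote), replace it with a corrected, shorter expected-output block rather than deleting the validation. Merging `curl` into the wait-loop block is fine, but a comment between `done` and `curl` would make clear the request is only sent once the endpoint has become ready.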
@@ -515,96 +471,75 @@ In order to add HTTPS we are going to use Cert Manager. Cert Manager is an open

1. In order to install cert-manager, we must first create a namespace to run it in. This tutorial will install cert-manager into the cert-manager namespace. It is possible to run cert-manager in a different namespace, although you will need to make modifications to the deployment manifests.

```bash
kubectl create namespace cert-manager
```
2. We can now install cert-manager. All resources are included in a single YAML manifest file. This can be installed by running the following:
```bash
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.7.0/cert-manager.crds.yaml
```
```bash
kubectl create namespace cert-manager

3. Add the certmanager.k8s.io/disable-validation: "true" label to the cert-manager namespace by running the following. This will allow the system resources that cert-manager requires to bootstrap TLS to be created in its own namespace.
# We can now install cert-manager. All resources are included in a single YAML manifest file. This can be installed by running the following:
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.7.0/cert-manager.crds.yaml

#Add the certmanager.k8s.io/disable-validation: "true" label to the cert-manager namespace by running the following. This will allow the system resources that cert-manager requires to bootstrap TLS to be created in its own namespace.

```bash
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
```
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
```

## Obtain certificate via Helm Charts

Helm is a Kubernetes deployment tool for automating creation, packaging, configuration, and deployment of applications and services to Kubernetes clusters.

Cert-manager provides Helm charts as a first-class method of installation on Kubernetes.

1. Add the Jetstack Helm repository
This repository is the only supported source of cert-manager charts. There are some other mirrors and copies across the internet, but those are entirely unofficial and could present a security risk.
```bash
helm repo add jetstack https://charts.jetstack.io
```
```bash
# Add the Jetstack Helm repository
# This repository is the only supported source of cert-manager charts. There are some other mirrors and copies across the internet, but those are entirely unofficial and could present a security risk.

2. Update local Helm Chart repository cache
helm repo add jetstack https://charts.jetstack.io

```bash
helm repo update
```
# Update local Helm Chart repository cache
helm repo update

3. Install Cert-Manager addon via helm by running the following:
# Install Cert-Manager addon via helm by running the following
helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.7.0

```bash
helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.7.0
```
# ClusterIssuers are Kubernetes resources that represent certificate authorities (CAs) that are able to generate signed certificates by honoring certificate signing requests. All cert-manager certificates require a referenced issuer that is in a ready condition to attempt to honor the request.
# The issuer we are using can be found in the `cluster-issuer-prod.yml file`

cat <<EOF > cluster-issuer-prod.yml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# You must replace this email address with your own.
# Let's Encrypt will use this to contact you about expiring
# certificates, and issues related to your account.
email: $SSL_EMAIL_ADDRESS
# ACME server URL for Let’s Encrypt’s prod environment.
# The staging environment will not issue trusted certificates but is
# used to ensure that the verification process is working properly
# before moving to production
server: https://acme-v02.api.letsencrypt.org/directory
# Secret resource used to store the account's private key.
privateKeySecretRef:
name: letsencrypt
# Enable the HTTP-01 challenge provider
# you prove ownership of a domain by ensuring that a particular
# file is present at the domain
solvers:
- http01:
ingress:
class: nginx
podTemplate:
spec:
nodeSelector:
"kubernetes.io/os": linux
EOF

4. Apply Certificate Issuer YAML File
cluster_issuer_variables=$(<cluster-issuer-prod.yml)

ClusterIssuers are Kubernetes resources that represent certificate authorities (CAs) that are able to generate signed certificates by honoring certificate signing requests. All cert-manager certificates require a referenced issuer that is in a ready condition to attempt to honor the request.
The issuer we are using can be found in the `cluster-issuer-prod.yml file`
```bash
cat <<EOF > cluster-issuer-prod.yml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# You must replace this email address with your own.
# Let's Encrypt will use this to contact you about expiring
# certificates, and issues related to your account.
email: $SSL_EMAIL_ADDRESS
# ACME server URL for Let’s Encrypt’s prod environment.
# The staging environment will not issue trusted certificates but is
# used to ensure that the verification process is working properly
# before moving to production
server: https://acme-v02.api.letsencrypt.org/directory
# Secret resource used to store the account's private key.
privateKeySecretRef:
name: letsencrypt
# Enable the HTTP-01 challenge provider
# you prove ownership of a domain by ensuring that a particular
# file is present at the domain
solvers:
- http01:
ingress:
class: nginx
podTemplate:
spec:
nodeSelector:
"kubernetes.io/os": linux
EOF
```

```bash
cluster_issuer_variables=$(<cluster-issuer-prod.yml)
```

5. Upate Voting App Application to use Cert-Manager to obtain an SSL Certificate.

The full YAML file can be found in `azure-vote-nginx-ssl.yml`
# Upate Voting App Application to use Cert-Manager to obtain an SSL Certificate.
# The full YAML file can be found in `azure-vote-nginx-ssl.yml`

```bash
cat << EOF > azure-vote-nginx-ssl.yml
---
# INGRESS WITH SSL PROD
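Review bot: the retained line "1. In order to install cert-manager, we must first create a namespace ..." is now the only numbered item, since steps 2 and 3 became `#` comments inside the bash block; either drop the "1." or keep the list. Within the visible lines `cluster_issuer_variables=$(<cluster-issuer-prod.yml)` is assigned but never piped to `kubectl apply`, and the removed heading "4. Apply Certificate Issuer YAML File" was the only text saying the ClusterIssuer gets applied, so confirm that apply step survives elsewhere in the file. Two typos are carried into the new comments: "# Upate Voting App ..." and the misplaced backtick in "`cluster-issuer-prod.yml file`" (should be `cluster-issuer-prod.yml` file); the "#Add the certmanager.k8s.io/disable-validation ..." comment is also missing the space after `#` that the other comments use. Finally, `certmanager.k8s.io/disable-validation=true` is a label from the legacy `certmanager.k8s.io` API group, while the block installs cert-manager v1.7.0 whose resources use `cert-manager.io` (as the ClusterIssuer's `apiVersion` shows), so check whether that label is still needed before keeping it in the consolidated block.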
@@ -635,38 +570,10 @@ spec:
port:
number: 80
EOF
```

```bash
azure_vote_nginx_ssl_variables=$(<azure-vote-nginx-ssl.yml)
echo "${azure_vote_nginx_ssl_variables//\$FQDN/$FQDN}" | kubectl apply -f -
```

<!--## Validate application is working

Wait for the SSL certificate to issue. The following command will query the
status of the SSL certificate for 3 minutes. In rare occasions it may take up to
15 minutes for Lets Encrypt to issue a successful challenge and
the ready state to be 'True'

```bash
runtime="10 minute"; endtime=$(date -ud "$runtime" +%s); while [[ $(date -u +%s) -le $endtime ]]; do STATUS=$(kubectl get certificate --output jsonpath={..status.conditions[0].status}); echo $STATUS; if [ "$STATUS" = 'True' ]; then break; else sleep 10; fi; done
```

Validate SSL certificate is True by running the follow command:

```bash
kubectl get certificate --output jsonpath={..status.conditions[0].status}
```

Results:

<!-- expected_similarity=0.3 -->
<!--
```ASCII
True
azure_vote_nginx_ssl_variables=$(<azure-vote-nginx-ssl.yml)
echo "${azure_vote_nginx_ssl_variables//\$FQDN/$FQDN}" | kubectl apply -f -
```
-->

## Browse your AKS Deployment Secured via HTTPS

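Review bot: the removed "Validate application is working" section was already wrapped in an HTML comment, so deleting it changes nothing for readers, but it was the only place that waited for the Certificate's Ready condition to report `True` (`kubectl get certificate --output jsonpath={..status.conditions[0].status}`) before the HTTPS URL is announced; the `kubectl apply -f -` at the end of this hunk only submits the Ingress and the certificate is issued asynchronously, so consider restoring that check as a live step instead of dropping it.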
@@ -687,9 +594,7 @@ while [[ $(date -u +%s) -le $endtime ]]; do
sleep 10;
fi;
done
```

```bash
echo "You can now visit your web server at https://$FQDN"
```

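Review bot: style only: once the fence between `done` and `echo "You can now visit your web server at https://$FQDN"` is removed, a blank line or a short `#` comment between the wait loop and the echo would keep the two steps visually distinct, matching how the other merged blocks in this change separate their commands.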