From 01b666ada3b83f102057b2fb6a9086ba969030fe Mon Sep 17 00:00:00 2001 From: Gordon Byers Date: Tue, 13 Sep 2022 09:49:47 +0100 Subject: [PATCH] Nginx Ingress Profile (#380) * initialcut Signed-off-by: Gordonby * formatting Signed-off-by: Gordonby * removing externaldns for war Signed-off-by: Gordonby * reframed war ingress Signed-off-by: Gordonby * remove dns and reorder Signed-off-by: Gordonby * reformatted the ingress options Signed-off-by: Gordonby * fixed param and promoted NatGw out of preview flag Signed-off-by: Gordonby * postdeploy check ingress on affirmitive Signed-off-by: Gordonby Signed-off-by: Gordonby --- bicep/main.bicep | 7 +++++++ helper/src/components/addonsTab.js | 14 ++++++-------- helper/src/components/deployTab.js | 11 +++++++---- helper/src/config.json | 1 + 4 files changed, 21 insertions(+), 12 deletions(-) diff --git a/bicep/main.bicep b/bicep/main.bicep index c3f76f2b..cf568d7f 100644 --- a/bicep/main.bicep +++ b/bicep/main.bicep @@ -891,6 +891,8 @@ param oidcIssuer bool = false @description('Installs Azure Workload Identity into the cluster') param workloadIdentity bool = false +param warIngressNginx bool = false + @description('System Pool presets are derived from the recommended system pool specs') var systemPoolPresets = { CostOptimised : { @@ -1096,6 +1098,11 @@ var aksProperties = union({ enabled: workloadIdentity } } + ingressProfile: { + webAppRouting: { + enabled: warIngressNginx + } + } }, aksOutboundTrafficType == 'managedNATGateway' ? managedNATGatewayProfile : {}, defenderForContainers && createLaw ? azureDefenderSecurityProfile : {} diff --git a/helper/src/components/addonsTab.js b/helper/src/components/addonsTab.js index 6b0ead95..526abd7b 100644 --- a/helper/src/components/addonsTab.js +++ b/helper/src/components/addonsTab.js @@ -45,17 +45,17 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) { updateFn("ingress", key)} /> 
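Review bot: In bicep/main.bicep the new `param warIngressNginx bool = false` has no `@description`, unlike the `workloadIdentity` parameter directly above it, so a reader of the template cannot tell what it turns on. I would add `@description('Enables the AKS Web Application Routing add-on (managed NGINX ingress controller)')` above it. It is also worth stating there whether the resulting ingress endpoint is expected to be internet-facing, since this flag changes what the cluster exposes.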
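Review bot: `ingressProfile` is placed in the base object of `union(...)` in bicep/main.bicep, so `webAppRouting.enabled` is sent on every deployment, including those that never select this ingress. The optional profiles just below it are merged only when their condition holds. If the API version or subscription does not accept the property, unrelated deployments could fail, though that cannot be confirmed from the hunk. Following the existing pattern would mean an extra union argument, `warIngressNginx ? { ingressProfile: { webAppRouting: { enabled: true } } } : {}`. The `aksProperties` definition starts and ends outside the hunk.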
@@ -165,7 +165,6 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) { If using a Public DNS Zone, you need to own a custom domain, you can easily purchase a custom domain through Azure details here updateFn("dnsZoneId", v)} errorMessage={getError(invalidArray, 'dnsZoneId')} required placeholder="Resource Id" label={Enter your Public or Private Azure DNS Zone ResourceId find it here} /> - updateFn("certMan", v)} label="Automatically Issue Certificates for HTTPS using cert-manager (with Lets Encrypt - requires email" /> {addons.certMan && updateFn("certEmail", v)} errorMessage={getError(invalidArray, 'certEmail') ? "Enter valid email" : ''} label="Enter mail address for certificate notification:" required /> @@ -205,7 +204,6 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) { This will expose your your grafana dashboards to the internet, please login and change the default credentials asap (admin/prom-operator) updateFn("enableMonitorIngress", v)} label={`Enable Public Ingress for Grafana (https://grafana.${addons.dnsZoneId && addons.dnsZoneId.split('/')[8]})`} /> - } { addons.monitor === "aci" && diff --git a/helper/src/components/deployTab.js b/helper/src/components/deployTab.js index ddb64b78..372a9614 100644 --- a/helper/src/components/deployTab.js +++ b/helper/src/components/deployTab.js 
@@ -85,6 +85,9 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
 ...(addons.appgwKVIntegration && addons.csisecret === 'akvNew' && { appgwKVIntegration: true })
 })
 }),
+ ...(net.vnet_opt === "byo" && {
+ ...(net.aksOutboundTrafficType !== defaults.net.aksOutboundTrafficType && {aksOutboundTrafficType: net.aksOutboundTrafficType})
+ }),
 ...(addons.csisecret !== "none" && { keyVaultAksCSI: true }),
 ...(addons.csisecret === 'akvNew' && { keyVaultCreate: true, ...(deploy.kvCertSecretRole && { keyVaultOfficerRolePrincipalId: "$(az ad signed-in-user show --query id --out tsv)"}) }),
 ...(addons.csisecret !== "none" && addons.keyVaultAksCSIPollInterval !== defaults.addons.keyVaultAksCSIPollInterval && { keyVaultAksCSIPollInterval: addons.keyVaultAksCSIPollInterval }),
@@ -105,15 +108,15 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
 ...(net.natGwIpCount !== defaults.net.natGwIpCount && {natGwIpCount: net.natGwIpCount}),
 ...(net.natGwIdleTimeout !== defaults.net.natGwIdleTimeout && {natGwIdleTimeout: net.natGwIdleTimeout})
 }),
- ...(net.vnet_opt === "byo" && {
- ...(net.aksOutboundTrafficType !== defaults.net.aksOutboundTrafficType && {aksOutboundTrafficType: net.aksOutboundTrafficType})
- }),
 ...(net.vnet_opt === "custom" && net.vnetprivateend && {
 ...(addons.registry !== "none" && {
 ...(addons.acrPrivatePool !== defaults.addons.acrPrivatePool && {acrPrivatePool: addons.acrPrivatePool}),
 ...(addons.acrPrivatePool && defaults.net.acrAgentPoolSubnetAddressPrefix !== net.acrAgentPoolSubnetAddressPrefix && {acrAgentPoolSubnetAddressPrefix: net.acrAgentPoolSubnetAddressPrefix})
 })
 }),
+ ...(addons.ingress === "warNginx" && {
+ ...(addons.ingress !== defaults.addons.ingress && {warIngressNginx: true})
+ }),
 ...(defaults.addons.kedaAddon !== addons.kedaAddon && {kedaAddon: addons.kedaAddon }),
 ...(defaults.addons.workloadIdentity !== addons.workloadIdentity && {workloadIdentity: addons.workloadIdentity }),
 ...(urlParams.getAll('feature').includes('defender') && cluster.DefenderForContainers !== defaults.cluster.DefenderForContainers && { DefenderForContainers: cluster.DefenderForContainers })
@@ -142,7 +145,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
 }),
 ...(addons.monitor === "oss" && {
 monitor: addons.monitor,
- ...(addons.ingress !== "none" && {
+ ...(addons.ingress === "appgw" || addons.ingress === "contour" || addons.ingress === "nginx" && {
 ingress: addons.ingress,
 ...(addons.enableMonitorIngress && { enableMonitorIngress: addons.enableMonitorIngress})
 })
diff --git a/helper/src/config.json b/helper/src/config.json
index 9e931d06..28b7c3e3 100644
--- a/helper/src/config.json
+++ b/helper/src/config.json
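Review bot: The inner guard `addons.ingress !== defaults.addons.ingress` in the new `warNginx` block compares against the helper's default rather than the template's. `warIngressNginx` defaults to `false` in main.bicep, so if a preset ever makes `warNginx` the default ingress, the parameter is omitted and the add-on is silently left disabled. Emitting it whenever the outer check holds is simpler and cannot drift: `...(addons.ingress === "warNginx" && {warIngressNginx: true}),`. The enclosing object literal starts and ends outside the hunk.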
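Review bot: In the `addons.monitor === "oss"` block, the new condition `addons.ingress === "appgw" || addons.ingress === "contour" || addons.ingress === "nginx" && {` parses as `A || B || (C && {...})`, because `&&` binds tighter than `||`. For `appgw` and `contour` the expression evaluates to `true`, and spreading `true` adds no keys. That drops `ingress` and `enableMonitorIngress` from the generated parameters, and only `nginx` behaves as intended. Group the alternatives before the `&&`, for example `...(["appgw", "contour", "nginx"].includes(addons.ingress) && {`. The enclosing function continues outside the hunk.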
@@ -50,6 +50,7 @@
 "DefenderForContainers" : false
 },
 "addons": {
+ "warIngressNginx": false,
 "daprAddon": false,
 "daprAddonHA": false,
 "fluxGitOpsAddon": false,
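Review bot: The new `"warIngressNginx": false` default under `addons` does not appear to be read by the deployTab.js changes in this patch, which key off `addons.ingress === "warNginx"` instead. The addons tab markup is not legible here, so this is unconfirmed. If nothing there uses it either, the key is dead state that can drift from the actual ingress selection. I would either drop it or drive the template parameter from it, but not keep both.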