Updated docs and links and removed some obsolete files

Bahram Rushenas 2022-09-13 14:19:59 -07:00
Parent 59a4aa2a70
Commit 48a18c432f
16 changed files with 179 additions and 473 deletions


@ -160,6 +160,8 @@ jobs:
workloads/azure-vote/back-service.yml
workloads/azure-vote/front-deployment.yml
workloads/azure-vote/front-service.yml
workloads/azure-vote/ingress.yml
workloads/azure-vote/networkpolicy.yml
images: |
${{ env.ACRNAME }}.azurecr.io/azure-vote-front:${{ github.sha }}
namespace: ${{ inputs.NAMESPACE }}
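Review bot: The two manifests added to this list, `workloads/azure-vote/ingress.yml` and `workloads/azure-vote/networkpolicy.yml`, make the deploy step depend on cluster features the workflow never checks for. The Ingress added in this commit is bound to `kubernetes.io/ingress.class: traefik-internal` and a fixed host, and the NetworkPolicy only has an effect where a network policy engine is enabled. Please state both prerequisites in the workflow header or the scenario doc, so that a green run against a cluster without them is not mistaken for a reachable and isolated app.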


@ -1,166 +0,0 @@
# This workflow demonstrates building a container image, pushing to an Azure Container Registry and deploying to Kubernetes
# It is split into separate jobs for readability but could be squashed into a single job if that best suits your scenario
name: AppDeploy - Azure Vote - Docker Build
on:
workflow_call:
inputs:
RG:
description: 'The Resource Group where your resources are deployed'
required: true
type: string
AKSNAME:
description: 'The Name of the AKS resource'
required: true
type: string
ACRNAME:
description: 'The Name of the ACR resource'
required: true
type: string
APPNAME:
description: 'The Name of the Application to deploy'
required: true
type: string
NAMESPACE:
description: 'The Kubernetes Namespace to deploy the Application to'
default: "default"
required: false
type: string
APPREPO:
description: 'The GitHub App code repo'
default: "azure-samples/azure-voting-app-redis"
required: false
type: string
APPREPOREF:
description: 'The GitHub REF to use when referencing the App code repo'
default: "129888"
required: false
type: string
APPREPOPATH:
description: 'The directory in the repo containing the Dockerfile'
default: "./azure-vote"
required: false
type: string
ENVIRONMENT:
description: 'A GitHub Environment to pull action secrets from'
required: true
type: string
secrets:
AZURE_CLIENT_ID:
required: true
AZURE_TENANT_ID:
required: true
AZURE_SUBSCRIPTION_ID:
required: true
permissions:
id-token: write
contents: read
jobs:
BuildPush:
runs-on: ubuntu-latest
environment: ${{ inputs.ENVIRONMENT }}
env:
ACRNAME: "${{ inputs.ACRNAME}}"
steps:
- name: Get application code from repo
uses: actions/checkout@v2
with:
repository: ${{ inputs.APPREPO}}
ref: ${{ inputs.APPREPOREF}}
- name: Job parameter inspection
run: |
echo "RG is ${{ inputs.RG }}"
echo "AKS name is ${{ inputs.AKSNAME }}"
echo "ACR name is ${{ inputs.ACRNAME }}"
- name: Azure Login
uses: Azure/login@v1.4.3
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Connect to Azure Container Registry (ACR)
id: acrconnect
run: |
echo "Retrieving access token from $ACRNAME"
TOKEN=$(az acr login -n $ACRNAME --expose-token)
if [ -z "$TOKEN" ]
then
echo "ACR Token was not retrieved successfully"
exit 1
fi
ACRTOKEN=$(echo $TOKEN | jq -r ".accessToken")
LOGINSERVER=$(echo $TOKEN | jq -r ".loginServer")
echo "ACR Login Server: $LOGINSERVER"
echo "::set-output name=loginServer::$LOGINSERVER"
echo "Passing token as stdin to docker login"
echo $ACRTOKEN | docker login $LOGINSERVER -u 00000000-0000-0000-0000-000000000000 --password-stdin
- name: Container build and push to a Azure Container Registry (ACR)
env:
APPREPOPATH: "${{ inputs.APPREPOPATH}}"
ACRSERVER: "${{ steps.acrconnect.outputs.loginServer }}"
APPNAME: "${{ inputs.APPNAME }}"
run: |
cd $APPREPOPATH
docker build . -t $ACRSERVER/$APPNAME:${{ github.sha }}
docker push $ACRSERVER/$APPNAME:${{ github.sha }}
Deploy:
runs-on: ubuntu-latest
environment: ${{ inputs.ENVIRONMENT }}
needs: [BuildPush]
steps:
- name: Get application k8s manifests from repo
uses: actions/checkout@v2
- name: Azure Login
uses: Azure/login@v1.4.3
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Install Kubectl
uses: azure/setup-kubectl@v2.0
with:
version: 'latest'
- name: Set the target Azure Kubernetes Service (AKS) cluster.
uses: azure/aks-set-context@v2.0
with:
cluster-name: ${{ inputs.AKSNAME }}
resource-group: ${{ inputs.RG }}
- name: Kubelogin
env:
kubeloginversion: 'v0.0.11'
run: |
wget https://github.com/Azure/kubelogin/releases/download/${{ env.kubeloginversion }}/kubelogin-linux-amd64.zip
unzip kubelogin-linux-amd64.zip
sudo mv bin/linux_amd64/kubelogin /usr/bin
kubelogin convert-kubeconfig -l azurecli
- name: Deploy app to AKS
uses: azure/k8s-deploy@v1.5
env:
ACRNAME: "${{ inputs.ACRNAME}}"
with:
manifests: |
workloads/azure-vote/back-deployment.yml
workloads/azure-vote/back-service.yml
workloads/azure-vote/front-deployment.yml
workloads/azure-vote/front-service.yml
images: |
${{ env.ACRNAME }}.azurecr.io/azure-vote-front:${{ github.sha }}
namespace: ${{ inputs.NAMESPACE }}

.github/workflows/App-AzureVote-GitOps.yml

@ -1,158 +0,0 @@
## ------------------------------------------------------------------------------------------------------------------------
## Pull-Based GitOps Deployment
## This workflow takes in an EXISTING ACR and AKS cluster and updates the AKS manifest files for GitOps to deploy the app.
## Assumptions:
## Existing ACR
## Existing AKS cluster
## ACR is attached to AKS cluster (no image pull secret required)
## -------------------------------------------------------------------------------------------------------------------------
# This workflow demonstrates building and pushing a container image to an Azure Container Registry.
# The workflow then updates the necessary Kubernetes manifest deployment file so a GitOps operator can sync from the manifest file deploying the application to an Azure Kubernetes Service cluster.
# It is split into separate jobs for readability but could be squashed into a single job if that best suits your scenario.
name: AppDeploy - Azure Vote - GitOps
on:
workflow_dispatch:
inputs:
ResourceGroupName:
description: 'The Resource Group where your resources are deployed'
required: true
default: "gitops-example"
type: string
AKSName:
description: 'The Name of the AKS resource'
required: true
default: "mygitopsappaks1"
type: string
ACRName:
description: 'The Name of the ACR resource'
required: true
default: "mygitopsappacr1"
type: string
AppName:
description: 'The Name of the Application to deploy'
required: false
default: "azure-vote"
type: string
Namespace:
description: 'The Kubernetes Namespace to deploy the Application to'
default: "default"
required: false
type: string
AppRepo:
description: 'The GitHub App code repo'
default: "azure-samples/azure-voting-app-redis"
required: false
type: string
AppRepoRef:
description: 'The GitHub REF to use when referencing the App code repo'
default: "129888"
required: false
type: string
AppRepoPath:
description: 'The directory in the repo containing the Dockerfile'
default: "./azure-vote"
required: false
type: string
Environment:
description: 'A GitHub Environment to pull action secrets from'
required: false
default: prod
type: environment
Region:
description: 'Location where the resources need to be deployed'
required: false
default: "eastus2"
type: string
permissions:
id-token: write
contents: write
jobs:
BuildPush:
runs-on: ubuntu-latest
environment: ${{ inputs.Environment }}
steps:
# Get application code from repo
- name: Get application code from repo
uses: actions/checkout@main
with:
repository: ${{ inputs.AppRepo}}
ref: ${{ inputs.AppRepoRef}}
# Logs into your Azure subscription
- uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
- name: Connect to Azure Container Registry (ACR)
id: acrconnect
run: |
echo "Retrieving access token from ${{ inputs.ACRName}}"
TOKEN=$(az acr login -n ${{ inputs.ACRName}} --expose-token)
if [ -z "$TOKEN" ]
then
echo "ACR Token was not retrieved successfully"
exit 1
fi
ACRTOKEN=$(echo $TOKEN | jq -r ".accessToken")
LOGINSERVER=$(echo $TOKEN | jq -r ".loginServer")
echo "ACR Login Server: $LOGINSERVER"
echo "::set-output name=loginServer::$LOGINSERVER"
echo "Passing token as stdin to docker login"
echo $ACRTOKEN | docker login $LOGINSERVER -u 00000000-0000-0000-0000-000000000000 --password-stdin
# Builds and Pushes the container image to the Azure Container Registry (ACR)
- name: Container build and push to a Azure Container Registry (ACR)
env:
AppRepoPath: "${{ inputs.AppRepoPath}}"
AppName: "${{ inputs.AppName }}"
run: |
cd $AppRepoPath
docker build "$GITHUB_WORKSPACE/" -f "Dockerfile" -t ${{ inputs.ACRName }}.azurecr.io/${{ inputs.AppName }}:${{ github.run_number }} --label dockerfile-path=Dockerfile
docker push ${{ inputs.ACRName }}.azurecr.io/${{ inputs.AppName }}:${{ github.run_number }}
Update-K8s-Manifests:
name: Update K8s Deployment Manifest with Image Version
needs: BuildPush
environment: ${{ inputs.Environment }}
runs-on: ubuntu-latest
steps:
# Checks out the baseline repository
- uses: actions/checkout@v2
# Logs into your Azure subscription
- uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
- name: Update image name in manifest file
uses: azure/powershell@v1
with:
inlineScript: |
$line = Get-Content workloads/azure-vote/front-deployment.yml | Select-String image: | Select-Object -ExpandProperty Line
$content = Get-Content workloads/azure-vote/front-deployment.yml
$content | ForEach-Object {$_ -replace $line," image: ${{ inputs.ACRName }}.azurecr.io/${{ inputs.AppName }}:${{ github.run_number }}"} | Set-Content workloads/azure-vote/front-deployment.yml
azPSVersion: "latest"
- name: Commit changes in manifest to repo
run: |
git config user.name "GitHub Actions Bot"
git config user.email ""
git add workloads/azure-vote/front-deployment.yml
git commit -m "Update image version in K8s Deployment manifests file"
git push origin


@ -1,55 +0,0 @@
# This is a basic workflow to help you get started with Actions
name: AppGitOps
on:
workflow_dispatch:
inputs:
Environment:
description: 'A GitHub Environment to pull action secrets from'
type: environment
required: false
ResourceGroup:
description: 'Resource Group Name'
type: string
required: true
jobs:
ReusableWF:
runs-on: ubuntu-latest
outputs:
ENVIRONMENT: ${{ github.event.inputs.Environment }}
RG: ${{ github.event.inputs.ResourceGroup }}
steps:
- name: Dummy step
run: echo "Resuable workflows can't be directly reference ENV/INPUTS (yet)"
Deploy:
#EDIT THIS CONFIG HERE: https://azure.github.io/AKS-Construction/?deploy.clusterAdminRole=false&deploy.clusterIPWhitelist=false&deploy.kvCertSecretRole=false&deploy.acrPushRole=false&cluster.agentCount=1&cluster.maxCount=3&cluster.upgradeChannel=node-image&cluster.apisecurity=none&addons.registry=Standard&addons.ingress=none&addons.networkPolicy=azure&addons.csisecret=none&net.vnet_opt=default&net.aksOutboundTrafficType=managedNATGateway&net.natGwIpCount=2
needs: [ReusableWF]
uses: Azure/AKS-Construction/.github/workflows/AKSC_Deploy.yml@main
with:
environment: ${{ needs.ReusableWF.outputs.ENVIRONMENT }}
templateVersion: 0.8.8
rg: az-k8s-cv8j-rg
resourceName: az-k8s-cv8j
templateParams: resourceName=az-k8s-cv8j agentCount=1 upgradeChannel=node-image agentCountMax=3 enable_aad=true AksDisableLocalAccounts=true enableAzureRBAC=true registries_sku=Standard omsagent=true retentionInDays=30 networkPolicy=azure azurepolicy=audit aksOutboundTrafficType=managedNATGateway
secrets:
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
DockerBuildPushACR:
needs: [ReusableWF, Deploy]
uses: ./.github/workflows/App-AzureVote-DockerBuild.yml
with:
ENVIRONMENT: ${{ needs.ReusableWF.outputs.ENVIRONMENT }}
RG: ${{ needs.ReusableWF.outputs.RG }}
AKSNAME: ${{ needs.Deploy.outputs.AKSNAME}}
ACRNAME: ${{ needs.Deploy.outputs.ACRNAME}}
APPNAME: basevote2
secrets:
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

.github/workflows/App-Test-All.yml

@ -35,33 +35,19 @@ jobs:
- name: Dummy step
run: echo "Resuable workflows can't be directly reference ENV/INPUTS (yet)"
# BuildOnACR:
# needs: [ReusableWF]
# uses: ./.github/workflows/App-AzureVote-BuildOnACRs.yml
# with:
# ENVIRONMENT: ${{ needs.ReusableWF.outputs.ENVIRONMENT }}
# RG: ${{ needs.ReusableWF.outputs.RG }}
# AKSNAME: ${{ needs.ReusableWF.outputs.AKSNAME }}
# ACRNAME: ${{ needs.ReusableWF.outputs.ACRNAME }}
# APPNAME: basevote1
# secrets:
# AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
# AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
# AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# DockerBuild:
# needs: [ReusableWF]
# uses: ./.github/workflows/App-AzureVote-DockerBuild.yml
# with:
# ENVIRONMENT: ${{ needs.ReusableWF.outputs.ENVIRONMENT }}
# RG: ${{ needs.ReusableWF.outputs.RG }}
# AKSNAME: ${{ needs.ReusableWF.outputs.AKSNAME }}
# ACRNAME: ${{ needs.ReusableWF.outputs.ACRNAME }}
# APPNAME: basevote2
# secrets:
# AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
# AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
# AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
BuildOnACR:
needs: [ReusableWF]
uses: ./.github/workflows/App-AzureVote-BuildOnACRs.yml
with:
ENVIRONMENT: ${{ needs.ReusableWF.outputs.ENVIRONMENT }}
RG: ${{ needs.ReusableWF.outputs.RG }}
AKSNAME: ${{ needs.ReusableWF.outputs.AKSNAME }}
ACRNAME: ${{ needs.ReusableWF.outputs.ACRNAME }}
APPNAME: basevote1
secrets:
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
HelmRunCmd:
needs: [ReusableWF]
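Review bot: Re-enabling the `BuildOnACR` job is a behaviour change that the commit message ("Updated docs and links and removed some obsolete files") does not mention. The job now runs whenever this workflow runs and hands `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_SUBSCRIPTION_ID` to `./.github/workflows/App-AzureVote-BuildOnACRs.yml`. Please confirm that this file name, with its trailing `s`, matches a workflow that exists in the repo, and either call the re-enablement out in the message or move it to its own commit.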


@ -73,14 +73,14 @@ Multiple GitHub action workflows are used to demonstrate the deployment of sampl
Sample App | Scenario | Description | Tags
---------- | -------- | ----------- | ----
Flask Hello World| [Docker Build](./workloads/docs/app-flask-push-dockerbuild.md) | Builds a container image from code on the runner then pushes to ACR. Deployment is done via a push model. Requires the use of self-hosted runners if you deployed a private ACR per the instructions in the [IaC](./IaC/README.md) section of this repo. To setup self-hosted runners, refer to the [Self-hosted GitHub Runners](#Self-hosted-GitHub-Runners) section.
Flask Hello World| [Docker Build](./workloads/docs/README.md) | Builds a container image from code on the runner then pushes to ACR. Deployment is done via a push model. Requires the use of self-hosted runners if you deployed a private ACR per the instructions in the [IaC](./IaC/README.md) section of this repo. To setup self-hosted runners, refer to the [Self-hosted GitHub Runners](#Self-hosted-GitHub-Runners) section.
Azure Vote | [AKS Run Command](./workloads/docs/other-app-scenarios/app-azurevote-helmruncmd.md) |Sample of re-usable workflow called from the workflow [App-Test-All.yml](./.github/workflows/App-Test-All.yml). Deploys the app using a helm chart through the _AKS Command Invoke_. The focus here is to demonstrate how workloads in private clusters can still be managed through cloud hosted GitHub runners (no need to install self-hosted runners as in the other samples). It also shows how to test your application using Playwright.
Azure Vote | [ACR Build](./workloads/docs/other-app-scenarios/app-azurevote-acrbuild.md) |Another Sample of re-usable workflow called from the workflow [App-Test-All.yml](./.github/workflows/App-Test-All.yml). Builds a container image from code directly in Azure Container Registry (ACR). Deployment is done using the Azure Kubernetes GitHub actions. Requires the use of self-hosted runners if you deployed a private ACR per the instructions in the [IaC](./IaC/README.md) section of this repo. To setup self-hosted runners, refer to the [Self-hosted GitHub Runners](#Self-hosted-GitHub-Runners) section.
### Deploy sample applications using GitOps (pull method)
You can use GitOps with flux or ArgoCD (pull method) as an alternative to GitHub action workflows to deploy your applications.
Refer to [these instructions](./workloads/docs/app-flask-pull-gitops.md) for how to setup your environment to deploy a sample application with GitOps using ArgoCD.
Refer to [these instructions](./workloads/docs/README.md) for how to setup your environment to deploy a sample application with GitOps using ArgoCD.
## Lifecycle-Management
Different components of an AKS solution are often owned by different teams and typically follow their own lifecycle management schedule and process, sometimes using different tools. In this section we will cover the following lifecycle management processes:
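Review bot: Both rewritten links, the Flask `[Docker Build]` cell and the GitOps `[these instructions]` sentence, now resolve to the same `./workloads/docs/README.md`, so the reader no longer lands directly on the push or the pull walkthrough. If the per-scenario pages still exist (the Option #1 and Option #2 pages are edited later in this commit), link to them. Otherwise point each link at the matching section anchor of that README.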

media/repo-structure.jpg: binary file, not shown (1.8 MiB before, 1.8 MiB after)


@ -2,31 +2,37 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: azure-vote-back
labels:
role: backend
app: back
spec:
replicas: 1
selector:
matchLabels:
app: azure-vote-back
role: backend
app: back
template:
metadata:
labels:
app: azure-vote-back
role: backend
app: back
spec:
nodeSelector:
"kubernetes.io/os": linux
containers:
- name: azure-vote-back
image: mcr.microsoft.com/oss/bitnami/redis:6.0.8
env:
- name: ALLOW_EMPTY_PASSWORD
value: "yes"
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 250m
memory: 256Mi
ports:
- containerPort: 6379
name: redis
- name: back
image: "mcr.microsoft.com/oss/bitnami/redis:6.0.8"
imagePullPolicy: IfNotPresent
env:
- name: ALLOW_EMPTY_PASSWORD
value: "yes"
ports:
- containerPort: 6379
name: redis
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 250m
memory: 256Mi
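Review bot: The `spec.selector.matchLabels` change from `app: azure-vote-back` to `role: backend` / `app: back` cannot be applied over an existing `azure-vote-back` Deployment, because the selector of an apps/v1 Deployment is immutable. A cluster that already ran the previous manifest needs the Deployment deleted first, and the docs should say so. Separately, Redis still starts with `ALLOW_EMPTY_PASSWORD` set to `"yes"`, which leaves the NetworkPolicy added in this commit as the only access control in front of port 6379; consider supplying a password from a Secret.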


@ -1,10 +1,14 @@
---
apiVersion: v1
kind: Service
metadata:
name: azure-vote-back
labels:
role: backend
app: back
spec:
type: ClusterIP
ports:
- port: 6379
- port: 6379
selector:
app: azure-vote-back
role: backend
app: back


@ -6,26 +6,36 @@ spec:
replicas: 1
selector:
matchLabels:
app: azure-vote-front
role: frontend
app: front
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
minReadySeconds: 5
template:
metadata:
labels:
app: azure-vote-front
role: frontend
app: front
spec:
nodeSelector:
"kubernetes.io/os": linux
"kubernetes.io/os": linux
containers:
- name: azure-vote-front
image: mcr.microsoft.com/azuredocs/azure-vote-front:v1
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 250m
memory: 256Mi
ports:
- containerPort: 80
env:
- name: REDIS
value: "azure-vote-back"
- name: front
image: "mcr.microsoft.com/azuredocs/azure-vote-front:v1"
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 250m
memory: 256Mi
env:
- name: REDIS
value: azure-vote-back
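Review bot: The `image:` value `mcr.microsoft.com/azuredocs/azure-vote-front:v1` does not share a registry prefix with the `images:` entry that the deploy workflow at the top of this commit passes (`${{ env.ACRNAME }}.azurecr.io/azure-vote-front:${{ github.sha }}`), so please verify that the deploy action's image substitution still matches this line. If it does not, the pod runs the public `v1` image rather than the one just built and pushed. The selector change here (`app: azure-vote-front` to `role: frontend` / `app: front`) also requires an existing Deployment to be recreated.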


@ -3,10 +3,18 @@ kind: Service
metadata:
name: azure-vote-front
annotations:
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
service.beta.kubernetes.io/azure-load-balancer-internal: "false"
labels:
role: frontend
app: front
spec:
type: LoadBalancer
type: ClusterIP
loadBalancerIP: 10.240.4.4
ports:
- port: 80
- port: 80
targetPort: http
protocol: TCP
name: http
selector:
app: azure-vote-front
role: frontend
app: front
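Review bot: With `type: ClusterIP`, the remaining `loadBalancerIP: 10.240.4.4` and the `service.beta.kubernetes.io/azure-load-balancer-internal` annotation are leftovers from the LoadBalancer setup and should be removed rather than edited. Flipping the annotation to `"false"` is the risky part: if the type is ever switched back to `LoadBalancer`, the Service would request a public load balancer instead of an internal one.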


@ -0,0 +1,34 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: azure-vote
annotations:
kubernetes.io/ingress.allow-http: "false"
# defines controller implementing this ingress resource: https://docs.microsoft.com/en-us/azure/dev-spaces/how-to/ingress-https-traefik
# ingress.class annotation is being deprecated in Kubernetes 1.18: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
# For backwards compatibility, when this annotation is set, precedence is given over the new field ingressClassName under spec.
kubernetes.io/ingress.class: traefik-internal
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.tls.options: default
traefik.ingress.kubernetes.io/router.middlewares: app-gateway-snet@file, gzip-compress@file
spec:
tls:
- hosts:
- bu0001a0008-00.aks-ingress.contoso.com
# It is possible to opt for certificate management strategy with dedicated
# certificates for each TLS SNI route.
# In this Rereference Implementation for the sake of simplicity we use a
# wildcard default certificate added at Ingress Controller configuration level which is *.example.com
# secretName: <bu0001a0008-00-example-com-tls-secret>
rules:
- host: bu0001a0008-00.aks-ingress.contoso.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: "azure-vote-front"
port:
number: 80
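Review bot: The comment under `tls:` says the default wildcard certificate is `*.example.com`, but both `hosts` and the rule's `host` use `bu0001a0008-00.aks-ingress.contoso.com`, which that certificate would not cover. Align the comment with the host, and make the host a parameter instead of a hardcoded value. The manifest also relies on the `kubernetes.io/ingress.class` annotation that its own comment marks as deprecated (prefer `spec.ingressClassName`), and on the Traefik middlewares `app-gateway-snet@file` and `gzip-compress@file` being defined on the controller, which should be listed as prerequisites. Typo in the comment: "Rereference".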


@ -0,0 +1,35 @@
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-vote-front-ingress
spec:
podSelector:
matchLabels:
app: front
ingress:
- {}
egress:
- to:
- podSelector:
matchLabels:
app: back
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: azure-vote-back
spec:
podSelector:
matchLabels:
app: back
role: backend
ingress:
- from:
- podSelector:
matchLabels:
app: front
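Review bot: The empty ingress rule (`- {}`) in `allow-vote-front-ingress` admits traffic to the `app: front` pods from every source on every port, so this policy only constrains their egress. If the intent is that only the ingress controller reaches the front end, replace the empty rule with a `from` selector for the controller and restrict it to port 80. The rules between front and back also name no port: add port 6379/TCP to the egress rule towards `app: back` and to the `from` rule in `azure-vote-back`. Declaring `policyTypes` explicitly in both policies would make the intended direction of each unambiguous.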


@ -1,6 +1,6 @@
## Option \#2 Pull-based CI/CD(GitOps)
This article outlines deploying with the pull option as described in the [automated build and deploy for container applications article](../app-automated-build-devops-gitops.md). To deploy the **Option \#2 Pull-based CI/CD Architecture** scenario, follow the steps outlined [here](../README.md) (if you haven't already), then perform the following steps:
This article outlines deploying with the pull option as described in the [automated build and deploy for container applications article](../app-automated-build-devops-gitops.md). To deploy the **Option \#2 Pull-based CI/CD Architecture** scenario, follow the steps outlined [here](README.md) (if you haven't already), then perform the following steps:
1. Fork this repo to your GitHub: https://github.com/Azure/aks-baseline-automation. Note: Be sure to uncheck "Copy the main branch only".
1. Go to Actions on the forked repo and enable Workflows as shown: <https://github.com/YOURUSERNAME/aks-baseline-automation/actions>


@ -1,15 +1,15 @@
## Option \#1 Push-based CI/CD
This article outlines deploying with the push option as described in the [automated build and deploy for container applications article](../app-automated-build-devops-gitops.md). To deploy the **Option \#1 Push-based CI/CD Architecture** scenario, follow the steps outlined [here](../README.md) (if you haven't already), then perform the following steps:
This article outlines deploying with the push option as described in the [automated build and deploy for container applications article](XXX.md). To deploy the **Option \#1 Push-based CI/CD Architecture** scenario, follow the steps outlined [here](README.md) (if you haven't already), then perform the following steps:
1. Fork this repo to your GitHub: https://github.com/Azure/aks-baseline-automation. Note: Be sure to uncheck "Copy the main branch only".
1. Go to Actions on the forked repo and enable Workflows as shown: <https://github.com/YOURUSERNAME/aks-baseline-automation/actions>
2. Go to Actions on the forked repo and enable Workflows as shown: <https://github.com/YOURUSERNAME/aks-baseline-automation/actions>
![](media/c2a38551af1c5f6f86944cedc5fd660a.png)
1. Go to Settings on the forked repo and create a new environment
3. Go to Settings on the forked repo and create a new environment
1. Adding a new environment here: https://github.com/YOUR-REPO/settings/environments/new
1. Click New Environment button: Environments / Add
1. Name it prod
1. Set Azure subscription
2. Click New Environment button: Environments / Add
3. Name it prod
4. Set Azure subscription
1. In Azure cloud shell run
```bash
az account show *\#Shows current subscription*
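Review bot: The first link in the rewritten intro paragraph points at `XXX.md`, which looks like an unresolved placeholder. The pull-based page edited in this same commit still links the same article as `../app-automated-build-devops-gitops.md`. Please restore a real target before merging.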
@ -17,7 +17,7 @@ This article outlines deploying with the push option as described in the [automa
```bash
az account set --subscription "YOURAZURESUBSCRIPTION" *\#Set a subscription to be the current active subscription*
```
1. Create a file called `ghToAzAuth.sh` in your bash working directory and copy the code block in this .md file into it: https://github.com/Azure/aks-baseline-automation/blob/main/docs/oidc-federated-credentials.md. You will need to update the following variable values:
2. Create a file called `ghToAzAuth.sh` in your bash working directory and copy the code block in this .md file into it: https://github.com/Azure/aks-baseline-automation/blob/main/docs/oidc-federated-credentials.md. You will need to update the following variable values:
```bash
APPNAME=myApp
RG=<AKS resource group name>
@ -26,7 +26,7 @@ This article outlines deploying with the push option as described in the [automa
GHBRANCH=main
GHENV=prod
```
1. Save the shell script after you have made the updates to those variables and run the script in your cloud shell
3. Save the shell script after you have made the updates to those variables and run the script in your cloud shell
```bash
bash ghToAzAuth.sh
```
@ -34,14 +34,14 @@ This article outlines deploying with the push option as described in the [automa
You should have the following 3 Federated credentials similar to what is shown *in* the following screenshot:
![](media/0664a3dd619ba6e98b475b29856e6c57.png)
Next you need to create the Environment and GitHub Actions Repository secrets *in* your repo.
1. Create Actions secrets for your Azure subscription in your GitHub Repository *\#Reference: https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux\#use-the-azure-login-action-with-a-service-principal-secret*
5. Create Actions secrets for your Azure subscription in your GitHub Repository *\#Reference: https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux\#use-the-azure-login-action-with-a-service-principal-secret*
1. Navigate to Github Actions Secrets in your browser: From your repo select *Settings* > on the left plane select *Secrets* > select *Actions* in the dropdown
1. Select *New repository secret*
1. Click *Add secret*
1. Review Environment secrets
2. Select *New repository secret*
3. Click *Add secret*
6. Review Environment secrets
1. Navigate to environments in your browser: From your repo select *Settings* > on the left plane select *Environments* > select *New environment* at the top right corner of the resulting screen
1. Enter a name for your environment then click *Configure environment*
1. At the bottom of the resulting screen under Environment secrets click on *Add secret*
2. Enter a name for your environment then click *Configure environment*
3. At the bottom of the resulting screen under Environment secrets click on *Add secret*
```bash
# The values should be in the following format shown in these examples:
AZURE_CLIENT_ID = 1gce4f22-5ca0-873c-54ac-b451d7f73e622
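Review bot: The reference URL on the `Create Actions secrets` step ends in `#use-the-azure-login-action-with-a-service-principal-secret`, yet this page has the reader set up federated credentials ("You should have the following 3 Federated credentials"), so the link sends them to the secret-based login flow. Point it at the repo's own `docs/oidc-federated-credentials.md`, which the page already references, or at the OpenID Connect guidance in the same article.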
@ -50,17 +50,17 @@ This article outlines deploying with the push option as described in the [automa
```
![](media/a1026d5ff5825e899f2633c2b10177df.png)
1. When *done* you should see the following secrets *in* your GitHub Settings:
4. When *done* you should see the following secrets *in* your GitHub Settings:
![](media/049073d69afee0baddf4396830c99f17.png)
1. Run the GitHub Actions workflow:
7. Run the GitHub Actions workflow:
1. Go to [https://github.com/YOUR REPO/aks-baseline-automation/actions](https://github.com/YOUR%20REPO/aks-baseline-automation/actions)
1. Run the .github/workflows/App-flask-DockerBuild-Actions.yml workflow
1. Enter the needed inputs:
2. Run the .github/workflows/App-flask-DockerBuild-Actions.yml workflow
3. Enter the needed inputs:
![](media/305b724858e713c324483ab24ad3c7cf.png)
1. You will see the workflows start.
4. You will see the workflows start.
![](media/b36378c2d7d40c5d667486b058ea561a.png)
1. When it completes both jobs will green showing the workflow was successful.
5. When it completes both jobs will green showing the workflow was successful.
![](media/60de94d5bde946129fbc11446f956ff3.png)
1. You will be able to see the App was successfully deployed to the default namespace in your AKS cluster as shown in the following screenshots:
6. You will be able to see the App was successfully deployed to the default namespace in your AKS cluster as shown in the following screenshots:
![](media/c540af41853da0467e6d5363ec756c7b.png)
![](media/1a51da1f757ff7e33d9d72ed85bc32f9.png)


@ -1,4 +1,4 @@
# Azure Vote - Docker Build and Push Scenario
# ASP.Net - Docker Build and Push Scenario
## Overview
@ -10,7 +10,7 @@ The application is the [ASP.Net Hello World](https://github.com/mspnp/aks-baseli
The Azure Credentials required are that of OpenID Connect (OIDC) based Federated Identity Credentials, please see [here](/docs/oidc-federated-credentials.md) for more information.
The workflow file is located [here](/.github/workflows/App-AspNet-DockerBuild-Actions.yml).
To create this workflow, just copy the [App-Flask-DockerBuild.yml](/.github/workflows/App-Flask-DockerBuild.yml) file and then update in the last step of the workflow the parameters of the action **k8s-deploy** to list the manifest files for the aspnet application deployment. These file are located under this [folder](../../aspnet/).
## Scenario Components
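Review bot: The sentence starting "To create this workflow, just copy the [App-Flask-DockerBuild.yml]" contradicts the line above it, which links an existing `/.github/workflows/App-AspNet-DockerBuild-Actions.yml`. Say either that the workflow ships in the repo or that the reader has to create it, and use one file-naming scheme (the push-based page in this commit calls the Flask workflow `App-flask-DockerBuild-Actions.yml`). Grammar: "These file are" should read "These files are".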