Adding changes based on testing

AKS-Landing-Zone-Accelerator.sln

@@ -3,45 +3,31 @@ Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 17
 VisualStudioVersion = 17.5.002.0
 MinimumVisualStudioVersion = 10.0.40219.1
-Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Scenarios", "Scenarios", "{26A0F15A-E621-44C1-A5DA-EA0E4E368718}"
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Scenarios", "Scenarios", "{6AECF8CF-34FC-4102-A5AE-F649FDC21692}"
 EndProject
-Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Testing-Scalability", "Testing-Scalability", "{6B4D453A-73F8-48A8-BF50-304B1B4BC52D}"
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Testing-Scalability", "Testing-Scalability", "{379D21B8-24B6-401B-A19F-A9D7D4FD1E02}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SimpleApi", "Scenarios\Testing-Scalability\dotnet\SimpleApi.csproj", "{D418CBFB-FF6E-48F2-8690-F516E6E41CBE}"
-Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Scenarios", "Scenarios", "{9733CD30-401E-4C44-AFB8-1DEA545B5DAE}"
-EndProject
-Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Testing-Scalability", "Testing-Scalability", "{6493926B-A2F9-49BD-96FE-35AA519863EB}"
-EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SimpleApi", "Scenarios\Testing-Scalability\dotnet\SimpleApi.csproj", "{8810C871-4FAC-405F-8BA4-2D7C11B2FBD8}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SimpleApi", "Scenarios\Testing-Scalability\dotnet\SimpleApi.csproj", "{30694D92-2CDD-4C5E-BA67-6777D8778720}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
 		Release|Any CPU = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{D418CBFB-FF6E-48F2-8690-F516E6E41CBE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{D418CBFB-FF6E-48F2-8690-F516E6E41CBE}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{D418CBFB-FF6E-48F2-8690-F516E6E41CBE}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{D418CBFB-FF6E-48F2-8690-F516E6E41CBE}.Release|Any CPU.Build.0 = Release|Any CPU
-		{8810C871-4FAC-405F-8BA4-2D7C11B2FBD8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{8810C871-4FAC-405F-8BA4-2D7C11B2FBD8}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{8810C871-4FAC-405F-8BA4-2D7C11B2FBD8}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{8810C871-4FAC-405F-8BA4-2D7C11B2FBD8}.Release|Any CPU.Build.0 = Release|Any CPU
+		{30694D92-2CDD-4C5E-BA67-6777D8778720}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{30694D92-2CDD-4C5E-BA67-6777D8778720}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{30694D92-2CDD-4C5E-BA67-6777D8778720}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{30694D92-2CDD-4C5E-BA67-6777D8778720}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
 	EndGlobalSection
 	GlobalSection(NestedProjects) = preSolution
-		{6B4D453A-73F8-48A8-BF50-304B1B4BC52D} = {26A0F15A-E621-44C1-A5DA-EA0E4E368718}
-		{D418CBFB-FF6E-48F2-8690-F516E6E41CBE} = {6B4D453A-73F8-48A8-BF50-304B1B4BC52D}
-	EndGlobalSection
-	GlobalSection(ExtensibilityGlobals) = postSolution
-		SolutionGuid = {A7C74157-FDE1-49D4-942B-A2BCEE59311E}
-		{6493926B-A2F9-49BD-96FE-35AA519863EB} = {9733CD30-401E-4C44-AFB8-1DEA545B5DAE}
-		{8810C871-4FAC-405F-8BA4-2D7C11B2FBD8} = {6493926B-A2F9-49BD-96FE-35AA519863EB}
+		{379D21B8-24B6-401B-A19F-A9D7D4FD1E02} = {6AECF8CF-34FC-4102-A5AE-F649FDC21692}
+		{30694D92-2CDD-4C5E-BA67-6777D8778720} = {379D21B8-24B6-401B-A19F-A9D7D4FD1E02}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
-		SolutionGuid = {1624E49C-0FCF-4216-94EE-B47601C28D73}
+		SolutionGuid = {0E6CEBEF-05C8-4DD6-B1C9-9698F8FB84E5}
 	EndGlobalSection
 EndGlobal

Scenarios/AKS-Secure-Baseline-Private-AVM/Apps/RatingsApp/1-ratings-api-deployment.yaml

@@ -0,0 +1,56 @@
+# Before this deployment, ensure that MongoDB has been created using Helm.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ratings-api
+spec:
+  selector:
+    matchLabels:
+      app: ratings-api
+  template:
+    metadata:
+      labels:
+        app: ratings-api # the label for the pods and the deployments
+    spec:
+      containers:
+      - name: ratings-api
+        image: eslzacreh7qp4jx57xkw.azurecr.io/ratings-api:v1 # IMPORTANT: update with your own repository, if using Azure Government, also update change the URI to end with *.us instead of *.io
+        imagePullPolicy: Always
+        volumeMounts:
+        - name: secrets-store-inline
+          mountPath: "/mnt/secrets-store"
+          readOnly: true
+        ports:
+        - containerPort: 3000 # the application listens to this port
+        env:
+        - name: MONGODB_URI # the application expects to find the MongoDB connection details in this environment variable
+          valueFrom:
+            secretKeyRef:
+              name: mongodburi # secret name in keyvault and secret provider class
+              key: MONGODBURI # key name in secret provider class
+        resources:
+          requests: # minimum resources required
+            cpu: 250m
+            memory: 64Mi
+          limits: # maximum resources allocated
+            cpu: 250m
+            memory: 256Mi
+        readinessProbe: # is the container ready to receive traffic?
+          initialDelaySeconds: 10
+          httpGet:
+            port: 3000
+            path: /healthz
+        livenessProbe: # is the container healthy?
+          initialDelaySeconds: 2
+          periodSeconds: 5
+          httpGet:
+            port: 3000
+            path: /healthz
+      volumes:
+      - name: secrets-store-inline
+        csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: "mongo-secret-csi"

Scenarios/AKS-Secure-Baseline-Private-AVM/Apps/RatingsApp/2-ratings-api-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ratings-api
+spec:
+  selector:
+    app: ratings-api
+  ports:
+  - protocol: TCP
+    port: 80
+    targetPort: 3000
+  type: ClusterIP

Scenarios/AKS-Secure-Baseline-Private-AVM/Apps/RatingsApp/3a-ratings-web-deployment.yaml

@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ratings-web
+spec:
+  selector:
+    matchLabels:
+      app: ratings-web
+  template:
+    metadata:
+      labels:
+        app: ratings-web # the label for the pods and the deployments
+    spec:
+      containers:
+      - name: ratings-web
+        image: <acr name>.azurecr.io/ratings-web:v1 # IMPORTANT: update with your own repository, if using Azure Government, also update change the URI to end with *.us instead of *.io
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080 # the application listens to this port
+        env:
+        - name: API # the application expects to connect to the API at this endpoint
+          value: http://ratings-api.ratingsapp.svc.cluster.local
+        resources:
+          requests: # minimum resources required
+            cpu: 250m
+            memory: 64Mi
+          limits: # maximum resources allocated
+            cpu: 500m
+            memory: 512Mi

Scenarios/AKS-Secure-Baseline-Private-AVM/Apps/RatingsApp/3b-ratings-web-deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ratings-web
+spec:
+  selector:
+    matchLabels:
+      app: ratings-web
+  template:
+    metadata:
+      labels:
+        app: ratings-web # the label for the pods and the deployments
+    spec:
+      volumes:
+        - name: aks-tls-akv
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: "aks-tls-akv"
+      containers:
+      - name: ratings-web
+        image: <acr name>.azurecr.io/ratings-web:v1 # IMPORTANT: update with your own repository
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080 # the application listens to this port
+        env:
+        - name: API # the application expects to connect to the API at this endpoint
+          value: http://ratings-api.ratingsapp.svc.cluster.local
+        resources:
+          requests: # minimum resources required
+            cpu: 250m
+            memory: 64Mi
+          limits: # maximum resources allocated
+            cpu: 500m
+            memory: 512Mi
+        volumeMounts:
+        - name: aks-tls-akv
+          mountPath: /mnt/secrets-store
+          readOnly: true

Scenarios/AKS-Secure-Baseline-Private-AVM/Apps/RatingsApp/4-ratings-web-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ratings-web
+spec:
+  selector:
+    app: ratings-web
+  ports:
+  - protocol: TCP
+    port: 80
+    targetPort: 8080
+  type: ClusterIP

Scenarios/AKS-Secure-Baseline-Private-AVM/Apps/RatingsApp/5-https-ratings-web-ingress.yaml

@@ -0,0 +1,28 @@
+kind: Ingress
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: ratings-web-https
+  namespace: ratingsapp
+  annotations:
+    kubernetes.io/ingress.class: azure/application-gateway
+    cert-manager.io/issuer: letsencrypt-staging
+    cert-manager.io/acme-challenge-type: http01
+    # kubernetes.io/ingress.allow-http: 'false'
+    appgw.ingress.kubernetes.io/ssl-redirect: "true"
+    acme.cert-manager.io/http01-edit-in-place: "true" #Adding this to get the staging cert to work
+spec:
+  tls:
+    - hosts:
+      - <fqdn>
+      secretName: aks-tls-akv
+  rules:
+  - host: <fqdn>
+    http:  
+      paths:
+      - pathType: Prefix
+        path: /
+        backend:
+          service:
+            name: ratings-web
+            port: 
+              number: 80

Scenarios/AKS-Secure-Baseline-Private-AVM/Apps/RatingsApp/5a-http-ratings-web-ingress.yaml

@@ -0,0 +1,19 @@
+# NON-TLS - HTTP Only
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ratings-web
+  annotations:
+    kubernetes.io/ingress.class: azure/application-gateway
+spec:
+  rules:
+  - http:
+      paths:
+      - pathType: Prefix
+        path: /
+        backend:
+          service:
+            name: ratings-web
+            port: 
+              number: 80

Scenarios/AKS-Secure-Baseline-Private-AVM/Apps/RatingsApp/5b-http-ratings-web-ingress.yaml

@@ -0,0 +1,22 @@
+# NON-TLS - HTTP Only
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ratings-web
+  annotations:
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+spec:
+  ingressClassName: nginx
+  rules:
+  - http:
+      paths:
+      - pathType: Prefix
+        path: /
+        backend:
+          service:
+            name: ratings-web
+            port: 
+              number: 80

Scenarios/AKS-Secure-Baseline-Private-AVM/Apps/RatingsApp/README.md

@@ -0,0 +1,33 @@
+# Deploying the Workload
+
+To deploy this workload, you will need to be able to access the Azure Container Registry that was deployed as part of the supporting infrastructure for AKS.  The container registry was configured to only be accessible from a build agent on the private network. 
+
+If you use the Dev Server for this, the following tools must be installed:
+
+1. Azure CLI
+
+```bash
+curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+```
+
+2. Docker CLI
+
+```bash
+apt install docker.io
+```
+
+You will need to clone the following repos:
+
+1. The public repo for the Fruit Smoothie API.
+
+```bash
+git clone https://github.com/MicrosoftDocs/mslearn-aks-workshop-ratings-api.git
+```
+
+2. The public repo for the Fruit Smoothie Web Frontend:
+
+```bash
+git clone https://github.com/MicrosoftDocs/mslearn-aks-workshop-ratings-web.git
+```
+
+3. This repo, for the application code  - /AKS-Landing-Zone-Accelerator/Scenarios/Secure-Baseline/Apps/RatingsApp

Scenarios/AKS-Secure-Baseline-Private-AVM/Apps/RatingsApp/api-secret-provider-class.yaml

@@ -0,0 +1,25 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: mongo-secret-csi
+spec:
+  provider: azure
+  secretObjects:
+  - secretName: mongodburi
+    type: Opaque
+    data:
+    - objectName: MONGODBURI
+      key: MONGODBURI
+  parameters:
+    keyvaultName: eslz-kv-eh7qp4jx57xkw
+    useVMManagedIdentity: "true"         
+    userAssignedIdentityID: 7aaf7114-a1a5-4009-8771-a9cf4f7a4a5d # the client ID of the MSI  
+    cloudName: "" #if deploying to Azure Government, specify "AzureUSGovernment" here, otherwise, it will default to "AzurePublicCloud"
+    objects:   |
+      array:
+        - |
+          objectName: MONGODBURI
+          objectType: secret
+          objectVersion: ""
+    tenantId: 8b84e42e-feab-48d5-8b12-507ddfc88de6
+

Scenarios/AKS-Secure-Baseline-Private-AVM/Apps/RatingsApp/certificateIssuer.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: <your e-mail here>
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+    - http01:
+        ingress:
+          class: azure/application-gateway 

Scenarios/AKS-Secure-Baseline-Private-AVM/Apps/RatingsApp/internal-ingress.yaml

@@ -0,0 +1,4 @@
+controller:
+  service:
+    annotations:
+      service.beta.kubernetes.io/azure-load-balancer-internal: "true"

Scenarios/AKS-Secure-Baseline-Private-AVM/Apps/RatingsApp/web-secret-provider-class.yaml

@@ -0,0 +1,29 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: aks-tls-akv
+  namespace: ratingsapp
+spec:
+  provider: azure
+  parameters:
+    keyvaultName: <Key vault>
+    useVMManagedIdentity: "true"         
+    userAssignedIdentityID: <aks identity client ID> # the client ID of the MSI created by the 
+    objects:  |
+      array:
+        - |
+          objectName: aks-ingress-tls
+          objectAlias: aks-ingress-tls
+          objectType: secret 
+  # The objectType above is "secret" even though the aks-ingress-tls Certificate in the keyvault is certificate type.
+  # Also, the appropriate identity will need acces to GET "secrets" from the KV, as well as GET for "certificates"
+    tenantId: <tenant id>
+  secretObjects:
+    - secretName: aks-tls-akv  # k8s secret manifest will be generated and synced after mounting it from pod/deploy
+      type: kubernetes.io/tls
+      data:
+      - objectName: aks-ingress-tls # must match the name of certificate in kv
+        key: tls.crt
+      - objectName: aks-ingress-tls # must match the name of certificate in kv
+        key: tls.key
+