Azure-Samples
diff --git a/‎.gitattributes
+28 b/‎.gitattributes
+28
diff --git a/‎.gitignore
+7 b/‎.gitignore
+7
diff --git a/‎apps/acme-cart/redis_conn.py
+5-1 b/‎apps/acme-cart/redis_conn.py
+5-1
diff --git a/‎azure-kubernetes-service/README.md
+41 b/‎azure-kubernetes-service/README.md
+41
diff --git a/‎azure-kubernetes-service/docs/01-create-kubernetes-service.md
+220 b/‎azure-kubernetes-service/docs/01-create-kubernetes-service.md
+220
@@ -0,0 +1,28 @@
+# Set default behavior to automatically normalize line endings
+* text=auto
+
+# Explicitly declare text files you want to always be normalized and converted to native line endings on checkout.
+*.java text
+*.xml text
+*.properties text
+*.md text
+*.txt text
+
+# Declare files that will always have CRLF line endings on checkout.
+*.bat text eol=crlf
+*.cmd text eol=crlf
+
+# Declare files that will always have LF line endings on checkout.
+*.sh text eol=lf
+
+# Denote all files that are truly binary and should not be modified.
+*.png binary
+*.jpg binary
+*.jpeg binary
+*.gif binary
+*.ico binary
+*.pdf binary
+*.zip binary
+*.jar binary
+*.war binary
+*.ear binary
@@ -58,3 +58,10 @@ hello-world/
 
 # vsCode
 .vscode
+
+**/.gradle
+**/.idea
+**/.vscode
+**/.classpath
+
+**/target
@@ -5,6 +5,7 @@
 from os import environ
 from azure_vault import vault_secret
 from distutils.util import strtobool
+from azure.identity import DefaultAzureCredential
 
 def redis_connection(logger):
 
@@ -17,6 +18,7 @@ def redis_connection(logger):
     redis_port = environ['REDIS_PORT'] if environ.get('REDIS_PORT') not in (None, '') else 6380
 
     redis_password = environ['REDIS_PASSWORD'] if environ.get('REDIS_PASSWORD') not in (None, '') else None
+    user_name = environ['REDIS_USERNAME'] if environ.get('REDIS_USERNAME') not in (None, '') else None
 
     tlsEnabledEnv = auth_url = environ['REDIS_TLS_ENABLED'] if environ.get('REDIS_TLS_ENABLED') not in (None, '') else 'true'
     tlsEnabled = strtobool(tlsEnabledEnv)
@@ -32,7 +34,9 @@ def redis_connection(logger):
             redis_conn = redis.StrictRedis(host=redis_host, port=redis_port, password=redis_password, db=0, ssl=tlsEnabled)
         elif redis_host not in (None, ''):
             logger.info('initiating redis connection with no password')
-            redis_conn = redis.StrictRedis(host=redis_host, port=redis_port, password=None, db=0)
+            cred = DefaultAzureCredential()
+            token = cred.get_token('https://redis.azure.com/.default')
+            redis_conn = redis.StrictRedis(host=redis_host, port=redis_port, ssl=True, decode_responses=True, username=user_name, password=token.token, db=0)
         else:
             logger.info('initiating redis connection with no host or password (using redislite)')
             redis_conn = Redis('redis.db')
 
@@ -0,0 +1,41 @@
+# Azure Kubernetes Service Documentation
+
+This folder contains documentation for setting up and deploying various components on Azure Kubernetes Service (AKS) for the Acme Fitness Store project.
+
+## Table of Contents
+
+1. [01-create-kubernetes-service.md](./docs/01-create-kubernetes-service.md)
+   - Step-by-step guide to create an Azure Kubernetes Service (AKS) cluster, integrate it with Azure Container Registry (ACR), and set up Azure Key Vault and Nginx ingress with a CA certificate.
+
+2. [02-create-eureka-server.md](./docs/02-create-eureka-server.md)
+   - Instructions to create and deploy a Eureka Server on AKS for service discovery.
+
+3. [03-create-config-server.md](./docs/03-create-config-server.md)
+   - Guide to create and deploy a Spring Cloud Config Server on AKS for centralized configuration management.
+
+4. [04-create-spring-boot-admin.md](./docs/04-create-spring-boot-admin.md)
+   - Steps to create and deploy a Spring Boot Admin server on AKS for managing and monitoring Spring Boot applications.
+
+5. [05-create-application-gateway.md](./docs/05-create-application-gateway.md)
+   - Instructions to create and deploy a Spring Cloud Gateway on AKS for API Gateway functionality.
+
+6. [06-create-application-supporting-service.md](./docs/06-create-application-supporting-service.md)
+   - Guide to set up supporting services like PostgreSQL and Redis Cache for your applications on AKS.
+
+7. [08-containerize-application.md](./docs/08-containerize-application.md)
+   - Steps to build and push application images to Azure Container Registry.
+
+8. [09-02-deploy-application-connect-spring-cloud-component.md](./docs/09-02-deploy-application-connect-spring-cloud-component.md)
+   - Instructions to deploy the Acme Payment application on AKS and connect it to Spring Cloud components.
+
+9. [09-03-deploy-spring-boot-application-connect-postgresql.md](./docs/09-03-deploy-spring-boot-application-connect-postgresql.md)
+   - Guide to deploy the Acme Catalog application on AKS and connect it to a PostgreSQL database.
+
+10. [09-04-deploy-dotnet-application-connect-postgresql.md](./docs/09-04-deploy-dotnet-application-connect-postgresql.md)
+    - Steps to deploy the Acme Order application on AKS and connect it to a PostgreSQL database.
+
+11. [09-05-deploy-python-application-connect-with-redis.md](./docs/09-05-deploy-python-application-connect-with-redis.md)
+    - Instructions to deploy the Acme Cart application on AKS and connect it to a Redis cache.
+
+12. [10-get-log-and-metrics.md](./docs/10-get-log-and-metrics.md)
+    - Guide to view logs and metrics for your AKS cluster to monitor containerized applications effectively.
@@ -0,0 +1,220 @@
+## Introduction
+This document provides a step-by-step guide to create an Azure Kubernetes Service (AKS) cluster, integrate it with Azure Container Registry (ACR), and set up Azure Key Vault and Nginx ingress with a CA certificate.
+
+## Prerequisites
+- Azure CLI installed
+- Azure subscription
+- Sufficient permissions to create resources in the Azure subscription:
+    - **Contributor** - Creates resources and all other Azure resources.
+    - **User Access Administrator** - Assign necessary roles.
+
+## Outputs
+- Azure Container Registry (ACR)
+- Azure Kubernetes Service (AKS) connected to ACR
+- Azure Key Vault
+- Nginx ingress with CA certificate
+
+## Steps
+
+### 1. Clone the repo
+Clone the git repo and go to the working folder.
+```bash
+cd acme-fitness-store/azure-kubernetes-service
+```
+
+### 2. Set Variables
+
+Update `resources/var.sh` and set up the variables for your environment.
+```
+source resources/var.sh
+az account set -s ${SUBSCRIPTION}
+
+echo "RESOURCE_GROUP=${RESOURCE_GROUP}"
+echo "AKS_NAME=${AKS_NAME}"
+echo "ACR_NAME=${ACR_NAME}"
+echo "KEYVAULT_NAME=${KEYVAULT_NAME}"
+echo "WORKSPACE_NAME=${WORKSPACE_NAME}"
+```
+
+### 3. Create Resource Group
+1. Create a resource group to host all the Azure resources.
+```bash
+az group create -n ${RESOURCE_GROUP} -l eastus2
+```
+
+### 4. Create Azure Container Registry
+Create Azure Container Registry (ACR). This ACR will be used to:
+- Build application components
+- Store application images built by buildpack
+
+```bash
+az acr create -g ${RESOURCE_GROUP} -n ${ACR_NAME} --sku Premium
+```
+
+### 5. Create AKS
+1. Enable `EncryptionAtHost`, may take 10+ minutes to finish
+```bash
+az feature register --namespace Microsoft.Compute --name EncryptionAtHost
+```
+
+Run `az feature register --namespace Microsoft.Compute --name EncryptionAtHost` to wait for its state to be `Registered`.
+
+1. Create workspace
+```
+az monitor log-analytics workspace create --resource-group ${RESOURCE_GROUP} --workspace-name ${WORKSPACE_NAME}
+```
+
+1. Create AKS. 
+   Below commands guide you to create the AKS. For more information on the features enabled in the AKS cluster, refer to the following documentation:
+
+    - [Attach Azure Container Registry to AKS](https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration)
+    - [Enable Workload Identity](https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview)
+    - [Azure Load Balancer SKU](https://learn.microsoft.com/en-us/azure/load-balancer/skus)
+    - [Cluster Autoscaler](https://learn.microsoft.com/en-us/azure/aks/cluster-autoscaler)
+    - [Network concepts](https://learn.microsoft.com/en-us/azure/aks/concepts-network)
+    - [Encryption at Host](https://learn.microsoft.com/en-us/azure/aks/enable-host-encryption)
+    - [Outbound Type](https://learn.microsoft.com/en-us/azure/aks/egress-outboundtype)
+    - [Node pools](https://learn.microsoft.com/en-us/azure/aks/create-node-pools)
+    - [Storage concepts](https://learn.microsoft.com/en-us/azure/aks/concepts-storage)
+    - [Monitor AKS](https://learn.microsoft.com/en-us/azure/aks/monitor-aks)
+
+
+    ```
+    WORKSPACE_ID=$(az monitor log-analytics workspace show --resource-group ${RESOURCE_GROUP} --workspace-name ${WORKSPACE_NAME} --query id -o tsv)
+    ```
+
+    ```
+    az aks create \
+        -g  ${RESOURCE_GROUP} \
+        -n ${AKS_NAME} \
+        --attach-acr ${ACR_NAME} \
+        --enable-workload-identity  \
+        --load-balancer-sku standard \
+        --enable-cluster-autoscaler \
+        --max-count 40 \
+        --min-count 1  \
+        --network-plugin azure \
+        --no-ssh-key \
+        --enable-encryption-at-host \
+        --outbound-type loadBalancer  \
+        --enable-oidc-issuer \
+        --enable-aad \
+        --vm-set-type VirtualMachineScaleSets \
+        --os-sku Mariner  \
+        --node-osdisk-size 100 \
+        --node-osdisk-type Ephemeral \
+        --node-vm-size Standard_D4as_v4 \
+        --enable-azure-monitor-metrics \
+        --enable-addons monitoring \
+        --workspace-resource-id ${WORKSPACE_ID}
+    ```
+
+    > Note: After creating the AKS, it may take some time to update. During this time, the following commands will fail.
+
+    ```
+    az aks nodepool add \
+        --cluster-name ${AKS_NAME} \
+        -g ${RESOURCE_GROUP} \
+        -n nodepool2 \
+        --enable-cluster-autoscaler \
+        --enable-encryption-at-host \
+        --max-count 40 \
+        --min-count 1 \
+        --node-osdisk-size 200 \
+        --node-osdisk-type Ephemeral \
+        --node-vm-size Standard_D8as_v4 \
+        --os-sku Mariner \
+        --os-type Linux \
+        --node-count 1
+    az aks nodepool add \
+        --cluster-name ${AKS_NAME} \
+        -g ${RESOURCE_GROUP} \
+        -n nodepool3 \
+        --enable-cluster-autoscaler \
+        --enable-encryption-at-host \
+        --max-count 40 \
+        --min-count 1 \
+        --node-osdisk-size 200 \
+        --node-osdisk-type Ephemeral \
+        --node-vm-size Standard_D16as_v4 \
+        --os-sku Mariner \
+        --os-type Linux \
+        --node-count 1
+    ```
+
+1. Retrieve access token. This command gets the admin access for the AKS cluster. For more access management, see https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac?tabs=portal
+
+    ```
+    az aks get-credentials --resource-group ${RESOURCE_GROUP} --name ${AKS_NAME} --overwrite-existing --admin
+    ```
+
+1. Install or update the kubectl CLI
+    ```
+    az aks install-cli
+    ```
+
+1. Verify you can connect to the AKS
+
+    ```
+    kubectl get ns
+    ```
+
+### 6. Create Azure Keyvault and cert
+
+1. Get AKS outbound IPs and record these IPs as `<AKS-outbound-ip>`
+    ```
+    az aks show -g  ${RESOURCE_GROUP} -n ${AKS_NAME} --query networkProfile.loadBalancerProfile.effectiveOutboundIPs[].id
+    az resource show --ids <the ID from previous output> --query properties.ipAddress -o tsv
+    ```
+
+1. Get AKS Vnet IDs
+    ```
+    NODE_RESOURCE_GROUP=$(az aks show --resource-group ${RESOURCE_GROUP} --name ${AKS_NAME} --query nodeResourceGroup -o tsv)
+    az resource list --resource-type microsoft.network/virtualnetworks -g ${NODE_RESOURCE_GROUP} --query "[?starts_with(name, 'aks-vnet')].name" -o tsv
+    ```
+
+    List all subnets under the vnet, record these ids as `<subnet-ids>`
+    ```
+    az network vnet subnet list --resource-group ${NODE_RESOURCE_GROUP} --vnet-name <vnetName> --query "[].id" -o tsv
+    ```
+
+1. Create Azure KeyVault
+`az keyvault create --resource-group ${RESOURCE_GROUP} --name ${KEYVAULT_NAME} --network-acls-ips <AKS-outbound-ip> --network-acls-vnets <subnet-ids>`
+
+1. Assign access to yourself
+    ```
+    # Get your Azure AD user ID
+    USER_ID=$(az ad signed-in-user show --query id --output tsv)
+    KEYVUALT_ID=$(az keyvault show --name ${KEYVAULT_NAME} --query id --output tsv)
+    # Assign yourself the necessary permissions
+    az role assignment create --role "Key Vault Certificates Officer" --assignee ${USER_ID} --scope ${KEYVUALT_ID}
+    ```
+
+1. Create a self-signed certificate or import your CA cert to the Keyvault, ref: https://learn.microsoft.com/en-us/azure/key-vault/certificates/tutorial-import-certificate?tabs=azure-portal
+  > Here suggest to create a wildcard domain cert, like `*.demo.com`.
+
+### 7. Enable Nginx in Kubernetes
+Below steps guide how to enable the Nginx as add-on in the AKS cluster. For more details can view [Managed NGINX ingress with the application routing add-on](https://learn.microsoft.com/en-us/azure/aks/app-routing).
+
+1. Enable Nginx
+    ```
+    az extension add -n aks-preview --upgrade
+    az aks approuting enable --resource-group ${RESOURCE_GROUP} --name ${AKS_NAME}
+
+    KEYVUALT_ID=$(az keyvault show --name ${KEYVAULT_NAME} --query id --output tsv)
+    az aks approuting update --resource-group ${RESOURCE_GROUP} --name ${AKS_NAME} --nginx External --enable-kv --attach-kv ${KEYVUALT_ID}
+    ```
+
+1. Retrieve the Nginx public IP and note the "EXTERNAL-IP"
+
+    ```
+    kubectl get svc nginx -n app-routing-system
+    ```
+
+1. Go to your DNS zone to add record.
+   - Add A record to point the domain in your TLS cert to the external IP you obtained. E.g. `demo.com` points to the IP address.
+   - Add a wildcard CName record to the A record. E.g. `*.demo.com` points to the `demo.com`
+
+## Next Steps
+
+- Follow [02-create-eureka-server](./02-create-eureka-server.md) to create and deploy a Eureka Server on Azure Kubernetes Service.