Doc consistency and minor improvements. (#311)

* Allow communication with API server via udp/1194.

References:
#223
https://docs.microsoft.com/en-us/azure/firewall/protect-azure-kubernetes-service

* Return IP address instead of res. ID (acc  to doc)

* Minimal user feedback: echo variables to console.

* ifconfig.io to return IPv4 addr for access policy

* Notes for macOS users, having BSD sed.

* Improvement to comment.

Co-authored-by: Chad Kittel <[email protected]>

* Comment out firewall rule, but add hints.

* Enable FW rule in bicep; remove warning.

* Update references to 'aks-baseline'.

* Get current branch name and pass as parameter.

* Pass domain name as parameter to curl container.

* Optimize docs for pre-existing AAD group.

- Add bash snippet to set pre-existing group.
- Add hints to skip user creation / member adding group has members.

* Hint for single-tenant deployment.

* Make namespace reader group optional.

* Fix: Print correct variable name.

* Only stage intentionally changed file for commit.

* FIx deployment failures on role lookup

* Add some clarification to docs.

* Make saveenv.sh independent of current directory.

* Append suffix to GITOPS variables...

...making sure they are also written to aks_baseline.env by saveenv.sh.

* export GITOPS variables.

* Revert "FIx deployment failures on role lookup"

This reverts commit 9234b57.

* Revert "Only stage intentionally changed file for commit."

This reverts commit fba516b.

* GITOPS variables are just 'local'.

* Update 01-prerequisites.md

Co-authored-by: Chad Kittel <[email protected]>

* Update 03-aad.md

Co-authored-by: Chad Kittel <[email protected]>

* Update 03-aad.md

Co-authored-by: Chad Kittel <[email protected]>

* Update 03-aad.md

Co-authored-by: Chad Kittel <[email protected]>

* Update 03-aad.md

Co-authored-by: Chad Kittel <[email protected]>

* Update 11-validation.md

Co-authored-by: Chad Kittel <[email protected]>

* Update 03-aad.md

Co-authored-by: Chad Kittel <[email protected]>

* Update 03-aad.md

Co-authored-by: Chad Kittel <[email protected]>

* GITOPS variables are just 'local'.

Co-authored-by: Chad Kittel <[email protected]>

01-prerequisites.md

@@ -53,9 +53,11 @@ This is the starting point for the instructions on deploying the [AKS Baseline r
 
    > :twisted_rightwards_arrows: If you have forked this reference implementation repo, you'll be able to customize some of the files and commands for a more personalized and production-like experience; ensure references to this git repository mentioned throughout the walk-through are updated to use your own fork.
 
+   > Make sure you use HTTPS (and not SSH) to clone the repository. (The remote URL will later be used to configure GitOps using Flux which requires an HTTPS endpoint to work properly.)
+
    ```bash
-   git clone https://github.com/mspnp/aks-secure-baseline.git
-   cd aks-secure-baseline
+   git clone https://github.com/mspnp/aks-baseline.git
+   cd aks-baseline
    ```
 
    > :bulb: The steps shown here and elsewhere in the reference implementation use Bash shell commands. On Windows, you can use the [Windows Subsystem for Linux](https://docs.microsoft.com/windows/wsl/about) to run Bash.

04-networking.md

@@ -94,7 +94,7 @@ The following two resource groups will be created and populated with networking
 
    ```bash
    RESOURCEID_SUBNET_NODEPOOLS=$(az deployment group show -g rg-enterprise-networking-spokes -n spoke-BU0001A0008 --query properties.outputs.nodepoolSubnetResourceIds.value -o json)
-   echo RESOURCEID_VNET_HUB: $RESOURCEID_SUBNET_NODEPOOLS
+   echo RESOURCEID_SUBNET_NODEPOOLS: $RESOURCEID_SUBNET_NODEPOOLS
 
    # [This takes about ten minutes to run.]
    az deployment group create -g rg-enterprise-networking-hubs -f networking/hub-regionA.bicep -p location=eastus2 nodepoolSubnetResourceIds="${RESOURCEID_SUBNET_NODEPOOLS}"

06-aks-cluster.md

@@ -11,6 +11,9 @@ Now that your [ACR instance is deployed and ready to support cluster bootstrappi
    ```bash
    GITOPS_REPOURL=$(git config --get remote.origin.url)
    echo GITOPS_REPOURL: $GITOPS_REPOURL
+
+   GITOPS_CURRENT_BRANCH_NAME=$(git branch --show-current)
+   echo GITOPS_CURRENT_BRANCH_NAME: $GITOPS_CURRENT_BRANCH_NAME
    ```
 
 1. Deploy the cluster ARM template.
@@ -20,7 +23,7 @@ Now that your [ACR instance is deployed and ready to support cluster bootstrappi
 
    ```bash
    # [This takes about 18 minutes.]
-   az deployment group create -g rg-bu0001a0008 -f cluster-stamp.bicep -p targetVnetResourceId=${RESOURCEID_VNET_CLUSTERSPOKE_AKS_BASELINE} clusterAdminAadGroupObjectId=${AADOBJECTID_GROUP_CLUSTERADMIN_AKS_BASELINE} a0008NamespaceReaderAadGroupObjectId=${AADOBJECTID_GROUP_A0008_READER_AKS_BASELINE} k8sControlPlaneAuthorizationTenantId=${TENANTID_K8SRBAC_AKS_BASELINE} appGatewayListenerCertificate=${APP_GATEWAY_LISTENER_CERTIFICATE_AKS_BASELINE} aksIngressControllerCertificate=${AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64_AKS_BASELINE} domainName=${DOMAIN_NAME_AKS_BASELINE} gitOpsBootstrappingRepoHttpsUrl=${GITOPS_REPOURL}
+   az deployment group create -g rg-bu0001a0008 -f cluster-stamp.bicep -p targetVnetResourceId=${RESOURCEID_VNET_CLUSTERSPOKE_AKS_BASELINE} clusterAdminAadGroupObjectId=${AADOBJECTID_GROUP_CLUSTERADMIN_AKS_BASELINE} a0008NamespaceReaderAadGroupObjectId=${AADOBJECTID_GROUP_A0008_READER_AKS_BASELINE} k8sControlPlaneAuthorizationTenantId=${TENANTID_K8SRBAC_AKS_BASELINE} appGatewayListenerCertificate=${APP_GATEWAY_LISTENER_CERTIFICATE_AKS_BASELINE} aksIngressControllerCertificate=${AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64_AKS_BASELINE} domainName=${DOMAIN_NAME_AKS_BASELINE} gitOpsBootstrappingRepoHttpsUrl=${GITOPS_REPOURL} gitOpsBootstrappingRepoBranch=${GITOPS_CURRENT_BRANCH_NAME}
    ```
 
    > Alteratively, you could have updated the [`azuredeploy.parameters.prod.json`](./azuredeploy.parameters.prod.json) file and deployed as above, using `-p "@azuredeploy.parameters.prod.json"` instead of providing the individual key-value pairs.

09-secret-management-and-ingress-controller.md

@@ -97,7 +97,7 @@ Previously you have configured [workload prerequisites](./08-workload-prerequisi
    :warning: Deploying the traefik `traefik.yaml` file unmodified from this repo will be deploying your workload to take dependencies on a public container registry. This is generally okay for learning/testing, but not suitable for production. Before going to production, ensure _all_ image references are from _your_ container registry or another that you feel confident relying on.
 
    ```bash
-   kubectl create -f https://raw.githubusercontent.com/mspnp/aks-secure-baseline/main/workload/traefik.yaml
+   kubectl create -f https://raw.githubusercontent.com/mspnp/aks-baseline/main/workload/traefik.yaml
    ```
 
 1. Wait for Traefik to be ready.

10-workload.md

@@ -46,10 +46,9 @@ The cluster now has an [Traefik configured with a TLS certificate](./08-secret-m
    > You should expect a `403` HTTP response from your ingress controller if you attempt to connect to it _without_ going through the App Gateway. Likewise, if any workload other than the ingress controller attempts to reach the workload, the traffic will be denied via network policies.
 
    ```bash
-   kubectl run curl -n a0008 -i --tty --rm --image=mcr.microsoft.com/azure-cli --overrides='[{"op":"add","path":"/spec/containers/0/resources","value":{"limits":{"cpu":"200m","memory":"128Mi"}}}]' --override-type json
+   kubectl run curl -n a0008 -i --tty --rm --image=mcr.microsoft.com/azure-cli --overrides='[{"op":"add","path":"/spec/containers/0/resources","value":{"limits":{"cpu":"200m","memory":"128Mi"}}}]' --override-type json  --env="DOMAIN_NAME=${DOMAIN_NAME_AKS_BASELINE}"
 
    # From within the open shell now running on a container inside your cluster
-   DOMAIN_NAME="contoso.com" # <-- Change to your custom domain value if a different one was used
    curl -kI https://bu0001a0008-00.aks-ingress.$DOMAIN_NAME -w '%{remote_ip}\n'
    exit
    ```

11-validation.md

@@ -26,7 +26,9 @@ This section will help you to validate the workload is exposed correctly and res
 
 1. Browse to the site (e.g. <https://bicycle.contoso.com>).
 
-   > :bulb: A TLS warning will be present due to using a self-signed certificate. You can ignore it or import the self-signed cert (`appgw.pfx`) to your user's trusted root store.
+   > :bulb: Remember to include the protocol prefix `https://` in the URL you type in the address bar of your browser. A TLS warning will be present due to using a self-signed certificate. You can ignore it or import the self-signed cert (`appgw.pfx`) to your user's trusted root store.
+
+   Refresh the web page a couple of times and observe the value `Host name` displayed at the bottom of the page. As the Traefik Ingress Controller balances the requests between the two pods hosting the web page, the host name will change from one pod name to the other throughtout your queries.
 
 ## Validate reader access to the a0008 namespace. _Optional._
 
@@ -48,7 +50,11 @@ Your workload is placed behind a Web Application Firewall (WAF), which has rules
 
 1. Browse to the site with the following appended to the URL: `?sql=DELETE%20FROM` (e.g. <https://bicycle.contoso.com/?sql=DELETE%20FROM>).
 1. Observe that your request was blocked by Application Gateway's WAF rules and your workload never saw this potentially dangerous request.
-1. Blocked requests (along with other gateway data) will be visible in the attached Log Analytics workspace. Execute the following query to show WAF logs, for example.
+1. Blocked requests (along with other gateway data) will be visible in the attached Log Analytics workspace. 
+
+   Browse to the Application Gateway in the resource group `rg-bu0001-a0008` and navigate to the _Logs_ blade. Execute the following query below to show WAF logs and see that the request was rejected due to a _SQL Injection Attack_ (field _Message_).
+
+   > :warning: Note that it may take a couple of minutes until the logs are transferred from the Application Gateway to the Log Analytics Workspace. So be a little patient if the query does not immediatly return results after sending the https request in the former step. 
 
    ```
    AzureDiagnostics
@@ -77,15 +83,14 @@ Azure Monitor is configured to [scrape Prometheus metrics](https://docs.microsof
 - [Traefik](./workload/traefik.yaml) (in the `a0008` namespace)
 - [Kured](./cluster-baseline-settings/kured.yaml) (in the `cluster-baseline-settings` namespace)
 
+ :bulb: This reference implementation ships with two saved queries (_All collected Prometheus information_ and _Nodes reboot required by kured_) as an example of how you can write your own and manage them via ARM templates. 
+
 ### Steps
 
 1. In the Azure Portal, navigate to your AKS cluster resource group (`rg-bu0001a0008`).
-1. Select your Log Analytic Workspace resource.
-1. Click _Saved Searches_.
-
-   :bulb: This reference implementation ships with some saved queries as an example of how you can write your own and manage them via ARM templates.
-
-1. Type _Prometheus_ in the filter.
+1. Select your Log Analytic Workspace resource and open the _Logs_ blade.
+1. In the popup _Queries_ select _Legacy category_ in the drop down field in the upper left corner. 
+1. Select _Prometheus_ in the section list on the left.
 1. You are able to select and execute the saved query over the scraped metrics.
 
 ## Validate Workload Logs
@@ -95,7 +100,7 @@ The example workload uses the standard dotnet logger interface, which are captur
 ### Steps
 
 1. In the Azure Portal, navigate to your AKS cluster resource group (`rg-bu0001a0008`).
-1. Select your Log Analytic Workspace resource.
+1. Select your Log Analytic Workspace resource and open the _Logs_ blade.
 1. Execute the following query
 
    ```
@@ -121,13 +126,13 @@ Azure will generate alerts on the health of your cluster and adjacent resources.
 An alert based on [Azure Monitor for containers information using a Kusto query](https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-alerts) was configured in this reference implementation.
 
 1. In the Azure Portal, navigate to your AKS cluster resource group (`rg-bu0001a0008`).
-1. Select _Alerts_, then _Manage Rule Alerts_.
-1. There is an alert called "PodFailedScheduledQuery" that will be triggered based on the custom query response.
+1. Select _Alerts_, then _Alert Rules_.
+1. There is an alert titled "[your cluster name] Scheduled Query for Pod Failed Alert" that will be triggered based on the custom query response.
 
 An [Azure Advisor Alert](https://docs.microsoft.com/azure/advisor/advisor-overview) was configured as well in this reference implementation.
 
 1. In the Azure Portal, navigate to your AKS cluster resource group (`rg-bu0001a0008`).
-1. Select _Alerts_, then _Manage Rule Alerts_.
+1. Select _Alerts_, then _Alert Rules_.
 1. There is an alert called "AllAzureAdvisorAlert" that will be triggered based on new Azure Advisor alerts.
 
 A series of metric alerts were configured as well in this reference implementation.
@@ -151,7 +156,7 @@ If you configured your third-party images to be pulled from your Azure Container
    | where OperationName == 'Pull'
    ```
 
-1. You should see logs for CSI, kured, memcached, and traefik. You'll see multiple for some as the image was pulled to multiple nodes to satisfy ReplicaSet/DaemonSet placement.
+1. You should see logs for kured. You'll see multiple for some as the image was pulled to multiple nodes to satisfy ReplicaSet/DaemonSet placement.
 
 ## Next step
 

CONTRIBUTING.md

@@ -43,13 +43,13 @@ If your issue appears to be a bug, and hasn't been reported, open a new issue. H
 * **Related Issues** - has a similar issue been reported before?
 * **Suggest a Fix** - if you can't fix the bug yourself, perhaps you can point to what might be causing the problem (line of code or commit)
 
-You can file new issues by providing the above information at the corresponding repository's issues link: https://github.com/mspnp/aks-secure-baseline/issues/new].
+You can file new issues by providing the above information at the corresponding repository's issues link: https://github.com/mspnp/aks-baseline/issues/new].
 
 ### <a name="submit-pr"></a> Submitting a Pull Request (PR)
 
 Before you submit your Pull Request (PR) consider the following guidelines:
 
-* Search the repository (<https://github.com/mspnp/aks-secure-baseline/pulls>) for an open or closed PR
+* Search the repository (<https://github.com/mspnp/aks-baseline/pulls>) for an open or closed PR
   that relates to your submission. You don't want to duplicate effort.
 
 * Make your changes in a new git fork:

cluster-stamp.bicep

@@ -1495,7 +1495,7 @@ resource mcAadAdminGroupServiceClusterUserRole_roleAssignment 'Microsoft.Authori
   dependsOn: []
 }
 
-resource maAadA0008ReaderGroupClusterReaderRole_roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (isUsingAzureRBACasKubernetesRBAC && (!(a0008NamespaceReaderAadGroupObjectId == clusterAdminAadGroupObjectId))) {
+resource maAadA0008ReaderGroupClusterReaderRole_roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (isUsingAzureRBACasKubernetesRBAC && !(empty(a0008NamespaceReaderAadGroupObjectId)) && (!(a0008NamespaceReaderAadGroupObjectId == clusterAdminAadGroupObjectId))) {
   scope: nsA0008
   name: guid('aad-a0008-reader-group', mc.id, a0008NamespaceReaderAadGroupObjectId)
   properties: {
@@ -1507,7 +1507,7 @@ resource maAadA0008ReaderGroupClusterReaderRole_roleAssignment 'Microsoft.Author
   dependsOn: []
 }
 
-resource maAadA0008ReaderGroupServiceClusterUserRole_roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (isUsingAzureRBACasKubernetesRBAC && (!(a0008NamespaceReaderAadGroupObjectId == clusterAdminAadGroupObjectId))) {
+resource maAadA0008ReaderGroupServiceClusterUserRole_roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (isUsingAzureRBACasKubernetesRBAC && !(empty(a0008NamespaceReaderAadGroupObjectId)) && (!(a0008NamespaceReaderAadGroupObjectId == clusterAdminAadGroupObjectId))) {
   scope: mc
   name: guid('aad-a0008-reader-group-sc', mc.id, a0008NamespaceReaderAadGroupObjectId)
   properties: {

inner-loop-scripts/shell/1-cluster-stamp.sh

@@ -43,7 +43,7 @@ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
         -subj "/CN=*.aks-ingress.contoso.com/O=Contoso Aks Ingress"
 AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64=$(cat traefik-ingress-internal-aks-ingress-tls.crt | base64 | tr -d '\n')
 
-# WARNING: Below hasn't yet been updated for Azure Key Vault RBAC support that came in https://github.com/mspnp/aks-secure-baseline/releases/tag/v1.21.2.2
+# WARNING: Below hasn't yet been updated for Azure Key Vault RBAC support that came in https://github.com/mspnp/aks-baseline/releases/tag/v1.21.2.2
 
 # AKS Cluster Creation. Advance Networking. AAD identity integration. This might take about 10 minutes
 # Note: By default, this deployment will allow unrestricted access to your cluster's API Server.
@@ -82,7 +82,7 @@ echo ""
 echo "# Creating AAD Groups and users for the created cluster"
 echo ""
 
-# unset errexit as per https://github.com/mspnp/aks-secure-baseline/issues/69
+# unset errexit as per https://github.com/mspnp/aks-baseline/issues/69
 set +e
 echo $'Ensure Flux has created the following namespace and then press Ctrl-C'
 kubectl get ns a0008 --watch

saveenv.sh

@@ -4,10 +4,12 @@
 # the page they are created on. Then a user can source this file to restore those environment 
 # variables if their shell session is reset for some reason.
 
-cat > aks_baseline.env << EOF
+DIR_NAME=$(dirname "$0")
+
+cat > $DIR_NAME/aks_baseline.env << EOF
 #!/bin/bash
 
 $(env | sed -n "s/\(.*_AKS_BASELINE=\)\(.*\)/export \1'\2'/p" | sort)
 EOF
 
-cat aks_baseline.env
+cat $DIR_NAME/aks_baseline.env