mspnp · skabou · Apr 5, 2024 · Apr 1, 2024 · Apr 1, 2024 · Apr 1, 2024
diff --git a/01-prerequisites.md b/01-prerequisites.md
@@ -28,20 +28,6 @@ This is the starting point for the instructions on deploying the [AKS baseline r
 
    [![Launch Azure Cloud Shell](https://learn.microsoft.com/azure/includes/media/cloud-shell-try-it/launchcloudshell.png)](https://shell.azure.com)
 
-1. While the following feature(s) are still in *preview*, enable them in your target subscription.
-
-   1. [Register the ImageCleaner (Earser) preview feature = `EnableImageCleanerPreview`](https://learn.microsoft.com/azure/aks/image-cleaner#prerequisites)
-
-   ```bash
-   az feature register --namespace "Microsoft.ContainerService" -n "EnableImageCleanerPreview"
-
-   # Keep running until all say "Registered." (This may take up to 20 minutes.)
-   az feature list -o table --query "[?name=='Microsoft.ContainerService/EnableImageCleanerPreview'].{Name:name,State:properties.state}"
-
-   # When all say "Registered" then re-register the AKS resource provider
-   az provider register --namespace Microsoft.ContainerService
-   ```
-
 1. Clone/download this repo locally, or even better fork this repository.
 
    > :twisted_rightwards_arrows: If you have forked this reference implementation repo, you'll be able to customize some of the files and commands for a more personalized and production-like experience; ensure references to this Git repository mentioned throughout the walk-through are updated to use your own fork.

diff --git a/07-bootstrap-validation.md b/07-bootstrap-validation.md
@@ -10,7 +10,7 @@ GitOps allows a team to author Kubernetes manifest files, persist them in their
 - Cluster-wide configuration of Azure Monitor for Containers
 - The workload's namespace named `a0008`
 
-1. Install `kubectl` 1.27 or newer. (`kubectl` supports ±1 Kubernetes version.)
+1. Install `kubectl` 1.28 or newer. (`kubectl` supports ±1 Kubernetes version.)
 
    ```bash
    sudo az aks install-cli
@@ -86,4 +86,4 @@ It is recommended to have a clearly defined bootstrapping process that occurs as
 
 ### Next step
 
-:arrow_forward: [Prepare for the workload by installing its prerequisites](./08-workload-prerequisites.md)
+:arrow_forward: [Prepare for the workload by installing its prerequisites](./08-workload-prerequisites.md)
diff --git a/09-secret-management-and-ingress-controller.md b/09-secret-management-and-ingress-controller.md
@@ -58,7 +58,7 @@ Previously you have configured [workload prerequisites](./08-workload-prerequisi
 
    ```bash
    # Import ingress controller image hosted in public container registries
-   az acr import --source docker.io/library/traefik:v2.10.7 -n $ACR_NAME_AKS_BASELINE
+   az acr import --source docker.io/library/traefik:v2.11 -n $ACR_NAME_AKS_BASELINE
    ```
 
 1. Install the Traefik Ingress Controller.
@@ -83,4 +83,4 @@ Previously you have configured [workload prerequisites](./08-workload-prerequisi
 
 ### Next step
 
-:arrow_forward: [Deploy the Workload](./10-workload.md)
+:arrow_forward: [Deploy the Workload](./10-workload.md)
diff --git a/10-workload.md b/10-workload.md
@@ -47,7 +47,7 @@ The cluster now has an [Traefik configured with a TLS certificate](./09-secret-m
    > You should expect a `403` HTTP response from your ingress controller if you attempt to connect to it *without* going through the App Gateway. Likewise, if any workload other than the ingress controller attempts to reach the workload, the traffic will be denied via network policies.
 
    ```bash
-   kubectl run curl -n a0008 -i --tty --rm --image=mcr.microsoft.com/azure-cli --overrides='[{"op":"add","path":"/spec/containers/0/resources","value":{"limits":{"cpu":"200m","memory":"128Mi"}}},{"op":"add","path":"/spec/containers/0/securityContext","value":{"readOnlyRootFilesystem": true}}]' --override-type json  --env="DOMAIN_NAME=${DOMAIN_NAME_AKS_BASELINE}"
+   kubectl run curl -n a0008 -i --tty --rm --image=mcr.microsoft.com/devcontainers/base --overrides='[{"op":"add","path":"/spec/containers/0/resources","value":{"limits":{"cpu":"200m","memory":"128Mi"}}},{"op":"add","path":"/spec/containers/0/securityContext","value":{"readOnlyRootFilesystem": true}}]' --override-type json  --env="DOMAIN_NAME=${DOMAIN_NAME_AKS_BASELINE}"
 
    # From within the open shell now running on a container inside your cluster
    curl -kI https://bu0001a0008-00.aks-ingress.$DOMAIN_NAME -w '%{remote_ip}\n'

diff --git a/README.md b/README.md
@@ -24,7 +24,7 @@ Finally, this implementation uses the [ASP.NET Core Docker sample web app](https
 
 #### Azure platform
 
-- AKS v1.28
+- AKS v1.29
   - System and User [node pool separation](https://learn.microsoft.com/azure/aks/use-system-pools)
   - [AKS-managed Microsoft Entra ID integration](https://learn.microsoft.com/azure/aks/managed-aad)
   - Microsoft Entra ID-backed Kubernetes RBAC (*local user accounts disabled*)
@@ -43,7 +43,7 @@ Finally, this implementation uses the [ASP.NET Core Docker sample web app](https
 - [ImageCleaner (Eraser)](https://learn.microsoft.com/azure/aks/image-cleaner) *[AKS-managed add-on]*
 - [Kubernetes Reboot Daemon](https://learn.microsoft.com/azure/aks/node-updates-kured)
 - [Secrets Store CSI Driver for Kubernetes](https://learn.microsoft.com/azure/aks/csi-secrets-store-driver) *[AKS-managed add-on]*
-- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-ingress/)
+- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v2.11/routing/providers/kubernetes-ingress/)
 
 ![Network diagram depicting a hub-spoke network with two peered VNets and main Azure resources used in the architecture.](https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/images/secure-baseline-architecture.svg)
 
@@ -152,4 +152,4 @@ Please see our [Contributor guide](./CONTRIBUTING.md).
 
 This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact <[email protected]> with any additional questions or comments.
 
-With :heart: from Microsoft Patterns & Practices, [Azure Architecture Center](https://aka.ms/architecture).
+With :heart: from Microsoft Patterns & Practices, [Azure Architecture Center](https://aka.ms/architecture).
diff --git a/cluster-stamp.bicep b/cluster-stamp.bicep
@@ -28,7 +28,7 @@ param clusterAuthorizedIPRanges array = []
 @description('AKS Service, Node Pool, and supporting services (KeyVault, App Gateway, etc) region. This needs to be the same region as the vnet provided in these parameters. This defaults to the resource group\'s location for higher reliability.')
 param location string = resourceGroup().location
 
-param kubernetesVersion string = '1.28.3'
+param kubernetesVersion string = '1.29'
 
 @description('Domain name to use for App Gateway and AKS ingress.')
 param domainName string = 'contoso.com'
@@ -1632,7 +1632,7 @@ resource mc 'Microsoft.ContainerService/managedClusters@2024-01-02-preview' = {
         osDiskSizeGB: 80
         osDiskType: 'Ephemeral'
         osType: 'Linux'
-        osSKU: 'Ubuntu'
+        osSKU: 'AzureLinux'
         minCount: 3
         maxCount: 4
         vnetSubnetID: targetVirtualNetwork::snetClusterNodes.id
@@ -1666,7 +1666,7 @@ resource mc 'Microsoft.ContainerService/managedClusters@2024-01-02-preview' = {
         osDiskSizeGB: 120
         osDiskType: 'Ephemeral'
         osType: 'Linux'
-        osSKU: 'Ubuntu'
+        osSKU: 'AzureLinux'
         minCount: 2
         maxCount: 5
         vnetSubnetID: targetVirtualNetwork::snetClusterNodes.id
@@ -2321,4 +2321,4 @@ resource agwdiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01
 
 output aksClusterName string = clusterName
 output aksIngressControllerPodManagedIdentityClientId string = podmiIngressController.properties.clientId
-output keyVaultName string = kv.name
+output keyVaultName string = kv.name
diff --git a/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep b/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
@@ -84,57 +84,6 @@ resource pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix 'Microsoft.Authorizat
         }
         defaultValue: {
         }
-        schema: {
-          description: 'A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.'
-          type: 'object'
-          properties: {
-            matchLabels: {
-              description: 'matchLabels is a map of {key,value} pairs.'
-              type: 'object'
-              additionalProperties: {
-                type: 'string'
-              }
-              minProperties: 1
-            }
-            matchExpressions: {
-              description: 'matchExpressions is a list of values, a key, and an operator.'
-              type: 'array'
-              items: {
-                type: 'object'
-                properties: {
-                  key: {
-                    description: 'key is the label key that the selector applies to.'
-                    type: 'string'
-                  }
-                  operator: {
-                    description: 'operator represents a key\'s relationship to a set of values.'
-                    type: 'string'
-                    enum: [
-                      'In'
-                      'NotIn'
-                      'Exists'
-                      'DoesNotExist'
-                    ]
-                  }
-                  values: {
-                    description: 'values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.'
-                    type: 'array'
-                    items: {
-                      type: 'string'
-                    }
-                  }
-                }
-                required: [
-                  'key'
-                  'operator'
-                ]
-                additionalProperties: false
-              }
-              minItems: 1
-            }
-          }
-          additionalProperties: false
-        }
       }
       allowedDomainSuffixes: {
         type: 'Array'
@@ -150,4 +99,4 @@ resource pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix 'Microsoft.Authorizat
 
 output policyId string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.id
 output policyName string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.displayName
-output policyDescription string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.description
+output policyDescription string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.description
diff --git a/workload/aspnetapp-ingress-patch.yaml b/workload/aspnetapp-ingress-patch.yaml
@@ -3,4 +3,4 @@
   value: bu0001a0008-00.aks-ingress.contoso.com
 - op: replace
   path: "/spec/rules/0/host"
-  value: bu0001a0008-00.aks-ingress.contoso.com
+  value: bu0001a0008-00.aks-ingress.contoso.com
diff --git a/workload/aspnetapp.yaml b/workload/aspnetapp.yaml
@@ -128,4 +128,4 @@ spec:
             name: aspnetapp-service
             port:
               number: 80
----
+---
diff --git a/workload/kustomization.yaml b/workload/kustomization.yaml
@@ -4,9 +4,9 @@ kind: Kustomization
 resources:
 - aspnetapp.yaml
 
-patchesJson6902:
+patches:
 - target:
     kind: Ingress
     name: aspnetapp-ingress
     version: v1
-  path: aspnetapp-ingress-patch.yaml
+  path: aspnetapp-ingress-patch.yaml
diff --git a/workload/traefik.yaml b/workload/traefik.yaml
@@ -7,7 +7,7 @@ metadata:
     app.kubernetes.io/name: traefik-ingress-ilb
     app.kubernetes.io/instance: traefik-ingress-ilb
 ---
-#https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+#https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -230,10 +230,10 @@ spec:
         # PRODUCTION READINESS CHANGE REQUIRED
         # This image should be sourced from a non-public container registry, such as the
         # one deployed along side of this reference implementation.
-        # az acr import --source docker.io/library/traefik:v2.10.7 -n <your-acr-instance-name>
+        # az acr import --source docker.io/library/traefik:v2.11 -n <your-acr-instance-name>
         # and then set this to
-        # image: <your-acr-instance-name>.azurecr.io/library/traefik:v2.10.7
-      - image: docker.io/library/traefik:v2.10.7
+        # image: <your-acr-instance-name>.azurecr.io/library/traefik:v2.11
+      - image: docker.io/library/traefik:v2.11
         imagePullPolicy: IfNotPresent
         name: traefik-ingress-controller
         resources: