Version updates #417

Merged
merged 5 commits into from
Jul 18, 2024
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -24,7 +24,7 @@ Finally, this implementation uses the [ASP.NET Core Docker sample web app](https

#### Azure platform

- AKS v1.29
- AKS v1.30
- System and user [node pool separation](https://learn.microsoft.com/azure/aks/use-system-pools)
- [AKS-managed Microsoft Entra ID integration](https://learn.microsoft.com/azure/aks/managed-aad)
- Microsoft Entra ID-backed Kubernetes RBAC (*local user accounts disabled*)
Expand All @@ -43,7 +43,7 @@ Finally, this implementation uses the [ASP.NET Core Docker sample web app](https
- [ImageCleaner (Eraser)](https://learn.microsoft.com/azure/aks/image-cleaner) *[AKS-managed add-on]*
- [Kubernetes Reboot Daemon](https://learn.microsoft.com/azure/aks/node-updates-kured)
- [Secrets Store CSI Driver for Kubernetes](https://learn.microsoft.com/azure/aks/csi-secrets-store-driver) *[AKS-managed add-on]*
- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v2.11/routing/providers/kubernetes-ingress/)
- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-ingress/)

![Network diagram depicting a hub-spoke network with two peered VNets and main Azure resources used in the architecture.](https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/images/secure-baseline-architecture.svg)
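Review bot: Pointing this list entry at the Traefik v3.0 docs is a major-version jump, not just a link refresh, and the README says nothing about it: the `workload/traefik.yaml` change in this same PR drops the `traefik.containo.us` API group from the ClusterRole, so any `IngressRoute` or `Middleware` manifests that still declare `apiVersion: traefik.containo.us/v1alpha1` stop being served once the controller is upgraded. Suggest a short qualifier on this line, e.g. `- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-ingress/) *(v3; custom resources must use the `traefik.io` API group)*`, or a migration pointer in the deployment docs.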

4 changes: 2 additions & 2 deletions cluster-stamp.bicep
Expand Up @@ -28,7 +28,7 @@ param clusterAuthorizedIPRanges array = []
@description('AKS Service, Node Pool, and supporting services (KeyVault, App Gateway, etc) region. This needs to be the same region as the vnet provided in these parameters. This defaults to the resource group\'s location for higher reliability.')
param location string = resourceGroup().location

param kubernetesVersion string = '1.29'
param kubernetesVersion string = '1.30'

@description('Domain name to use for App Gateway and AKS ingress.')
param domainName string = 'contoso.com'
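Review bot: `param kubernetesVersion string = '1.30'` is the only parameter in this region without a `@description(...)` decorator, unlike `location` and `domainName` on either side of it. Since this value is now coupled to the `kubectl` minimum in docs/deploy/07-bootstrap-validation.md (±1 minor skew) and to the version listed in README.md, state that in a description so the next bump updates all three, e.g. `@description('AKS Kubernetes version. Keep within one minor version of the kubectl minimum in docs/deploy/07-bootstrap-validation.md and in sync with README.md.')`.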
Expand Down Expand Up @@ -1137,7 +1137,7 @@ resource paEnforceImageSource 'Microsoft.Authorization/policyAssignments@2024-04
policyDefinitionId: pdEnforceImageSource.id
parameters: {
allowedContainerImagesRegex: {
// If all images are pull into your ARC instance as described in these instructions you can remove the docker.io & ghcr.io entries.
// If all images are pull into your ACR instance as described in these instructions you can remove the docker.io & ghcr.io entries.
value: '${acr.name}\\.azurecr\\.io/.+$|mcr\\.microsoft\\.com/.+$|docker\\.io/library/.+$'
}
excludedNamespaces: {
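Review bot: The corrected comment still says the `docker.io & ghcr.io entries` can be removed, but the `value` line directly below contains no `ghcr.io` alternative, only `${acr.name}.azurecr.io`, `mcr.microsoft.com` and `docker.io/library`; either the comment is stale or a `ghcr.io` pattern was dropped from the regex at some point, and the comment should match the regex it describes. While this line is being touched: each alternative is anchored at the end with `$` but not at the start with `^`. If the policy engine evaluates the expression as an unanchored search rather than a full match, an image reference that merely contains one of these registry paths later in the string would satisfy it, so prefixing each alternative with `^` (e.g. `'^${acr.name}\\.azurecr\\.io/.+$|^mcr\\.microsoft\\.com/.+$|^docker\\.io/library/.+$'`) is cheap hardening and worth confirming against the policy definition's matching semantics.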
2 changes: 1 addition & 1 deletion docs/deploy/07-bootstrap-validation.md
Expand Up @@ -10,7 +10,7 @@ GitOps allows a team to author Kubernetes manifest files, persist them in their
- Cluster-wide configuration of Azure Monitor for Containers
- The workload's namespace named `a0008`

1. Install `kubectl` 1.28 or newer. (`kubectl` supports ±1 Kubernetes version.)
1. Install `kubectl` 1.29 or newer. (`kubectl` supports ±1 Kubernetes version.)

```bash
sudo az aks install-cli
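Review bot: Raising the minimum to `kubectl` 1.29 keeps the ±1 skew rule satisfied against the `kubernetesVersion` default of '1.30' in cluster-stamp.bicep, but the sentence as written ("1.29 or newer") silently falls out of range the next time the cluster version is bumped without this page. Consider phrasing it relative to the cluster version ("a `kubectl` within one minor version of the cluster's Kubernetes version, currently 1.30") so the two files do not have to be edited in lockstep.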
2 changes: 1 addition & 1 deletion docs/deploy/09-secret-management-and-ingress-controller.md
Expand Up @@ -73,7 +73,7 @@ Previously you have configured [workload prerequisites](./08-workload-prerequisi

```bash
# Import ingress controller image hosted in public container registries
az acr import --source docker.io/library/traefik:v2.11 -n $ACR_NAME_AKS_BASELINE
az acr import --source docker.io/library/traefik:v3.0 -n $ACR_NAME_AKS_BASELINE
```
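Review bot: `--source docker.io/library/traefik:v3.0` imports a floating tag; whichever `v3.0.x` the tag points at on the day this step is run is what lands in ACR, and the Deployment in `workload/traefik.yaml` pins the same mutable tag, so two people following the docs a month apart end up with different binaries under the same name. Suggest importing by digest, e.g. `az acr import --source docker.io/library/traefik@sha256:<digest-of-the-tested-v3.0-image> -n $ACR_NAME_AKS_BASELINE` (digest is a placeholder to be filled in with the value that was actually validated), and referencing that same digest from the manifest, or at minimum pinning the full patch version rather than `v3.0`.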

1. Install the Traefik Ingress Controller.
14 changes: 7 additions & 7 deletions workload/traefik.yaml
Expand Up @@ -7,7 +7,7 @@ metadata:
app.kubernetes.io/name: traefik-ingress-ilb
app.kubernetes.io/instance: traefik-ingress-ilb
---
#https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
#https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
Expand Down Expand Up @@ -46,7 +46,6 @@ rules:
- update
- apiGroups:
- traefik.io
- traefik.containo.us
resources:
- middlewares
- middlewaretcps
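Review bot: Dropping `traefik.containo.us` from `apiGroups` is the right least-privilege move for v3 (the controller no longer serves that group), but the cluster side has to move with it: if the step that installs the Traefik CRDs is not updated to the v3 set in the same release, the new controller runs with permissions only on `traefik.io` while existing `IngressRoute`, `Middleware` and similar objects remain under the old group and are silently ignored rather than rejected. Worth a line in the upgrade notes telling existing deployments to migrate those objects to `apiVersion: traefik.io/v1alpha1` before applying this manifest.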
Expand All @@ -57,6 +56,7 @@ rules:
- tlsoptions
- tlsstores
- serverstransports
- serverstransporttcps
verbs:
- get
- list
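Review bot: Adding `serverstransporttcps` to the `resources` list tracks the v3.0 upstream RBAC, but it only helps if the corresponding `ServersTransportTCP` CRD is actually installed; if the CRD step lags this manifest, the controller will log errors for the missing resource at startup. Confirm the CRD bundle applied in the deployment docs is the matching v3.0 set, so the ClusterRole and the installed CRDs change together.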
Expand All @@ -65,7 +65,7 @@ rules:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-watch-workloads
name: traefik-ingress-controller
namespace: a0008
labels:
app.kubernetes.io/name: traefik-ingress-ilb
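Review bot: Renaming the ClusterRoleBinding from `traefik-watch-workloads` to `traefik-ingress-controller` is not an in-place update on clusters that already applied the previous manifest: `kubectl apply` creates the new binding and leaves `traefik-watch-workloads` behind, still granting whatever ClusterRole it references, so an existing deployment ends up with two bindings and the stale one is never cleaned up. Add a `kubectl delete clusterrolebinding traefik-watch-workloads` step to the upgrade notes, or a short comment here explaining the rename. Separately, `namespace: a0008` on a ClusterRoleBinding has no effect because the object is cluster-scoped; the service account's namespace belongs under `subjects:`, and keeping the field here only suggests a scoping that does not exist.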
Expand Down Expand Up @@ -230,10 +230,10 @@ spec:
# PRODUCTION READINESS CHANGE REQUIRED
# This image should be sourced from a non-public container registry, such as the
# one deployed along side of this reference implementation.
# az acr import --source docker.io/library/traefik:v2.11 -n <your-acr-instance-name>
# az acr import --source docker.io/library/traefik:v3.0 -n <your-acr-instance-name>
# and then set this to
# image: <your-acr-instance-name>.azurecr.io/library/traefik:v2.11
- image: docker.io/library/traefik:v2.11
# image: <your-acr-instance-name>.azurecr.io/library/traefik:v3.0
- image: docker.io/library/traefik:v3.0
imagePullPolicy: IfNotPresent
name: traefik-ingress-controller
resources:
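Review bot: `image: docker.io/library/traefik:v3.0` combined with the unchanged `imagePullPolicy: IfNotPresent` below it means a node that has already cached some `v3.0.x` never pulls a newer one, while a freshly scaled node pulls whatever the tag currently resolves to, so a node pool can run mixed patch levels under a single tag. Pinning to a digest (`traefik@sha256:<digest>`, placeholder) makes the pull policy irrelevant to which binary runs and should be carried through to the `az acr import` line in the comment above, which is the mirroring step the `PRODUCTION READINESS CHANGE REQUIRED` note already asks readers to perform.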
Expand Down Expand Up @@ -310,4 +310,4 @@ spec:
securityContext:
fsGroup: 65532
nodeSelector:
agentpool: npuser01
agentpool: npuser01