Add Azure Kubernetes Service Samples (#73)

* aks

* update

* update

* update

* update

* update

* update

* update

* update

* update comments

---------

Co-authored-by: Muyao <v-muyaofeng@microsoft.com>

Author: yuwzho

azure-kubernetes-service/README.md

@@ -0,0 +1,15 @@
+# Azure Kubernetes Service Documentation
+
+This folder contains documentation for setting up and deploying various components on Azure Kubernetes Service (AKS) for the Spring PetClinic microservices project.
+
+## Table of Contents
+
+1. [Create Kubernetes Service](./docs/01-create-kubernetes-service.md)
+2. [Create Eureka Server](./docs/02-create-eureka-server.md)
+3. [Create Config Server](./docs/03-create-config-server.md)
+4. [Create Spring Boot Admin](./docs/04-create-spring-boot-admin.md)
+5. [Create Application Supporting Service](./docs/05-create-application-supporting-service.md)
+6. [Containerize Application](./docs/06-containerize-application.md)
+7. [Deploy Application](./docs/07-deploy-application.md)
+8. [Get Log and Metrics](./docs/08-get-log-and-metrics.md)
+

azure-kubernetes-service/docs/01-create-kubernetes-service.md

@@ -0,0 +1,224 @@
+## Introduction
+This document provides a step-by-step guide to create an Azure Kubernetes Service (AKS) cluster, integrate it with Azure Container Registry (ACR), and set up Azure Key Vault and Nginx ingress with a CA certificate.
+
+## Prerequisites
+- Azure CLI installed
+- Azure subscription
+- Sufficient permissions to create resources in the Azure subscription:
+    - **Contributor** - Creates resources and all other Azure resources.
+    - **User Access Administrator** - Assign necessary roles.
+
+## Outputs
+- Azure Container Registry (ACR)
+- Azure Kubernetes Service (AKS) connected to ACR
+- Azure Key Vault
+- Nginx ingress with CA certificate
+
+## Steps
+
+### 1. Clone the repo
+Clone the git repo and go to the working folder.
+```bash
+cd spring-petclinic-microservices/azure-kubernetes-service
+```
+
+### 2. Set Variables
+
+Update `resources/var.sh` and set up the variables for your environment.
+```
+source resources/var.sh
+az account set -s ${SUBSCRIPTION}
+
+echo "RESOURCE_GROUP=${RESOURCE_GROUP}"
+echo "AKS_NAME=${AKS_NAME}"
+echo "ACR_NAME=${ACR_NAME}"
+echo "KEYVAULT_NAME=${KEYVAULT_NAME}"
+echo "WORKSPACE_NAME=${WORKSPACE_NAME}"
+```
+
+### 3. Create Resource Group
+Create a resource group to host all the Azure resources.
+```bash
+az group create -n ${RESOURCE_GROUP} -l eastus2
+```
+
+### 4. Create Azure Container Registry
+Create Azure Container Registry (ACR). This ACR will be used to:
+- Build application components
+- Store application images built by buildpack
+
+```bash
+az acr create -g ${RESOURCE_GROUP} -n ${ACR_NAME} --sku Premium
+```
+
+### 5. Create AKS
+1. Enable `EncryptionAtHost`, may take 10+ minutes to finish
+    ```bash
+    az feature register --namespace Microsoft.Compute --name EncryptionAtHost
+    ```
+   Run `az feature register --namespace Microsoft.Compute --name EncryptionAtHost` to wait for its state to be `Registered`.
+
+1. Create workspace
+    ```
+    az monitor log-analytics workspace create --resource-group ${RESOURCE_GROUP} --workspace-name ${WORKSPACE_NAME}
+    ```
+
+1. Create AKS. 
+   Below commands guide you to create the AKS. For more information on the features enabled in the AKS cluster, refer to the following documentation:
+
+    - [Attach Azure Container Registry to AKS](https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration)
+    - [Enable Workload Identity](https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview)
+    - [Azure Load Balancer SKU](https://learn.microsoft.com/en-us/azure/load-balancer/skus)
+    - [Cluster Autoscaler](https://learn.microsoft.com/en-us/azure/aks/cluster-autoscaler)
+    - [Network concepts](https://learn.microsoft.com/en-us/azure/aks/concepts-network)
+    - [Encryption at Host](https://learn.microsoft.com/en-us/azure/aks/enable-host-encryption)
+    - [Outbound Type](https://learn.microsoft.com/en-us/azure/aks/egress-outboundtype)
+    - [Node pools](https://learn.microsoft.com/en-us/azure/aks/create-node-pools)
+    - [Storage concepts](https://learn.microsoft.com/en-us/azure/aks/concepts-storage)
+    - [Monitor AKS](https://learn.microsoft.com/en-us/azure/aks/monitor-aks)
+
+
+    ```
+    WORKSPACE_ID=$(az monitor log-analytics workspace show --resource-group ${RESOURCE_GROUP} --workspace-name ${WORKSPACE_NAME} --query id -o tsv)
+    ```
+
+    ```
+    az aks create \
+        -g  ${RESOURCE_GROUP} \
+        -n ${AKS_NAME} \
+        --attach-acr ${ACR_NAME} \
+        --enable-workload-identity  \
+        --load-balancer-sku standard \
+        --enable-cluster-autoscaler \
+        --max-count 40 \
+        --min-count 1  \
+        --network-plugin azure \
+        --no-ssh-key \
+        --enable-encryption-at-host \
+        --outbound-type loadBalancer  \
+        --enable-oidc-issuer \
+        --enable-aad \
+        --vm-set-type VirtualMachineScaleSets \
+        --os-sku Mariner  \
+        --node-osdisk-size 100 \
+        --node-osdisk-type Ephemeral \
+        --node-vm-size Standard_D4as_v4 \
+        --enable-azure-monitor-metrics \
+        --enable-addons monitoring \
+        --workspace-resource-id ${WORKSPACE_ID}
+    ```
+
+    > Note: After creating the AKS, it may take some time to update. During this time, the following commands will fail.
+
+    ```
+    az aks nodepool add \
+        --cluster-name ${AKS_NAME} \
+        -g ${RESOURCE_GROUP} \
+        -n nodepool2 \
+        --enable-cluster-autoscaler \
+        --enable-encryption-at-host \
+        --max-count 40 \
+        --min-count 1 \
+        --node-osdisk-size 200 \
+        --node-osdisk-type Ephemeral \
+        --node-vm-size Standard_D8as_v4 \
+        --os-sku Mariner \
+        --os-type Linux \
+        --node-count 1
+    ```
+
+    > Note: This command also needs some time to finish updating.
+
+    ```
+    az aks nodepool add \
+        --cluster-name ${AKS_NAME} \
+        -g ${RESOURCE_GROUP} \
+        -n nodepool3 \
+        --enable-cluster-autoscaler \
+        --enable-encryption-at-host \
+        --max-count 40 \
+        --min-count 1 \
+        --node-osdisk-size 200 \
+        --node-osdisk-type Ephemeral \
+        --node-vm-size Standard_D16as_v4 \
+        --os-sku Mariner \
+        --os-type Linux \
+        --node-count 1
+    ```
+
+1. Retrieve access token. This command gets the admin access for the AKS cluster. For more access management, see https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac?tabs=portal
+
+    ```
+    az aks get-credentials --resource-group ${RESOURCE_GROUP} --name ${AKS_NAME} --overwrite-existing --admin
+    ```
+
+1. Install or update the kubectl CLI
+    ```
+    az aks install-cli
+    ```
+
+1. Verify you can connect to the AKS
+
+    ```
+    kubectl get ns
+    ```
+
+### 6. Create Azure Keyvault and cert
+
+1. Get AKS outbound IPs and record these IPs as `<AKS-outbound-ip>`
+    ```
+    az aks show -g  ${RESOURCE_GROUP} -n ${AKS_NAME} --query networkProfile.loadBalancerProfile.effectiveOutboundIPs[].id
+    az resource show --ids <the ID from previous output> --query properties.ipAddress -o tsv
+    ```
+
+1. Get AKS Vnet IDs
+    ```
+    NODE_RESOURCE_GROUP=$(az aks show --resource-group ${RESOURCE_GROUP} --name ${AKS_NAME} --query nodeResourceGroup -o tsv)
+    az resource list --resource-type microsoft.network/virtualnetworks -g ${NODE_RESOURCE_GROUP} --query "[?starts_with(name, 'aks-vnet')].name" -o tsv
+    ```
+
+    List all subnets under the vnet, record these ids as `<subnet-ids>`
+    ```
+    az network vnet subnet list --resource-group ${NODE_RESOURCE_GROUP} --vnet-name <vnetName> --query "[].id" -o tsv
+    ```
+
+1. Create Azure KeyVault
+`az keyvault create --resource-group ${RESOURCE_GROUP} --name ${KEYVAULT_NAME} --network-acls-ips <AKS-outbound-ip> --network-acls-vnets <subnet-ids>`
+
+1. Assign access to yourself
+    ```
+    # Get your Azure AD user ID
+    USER_ID=$(az ad signed-in-user show --query id --output tsv)
+    KEYVUALT_ID=$(az keyvault show --name ${KEYVAULT_NAME} --query id --output tsv)
+    # Assign yourself the necessary permissions
+    az role assignment create --role "Key Vault Certificates Officer" --assignee ${USER_ID} --scope ${KEYVUALT_ID}
+    ```
+
+1. Create a self-signed certificate or import your CA cert to the Keyvault, ref: https://learn.microsoft.com/en-us/azure/key-vault/certificates/tutorial-import-certificate?tabs=azure-portal
+  > Here suggest to create a wildcard domain cert, like `*.demo.com`.
+
+### 7. Enable Nginx in Kubernetes
+Below steps guide how to enable the Nginx as add-on in the AKS cluster. For more details can view [Managed NGINX ingress with the application routing add-on](https://learn.microsoft.com/en-us/azure/aks/app-routing).
+
+1. Enable Nginx
+    ```
+    az extension add -n aks-preview --upgrade
+    az aks approuting enable --resource-group ${RESOURCE_GROUP} --name ${AKS_NAME}
+
+    KEYVUALT_ID=$(az keyvault show --name ${KEYVAULT_NAME} --query id --output tsv)
+    az aks approuting update --resource-group ${RESOURCE_GROUP} --name ${AKS_NAME} --nginx External --enable-kv --attach-kv ${KEYVUALT_ID}
+    ```
+
+1. Retrieve the Nginx public IP and note the "EXTERNAL-IP"
+
+    ```
+    kubectl get svc nginx -n app-routing-system
+    ```
+
+1. Go to your DNS zone to add record.
+   - Add A record to point the domain in your TLS cert to the external IP you obtained. E.g. `demo.com` points to the IP address.
+   - Add a wildcard CName record to the A record. E.g. `*.demo.com` points to the `demo.com`
+
+## Next Steps
+
+- Follow [02-create-eureka-server](./02-create-eureka-server.md) to create and deploy a Eureka Server on Azure Kubernetes Service.

azure-kubernetes-service/docs/02-create-eureka-server.md

@@ -0,0 +1,106 @@
+## Introduction
+
+In this guide, you will learn how to create and deploy a Eureka Server on Azure Kubernetes Service (AKS). Eureka Server is a service registry that allows microservices to register themselves and discover other registered services. See more details in [Service Discovery: Eureka Server](https://cloud.spring.io/spring-cloud-netflix/multi/multi_spring-cloud-eureka-server.html).
+
+> This guide uses a generic Eureka server. If you want to use the discovery server specific to this project, package the code in the `spring-petclinic-discovery-server` directory and deploy it. Refer to the subsequent application deployment guide for detailed instructions.
+
+## Prerequisites
+
+- Follow [01-create-kubernetes-service](./01-create-kubernetes-service.md) to create Azure Kubernetes Service and Azure Container Registry.
+- Maven
+- Azure CLI
+- Docker
+
+## Outputs
+
+By the end of this guide, you will have a running Eureka Server on your AKS cluster.
+
+## Steps
+
+### Prepare the Eureka Server Image
+
+1. **Setup variables**
+   
+   Set up the variables used to deploy Eureka Server:
+   ```bash
+   source resources/var.sh
+   az account set -s ${SUBSCRIPTION}
+
+   echo "RESOURCE_GROUP=${RESOURCE_GROUP}"
+   echo "AKS_NAME=${AKS_NAME}"
+   echo "ACR_NAME=${ACR_NAME}"
+   echo "EUREKA_IMAGE_TAG=${EUREKA_IMAGE_TAG}"
+   ```
+
+1. **Package the Eureka Server**
+
+   Go to the `azure-kubernetes-service/resources/eureka/eureka-server` folder and build the Eureka server package:
+
+   ```bash
+   cd resources/eureka/eureka-server
+   mvn clean package -DskipTests
+   ```
+
+1. **Build the Docker image**
+  
+   Use Azure Container Build to build the Eureka image. For more details, see [Automate container image builds and maintenance with Azure Container Registry tasks](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tasks-overview).
+
+   ```azurecli
+   az acr build --registry ${ACR_NAME} --image eureka-server:${EUREKA_IMAGE_TAG} target/docker
+   ```
+
+### Deploy the Eureka Server
+
+1. **Edit the Kubernetes Resource File**
+
+   Locate the `eureka-server.yaml` file in the `azure-kubernetes-service/resources/eureka` directory. Edit the following code snippet:
+
+   - **`<eureka-image-tag>`**: Update to the value of `${EUREKA_IMAGE_TAG}`
+   - **`<acr-name>`**: Update to the value of `${ACR_NAME}`
+
+   ```yaml
+      containers:
+      - name: eureka-server
+        image: "<acr-name>.azurecr.io/eureka-server:<eureka-image-tag>"
+   ```
+
+1. **Apply the Kubernetes Configuration**
+
+   Apply the configuration using kubectl to create the Eureka Server:
+
+   ```bash
+   kubectl apply -f ../eureka-server.yaml
+   ```
+
+   The `eureka-server.yaml` file contains the necessary Kubernetes resources to deploy the Eureka Server. It includes:
+
+   - **Service**: Exposes the Eureka Server on port 8761.
+   - **ConfigMap**: Stores configuration data for the Eureka Server can be consumed by other deployments.
+   - **Deployment**: Manages the deployment of the Eureka Server, including resource requests and limits, probes for liveness and readiness, and lifecycle hooks.
+
+1. **Verify the Deployment**
+
+   Use the following command to check the status of the Eureka Server pod:
+
+   ```bash
+   kubectl get pods
+   ```
+
+   If successful, you should see something like:
+
+   ```
+   NAME                                   READY   STATUS    RESTARTS   AGE
+   eureka-server-867c8c97b6-nvqjx         1/1     Running   0          36m
+   ```
+
+   **Tip**: If the pod is not running, check for errors using:
+  
+   ```bash
+   kubectl describe pod <pod-name>
+   kubectl logs <pod-name>
+   ```
+
+## Next Steps
+
+- Follow [03-create-config-server](./03-create-config-server.md) to create and deploy a Spring Cloud Config Server on Azure Kubernetes Service.
+