ADjusted Readme, Added classes to easyauth ingress

Author: dminkovski

deploy/aks/easyauth/easyauth-proxy/values.yaml

@@ -47,7 +47,7 @@ service:
 ingress:
   enabled: true
   annotations: 
-    kubernetes.io/ingress.class: nginx
+    kubernetes.io/ingress.class: webapprouting.kubernetes.azure.com
     cert-manager.io/cluster-issuer: letsencrypt
     nginx.ingress.kubernetes.io/proxy-buffering: "on"
     nginx.ingress.kubernetes.io/proxy-buffers: "4"

deploy/aks/scripts/easyauth.ps1

@@ -1,10 +1,6 @@
 # Using template from: https://github.com/Azure/EasyAuthForK8s/blob/master/docs/deploy-to-existing-cluster.md
 # Docs ref: https://learn.microsoft.com/en-us/azure/aks/ingress-tls?tabs=azure-cli
 
-Write-Host ""
-Write-Host "Loading azd .env file from current environment"
-Write-Host ""
-
 $output = azd env get-values
 
 foreach ($line in $output) {
@@ -17,9 +13,14 @@ foreach ($line in $output) {
   [Environment]::SetEnvironmentVariable($name, $value)
 }
 
-Write-Host "Environment variables set."
-
-Write-Host "Enabling EasyAuth for the AKS Cluster"
+if($env:AZURE_USE_EASY_AUTH -eq "true"){
+  Write-Host "Enabling EasyAuth for the AKS Cluster"
+  Write-Host "If you want to disable EasyAuth, please set the AZURE_USE_EASY_AUTH environment variable to false"
+} else {
+  Write-Host "EasyAuth is not enabled for the AKS Cluster"
+  Write-Host "If you want to enable EasyAuth, please set the AZURE_USE_EASY_AUTH environment variable to true"
+  exit 1;
+}
 
 $location = $env:AZURE_LOCATION
 
@@ -43,6 +44,14 @@ $nodeRG = az aks show -n $clusterName -g $clusterRG -o json | ConvertFrom-Json |
 Write-Host "AKS Cluster is in resource group: $nodeRG"
 
 $ingressIP=$(kubectl get ingress ingress-api -n azure-open-ai -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
+
+if($ingressIP -eq "" -or  $null -eq $ingressIP){
+  Write-Host "Please retry once Ingress Address is assigned to the AKS Cluster"
+  #kubectl apply -f ..\..\app\backend\manifests\ingress.yml
+  exit 1;
+}
+
+
 Write-Host "Found Ingress IP: $ingressIP"
 
 # List public IP resources in the specified resource group and convert JSON output to PowerShell object
@@ -61,8 +70,8 @@ $ingressHost=$(az network public-ip show -g $nodeRG -n $ipName -o json | Convert
 # This should be the same as the $APP_HOSTNAME
 Write-Host "FQDN assigned to the public IP address: $ingressHost"
 if ($ingressHost -ne $appHostName) {
-  Write-Host "FQDN assigned to the public IP address does not match the expected value: $appHostName"
-  exit 1
+Write-Host "FQDN assigned to the public IP address does not match the expected value: $appHostName"
+exit 1
 }
 
 # ---------------------
@@ -80,11 +89,10 @@ $objectId = $appInfo | Select-Object -ExpandProperty id
 Write-Host "Retrieved object ID: $objectId"
 
 # Update the application to disable the first OAuth2Permission
-Write-Host "Disabling the first OAuth2Permission"
-az ad app update --id $appId --set oauth2Permissions[0].isEnabled=false
-
+#Write-Host "Disabling the first OAuth2Permission"
+#az ad app update --id $appId --set oauth2Permissions[0].isEnabled=false
 # Clear the OAuth2Permissions array
-az ad app update --id $appId --set oauth2Permissions=[]
+#az ad app update --id $appId --set oauth2Permissions=[]
 
 # Reset credentials for the Azure AD application to generate a new password
 Write-Host "Resetting credentials for the Azure AD application"
@@ -112,11 +120,11 @@ kubectl label namespace cert-manager cert-manager.io/disable-validation=true
 
 # Install the cert manager
 helm install cert-manager jetstack/cert-manager `
-  --namespace cert-manager `
-  --version v1.14.2 `
-  --set installCRDs=true `
-  --set ingressShim.defaultIssuerName=letsencrypt `
-  --set ingressShim.defaultIssuerKind=ClusterIssuer
+--namespace cert-manager `
+--version v1.14.2 `
+--set installCRDs=true `
+--set ingressShim.defaultIssuerName=letsencrypt `
+--set ingressShim.defaultIssuerKind=ClusterIssuer
 
 kubectl get pods -n cert-manager
 
@@ -200,4 +208,4 @@ Configuration AKS details:
 - Public AKS Resource Group: $nodeRG
 "@
 
-Write-Host $easyAuthConfig 
+Write-Host $easyAuthConfig 

docs/aks/README-AKS.md

@@ -193,28 +193,8 @@ azd env set AZURE_SEARCH_SERVICE_LOCATION "eastus2" # Region of the ACS service
 azd up
 ```
 
-### Running locally
-
-1. Run
-
-   ```shell
-   az login
-   ```
-
-2. Change dir to `app`
-
-   ```shell
-   cd app
-   ```
-
-3. Run the `./start.ps1` (Windows) or `./start.sh` (Linux/Mac) scripts or run the "VS Code Task: Start App" to start the project locally.
-4. Wait for the docker compose to start all the containers (web, api, indexer) and refresh your browser to [http://localhost](http://localhost)
-
 ### UI Navigation
 
-- In Azure: navigate to the Web App deployed by azd. The URL is printed out when azd completes (as "Endpoint"), or you can find it in the Azure portal.
-- Running locally: navigate to localhost:8080
-
 Once in the web app:
 
 - Try different topics in chat or Q&A context. For chat, try follow-up questions, clarifications, ask to simplify or elaborate on answer, etc.
@@ -236,11 +216,11 @@ If you want to chat with your custom documents you can:
 
 ### Enabling Application Insights
 
-Applications Insights is enabled by default. It allows to investigate each request tracing along with the logging of errors.
+Applications Insights is disabled by default. It allows to investigate each request tracing along with the logging of errors.
 
 If you want to disable it set the `AZURE_USE_APPLICATION_INSIGHTS` variable to false before running `azd up`
 
-1. Run `azd env set AZURE_USE_APPLICATION_INSIGHTS false`
+1. Run `azd env set AZURE_USE_APPLICATION_INSIGHTS true`
 1. Run `azd up`
 
 To see the performance data, go to the Application Insights resource in your resource group, click on the "Investigate -> Performance" blade and navigate to any HTTP request to see the timing data.
@@ -257,8 +237,7 @@ To see any exceptions and server errors, navigate to the "Investigate -> Failure
 azd env set AZURE_USE_EASY_AUTH true
 ```
 
-By default, the deployed apps on AKS will have no authentication or access restrictions enabled, meaning anyone with routable network access to the web app can chat with your indexed data.You can require authentication to your Microsoft Entra by following the [Add app authentication](https://learn.microsoft.com/en-us/azure/container-apps/authentication) tutorial and set it up against the deployed web and api apps.
-Furthermore in order to let Web app to access the Api app be sure to configure native client access with [user_impersonation ](https://learn.microsoft.com/en-us/azure/container-apps/authentication-azure-active-directory#native-client-application)
+By default, the deployed apps on AKS will have no authentication or access restrictions enabled, meaning anyone with routable network access to the web app can chat with your indexed data. If you enable easy authentication the deployment will use a script based on [EasyAuthForK8s](https://github.com/Azure/EasyAuthForK8s) and using [Cert Manager](https://cert-manager.io/) to manage easy authentication for you using Microsoft Entra.
 
 To then limit access to a specific set of users or groups, you can follow the steps from [Restrict your Microsoft Entra app to a set of users](https://learn.microsoft.com/entra/identity-platform/howto-restrict-your-app-to-a-set-of-users) by changing "Assignment Required?" option under the Enterprise Application, and then assigning users/groups access. Users not granted explicit access will receive the error message -AADSTS50105: Your administrator has configured the application <app_name> to block users