Merge pull request #274018 from JackStromberg/patch-163

v1.0.2

Author: American-Dipper

articles/application-gateway/for-containers/alb-controller-release-notes.md

@@ -1,12 +1,12 @@
 ---
 title: Release notes for ALB Controller
-description: This article lists updates made to the Application Gateway for Containers ALB Controller
+description: This article lists updates made to the Application Gateway for Containers ALB Controller.
 services: application-gateway
 author: greglin
 ms.service: application-gateway
 ms.subservice: appgw-for-containers
 ms.topic: article
-ms.date: 02/27/2024
+ms.date: 5/9/2024
 ms.author: greglin
 ---
 
@@ -27,23 +27,17 @@ Instructions for new or existing deployments of ALB Controller are found in the
 
 | ALB Controller Version | Gateway API Version | Kubernetes Version | Release Notes |
 | ---------------------- | ------------------- | ------------------ | ------------- |
-| 1.0.0| v1 | v1.26, v1.27, v1.28 | URL redirect for both Gateway and Ingress API, v1beta1 -> v1 of Gateway API, quality improvements<br/>Breaking Changes: TLS Policy for Gateway API [PolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1alpha2.PolicyTargetReferenceWithSectionName)<br/>Listener is now referred to as [SectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.SectionName)<br/>Fixes: Request timeout of 3 seconds, [HealthCheckPolicy interval](https://github.com/Azure/AKS/issues/4086), [pod crash for missing API fields](https://github.com/Azure/AKS/issues/4087) |
+| 1.0.2| v1 | v1.26, v1.27, v1.28, v1.29 | ECDSA + RSA certificate support for both Ingress and Gateway API, Ingress fixes, Server-sent events support |
 
 ## Release history
 
-0.6.3 - Hotfix to address handling of AGC frontends during controller restart in managed scenario
-
-0.6.2 - Skipped
-
-November 6, 2023 - 0.6.1 - Gateway / Ingress API - Header rewrite support, Ingress API - URL rewrite support, Ingress multiple-TLS listener bug fix,
-two certificates maximum per host, adopting [semantic versioning (semver)](https://semver.org/), quality improvements
-
-September 25, 2023 - 0.5.024542 - Custom Health Probes, Controller HA, Multi-site support for Ingress, [helm_release via Terraform fix](https://github.com/Azure/AKS/issues/3857), Path rewrite for Gateway API, status for Ingress resources, quality improvements
-
-July 25, 2023 - 0.4.023971 - Ingress + Gateway coexistence improvements
-
-July 24, 2023 - 0.4.023961 - Improved Ingress support
-
-July 24, 2023 - 0.4.023921 - Initial release of ALB Controller
-
-- Minimum supported Kubernetes version: v1.25
+| ALB Controller Version | Gateway API Version | Kubernetes Version | Release Notes |
+| ---------------------- | ------------------- | ------------------ | ------------- |
+| 1.0.0| v1 | v1.26, v1.27, v1.28 | General Availability! URL redirect for both Gateway and Ingress API, v1beta1 -> v1 of Gateway API, quality improvements<br/>Breaking Changes: TLS Policy for Gateway API [PolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1alpha2.PolicyTargetReferenceWithSectionName)<br/>Listener is now referred to as [SectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.SectionName)<br/>Fixes: Request timeout of 3 seconds, [HealthCheckPolicy interval](https://github.com/Azure/AKS/issues/4086), [pod crash for missing API fields](https://github.com/Azure/AKS/issues/4087) |
+| 0.6.3 | v1beta1 | v1.25 | Hotfix to address handling of Application Gateway for Containers frontends during controller restart in managed scenario |
+| 0.6.2 | - | - | Skipped release |
+| November 6, 2023 - 0.6.1 | v1beta1 | v1.25 | Gateway / Ingress API - Header rewrite support, Ingress API - URL rewrite support, Ingress multiple-TLS listener bug fix, two certificates maximum per host, adopting [semantic versioning (semver)](https://semver.org/), quality improvements |
+| September 25, 2023 - 0.5.024542 | v1beta1 | v1.25 | Custom Health Probes, Controller HA, Multi-site support for Ingress, [helm_release via Terraform fix](https://github.com/Azure/AKS/issues/3857), Path rewrite for Gateway API, status for Ingress resources, quality improvements |
+| July 25, 2023 - 0.4.023971 | v1beta1 | v1.25 | Ingress + Gateway coexistence improvements |
+| July 24, 2023 - 0.4.023961 | v1beta1 | v1.25 | Improved Ingress support |
+| July 24, 2023 - 0.4.023921 | v1beta1 | v1.25 | Initial release of ALB Controller |

articles/application-gateway/for-containers/application-gateway-for-containers-components.md

@@ -6,7 +6,7 @@ author: greglin
 ms.service: application-gateway
 ms.subservice: appgw-for-containers
 ms.topic: conceptual
-ms.date: 03/26/2024
+ms.date: 5/9/2024
 ms.author: greglin
 ---
 
@@ -105,11 +105,11 @@ Application Gateway for Containers inserts three extra headers to all requests b
 
 ## Request timeouts
 
-Application Gateway for Containers enforces the following timeouts as requests are initiated and maintained between the client, AGC, and backend.
+Application Gateway for Containers enforces the following timeouts as requests are initiated and maintained between the client, Application Gateway for Containers, and backend.
 
 | Timeout | Duration | Description |
 | ------- | --------- | ----------- |
-| Request Timeout | 60 seconds | time for which AGC waits for the backend target response. |
+| Request Timeout | 60 seconds | time for which Application Gateway for Containers waits for the backend target response. |
 | HTTP Idle Timeout | 5 minutes | idle timeout before closing an HTTP connection. |
 | Stream Idle Timeout | 5 minutes | idle timeout before closing an individual stream carried by an HTTP connection. |
 | Upstream Connect Timeout | 5 seconds | time for establishing a connection to the backend target. |

articles/application-gateway/for-containers/custom-health-probe.md

@@ -6,7 +6,7 @@ author: greg-lindsay
 ms.service: application-gateway
 ms.subservice: appgw-for-containers
 ms.topic: conceptual
-ms.date: 02/27/2024
+ms.date: 5/9/2024
 ms.author: greglin
 ---
 
@@ -30,7 +30,6 @@ The following properties make up custom health probes:
 | timeout | How long in seconds the request should wait until it's marked as a failure  The minimum interval must be > 0 seconds. |
 | healthyThreshold | Number of health probes before marking the target endpoint healthy. The minimum interval must be > 0. |
 | unhealthyTreshold | Number of health probes to fail before the backend target should be labeled unhealthy. The minimum interval must be > 0. |
-| protocol| Specifies either nonencrypted `HTTP` traffic or encrypted traffic via TLS as `HTTPS` |
 | (http) host | The hostname specified in the request to the backend target. |
 | (http) path | The specific path of the request. If a single file should be loaded, the path might be /index.html. |
 | (http -> match) statusCodes | Contains two properties, `start` and `end`, that define the range of valid HTTP status codes returned from the backend. |
@@ -56,6 +55,9 @@ When the default health probe is used, the following values for each health prob
 | (http) host | localhost |
 | (http) path | / |
 
+>[!Note]
+>Health probes are initiated with the `User-Agent` value of `Microsoft-Azure-Application-LB/AGC`.
+
 ## Custom health probe
 
 In both Gateway API and Ingress API, a custom health probe can be defined by defining a [_HealthCheckPolicyPolicy_ resource](api-specification-kubernetes.md#alb.networking.azure.io/v1.HealthCheckPolicy) and referencing a service the health probes should check against.  As the service is referenced by an HTTPRoute or Ingress resource with a class reference to Application Gateway for Containers, the custom health probe is used for each reference.

articles/application-gateway/for-containers/ecdsa-rsa-certificates.md

@@ -0,0 +1,143 @@
+---
+title: ECDSA and RSA Certificates for Azure Application Gateway for Containers
+description: Learn how to configure a listener with both ECDSA and RSA certificates for Azure Application Gateway for Containers.
+services: application gateway
+author: greg-lindsay
+ms.service: application-gateway
+ms.subservice: appgw-for-containers
+ms.topic: conceptual
+ms.date: 5/9/2024
+ms.author: greglin
+---
+
+# ECDSA and RSA certificates for Application Gateway for Containers
+
+Cryptography is vital in ensuring privacy, integrity, and security of data as it is transmitted between a client and server on a network. Two widely adopted cryptographic algorithms for asymmetric encryption are Rivest-Shamir-Adleman (RSA) and Elliptic Curve Digital Signature Algorithm (ECDSA).
+
+- RSA asymmetric encryption was introduced in the 1970s and has wide device adoption today. RSA implements a simple mathematical approach to cryptography, which aids in adoption. 
+- ECDSA is an asymmetric encryption algorithm and successor to the Digital Signature Algorithm (DSA). ECDSA implements shorter key lengths than RSA, enabling excellent performance and scalability, while still retaining strong security. ECDSA was introduced in the 1990s, so some legacy devices might not be able to negotiate the algorithm.
+
+## Implementation in Application Gateway for Containers
+
+To provide flexibility, Application Gateway for Containers supports both ECDSA and RSA certificates. A listener can reference either ECDSA or RSA forcing a preferred encryption algorithm, or both can be supported in parallel. Running both algorithms in parallel enables both legacy and modern clients to negotiate a secure connection via RSA, while clients that support ECDSA can take advantage of the enhanced performance and security.
+
+Configuration of the certificates used with Application Gateway for Containers is defined within the Gateway or Ingress resources within Kubernetes. The public and private key is defined as a Kubernetes secret and referenced by name from the Gateway or Ingress resources. No designation is required within the secret resource to specify if the certificate is RSA or ECDSA. Application Gateway for Containers is programmed based on the certificate details provided.
+
+Application Gateway for Containers provides three variations for use of RSA and ECDSA secrets:
+
+- Two secrets: one secret containing an RSA certificate, the other containing an ECDSA certificate
+- One secret containing an RSA certificate
+- One secret containing an ECDSA certificate
+
+[![A diagram showing the Application Gateway for Containers with three variations of certificate configurations.](./media/ecdsa-rsa-certificates/ecdsa-rsa-certificates.png)](./media/ecdsa-rsa-certificates/ecdsa-rsa-certificates.png#lightbox)
+
+## Configure both ECDSA and RSA certificates on the same listener
+
+1. Configure Kubernetes secrets
+
+Two secret resources are created, each with its own certificate. One certificate is generated ECDSA and the other RSA.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: rsa-tls-secret
+  namespace: test-infra
+data:
+  tls.crt: <base64encodedpublickey>
+  tls.key: <base64encodedprivatekey>
+type: kubernetes.io/tls
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ecdsa-tls-secret
+  namespace: test-infra
+data:
+  tls.crt: <base64encodedpublickey>
+  tls.key: <base64encodedprivatekey>
+type: kubernetes.io/tls
+```
+
+2. Reference the secrets via a listener
+
+# [Gateway API](#tab/tls-policy-gateway-api)
+
+Both ECDSA and RSA certificates on the same listener in Gateway API is supported by having two certificate references. A maximum of two certificates is supported: one ECDSA and one RSA.
+
+```yaml
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  annotations:
+    alb.networking.azure.io/alb-name: alb-test
+    alb.networking.azure.io/alb-namespace: alb-test-infra
+  name: gateway-01
+  namespace: test-infra
+spec:
+  gatewayClassName: azure-alb-external
+  listeners:
+  - allowedRoutes:
+      namespaces:
+        from: All
+    name: http-listener
+    port: 80
+    protocol: HTTP
+  - allowedRoutes:
+      namespaces:
+        from: All
+    name: https-listener
+    port: 443
+    protocol: HTTPS
+    tls:
+      mode: Terminate
+      certificateRefs:
+      - kind : Secret
+        group: ""
+        name: ecdsa-tls-secret
+        namespace: test-infra
+      - kind : Secret
+        group: ""
+        name: rsa-tls-secret
+        namespace: test-infra
+```
+
+# [Ingress API](#tab/tls-policy-ingress-api)
+
+Both ECDSA and RSA certificates on the same host in Ingress API is supported by defining two host and secretName references. A maximum of two certificates is supported: one ECDSA and one RSA.
+
+>[!Warning]
+>Ingress resources that reference the same frontend and define the same host must reference the same certificates. If there’s a discrepancy in the number of certificates between two Ingress resources (for example, one has a single certificate and the other has two), the configuration of the first defined Ingress resource will be implemented. The configuration of the second Ingress resource will be disregarded.
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    alb.networking.azure.io/alb-name: alb-test
+    alb.networking.azure.io/alb-namespace: alb-test-infra
+  name: ingress-01
+  namespace: test-infra
+spec:
+  ingressClassName: azure-alb-external
+  tls:
+  - hosts:
+    - contoso.com
+    secretName: ecdsa-tls-secret
+  - hosts:
+    - contoso.com
+    secretName: rsa-tls-secret
+  rules:
+  - host: contoso.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: backend-v1
+            port:
+              number: 8080
+```
+
+---

articles/application-gateway/for-containers/how-to-header-rewrite-gateway-api.md

@@ -6,7 +6,7 @@ author: greg-lindsay
 ms.service: application-gateway
 ms.subservice: appgw-for-containers
 ms.topic: conceptual
-ms.date: 02/27/2024
+ms.date: 5/9/2024
 ms.author: greglin
 ---
 
@@ -170,7 +170,7 @@ Once the gateway is created, create an HTTPRoute that listens for hostname conto
 
 In this example, we look for the user agent used by the Bing search engine and simplify the header to SearchEngine-BingBot for easier backend parsing. 
 
-This example also demonstrates addition of a new header called `AGC-Header-Add` with a value of `agc-value` and removes a request header called `client-custom-header`.
+This example also demonstrates addition of a new header called `AGC-Header-Add` with a value of `AGC-value` and removes a request header called `client-custom-header`.
 
 > [!TIP]
 > For this example, while we can use the HTTPHeaderMatch of "Exact" for a string match, a demonstration is used in regular expression for illistration of further capabilities.
@@ -202,7 +202,7 @@ spec:
                 value: SearchEngine-BingBot
             add:
               - name: AGC-Header-Add
-                value: agc-value
+                value: AGC-value
             remove: ["client-custom-header"]
       backendRefs:
         - name: backend-v2
@@ -337,7 +337,7 @@ Via the response we should see:
 }
 ```
 
-Specifying a `client-custom-header` header with the value `moo` should be stripped from the request when AGC initiates the connection to the backend service:
+Specifying a `client-custom-header` header with the value `moo` should be stripped from the request when Application Gateway for Containers initiates the connection to the backend service:
 
 ```bash
 fqdnIp=$(dig +short $fqdn)

articles/application-gateway/for-containers/how-to-header-rewrite-ingress-api.md

@@ -6,7 +6,7 @@ author: greg-lindsay
 ms.service: application-gateway
 ms.subservice: appgw-for-containers
 ms.topic: conceptual
-ms.date: 03/5/2024
+ms.date: 5/9/2024
 ms.author: greglin
 ---
 
@@ -171,7 +171,7 @@ Once the Ingress is created, next we need to define an IngressExtension with the
 
 In this example, we set a static user-agent with a value of `rewritten-user-agent`.
 
-This example also demonstrates addition of a new header called `AGC-Header-Add` with a value of `agc-value` and removes a request header called `client-custom-header`.
+This example also demonstrates addition of a new header called `AGC-Header-Add` with a value of `AGC-value` and removes a request header called `client-custom-header`.
 
 > [!TIP]
 > For this example, while we can use the HTTPHeaderMatch of "Exact" for a string match, a demonstration is used in regular expression for illistration of further capabilities.
@@ -194,7 +194,7 @@ spec:
                 value: "rewritten-user-agent"
             add:
               - name: "AGC-Header-Add"
-                value: "agc-value"
+                value: "AGC-value"
             remove:
               - "client-custom-header"
 EOF
@@ -294,7 +294,7 @@ Via the response we should see:
 }
 ```
 
-Specifying a `client-custom-header` header with the value `moo` should be stripped from the request when AGC initiates the connection to the backend service:
+Specifying a `client-custom-header` header with the value `moo` should be stripped from the request when Application Gateway for Containers initiates the connection to the backend service:
 
 ```bash
 fqdnIp=$(dig +short $fqdn)

articles/application-gateway/for-containers/how-to-url-redirect-gateway-api.md

@@ -6,7 +6,7 @@ author: greg-lindsay
 ms.service: application-gateway
 ms.subservice: appgw-for-containers
 ms.topic: conceptual
-ms.date: 02/27/2024
+ms.date: 5/9/2024
 ms.author: greglin
 ---
 

articles/application-gateway/for-containers/how-to-url-redirect-ingress-api.md

@@ -6,7 +6,7 @@ author: greg-lindsay
 ms.service: application-gateway
 ms.subservice: appgw-for-containers
 ms.topic: conceptual
-ms.date: 02/27/2024
+ms.date: 5/9/2024
 ms.author: greglin
 ---