feat (in-cluster): [webapprouting] replace traefik with nginx addon

README.md

@@ -42,7 +42,6 @@ Finally, this implementation uses the [ASP.NET Core Docker sample web app](https
 - [Flux GitOps Operator](https://fluxcd.io) *[AKS-managed extension]*
 - [ImageCleaner (Eraser)](https://learn.microsoft.com/azure/aks/image-cleaner) *[AKS-managed add-on]*
 - [Secrets Store CSI Driver for Kubernetes](https://learn.microsoft.com/azure/aks/csi-secrets-store-driver) *[AKS-managed add-on]*
-- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-ingress/)
 
 ![Network diagram depicting a hub-spoke network with two peered VNets and main Azure resources used in the architecture.](https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/images/secure-baseline-architecture.svg)
 
@@ -83,20 +82,19 @@ We perform the prior steps manually here for you to understand the involved comp
 Without a workload deployed to the cluster it will be hard to see how these decisions come together to work as a reliable application platform for your business. The deployment of this workload would typically follow a CI/CD pattern and may involve even more advanced deployment strategies (such as blue/green). The following steps represent a manual deployment, suitable for illustration purposes of this infrastructure.
 
 - [ ] Just like the cluster, there are [workload prerequisites to address](./docs/deploy/08-workload-prerequisites.md)
-- [ ] [Configure AKS Ingress Controller with Azure Key Vault integration](./docs/deploy/09-secret-management-and-ingress-controller.md)
-- [ ] [Deploy the workload](./docs/deploy/10-workload.md)
+- [ ] [Deploy the workload](./docs/deploy/09-workload.md)
 
 ### 5. :checkered_flag: Validate
 
 Now that the cluster and the sample workload is deployed; it's time to look at how the cluster is functioning.
 
-- [ ] [Perform end-to-end deployment validation](./docs/deploy/11-validation.md)
+- [ ] [Perform end-to-end deployment validation](./docs/deploy/10-validation.md)
 
 ## :broom: Clean up resources
 
 Most of the Azure resources deployed in the prior steps will incur ongoing charges unless removed.
 
-- [ ] [Clean up all resources](./docs/deploy/12-cleanup.md)
+- [ ] [Clean up all resources](./docs/deploy/11-cleanup.md)
 
 ## Preview and additional features
 

cluster-manifests/a0008/ingress-network-policy.yaml

@@ -9,8 +9,10 @@ spec:
       app.kubernetes.io/name: aspnetapp
   ingress:
   - from:
-    - namespaceSelector: {}
-      podSelector:
+    - namespaceSelector:
         matchLabels:
-          app.kubernetes.io/name: traefik-ingress-ilb
-          app.kubernetes.io/instance: traefik-ingress-ilb
+          kubernetes.io/metadata.name: app-routing-system
+    - podSelector:
+        matchLabels:
+          app: nginx-internal-0
+          app.kubernetes.io/component: ingress-controller

cluster-manifests/a0008/nginx-internal.yaml

@@ -0,0 +1,23 @@
+#  ------------------------------------------------------------
+#   Copyright (c) Microsoft Corporation.  All rights reserved.
+#   Licensed under the MIT License (MIT). See License.txt in the repo root #  for license information.
+#  ------------------------------------------------------------
+
+apiVersion: approuting.kubernetes.azure.com/v1alpha1
+kind: NginxIngressController
+metadata:
+  name: nginx-internal
+  namespace: a0008
+  labels:
+    app.kubernetes.io/name: nginx-ingress-ilb
+    app.kubernetes.io/instance: nginx-ingress-ilb
+spec:
+  ingressClassName: nginx-internal
+  controllerNamePrefix: nginx-internal
+  loadBalancerAnnotations:
+    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "snet-clusteringressservices"
+  httpDisabled: false
+  scaling:
+    maxReplicas: 3
+    minReplicas: 2

contoso-bicycle/README.md

@@ -85,7 +85,7 @@ The web service's host should have these capabilities.
 
 - Deploy the AKS cluster into an existing Azure Virtual Network spoke. Use the existing Azure Firewall in the regional hub for securing outgoing traffic from the cluster.
 - Traffic from public-facing website is required to be encrypted. This encryption is implemented with Azure Application Gateway with integrated web application firewall (WAF).
-- Use Traefik as the Kubernetes ingress controller.
+- Use NGINX as the Kubernetes ingress controller.
 - The workload is stateless. No data will be persisted inside the cluster.
 - Azure Network Policy will be enabled for use, even though there's a single workload in one line-of-business.
 - Azure Container Registry will be used for the container image registry. The cluster will access the registry through Azure Private Link.