Releases: mspnp/aks-baseline

v1.22.4.3

28 Apr 20:16
0fea5e5

Implementation Updates

  • Migrated from JSON to Bicep ARM templates for the cluster resources - #302 (HT: @ferantivero & @teilmeier)
  • Updated the App Gateway subnet size to align with current safe sizing recommendations - #304
  • Updated to recent Azure resource API versions - #302
  • Re-enabled the firewall rule that supports pre-konnectivity clusters to reduce failures - #305 (HT: @ulkeba)
  • Fixed an output param that was returning the wrong thing. - #305

Walkthrough updates

  • Ensure AKS Defender feature is enabled - #301
  • Fixed typos - #303 (HT: @rick-brown-slalom)
  • Added some echo statements after retrieving values to help the user know whether those commands succeeded. - #305

Misc updates

v1.22.4.2

10 Mar 18:54
f524013

Implementation Updates

  • Added Azure Defender for Containers, and Azure Policy enforcement of the same - #283
  • Tightened up Azure App Gateway's NSG - #284 (HT: @Gordonby)
  • Migrated from JSON to Bicep ARM templates for the bootstrapping resources - #286 (HT: @teilmeier)
  • Fixed up the Flux extension to properly disable Flux controllers not in use. - #288 (HT: @teilmeier)
  • Adjusted the Flux extension to properly enable the Azure Portal experience around GitOps - #288 (HT: @teilmeier)
  • Moved the private endpoints used by Azure Container Registry and Azure Key Vault into their own subnet - #291 (HT: @teilmeier)

Walkthrough Updates

  • Updated the IP range/allocation table to correct a typo - #282 (HT: @skazure)
  • Added a notice about the usage of --sdk-auth in the GitHub Actions flow - #287

v1.22.4.1

01 Feb 22:07

Implementation Updates

  • Use categoryGroup on diagnosticSettings in more places - #272 & #276
  • Enable OIDC Issuer feature to support upcoming Workload identities - #274
  • Migrate from JSON to Bicep ARM templates (Network templates only at this time) - #276
  • Added zone support for all public IPs - #276
  • Simplified the Azure Firewall Policy to help work around its annoying IaC issues and speed up the second hub deployment a bit - #276
  • Added diagnosticSettings to public IPs - #276
  • Azure Resource Provider API updates (various PRs)

Walkthrough Updates

  • Added some guidance around how to use the Flux v2 Extension with private git repos. - #277 & #274 (HT: @thepaulmacca)

v1.22.4.0

27 Dec 18:58
dd73e12

Implementation Updates

  • Updated to AKS Version 1.22.4 (from 1.22.2) - #256
  • Updated kured to 1.9.0 - #256
  • Replaced OSS Flux v1 with the Flux v2 AKS Extension - #256

Flux OSS -> AKS Extension Notes

This marks a significant change to the flow of the walkthrough. The ACR deployment now happens BEFORE the AKS deployment to allow all bootstrapping images to be uploaded before the cluster is deployed. This is important because the cluster is now bootstrapped WITH the deployment instead of as a post-deployment step as it was in all prior releases.

Also, the Flux version moved from v1 to the now-standard v2.

Walkthrough Updates

  • Minor wording updates and link updates - #256 & #269

v1.22.2.1

30 Nov 21:36
c538075

Implementation Updates

  • Allowed AppGW's X-Forwarded-Host header to flow through the ingress controller. HT @Xitric - #254

Walkthrough Updates

  • Added detail around the cert formats supported by Key Vault for customers using their own cert generation process. HT @scaswell-hirez - #255
  • For customers using the authorized IP address range feature, added extra guidance around what IP addresses should be added. HT @scaswell-hirez - #261
  • The "inner-loop" scripts are rarely maintained and are left for curiosity purposes only. Added some additional warnings around just using them "as is." HT @kevingbb - #263
    • Completely removed the .azcli files from those scripts - #267
  • Removed instructions for preview features that have gone GA - #267
  • Support the "403 validation check" on kubectl 1.23 (which is in RC status at the time of writing this) - #267
  • Added a bit more "self-help" text around the out-of-band Key Vault cert upload step to handle users that are behind corporate proxies or other egress restrictions. HT: @kevingbb - #267

v1.22.2.0

04 Nov 13:30
3f3090b

Implementation Updates

  • Upgraded cluster to 1.22.2 (Preview) version. GA is expected this month. Feel free to use the prior release tag for the 1.21.2 version. - #252
  • Updated Traefik to 2.5.x (from 2.4.x) - #252
  • Implemented suggestion from @kendallroden to include allowPrivilegeEscalation: false on the example Traefik install, to avoid common Azure Policies assignments that may pre-exist in your subscription or parent management groups. - #252

Walkthrough Updates

  • Fixed example log analytics query to function properly after a recent name change. HT @AAkindele. - #247
  • Added a callout around LibreSSL being aliased to openssl on some systems. HT @kendallroden - #246

v1.21.2.2

28 Sep 17:49
ed5206c

Implementation Updates

  • Migrate to Azure RBAC from Access Policies for Azure Key Vault. HT: @stephaneey - #241
  • Provided a more meaningful name to the Azure App Gateway public SSL cert. - #241
  • Restricted public access to Azure Key Vault - #241
  • Updated example kured installation to target version 1.7.0 - #240
  • Improve dependsOn references to be more accurate for runtime needs - #241

Walkthrough Updates

  • Fixed how saveenv.sh emits the cache file so that it can be run again safely after sourcing it - #239
  • Fixed a 404 in the Azure AD Pod Identity documentation - #241

v1.21.2.1

22 Sep 16:22
067b718
  • Enable SLA-backed SKU by default - #238
  • When creating the client-facing, self-signed cert for AppGW, add the SAN extension so that you can get a full trust experience (after importing the root certificate) - #237
  • Reintroduce the CriticalAddonsOnly taint as all addons used in this implementation support the taint now - #236
  • Update Pod Disruption Budget API version to policy/v1 since that's GA in 1.21 - #219

And also some quality of life improvements in the walkthrough itself:

  • Be clearer about preview features so folks don't run into deployment failures later - #235
  • Updated instructions to work better with MSDN and AAD Guest accounts - #222
  • Better support for terminated shell sessions with an environment variable persist step to support conducting the walkthrough over multiple shell sessions. - #220 (HT: @alfredoihernandez)
  • Allow users to optionally set their own domain (instead of requiring it to be contoso.com) - #218 (HT: @AAkindele)

v1.21.2.0

03 Aug 14:36
2db1179
  • Removed unneeded NTP firewall rule - #214
  • Switched from OWASP 3.0 to 3.2 ruleset - #214
  • Fixed unclear resource naming of the 443 port in App Gateway - #214
  • Updated from AKS 1.21.1 to AKS 1.21.2 - #215

v1.21.1.0

19 Jul 18:13
83087e9
  • Update to AKS 1.21.1 - #211
  • Add Event Grid System Topic for AKS notifications - #212
  • Fix GitHub Workflow deployment after introduction of Azure RBAC - #212