docs: reorganize docs (#295)

Author: akshaysngupta

README.md

@@ -2,19 +2,31 @@
 [![Build Status](https://travis-ci.org/Azure/application-gateway-kubernetes-ingress.svg?branch=master)](https://travis-ci.org/Azure/application-gateway-kubernetes-ingress)
 [![Go Report Card](https://goreportcard.com/badge/Azure/application-gateway-kubernetes-ingress)](https://goreportcard.com/report/Azure/application-gateway-kubernetes-ingress)
 
-The Application Gateway Ingress Controller allows the [Azure Application Gateway](https://azure.microsoft.com/en-us/services/application-gateway/) to be used as the ingress for an [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/) aka AKS cluster. As shown in the figure below, the ingress controller runs as a pod within the AKS cluster. It consumes [Kubernetes Ingress Resources](https://kubernetes.io/docs/concepts/services-networking/ingress/) and converts them to an Azure Application Gateway configuration which allows the gateway to load-balance traffic to Kubernetes pods.
+The Application Gateway Ingress Controller allows [Azure Application Gateway](https://azure.microsoft.com/en-us/services/application-gateway/) to be used as the ingress for an [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/) aka AKS cluster.
+
+As shown in the figure below, the ingress controller runs as a pod within the AKS cluster. It consumes [Kubernetes `Ingress` Resources](http://kubernetes.io/docs/user-guide/ingress/) and converts them to an Azure Application Gateway configuration which allows the gateway to load-balance traffic to Kubernetes pods.
 
 ![Azure Application Gateway + AKS](docs/images/architecture.png)
 
-## Setup
-* **Greenfield Deployment**: If you are starting from scratch, refer to these [installation](docs/install-new.md) instructions which outlines steps to deploy an AKS cluster with Application Gateway and install application gateway ingress controller on the AKS cluster.
-* **Brownfield Deployment**: If you have an existing AKS cluster and Application Gateway, refer to these [installation](docs/install-existing.md) instructions to install application gateway ingress controller on the AKS cluster.
+## General
+### Setup
+* [**Greenfield Deployment**](docs/install-new.md): Refer to these installation instructions if you are starting from scratch. It outline steps to deploy an AKS cluster with Application Gateway and install application gateway ingress controller on the AKS cluster.
+* [**Brownfield Deployment**](docs/install-existing.md): Refer to these installation instructions if you have an existing AKS cluster and Application Gateway. It outlines steps to install application gateway ingress controller on the AKS cluster.
+
+### Usage
+[**Tutorials**](docs/tutorial.md): Refer to these to understand how you can expose an AKS service over HTTP or HTTPS, to the internet, using an Azure Application Gateway.
+
+[**Features**](docs/features.md): This document maintains a list of available features.
+
+[**Annotations**](docs/annotations.md): The Kubernetes Ingress specification does not allow all features of Application Gateway to be exposed through the ingress resource. Therefore we have introduced application gateway ingress controller specific annotations to expose application gateway features through an ingress resource. Please refer to these to understand the various annotations supported by the ingress controller, and the corresponding features that can be turned on in the application gateway for a given annotation.
+
+[**How-To**](docs/how-to.md): This document maintains a collection of complex scenarios.
 
-## Usage
-Refer to the [tutorials](docs/tutorial.md) to understand how you can expose an AKS service over HTTP or HTTPS, to the internet, using an Azure Application Gateway.
+### Troubleshooting
+For troubleshooting, please refer to this [guide](docs/troubleshooting.md).
 
-## Annotations
-The Kubernetes Ingress specification does not allow all features of Application Gateway to be exposed through the ingress resource. Therefore we have introduced application gateway ingress controller specific annotations to expose application gateway features through an ingress resource. Please refer to the [annotations](docs/annotations.md) to understand the various annotations supported by the ingress controller, and the corresponding features that can be turned on in the application gateway for a given annotation.
+### Frequently asked questions
+For FAQ, please refer to this [guide](docs/faq.md).
 
 ## Reporting Issues
 The best way to report an issue is to create a Github Issue for the project. Please include the following information when creating the issue:

docs/examples/aadpodidentity/aadpodidbinding.yaml

@@ -0,0 +1,14 @@
+# Frequrently Asked Questions: [WIP]
+
+* [What is an Ingress Controller?](#what-is-an-ingress-controller?)
+* [Can single ingress controller instance manage multiple Application Gateway?](#can-single-ingress-controller-instance-manage-multiple-application-gateway?)
+
+## What is an Ingress Controller?
+Kubernetes allows creation of `deployment` and `service` resource to expose a group of pods internally in the cluster. To expose the same service externally, an [`Ingress`](https://kubernetes.io/docs/concepts/services-networking/ingress/) resource is defined which provides load balancing, SSL termination and name-based virtual hosting.
+To satify this `Ingress` resource, an Ingress Controller is required which listens for any changes to `Ingress` resources and configures the load balancer policies.
+
+The Application Gateway Ingress Controller allows [Azure Application Gateway](https://azure.microsoft.com/en-us/services/application-gateway/) to be used as the ingress for an [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/) aka AKS cluster.
+
+
+## Can single ingress controller instance manage multiple Application Gateway?
+Currently, One instance of Ingress Controller can only be associated to one Application Gateway.

docs/examples/aadpodidentity/aadpodidentity.yaml

@@ -0,0 +1,4 @@
+# Features
+
+* [Backend Health Probes](features/probes.md)
+* [Cookie Based Affinity](features/cookie-affinity.md)

docs/faq.md

@@ -0,0 +1,20 @@
+## Enable Cookie based Affinity
+As outlined in the [Azure Application Gateway Documentation](https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-components#http-settings), Application Gateway supports cookie based affinity enabling which it can direct subsequent traffic from a user session to the same server for processing.
+
+### Example
+```yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: guestbook
+  annotations:
+    kubernetes.io/ingress.class: azure/application-gateway
+    appgw.ingress.kubernetes.io/cookie-based-affinity: "true"
+spec:
+  rules:
+  - http:
+      paths:
+      - backend:
+          serviceName: frontend
+          servicePort: 80
+```

docs/features.md

@@ -0,0 +1,54 @@
+## Adding Health Probes to your service
+By default, Ingress controller will provision an HTTP GET probe for the exposed pods.
+The probe properties can be customized by adding a [Readiness or Liveness Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/) to your `deployment`/`pod` spec.
+
+### With `readinessProbe` or `livenessProbe`
+```yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: aspnetapp
+spec:
+  replicas: 3
+  template:
+    metadata:
+      labels:
+        service: site
+    spec:
+      containers:
+      - name: aspnetapp
+        image: mcr.microsoft.com/dotnet/core/samples:aspnetapp
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 80
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 80
+          periodSeconds: 3
+          timeoutSeconds: 1
+```
+
+Kubernetes API Reference:
+* [Container Probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes)
+* [HttpGet Action](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.14/#httpgetaction-v1-core)
+
+*Note:*
+1) `readinessProbe` and `livenessProbe` are supported when configured with `httpGet`.
+2) Probing on a port other than the one exposed on the pod is currently not supported.
+3) `HttpHeaders`, `InitialDelaySeconds`, `SuccessThreshold` are not supported.
+
+###  Without `readinessProbe` or `livenessProbe`
+If the above probes are not provided, then Ingress Controller make an assumption that the service is reachable on `Path` specified for `backend-path-prefix` annotation or the `path` specified in the `ingress` definition for the service.
+
+### Default Values for Health Probe
+For any property that can not be inferred by the readiness/liveness probe, Default values are set.
+
+| Application Gateway Probe Property | Default Value |
+|-|-|
+| `Path` | / |
+| `Host` | localhost |
+| `Protocol` | HTTP |
+| `Timeout` | 30 |
+| `Interval` | 30 |
+| `UnhealthyThreshold` | 3 |

docs/features/cookie-affinity.md

@@ -0,0 +1,4 @@
+# How-Tos
+
+* [How to integrate with `lets encrypt` for automatic certificate issuance and rotation ?](how-tos/lets-encrypt.md)
+* [How to expose a WebSocket server ?](how-tos/websockets.md)

docs/features/probes.md

@@ -0,0 +1,135 @@
+## Certificate issuance with LetsEncrypt.org
+
+This section configures your AKS to leverage [LetsEncrypt.org](https://letsencrypt.org/) and automatically obtain a
+TLS/SSL certificate for your domain. The certificate will be installed on Application Gateway, which will perform
+SSL/TLS termination for your AKS cluster. The setup described here uses the
+[cert-manager](https://github.com/jetstack/cert-manager) Kubernetes add-on, which automates the creation and management of 
+certificates.
+
+Follow the steps below to install [cert-manager](https://docs.cert-manager.io) on your existing AKS cluster.
+
+##### 1. Helm Chart
+
+Run the following script to install the `cert-manager` helm chart. This will:
+  - create a new `cert-manager` namespace on your AKS
+  - create the following CRDs: Certificate, Challenge, ClusterIssuer, Issuer, Order
+  - install cert-manager chart (from [docs.cert-manager.io)](https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html#steps)
+
+
+```bash
+#!/bin/bash
+
+# Install the CustomResourceDefinition resources separately
+kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.8/deploy/manifests/00-crds.yaml
+
+# Create the namespace for cert-manager
+kubectl create namespace cert-manager
+
+# Label the cert-manager namespace to disable resource validation
+kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
+
+# Add the Jetstack Helm repository
+helm repo add jetstack https://charts.jetstack.io
+
+# Update your local Helm chart repository cache
+helm repo update
+
+# Install the cert-manager Helm chart
+helm install \
+  --name cert-manager \
+  --namespace cert-manager \
+  --version v0.8.0 \
+  jetstack/cert-manager
+```
+
+##### 2. ClusterIssuer Resource
+
+Create a `ClusterIssuer` resource. It is required by `cert-manager` to represent the `Lets Encrypt` certificate
+authority where the signed certificates will be obtained.
+
+By using the non-namespaced `ClusterIssuer` resource, cert-manager will issue certificates that can be consumed from
+multiple namespaces. `Let’s Encrypt` uses the ACME protocol to verify that you control a given domain name and to issue
+you a certificate. More details on configuring `ClusterIssuer` properties
+[here](https://docs.cert-manager.io/en/latest/tasks/issuers/index.html). `ClusterIssuer` will instruct `cert-manager`
+to issue certificates using the `Lets Encrypt` staging environment used for testing (the root certificate not present
+in browser/client trust stores).
+
+The default challenge type in the YAML below is `http01`. Other challenges are documented on [letsencrypt.org - Challenge Types](https://letsencrypt.org/docs/challenge-types/)
+
+**IMPORTANT:** Update `<YOUR.EMAIL@ADDRESS>` in the YAML below
+
+```bash
+#!/bin/bash
+kubectl apply -f - <<EOF
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: <YOUR.EMAIL@ADDRESS>
+    # ACME server URL for Let’s Encrypt’s staging environment.
+    # The staging environment will not issue trusted certificates but is
+    # used to ensure that the verification process is working properly
+    # before moving to production
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource used to store the account's private key.
+      name: example-issuer-account-key
+    # Enable the HTTP-01 challenge provider
+    # you prove ownership of a domain by ensuring that a particular
+    # file is present at the domain
+    http01: {}
+EOF
+```
+
+##### 3. Deploy App
+
+Create an Ingress resource to Expose the `guestbook` application using the Application Gateway with the Lets Encrypt Certificate.
+
+Ensure you Application Gateway has a public Frontend IP configuration with a DNS name (either using the
+default `azure.com` domain, or provision a `Azure DNS Zone` service, and assign your own custom domain).
+Note the annotation `certmanager.k8s.io/cluster-issuer: letsencrypt-staging`, which tells cert-manager to process the
+tagged Ingress resource.
+
+**IMPORTANT:**  Update `<PLACEHOLDERS.COM>` in the YAML below with your own domain (or the Application Gateway one, for example
+'kh-aks-ingress.westeurope.cloudapp.azure.com')
+
+```bash
+kubectl apply -f - <<EOF
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: guestbook-letsencrypt-staging
+  annotations:
+    kubernetes.io/ingress.class: azure/application-gateway
+    certmanager.k8s.io/cluster-issuer: letsencrypt-staging
+spec:
+  tls:
+  - hosts:
+    - <PLACEHOLDERS.COM>
+    secretName: guestbook-secret-name
+  rules:
+  - host: <PLACEHOLDERS.COM>
+    http:
+      paths:
+      - backend:
+          serviceName: frontend
+          servicePort: 80
+EOF
+```
+
+After a few seconds, you  can access the `guestbook` service through the Application Gateway HTTPS url using the automatically issued **staging** `Lets Encrypt` certificate.
+Your browser may warn you of an invalid cert authority. The staging certificate is issued by `CN=Fake LE Intermediate X1`. This is an indication that the system worked as expected and you are ready for your production certificate.
+
+
+##### 4. Production Certificate
+Once your staging certificate is setup successfully you can switch to a production ACME server:
+  1. Replace the staging annotation on your Ingress resource with: `certmanager.k8s.io/cluster-issuer: letsencrypt-prod`
+  2. Delete the existing staging `ClusterIssuer` you created in the previous step and create a new one by replacing the ACME server from the ClusterIssuer YAML above with `https://acme-v02.api.letsencrypt.org/directory`
+
+##### 5. Certificate Expiration and Renewal
+Before the `Lets Encrypt` certificate expires, `cert-manager` will automatically update the certificate in the Kubernetes secret store. At that point, Application Gateway Ingress Controller will apply the updated secret referenced in the ingress resources it is using to configure the Application Gateway.

docs/how-to.md

@@ -0,0 +1,81 @@
+## Expose a WebSocket server
+
+As outlined in the Application Gateway v2 documentation - it [provides native support for the WebSocket and HTTP/2 protocols](https://docs.microsoft.com/en-us/azure/application-gateway/overview#websocket-and-http2-traffic). Please note, that for both Application Gateway and the Kubernetes Ingress - there is no user-configurable setting to selectively enable or disable WebSocket support.
+
+The Kubernetes deployment YAML below shows the minimum configuration used to deploy a WebSocket server, which is the same as deploying a regular web server:
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: websocket-server
+spec:
+  selector:
+    matchLabels:
+      app: ws-app
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: ws-app
+    spec:
+      containers:
+        - name: websocket-app
+          imagePullPolicy: Always
+          image: your-container-repo.azurecr.io/websockets-app
+          ports:
+            - containerPort: 8888
+      imagePullSecrets:
+        - name: azure-container-registry-credentials
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: websocket-app-service
+spec:
+  selector:
+    app: ws-app
+  ports:
+  - protocol: TCP
+    port: 80
+    targetPort: 8888
+
+---
+
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: websocket-repeater
+  annotations:
+    kubernetes.io/ingress.class: azure/application-gateway
+spec:
+  rules:
+    - host: ws.contoso.com
+      http:
+        paths:
+          - backend:
+              serviceName: websocket-app-service
+              servicePort: 80
+```
+
+Given that all the prerequisites are fulfilled, and you have an App Gateway controlled by a K8s Ingress in your AKS, the deployment above would result in a WebSockets server exposed on port 80 of your App Gateway's public IP and the `ws.contoso.com` domain.
+
+The following cURL command would test the WebSocket server deployment:
+```sh
+curl -i -N -H "Connection: Upgrade" \
+        -H "Upgrade: websocket" \
+        -H "Origin: http://localhost" \
+        -H "Host: ws.contoso.com" \
+        -H "Sec-Websocket-Version: 13" \
+        -H "Sec-WebSocket-Key: 123" \
+        http://1.2.3.4:80/ws
+```
+
+##### WebSocket Health Probes
+
+If your deployment does not explicitly define health probes, App Gateway would attempt an  HTTP GET on your WebSocket server endpoint.
+Depending on the server implementation ([here is one we love](https://github.com/gorilla/websocket/blob/master/examples/chat/main.go)) WebSocket specific headers may be required (`Sec-Websocket-Version` for instance).
+Since App Gateway does not add WebSocket headers, the App Gateway's health probe response from your WebSocket server will most likely be `400 Bad Request`.
+As a result App Gateway will mark your pods as unhealthy, which will eventually result in a `502 Bad Gateway` for the consumers of the WebSocket server.
+To avoid this you may need to add an HTTP GET handler for a health check to your server (`/health` for instance, which returns `200 OK`).