Add new doc: "Deploy and run an Azure OpenAI/ChatGPT app on AKS"

scenarios/AksOpenAiTerraform/.gitignore

@@ -0,0 +1,40 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+.venv
+.vscode

scenarios/AksOpenAiTerraform/README.md

@@ -0,0 +1,71 @@
+---
+title: Deploy and run an Azure OpenAI ChatGPT application on AKS via Terraform
+description: This article shows how to deploy an AKS cluster and Azure OpenAI Service via Terraform and how to deploy a ChatGPT-like application in Python.
+ms.topic: quickstart 
+ms.date: 09/06/2024 
+author: aamini7
+ms.author: ariaamini
+ms.custom: innovation-engine, linux-related-content 
+---
+
+## Provision Resources with Terraform (~5 minutes)
+Run terraform to provision all the Azure resources required to setup your new OpenAI website.
+```bash
+# Terraform parses TF_VAR_* as vars (Ex: TF_VAR_name -> name)
+export TF_VAR_location="westus3"  
+export TF_VAR_kubernetes_version="1.30.9"
+export TF_VAR_model_name="gpt-4o-mini"
+export TF_VAR_model_version="2024-07-18"
+# Terraform consumes sub id as $ARM_SUBSCRIPTION_ID
+export ARM_SUBSCRIPTION_ID=$SUBSCRIPTION_ID
+# Run Terraform
+terraform -chdir=terraform init
+terraform -chdir=terraform apply -auto-approve
+```
+
+## Login to Cluster
+In order to use the kubectl to run commands on the newly created cluster, you must first login.
+```bash
+RESOURCE_GROUP=$(terraform -chdir=terraform output -raw resource_group_name)
+az aks get-credentials --admin --name AksCluster --resource-group $RESOURCE_GROUP --subscription $SUBSCRIPTION_ID
+```
+
+# Install Helm Charts
+Install nginx and cert-manager through Helm
+```bash
+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+
+STATIC_IP=$(terraform -chdir=terraform output -raw static_ip)
+DNS_LABEL=$(terraform -chdir=terraform output -raw dns_label)
+helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
+  --set controller.replicaCount=2 \
+  --set controller.nodeSelector."kubernetes\.io/os"=linux \
+  --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux \
+  --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"=$DNS_LABEL \
+  --set controller.service.loadBalancerIP=$STATIC_IP \
+  --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz
+helm upgrade --install cert-manager jetstack/cert-manager \
+  --set crds.enabled=true \
+  --set nodeSelector."kubernetes\.io/os"=linux
+```
+
+## Deploy
+Apply/Deploy Manifest File 
+```bash
+export IMAGE="aamini8/magic8ball:latest"
+# Uncomment below to manually build docker image yourself instead of using pre-built image.
+# docker build -t <YOUR IMAGE NAME> ./magic8ball --push
+export HOSTNAME=$(terraform -chdir=terraform output -raw hostname)
+export WORKLOAD_IDENTITY_CLIENT_ID=$(terraform -chdir=terraform output -raw workload_identity_client_id)
+export AZURE_OPENAI_DEPLOYMENT=$(terraform -chdir=terraform output -raw openai_deployment)
+export AZURE_OPENAI_ENDPOINT=$(terraform -chdir=terraform output -raw openai_endpoint)
+envsubst < quickstart-app.yml | kubectl apply -f -
+```
+
+## Wait for host to be ready
+```bash
+kubectl wait --for=condition=Ready certificate/tls-secret
+echo "Visit: https://$HOSTNAME"
+```

scenarios/AksOpenAiTerraform/magic8ball/Dockerfile

@@ -0,0 +1,12 @@
+FROM python:3.13-slim
+WORKDIR /app
+
+ENV PYTHONDONTWRITEBYTECODE=1
+ENV PYTHONUNBUFFERED=1
+
+COPY requirements.txt ./
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY . .
+EXPOSE 8501
+ENTRYPOINT ["streamlit", "run", "app.py", "--server.port=8501", "--server.address=0.0.0.0"]

scenarios/AksOpenAiTerraform/magic8ball/app.py

@@ -0,0 +1,65 @@
+import os
+from openai import AzureOpenAI
+import streamlit as st
+from azure.identity import WorkloadIdentityCredential, get_bearer_token_provider
+
+azure_deployment = os.getenv("AZURE_OPENAI_DEPLOYMENT")
+azure_endpoint = os.getenv("AZURE_OPENAI_ENDPOINT")
+workload_identity_client_id = os.getenv("WORKLOAD_IDENTITY_CLIENT_ID")
+
+client = AzureOpenAI(
+    api_version="2024-10-21",
+    azure_endpoint=azure_endpoint,
+    azure_ad_token_provider=get_bearer_token_provider(
+        WorkloadIdentityCredential(client_id=workload_identity_client_id),
+        "https://cognitiveservices.azure.com/.default",
+    ),
+)
+
+
+def ask_openai_api(messages: list[str]):
+    completion = client.chat.completions.create(
+        messages=messages, model=azure_deployment, stream=True, max_tokens=20
+    )
+    return completion
+
+
+assistant_prompt = """
+Answer as a magic 8 ball and make random predictions.
+If the question is not clear, respond with "Ask the Magic 8 Ball a question about your future."
+"""
+
+# Init state
+if "messages" not in st.session_state:
+    st.session_state.messages = [{"role": "system", "content": assistant_prompt}]
+if "disabled" not in st.session_state:
+    st.session_state.disabled = False
+
+st.title(":robot_face: Magic 8 Ball")
+for message in st.session_state.messages[1:]:  # Print previous messages
+    with st.chat_message(message["role"]):
+        st.markdown(message["content"])
+
+
+def disable_chat():
+    st.session_state.disabled = True
+
+
+if prompt := st.chat_input(
+    "Ask your question", on_submit=disable_chat, disabled=st.session_state.disabled
+):
+    # Print Question
+    st.session_state.messages.append({"role": "user", "content": prompt})
+    with st.chat_message("user"):
+        st.write(prompt)
+
+    # Print Response
+    with st.chat_message("assistant"):
+        messages = st.session_state.messages
+        with st.spinner("Loading..."):
+            response = st.write_stream(ask_openai_api(messages))
+    st.session_state.messages.append({"role": "assistant", "content": response})
+
+    # Re-enable textbox
+    st.session_state.disabled = False
+    st.rerun()

scenarios/AksOpenAiTerraform/magic8ball/requirements.txt

@@ -0,0 +1,3 @@
+streamlit~=1.40.1
+azure-identity~=1.20.0
+openai~=1.65.2

scenarios/AksOpenAiTerraform/quickstart-app.yml

@@ -0,0 +1,95 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: magic8ball-configmap
+data:
+  AZURE_OPENAI_ENDPOINT: $AZURE_OPENAI_ENDPOINT
+  AZURE_OPENAI_DEPLOYMENT: $AZURE_OPENAI_DEPLOYMENT
+  WORKLOAD_IDENTITY_CLIENT_ID: $WORKLOAD_IDENTITY_CLIENT_ID
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: magic8ball
+  labels:
+    app.kubernetes.io/name: magic8ball
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: magic8ball
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: magic8ball
+        azure.workload.identity/use: "true"
+    spec:
+      serviceAccountName: magic8ball-sa
+      containers:
+      - name: magic8ball
+        image: $IMAGE
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8501
+        envFrom:
+        - configMapRef: 
+            name: magic8ball-configmap
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: magic8ball
+spec:
+  selector:
+    app.kubernetes.io/name: magic8ball
+  ports:
+  - port: 80
+    targetPort: 8501
+    protocol: TCP
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: magic8ball-sa
+  annotations:
+    azure.workload.identity/client-id: $WORKLOAD_IDENTITY_CLIENT_ID
+    azure.workload.identity/tenant-id: $TENANT_ID
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: magic8ball
+  annotations:
+    cert-manager.io/issuer: letsencrypt-dev
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - $HOSTNAME
+    secretName: tls-secret
+  rules:
+  - host: $HOSTNAME
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: magic8ball
+            port:
+              number: 80
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt-dev
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: $EMAIL
+    privateKeySecretRef:
+      name: tls-secret
+    solvers:
+    - http01:
+        ingress:
+          ingressClassName: nginx