- Assumptions
- Setting up Authentication with Azure Resource Manager (ARM)
- Install Ingress Controller using Helm
The Application Gateway Ingress controller runs as pod within the AKS cluster. It listens to Kubernetes Ingress Resources from the Kubernetes API server and converts them to Azure Application Gateway configuration and updates the Application Gateway through the Azure Resource Manager (ARM).
In order to install the ingress controller on AKS we use Helm.
- An existing Azure Application Gateway v2.
- An existing Azure Kubernetes Service cluster with the following properties:
- RBAC is disabled in the cluster.
- The AKS service is launched with Advanced Networking.
- The aad-pod-identity service is installed on the AKS cluster.
Since the ingress controller needs to talk to the Kubernetes API server and the Azure Resource Manager it will need an identity to access both these entities. Since we are currently supporting only a non-RBAC cluster, the ingress controller currently does not need an identity to talk to the Kubernetes API server but needs and identity to talk to ARM.
The aad-pod-identity gives a clean way of exposing an existing Azure AD identity to a pod. Kindly follow the aad-pod-identity installation instructions to deploy the aad-pod-identity service on your AKS cluster. This is a pre-requiste for installing the ingress controller.
-
Create an Azure identity in the same resource group as the AKS nodes (typically the resource group with a
MC_prefix string)az identity create -g <resourcegroup> -n <identity-name>
-
Find the principal, resource and client ID for this identity
az identity show -g <resourcegroup> -n <identity-name>
-
Assign this new identity
Contributoraccess on the application gatewayaz role assignment create --role Contributor --assignee <principal ID from the command above> --scope <Resource ID of Application Gateway>
-
Assign this new identity
Readeraccess on the resource group that the application gateway belongs toaz role assignment create --role Reader --assignee <principal ID from the command above> --scope <Resource ID of Application Gateway Resource Group>
-
Add the
application-gateway-kubernetes-ingresshelm repo and perform a helm updatehelm repo add application-gateway-kubernetes-ingress https://azure.github.io/application-gateway-kubernetes-ingress/helm/ helm repo update
-
Edit helm-config.yaml and fill in the values for
appgwandarmAuth# This file contains the essential configs for the ingress controller helm chart ################################################################################ # Specify which application gateway the ingress controller will manage # appgw: subscriptionId: <subscription-id> resourceGroup: <resourcegroup-name> name: <applicationgateway-name> ################################################################################ # Specify which kubernetes namespace the ingress controller will watch # Default value is "default" # # kubernetes: # watchNamespace: <namespace> ################################################################################ # Specify the authentication with Azure Resource Manager # # Two authentication methods are available: # - Option 1: AAD-Pod-Identity (https://github.com/Azure/aad-pod-identity) armAuth: type: aadPodIdentity identityResourceID: <identity-resource-id> identityClientID: <identity-client-id>
NOTE: The
<identity-resource-id>and<identity-client-id>are the properties of the Azure AD Identity you setup in the previous section. You can retrieve this information by running the following command:bash az identity show -g <resourcegroup> -n <identity-name>Where<resourcegroup>is the resource group in which AKS cluster is running (this would have the prefixMC_). -
Install the helm chart
application-gateway-kubernetes-ingresswith thehelm-config.yamlconfiguration from the previous stephelm install -f <helm-config.yaml> application-gateway-kubernetes-ingress/ingress-azure
-
Check the log of the newly created pod to verify if it started properly