Application Gateway Ingress Controller
Application Gateway Ingress Controller (AGIC) is a Kubernetes application, which makes it possible for Azure Kubernetes Service (AKS) customers to leverage Azure’s native Application Gateway L7 load-balancer to expose cloud software to the Internet. AGIC monitors the Kubernetes cluster it is hosted on and continuously updates an App Gateway, so that selected services are exposed to the Internet.
The Ingress Controller runs in its own pod on the customer’s AKS. AGIC monitors a subset of Kubernetes Resources for changes. The state of the AKS cluster is translated to App Gateway specific configuration and applied to the Azure Resource Manager (ARM).

AGIC is configured via the Kubernetes Ingress resource, along with Service and Deployments/Pods. It provides a number of features, leveraging Azure’s native App Gateway L7 load balancer. To name a few:
- URL routing
- Cookie-based affinity
- SSL termination
- End-to-end SSL
- Support for public, private, and hybrid web sites
- Integrated web application firewall
Changelog
Blogs and talks
- Application Gateway Ingress Controller for Azure Kubernetes Service
- Ignite 2019 - AGIC GA announcement
Setup
- Greenfield Deployment: Instructions on installing AGIC, AKS and App Gateway on blank-slate infrastructure.
- Preview - Greenfield Deployment (Windows cluster): Instructions on installing AGIC, AKS and App Gateway on blank-slate infrastructure (running Windows Node Pool).
- Brownfield Deployment: Install AGIC on an existing AKS and Application Gateway.
Usage
Tutorials: Refer to these to understand how you can expose an AKS service over HTTP or HTTPS, to the internet, using an Azure Application Gateway.
Features: List of all available AGIC features.
Annotations: The Kubernetes Ingress specification does not allow all features of Application Gateway to be exposed through the Ingress resource. Therefore, Application Gateway Ingress Controller-specific annotations were introduced to expose Application Gateway features through an Ingress resource. Refer to these to understand the various annotations supported by the ingress controller, and the corresponding Application Gateway feature that each annotation turns on.
Helm Values Configuration Options: This document lists the various configuration options available through helm.
Upgrade/Rollback AGIC using helm: This document explains how to upgrade or roll back an AGIC Helm installation.
How-tos
- Setup E2E SSL
- Network connectivity when using kubenet or different virtual networks
- Automate SSL Cert issuance and rotation with Let’s Encrypt
- Expose a WebSocket server
- Automate DNS updates
- Upgrade AGIC via Helm
- Scale your Applications using Application Gateway Metrics (Beta)
- Continuous Deployment with AKS and AGIC using Azure Pipelines
- Minimizing Downtime During Deployments
- Increase AGIC verbosity level
Troubleshooting
For troubleshooting, please refer to this guide.
Frequently asked questions
For FAQ, please refer to this guide.
Reporting Issues
The best way to report an issue is to create a GitHub Issue for the project. Please include the following information when creating the issue:
- Subscription ID for AKS cluster.
- Subscription ID for Application Gateway.
- AKS cluster name/ARM Resource ID.
- Application Gateway name/ARM Resource ID.
- Ingress resource definition that might be causing the problem.
- The Helm configuration used to install the ingress controller.
Helm Values Configuration Options
Available options
| Field | Default | Description |
|---|---|---|
| verbosityLevel | 3 | Sets the verbosity level of the AGIC logging infrastructure. See Logging Levels for possible values. |
| reconcilePeriodSeconds | | Enable periodic reconciliation to check whether the latest gateway configuration differs from what AGIC has cached. Range: 30 - 300 seconds. Disabled by default. |
| appgw.applicationGatewayID | | Resource ID of the Application Gateway. Example: applicationgatewayd0f0 |
| appgw.subscriptionId | Default is agent node pool's subscriptionId derived from CloudProvider config | The Azure Subscription ID in which App Gateway resides. Example: a123b234-a3b4-557d-b2df-a0bc12de1234 |
| appgw.resourceGroup | Default is agent node pool's resource group derived from CloudProvider config | Name of the Azure Resource Group in which App Gateway was created. Example: app-gw-resource-group |
| appgw.name | | Name of the Application Gateway. Example: applicationgatewayd0f0 |
| appgw.environment | AZUREPUBLICCLOUD | Specify which cloud environment. Possible values: AZURECHINACLOUD, AZUREGERMANCLOUD, AZUREPUBLICCLOUD, AZUREUSGOVERNMENTCLOUD |
| appgw.shared | false | This boolean flag should be defaulted to false. Set to true should you need a Shared App Gateway. |
| appgw.subResourceNamePrefix | No prefix if empty | Prefix that should be used in the naming of the Application Gateway's sub-resources |
| kubernetes.watchNamespace | Watches all if empty | Specify the namespace which AGIC should watch. This can be a single string value, or a comma-separated list of namespaces. |
| kubernetes.securityContext | runAsUser: 0 | Specify the security context to use with the AGIC deployment. By default, AGIC will assume root permission. Jump to Security Context for more information. |
| kubernetes.podAnnotations | {} | Specify custom annotations for the AGIC pod |
| kubernetes.nodeSelector | {} | Scheduling node selector |
| kubernetes.tolerations | [] | Scheduling tolerations |
| kubernetes.affinity | {} | Scheduling affinity |
| kubernetes.ingressClass | azure/application-gateway | Specify a custom ingress class which will be used to match kubernetes.io/ingress.class in the Ingress manifest |
| rbac.enabled | false | Specify true if the Kubernetes cluster is RBAC enabled |
| armAuth.type | | Could be aadPodIdentity or servicePrincipal |
| armAuth.identityResourceID | | Resource ID of the Azure Managed Identity |
| armAuth.identityClientId | | The Client ID of the Identity. See below for more information on Identity |
| armAuth.secretJSON | | Only needed when the Service Principal Secret type is chosen (when armAuth.type has been set to servicePrincipal) |
| nodeSelector | {} | (Legacy: use kubernetes.nodeSelector instead) Scheduling node selector |
Example
```yaml
appgw:
  applicationGatewayID: <application-gateway-resource-id>
  environment: "AZUREUSGOVERNMENTCLOUD" # default: AZUREPUBLICCLOUD
armAuth:
  type: aadPodIdentity
  identityResourceID: <identityResourceId>
  identityClientID: <identityClientId>
kubernetes:
  nodeSelector: {}
  tolerations: []
  affinity: {}
rbac:
  enabled: false
```
Security Context
By default, AGIC assumes root permission, which allows it to read the cloud-provider config and get metadata about the cluster.
If you want AGIC to run without root access, make sure that AGIC is installed with at least the following information so that it can run successfully:
- appgw.subscriptionId, appgw.resourceGroup and appgw.name, or
- appgw.applicationGatewayID
AGIC also uses the cloud-provider config to get the node's virtual network name/subscription and route table name. If AGIC is not able to reach this information, it will skip assigning the node's route table to the Application Gateway's subnet, which is required when using the kubenet network plugin. As a workaround, this assignment can be performed manually.
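The following Helm values file is an added example (not from the AGIC project's own documentation) showing the default root setting next to a non-root configuration that supplies the gateway identifiers explicitly, as the section above requires. The UID/GID of 1000, the use of `runAsNonRoot`, the managed-identity auth type and `rbac.enabled: true` are assumptions for illustration; the values in angle brackets are placeholders to be replaced with your own.

```yaml
# Added example, not the project's own values file.
# Default behaviour (for comparison only): AGIC runs as root and discovers the
# gateway from the node pool's cloud-provider config.
#
# kubernetes:
#   securityContext:
#     runAsUser: 0

# Least-privilege variant: run AGIC as an unprivileged user.
appgw:
  # Without root, AGIC cannot read the cloud-provider config, so the gateway
  # must be identified explicitly: either these three fields ...
  subscriptionId: <subscription-id>
  resourceGroup: <resource-group>
  name: <application-gateway-name>
  # ... or the full ARM resource ID instead of the three fields above:
  # applicationGatewayID: <application-gateway-resource-id>
armAuth:
  type: aadPodIdentity            # assumption: managed identity rather than a service principal
  identityResourceID: <identityResourceId>
  identityClientID: <identityClientId>
kubernetes:
  securityContext:
    runAsUser: 1000               # assumption: any non-zero UID is fine
    runAsGroup: 1000
    runAsNonRoot: true            # kubelet refuses to start the pod as UID 0
rbac:
  enabled: true                   # assumption: the cluster has RBAC enabled
```

With this configuration AGIC also has no access to the node's route table name, so on a kubenet cluster the route table must be associated with the Application Gateway's subnet manually, as the section above notes; on a cluster using a different network plugin no extra step is needed.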