azure / terraform-azurerm-appgw-ingress-k8s-cluster

License: MIT License

HCL 100.00%

terraform-azurerm-appgw-ingress-k8s-cluster's Introduction

The Application Gateway Ingress Controller allows the Azure Application Gateway to be used as the ingress for an Azure Kubernetes Service aka AKS cluster. As shown in the figure below, the ingress controller runs as a pod within the AKS cluster. It consumes Kubernetes Ingress Resources and converts them to an Azure Application Gateway configuration which allows the gateway to load-balance traffic to Kubernetes pods.

This module deploys the resources needed for a greenfield deployment of an AKS cluster with Application Gateway as the ingress controller.

Azure Application Gateway + AKS

Setup

  • Greenfield Deployment: If you are starting from scratch, refer to these installation instructions, which outline the steps to deploy an AKS cluster with Application Gateway and install the Application Gateway ingress controller on the AKS cluster.

Usage

Refer to the tutorials to understand how you can expose an AKS service over HTTP or HTTPS, to the internet, using an Azure Application Gateway.

Usage of the module

resource "azurerm_resource_group" "test" {
  name     = "testResourceGroup1"
  location = "West US"

  tags = {
    environment = "dev"
    costcenter  = "it"
  }
}


module "appgw-ingress-k8s-cluster" {
  source                              = "Azure/appgw-ingress-k8s-cluster/azurerm"
  version                             = "0.1.0"
  resource_group_name                 = azurerm_resource_group.test.name
  location                            = "westus"
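  # Pass these in from variables (mark the secret sensitive) or a secret store
  # rather than committing literal values to the configuration.
  aks_service_principal_app_id        = "<App ID of the service principal>"
  aks_service_principal_client_secret = "<Client secret of the service principal>"
  aks_service_principal_object_id     = "<Object ID of the service principal>"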

  tags = {
    environment = "dev"
    costcenter  = "it"
  }
}

Authors

Originally created by Vaijanath Angadihiremath

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

terraform-azurerm-appgw-ingress-k8s-cluster's Issues

Is this still maintained?

The last commit is two years old. Will there be any updates and support for recent terraform versions?

Error: Unsupported argument

Getting an unsupported arguments error message with v0.1.0, and a different error with v0.1.1

```
Error: Unsupported argument

on module.tf line 10, in module "appgw-ingress-k8s-cluster":
10: resource_group_name = "${azurerm_resource_group.test.name}"

An argument named "resource_group_name" is not expected here.

Error: Unsupported argument

on module.tf line 11, in module "appgw-ingress-k8s-cluster":
11: location = "westeurope"

An argument named "location" is not expected here.
```

Principals of type Application cannot validly be used in role assignments.

Getting below error on terraform apply:
Using object ID.

2 error(s) occurred:

* azurerm_role_assignment.ra1: 1 error(s) occurred:

* azurerm_role_assignment.ra1: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="PrincipalTypeNotSupported" Message="Principals of type Application cannot validly be used in role assignments."
* azurerm_kubernetes_cluster.test: 1 error(s) occurred:

* azurerm_kubernetes_cluster.test: Error creating/updating Managed Kubernetes Cluster "aks-cluster1" (Resource Group "aksrg1"): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="ServicePrincipalNotFound" Message="Service principal clientID: xxxxx-xxxxx-xxxxx-xxxxx not found in Active Directory tenant xxxxx-xxxxx-xxxxx-xxxxx, Please see https://aka.ms/acs-sp-help for more details." 

I also tried using the tenant ID but got a PrincipalNotFound error.

Terraform rewrites all backend pools configured by ingress

On the second deploy, Terraform deletes all configured backends, rules and settings made by ingress-appgw-deployment.

Terraform:
resource "azurerm_public_ip" "aks-ingress" {
  name = "${var.workspace}-aks-ingress"
  resource_group_name = "${var.workspace}-aks"
  location = azurerm_resource_group.rg.location
  allocation_method = "Static"
  sku = "Standard"
}

resource "azurerm_application_gateway" "aks-ingress" {
  location = azurerm_resource_group.rg.location
  name = "${var.workspace}-aks-ingress"
  resource_group_name = "${var.workspace}-aks"

  backend_address_pool {
    name = "default"
  }
  backend_http_settings {
    cookie_based_affinity = "Disabled"
    name = "default"
    port = 80
    protocol = "Http"
    path = "/"
  }
  frontend_ip_configuration {
    name = azurerm_public_ip.aks-ingress.name
    public_ip_address_id = azurerm_public_ip.aks-ingress.id
  }
  frontend_port {
    name = "default"
    port = 80
  }
  gateway_ip_configuration {
    name = "public"
    subnet_id = azurerm_subnet.public.id
  }
  http_listener {
    frontend_ip_configuration_name = azurerm_public_ip.aks-ingress.name
    frontend_port_name = "default"
    name = "default"
    protocol = "Http"
  }

  request_routing_rule {
    http_listener_name = "default"
    name = "default"
    rule_type = "Basic"
    backend_http_settings_name = "default"
    backend_address_pool_name = "default"
  }

  sku {
    name = "WAF_v2"
    tier = "WAF_v2"
    capacity = 1
  }
}

resource "azurerm_kubernetes_cluster" "aks" {
  name = var.workspace
  location = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix = var.workspace
  private_cluster_enabled = false
  node_resource_group = "${var.workspace}-aks"

  identity {
    type = "SystemAssigned"
  }

  default_node_pool {
    name = "default"
    vm_size = var.kube-node-vm-size
    node_count = var.kube-pool-node-count
    vnet_subnet_id = azurerm_subnet.private.id
  }

  network_profile {
    network_plugin = "azure"
    network_policy = "azure"
  }
  addon_profile {
    ingress_application_gateway {
      enabled = true
      gateway_id = azurerm_application_gateway.aks-ingress.id
    }
  }
  tags = {
    Environment = var.workspace
  }
  depends_on = [
    azurerm_subnet.private,
    azurerm_resource_group.rg
  ]
}

resource "kubernetes_ingress" "ingress" {
  metadata {
    name = "ingress"
    namespace = kubernetes_namespace.ns.metadata.0.name
    annotations = {
      "kubernetes.io/ingress.class" = "azure/application-gateway"
      "appgw.ingress.kubernetes.io/ssl-redirect" = "true"
      "appgw.ingress.kubernetes.io/waf-policy-for-path" = azurerm_web_application_firewall_policy.ingress-ssi.id
    }
  }
  spec {
    tls {
      secret_name = kubernetes_secret.ssl.metadata.0.name
      hosts = [var.domain]
    }
    rule {
      host = var.domain
      http {
        path {
          backend {
            service_name = kubernetes_service.app.metadata.0.name
            service_port = kubernetes_service.app.spec.0.port.0.port
          }
          path = "/"
        }
        path {
          backend {
            service_name = kubernetes_service.app2.metadata.0.name
            service_port = kubernetes_service.app2.spec.0.port.0.port
          }
          path = "/app2/*"
        }
      }
...

Terraform plan
resource "azurerm_application_gateway" "aks-ingress" {
id = "/subscriptions/000000/resourceGroups/dev-aks/providers/Microsoft.Network/applicationGateways/dev-aks-ingress"
name = "dev-aks-ingress"
~ tags = {
- "managed-by-k8s-ingress" = "1.4.0/0e9dc17c/2021-02-26-03:29T+0000" -> null
}
# (4 unchanged attributes hidden)
~ backend_address_pool {
id = "/subscriptions/000000/resourceGroups/dev-aks/providers/Microsoft.Network/applicationGateways/dev-aks-ingress/backendAddressPools/defaultaddresspool"
~ name = "defaultaddresspool" -> "default"
# (2 unchanged attributes hidden)
}
- backend_address_pool {
- fqdns = [] -> null
- id = "/subscriptions/000000/resourceGroups/dev-aks/providers/Microsoft.Network/applicationGateways/dev-aks-ingress/backendAddressPools/pool-dev-app-8080-bp-8080" -> null
- ip_addresses = [
- "192.168.150.26",
] -> null
....
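
The plan above shows Terraform reverting the pools, rules and the `managed-by-k8s-ingress` tag that the ingress controller wrote to the gateway. One common way to stop that, shown here as an added example (not code from the poster or from this module), is a `lifecycle` `ignore_changes` block on the gateway. The resource names are reused from the post, and the list of ignored blocks is an assumption about which settings the ingress controller manages in this setup.

```hcl
resource "azurerm_application_gateway" "aks-ingress" {
  name                = "${var.workspace}-aks-ingress"
  resource_group_name = "${var.workspace}-aks"
  location            = azurerm_resource_group.rg.location
  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = 1
  }
  gateway_ip_configuration {
    name      = "public"
    subnet_id = azurerm_subnet.public.id
  }
  frontend_ip_configuration {
    name                 = azurerm_public_ip.aks-ingress.name
    public_ip_address_id = azurerm_public_ip.aks-ingress.id
  }
  frontend_port {
    name = "default"
    port = 80
  }
  backend_address_pool { name = "default" } # placeholder, replaced by the ingress controller
  backend_http_settings {
    name                  = "default"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    path                  = "/"
  }
  http_listener {
    name                           = "default"
    frontend_ip_configuration_name = azurerm_public_ip.aks-ingress.name
    frontend_port_name             = "default"
    protocol                       = "Http"
  }
  request_routing_rule {
    name                       = "default"
    rule_type                  = "Basic"
    http_listener_name         = "default"
    backend_address_pool_name  = "default"
    backend_http_settings_name = "default"
  }
  # Assumed set of blocks the ingress controller rewrites; adjust to your setup.
  lifecycle {
    ignore_changes = [
      tags, backend_address_pool, backend_http_settings, frontend_port, http_listener,
      probe, redirect_configuration, request_routing_rule, ssl_certificate, url_path_map,
    ]
  }
}
```

With these blocks ignored, Terraform no longer reports drift on them, so out-of-band changes to listeners or routing rules on the WAF gateway have to be monitored elsewhere, for example through the Azure Activity Log.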

Getting kubeconfig?

I've been able to successfully invoke this module and now I'd like to download the kubeconfig file from the k8s cluster created.

I don't see any items as output from the module, so I'm looking for suggestions on how to get access to the kubeconfig file for the k8s cluster after calling the module.

Regards,
Rajesh
