Greenfield Deployment

The instructions below assume Application Gateway Ingress Controller (AGIC) will be installed in an environment with no pre-existing components.

Required Command Line Tools

We recommend the use of Azure Cloud Shell for all command line operations below. Launch your shell from shell.azure.com, or launch Cloud Shell from the Azure portal.

Your Azure Cloud Shell already has all necessary tools. Should you choose to use another environment, please ensure the following command line tools are installed:

  1. az - Azure CLI: installation instructions
  2. kubectl - Kubernetes command-line tool: installation instructions
  3. helm - Kubernetes package manager: installation instructions

Create an Identity

Follow the steps below to create an Azure Active Directory (AAD) service principal object. Please record the appId, password, and objectId values - these will be used in the following steps.

  1. Create AD service principal (Read more about RBAC):

    az ad sp create-for-rbac --skip-assignment

    note: the appId and password values from the JSON output will be used in the following steps

  2. Use the appId from the previous command's output to get the objectId of the new service principal:

    az ad sp show --id <appId> --query "objectId"

    note: the output of this command is objectId, which will be used in the ARM template below

Deploy Components

Click on the Deploy to Azure icon below to begin the infrastructure deployment using an ARM template. This step will add the following components to your subscription:

Important

Please use the appId, objectId, and password values from the az commands above and paste them in the corresponding ARM template fields:

  • paste the appId value in the Aks Service Principal App Id template field
  • paste the password value in the Aks Service Principal Client Secret field
  • paste the objectId value in the Aks Service Principal Object Id field

Note: To deploy an RBAC enabled cluster, set the aksEnabledRBAC field to true

Navigate to the deployment output and record the parameters (Azure portal: Home -> *resource group* -> Deployments -> *new deployment* -> Outputs).

Set up Application Gateway Ingress Controller

With the instructions in the previous section we created and configured a new AKS cluster and an App Gateway. We are now ready to deploy a sample app and an ingress controller to our new Kubernetes infrastructure.

Setup Kubernetes Credentials

For the following steps we need to set up the kubectl command, which we will use to connect to our new Kubernetes cluster. Cloud Shell has kubectl already installed. We will use the az CLI to obtain credentials for Kubernetes.

Get credentials for your newly deployed AKS (read more):

```bash
az aks get-credentials --resource-group <your-new-resource-group> --name <name-of-new-AKS-cluster>
```

Install AAD Pod Identity

Azure Active Directory Pod Identity provides token-based access to Azure Resource Manager (ARM).

AAD Pod Identity will add the following components to your Kubernetes cluster:

  1. Kubernetes CRDs: AzureIdentity, AzureAssignedIdentity, AzureIdentityBinding
  2. Managed Identity Controller (MIC) component
  3. Node Managed Identity (NMI) component

To install AAD Pod Identity to your cluster:

- *RBAC enabled* AKS cluster

```bash
kubectl create -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
```

- *RBAC disabled* AKS cluster

```bash
kubectl create -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment.yaml
```

Install Helm

Helm is a package manager for Kubernetes. We will leverage it to install the application-gateway-kubernetes-ingress package:

  1. Install Helm and run the following to add application-gateway-kubernetes-ingress helm package:

    • RBAC enabled AKS cluster

        kubectl create serviceaccount --namespace kube-system tiller-sa
        kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller-sa
        helm init --tiller-namespace kube-system --service-account tiller-sa

    • RBAC disabled AKS cluster

        helm init

  2. Add the AGIC Helm repository:

    helm repo add application-gateway-kubernetes-ingress https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/
    helm repo update

Install Ingress Controller

  1. Download helm-config.yaml, which will configure AGIC:

    wget https://raw.githubusercontent.com/Azure/application-gateway-kubernetes-ingress/master/docs/examples/sample-helm-config.yaml -O helm-config.yaml
  2. Edit helm-config.yaml and fill in the values for appgw and armAuth.

    nano helm-config.yaml

    NOTE: The <identity-resource-id> and <identity-client-id> are the properties of the Azure AD Identity you set up in the previous section. You can retrieve this information by running the following command: az identity show -g <resourcegroup> -n <identity-name>, where <resourcegroup> is the resource group in which the top-level AKS cluster object, Application Gateway and Managed Identity are deployed.

  3. Install the Application Gateway ingress controller package:

    helm install -f helm-config.yaml application-gateway-kubernetes-ingress/ingress-azure
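
An easy mistake in step 2 is to leave a template placeholder in place, or to paste the identity's name where its resource ID or client ID belongs. The script below is an added example, not part of the AGIC project, that checks helm-config.yaml for both before step 3. It assumes the identity keys are named identityResourceID and identityClientID; the function names and sample values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for helm-config.yaml before `helm install`.
# Assumption: the identity keys are named identityResourceID / identityClientID.

# Print the first value of "<key>: value", minus comments, quotes and spaces.
yaml_value() {  # usage: yaml_value <file> <key>
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" |
    sed 's/[[:space:]]*#.*$//' | head -n 1 | tr -d "\"'[:space:]"
}

check_helm_config() {  # usage: check_helm_config <file>; returns 0 if it passes
  local file="$1" rc=0 rid cid
  # 1. No template placeholder such as <identity-client-id> may remain.
  if grep -nE '^[^#]*<[A-Za-z][A-Za-z0-9_-]*>' "$file" >&2; then
    echo "unfilled placeholder(s) on the lines above" >&2; rc=1
  fi
  # 2. The resource ID must be the full ARM ID of a user-assigned identity.
  rid=$(yaml_value "$file" identityResourceID)
  if ! printf '%s\n' "$rid" | grep -qiE '^/subscriptions/[0-9a-f-]{36}/resourcegroups/[^/]+/providers/Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$'; then
    echo "identityResourceID is not a managed identity resource ID: '$rid'" >&2; rc=1
  fi
  # 3. The client ID must be a GUID (not a name, and not left as a placeholder).
  cid=$(yaml_value "$file" identityClientID)
  if ! printf '%s\n' "$cid" | grep -qiE '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
    echo "identityClientID is not a GUID: '$cid'" >&2; rc=1
  fi
  return "$rc"
}

# Constructed sample values (not real identifiers), written to a temp file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
appgw:
    subscriptionId: 00000000-0000-0000-0000-000000000000
    resourceGroup: demo-rg
    name: demo-appgw
armAuth:
    type: aadPodIdentity
    identityResourceID: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/demo-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/demo-identity
    identityClientID: 11111111-2222-3333-4444-555555555555
EOF
check_helm_config "$sample" && echo "helm-config.yaml passed the pre-flight check"
```

Run `check_helm_config helm-config.yaml` against your edited file and continue to the helm install only when it returns 0.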

Install a Sample App

Now that we have App Gateway, AKS, and AGIC installed we can install a sample app via Azure Cloud Shell:

```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
 name: aspnetapp
 labels:
   app: aspnetapp
spec:
 containers:
 - image: "mcr.microsoft.com/dotnet/core/samples:aspnetapp"
   name: aspnetapp-image
   ports:
   - containerPort: 80
     protocol: TCP

---

apiVersion: v1
kind: Service
metadata:
 name: aspnetapp
spec:
 selector:
   app: aspnetapp
 ports:
 - protocol: TCP
   port: 80
   targetPort: 80

---

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
 name: aspnetapp
 annotations:
   kubernetes.io/ingress.class: azure/application-gateway
spec:
 rules:
 - http:
     paths:
     - path: /
       backend:
         serviceName: aspnetapp
         servicePort: 80
EOF
```

Alternatively you can:

  1. Download the YAML file above:

    curl https://raw.githubusercontent.com/Azure/application-gateway-kubernetes-ingress/master/docs/examples/aspnetapp.yaml -o aspnetapp.yaml

  2. Apply the YAML file:

    kubectl apply -f aspnetapp.yaml

Other Examples

The tutorials document contains more examples on how to expose an AKS service via HTTP or HTTPS to the Internet with App Gateway.