AKS - Application Gateway Ingress Controller management
As discussed in my post about AKS planning, there are a couple of choices for what device you use in conjunction with your Azure Kubernetes Service (AKS) ingress controller. The default scenario is that you deploy an Azure Load Balancer and then install your ingress controller of choice; the ingress controller then works in unison with the Load Balancer.
For information on how to implement AGIC, check out the links on this page. In this article we are going to discuss AGIC and some of the practicalities of working with this configuration.
To use AGIC you need to use AAD Pod Identity. We configure a managed identity with permissions to manage and update the Application Gateway, and we use AAD Pod Identity to allow the AGIC pods to run as this managed identity. For more information on AKS and managed identities, check out my previous post on this topic.
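As an added example (not from the original post), this is the shape of the AAD Pod Identity binding that gives the AGIC pods access to the managed identity described above. The identity name, resource ID, client ID and the `ingress-azure` pod label selector are placeholders chosen for the example; substitute the values of the user-assigned identity you created.

```yaml
# Added example, not from the original post. All values below are placeholders.
# AzureIdentity describes the user-assigned managed identity that AGIC will use.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: agic-identity
  namespace: default
spec:
  # type 0 = user-assigned managed identity
  type: 0
  resourceID: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<AGW_RESOURCE_GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/agic-identity
  clientID: <CLIENT_ID_OF_MANAGED_IDENTITY>
---
# AzureIdentityBinding ties that identity to pods carrying the label
# aadpodidbinding=<selector>. Only those pods can obtain tokens for it,
# which keeps the Application Gateway permissions away from workload pods.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: agic-identity-binding
  namespace: default
spec:
  azureIdentity: agic-identity
  selector: ingress-azure   # assumed label value on the AGIC pods
```

The principal running the deployment needs Managed Identity Operator over the identity referenced in `resourceID`, which is the permission listed below; the selector must match the `aadpodidbinding` label set on the AGIC pods, and nothing else in the cluster should carry that label.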
Application Gateway Managed Identity
- Reader permissions on the Application Gateway resource group
- Contributor permissions on the Application Gateway resource
- Managed Identity Operator permissions on Key Vaults, if used for SSL certificates
- Managed Identity Operator over the Application Gateway managed identity, for use with AAD Pod Identity
This site contains the annotations that can be used in your ingress config to manage the way the Application Gateway behaves. You will always need to set the ingress class so the cluster knows this ingress is handled by AGIC: `"kubernetes.io/ingress.class" = "azure/application-gateway"`. In addition, the applications are configured to use the certificate that has been deployed to the Application Gateway.
The certificate name is the friendly name you use when you deploy the SSL certificate to the Application Gateway. If you add new certificates or update them after a renewal, ensure you are referencing the correct certificate. Below is how the annotation block may look on a common AKS ingress deployment.
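The following is an added example of such an Ingress manifest (it is not the block from the original post). The resource names, namespace, hostname and the certificate friendly name `wildcard-example-com` are constructed placeholders; the annotation keys are AGIC's own.

```yaml
# Added example, not from the original post. Names, host and certificate
# friendly name are constructed placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-app
  namespace: web
  annotations:
    # Required: hands this Ingress to AGIC rather than any other controller
    kubernetes.io/ingress.class: azure/application-gateway
    # Friendly name of the certificate already uploaded to the Application Gateway.
    # It must match exactly; if a renewed certificate is uploaded under a new
    # name, this value has to be updated or the listener keeps serving the old one.
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: wildcard-example-com
    # Redirect plain HTTP to HTTPS at the gateway so clients never stay on clear text
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  # No spec.tls block: the certificate lives on the Application Gateway,
  # so there is no Kubernetes TLS secret to reference here.
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-app
                port:
                  number: 80
```

A quick check after applying this is to confirm that the Application Gateway listener for `app.example.com` references the expected certificate and that a plain HTTP request to the host returns a redirect rather than content; a typo in the friendly name surfaces as AGIC rejecting the Ingress in its logs rather than as a quiet fallback.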