
The Application Gateway Ingress Controller (AGIC) is a Kubernetes application that makes it possible for Azure Kubernetes Service (AKS) customers to leverage Azure’s native Application Gateway L7 load-balancer to expose cloud software to the Internet. AGIC monitors the Kubernetes cluster it is hosted on and continuously updates an Application Gateway, so that selected services are exposed to the Internet.
The Ingress Controller runs in its own pod on the customer’s AKS cluster. AGIC monitors a subset of Kubernetes resources for changes. The state of the AKS cluster is translated to Application Gateway specific configuration and applied to the Azure Resource Manager (ARM).

Prerequisites
- Create an AKS cluster by following the first article in this series, AKS #1: Create Azure Kubernetes Service cluster
- Install KubeCTL by following Install KubeCTL on Linux
Install Application Gateway Add-Ons for AKS
1. Connect to an AKS Cluster
Open your terminal and make sure you’re logged in to Azure CLI. Get the information for the AKS cluster you created with the az aks show command:
```bash
# show Azure Kubernetes Service
az aks show --name $AKS_NAME --resource-group $AKS_RG
```
You can now get the AKS credentials and use KubeCTL to start working on your Azure Kubernetes cluster:
```bash
# get AKS credentials
az aks get-credentials --name $AKS_NAME --resource-group $AKS_RG
# press Y/Yes if asked

# now set AKS context for kubectl by
kubectl config use-context $AKS_NAME

# run kubectl command to get cluster nodes
kubectl get nodes -o wide
```
2. Install Application Gateway Ingress add-ons
```bash
# get the current Application Gateway that was created earlier
appgwId=$(az network application-gateway show -n $APPGW_NAME -g $AKS_RG -o tsv --query "id" | tr -d '\r')
az aks addon enable --name $AKS_NAME --resource-group $AKS_RG --addon ingress-appgw --appgw-id $appgwId
```
We need to wait until it is available on all the Azure resources; this is an Azure bug registered at https://github.com/Azure/azure-cli/issues/6397
Run the following fix to re-assign the cluster AAD identity to the Application Gateway:
```bash
# get resource group for AKS nodes
nodeResourceGroup=$(az aks show -n $AKS_NAME -g $AKS_RG --query "nodeResourceGroup" -o tsv | tr -d '\r')

# get AGIC identity
agicIdentity=$(az aks show -n $AKS_NAME -g $AKS_RG --query "addonProfiles.ingressApplicationGateway.identity.resourceId" -o tsv | tr -d '\r')

# get AKS VMSS ID
aksVmssId=$(az vmss list -g $nodeResourceGroup --query "[0].id" -o tsv | tr -d '\r')

# assign AGIC identity to VMSS
az vmss identity assign --ids $aksVmssId --identities $agicIdentity

# get AGIC AAD service principal
agicIdentitySP=$(az aks show -n $AKS_NAME -g $AKS_RG --query "addonProfiles.ingressApplicationGateway.identity.objectId" -o tsv | tr -d '\r')

# get Application Gateway ID
appGWId=$(az aks show -n $AKS_NAME -g $AKS_RG --query 'addonProfiles.ingressApplicationGateway.config.applicationGatewayId' -o tsv | tr -d '\r')

# create role assignment to Application Gateway
az role assignment create --assignee-object-id $agicIdentitySP --assignee-principal-type ServicePrincipal --role 'Contributor' --scope $appGWId
```
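To confirm that the fix above left the AGIC identity with write access only on the Application Gateway itself, the following added example (not part of the original enable_agic.sh) classifies the identity's role assignments by scope. The sample IDs and resource names are constructed, and treating `Reader` as the only read-only role is an assumption made for illustration.

```shell
#!/bin/sh
# Added example (not from enable_agic.sh): classify the AGIC identity's role
# assignments relative to the Application Gateway it is meant to manage.
# stdin: "role<TAB>scope" lines, for example from
#   az role assignment list --assignee "$agicIdentitySP" --all \
#     --query "[].[roleDefinitionName, scope]" -o tsv | tr -d '\r'
# Verdicts: OK    = assignment on the gateway itself
#           READ  = Reader on a parent scope (assumed read-only)
#           BROAD = any other role on a parent scope (wider than the gateway)
#           OTHER = unrelated resource, review separately
# Exit status is 1 when at least one BROAD assignment is found.
audit_agic_scopes() {
    gw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # ARM IDs are case-insensitive
    awk -F '\t' -v gw="$gw" '
        {
            scope = tolower($2)
            sub(/\/+$/, "", scope)                        # "/" (root) becomes ""
            parent = (index(gw, scope "/") == 1) ||
                     (scope ~ /^\/providers\/microsoft\.management\//)
            if (scope == gw)   v = "OK"
            else if (parent)   v = ($1 == "Reader") ? "READ" : "BROAD"
            else               v = "OTHER"
            if (v == "BROAD") broad++
            printf "%s\t%s\t%s\n", v, $1, $2
        }
        END { exit (broad > 0) }'
}

# Constructed sample data: placeholder subscription ID and hypothetical names.
SAMPLE_SUB="/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_RG="$SAMPLE_SUB/resourceGroups/rg-demo"
SAMPLE_GW="$SAMPLE_RG/providers/Microsoft.Network/applicationGateways/appgw-demo"
sample_assignments() {
    printf '%s\t%s\n' "Contributor" "$SAMPLE_GW"
    printf '%s\t%s\n' "Reader" "$SAMPLE_RG"
    printf '%s\t%s\n' "Contributor" "$SAMPLE_SUB"
    printf '%s\t%s\n' "Network Contributor" "$SAMPLE_RG/providers/Microsoft.Network/virtualNetworks/vnet-demo"
}

sample_assignments | audit_agic_scopes "$SAMPLE_GW" || echo "BROAD assignments found" >&2
```

A `BROAD` line means the identity can modify more than the gateway the script scoped it to; an `OTHER` line is outside the gateway's ancestry and needs its own review.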
3. Post-installation
After the Application Gateway Ingress add-on is installed on the Kubernetes cluster, you can verify its configuration in the Azure Portal.
Get the current deployment of the Application Gateway Ingress add-on on your cluster by running the kubectl get pods command. Make sure ingress-appgw-deployment is up and in the Running state.
```bash
# get K8S deployment pods
kubectl get pod -A

# outputs
PS C:\Users\admin> kubectl get pods -A
NAMESPACE     NAME                                        READY   STATUS    RESTARTS   AGE
kube-system   azure-ip-masq-agent-42s4m                   1/1     Running   0          50m
kube-system   azure-ip-masq-agent-4q4dr                   1/1     Running   0          50m
kube-system   azure-ip-masq-agent-sdlfx                   1/1     Running   0          50m
kube-system   azure-npm-h46lv                             1/1     Running   0          49m
kube-system   azure-npm-rzrpx                             1/1     Running   0          49m
kube-system   azure-npm-wd8vr                             1/1     Running   0          49m
kube-system   cloud-node-manager-7rzf4                    1/1     Running   0          50m
kube-system   cloud-node-manager-8b49c                    1/1     Running   0          50m
kube-system   cloud-node-manager-97bqm                    1/1     Running   0          50m
kube-system   coredns-autoscaler-7d56cd888-rd8bw          1/1     Running   0          51m
kube-system   coredns-dc97c5f55-2nnd9                     1/1     Running   0          50m
kube-system   coredns-dc97c5f55-k82sv                     1/1     Running   0          51m
kube-system   csi-azuredisk-node-5lnqz                    3/3     Running   0          50m
kube-system   csi-azuredisk-node-cs9ns                    3/3     Running   0          50m
kube-system   csi-azuredisk-node-x76c2                    3/3     Running   0          50m
kube-system   csi-azurefile-node-5bjr6                    3/3     Running   0          50m
kube-system   csi-azurefile-node-7zgg9                    3/3     Running   0          50m
kube-system   csi-azurefile-node-lv4bl                    3/3     Running   0          50m
kube-system   ingress-appgw-deployment-7fd8c8bc8b-z7wt7   1/1     Running   0          41m
kube-system   konnectivity-agent-59d995c6fc-tfght         1/1     Running   0          29m
kube-system   konnectivity-agent-59d995c6fc-zwz8h         1/1     Running   0          29m
kube-system   kube-proxy-8mqhm                            1/1     Running   0          50m
kube-system   kube-proxy-kfsc2                            1/1     Running   0          50m
kube-system   kube-proxy-mpxsz                            1/1     Running   0          50m
kube-system   metrics-server-64b66fbbc8-7g6wf             1/1     Running   0          51m
```
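The wait mentioned in step 2 and the readiness check in this step can be scripted instead of done by eye. This is an added example, not part of the original enable_agic.sh; the `retry` and `agic_pod_ready` helper names and the attempt counts are assumptions, and the sample pod lines are constructed from the listing above.

```shell
#!/bin/sh
# Added example (not from enable_agic.sh).

# agic_pod_ready: stdin is `kubectl get pods -A` output. Succeeds only when at
# least one ingress-appgw-deployment pod is listed and every one of them is
# Running with all containers ready (READY n/n, n > 0).
agic_pod_ready() {
    awk '
        $2 ~ /^ingress-appgw-deployment-/ {
            seen++
            split($3, ready, "/")
            if ($4 != "Running" || ready[1] != ready[2] || ready[2] == 0) bad++
        }
        END { exit (seen == 0 || bad > 0) }'
}

# retry ATTEMPTS DELAY CMD...: rerun CMD until it succeeds or ATTEMPTS is used up.
retry() {
    attempts=$1; delay=$2; shift 2
    n=1
    until "$@"; do
        if [ "$n" -ge "$attempts" ]; then
            echo "gave up after $n attempts: $*" >&2
            return 1
        fi
        n=$((n + 1))
        sleep "$delay"
    done
}

# Live usage (needs az and kubectl, so it is left commented out):
#   retry 10 30 az role assignment create --assignee-object-id "$agicIdentitySP" \
#       --assignee-principal-type ServicePrincipal --role Contributor --scope "$appGWId"
#   agic_live() { kubectl get pods -A | agic_pod_ready; }
#   retry 20 15 agic_live

# Constructed sample, taken from the listing above plus one failing variant.
SAMPLE_OK='NAMESPACE     NAME                                        READY   STATUS    RESTARTS   AGE
kube-system   coredns-dc97c5f55-2nnd9                     1/1     Running   0          50m
kube-system   ingress-appgw-deployment-7fd8c8bc8b-z7wt7   1/1     Running   0          41m'
SAMPLE_BAD='kube-system   ingress-appgw-deployment-7fd8c8bc8b-z7wt7   0/1     CrashLoopBackOff   4   3m'

printf '%s\n' "$SAMPLE_OK"  | agic_pod_ready && echo "sample 1: AGIC ready"
printf '%s\n' "$SAMPLE_BAD" | agic_pod_ready || echo "sample 2: AGIC not ready"
```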
Source Code
Source code for this article is available on GitHub at epiHATR/azurekubernetes/enable_agic.sh