[WIP] New Lab - Application Gateway for Containers #87
Conversation
Pull Request Overview
This PR adds a new comprehensive lab documentation for Application Gateway for Containers (AGC) with Azure Kubernetes Service (AKS). The lab guides users through deploying and configuring AGC to expose applications over HTTP/HTTPS with advanced features like Web Application Firewall policies and traffic splitting for canary deployments.
- Complete step-by-step guide for setting up Application Gateway for Containers with AKS
- Integration with cert-manager for HTTPS certificate management using Let's Encrypt
- Advanced features including WAF policy application and canary deployment implementation
Copilot reviewed 1 out of 4 changed files in this pull request and generated 9 comments.
| kind: Gateway | ||
| metadata: | ||
| name: gateway-01 | ||
| namespace: test-infra |
Copilot (AI), Sep 11, 2025
The namespace 'test-infra' is used here, but the ApplicationLoadBalancer was created in namespace 'alb-test-infra' (line 204). This inconsistency will cause the Gateway to fail to find the referenced ALB resource.
| namespace: test-infra | |
| namespace: alb-test-infra |
There is no namespace called "test-infra"; should this be alb-test-infra instead?
| spec: | ||
| acme: | ||
| server: https://acme-v02.api.letsencrypt.org/directory # production endpoint | ||
| email: your-email@example.com |
Copilot (AI), Sep 11, 2025
The email address should be updated to use a placeholder format that clearly indicates users need to replace it with their actual email, such as 'your-email@example.com' or 'user@domain.com'.
| email: your-email@example.com | |
| email: <your-email@example.com> |
Should note that the user should replace the your-email@example.com placeholder with a real email address, otherwise this ClusterIssuer will not work.
| While the current permissions are sufficient for creating the WAF Policy, the ALB controller is unable to join the policy to the HTTP route. Add a Network Contributor role with a scope matching the WAF Policy you just created: | ||
|
|
||
| ```bash | ||
| az role assignment create --assignee-object-id $PRINCIPAL_ID --assignee-principal-type ServicePrincipal --scope $WAF_POLICY_ID --role "4d97b98b-1d4f-4787-a291-c67834d212e7" # Network Contributor |
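Review bot: before this `az role assignment create` runs, both `$WAF_POLICY_ID` and `$PRINCIPAL_ID` must be bare IDs; if either was captured without `-o tsv` it still carries JSON quotes and `--scope` / `--assignee-object-id` will be rejected. Suggest adding a one-line sanity check to the doc, e.g. `echo "$WAF_POLICY_ID"` (it should start with `/subscriptions/` and have no surrounding quotes), and passing `--role "Network Contributor"` by name, which states the intent without the trailing comment on the GUID.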
Copilot (AI), Sep 11, 2025
The WAF_POLICY_ID variable will contain quotes from the previous command (line 598), which will cause this role assignment to fail. This is another consequence of the missing '-o tsv' parameter in the previous command.
@copilot open a new pull request to apply changes based on this feedback
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…github.com/mestredelpino/aks-labs into new-lab/application-gateway-for-containers
pauldotyu left a comment
Have not had a chance to complete this end-to-end yet but can you review my suggestions for setup as well as some of the Copilot suggestions?
docs/networking/agc-lab.md (Outdated)
| CONTROLLER_NAMESPACE='azure-alb-system' | ||
| az aks get-credentials --resource-group $RG_NAME --name $AKS_NAME | ||
| CLIENT_ID=$(az identity show -g $RG_NAME -n $IDENTITY_RESOURCE_NAME --query clientId -o tsv) | ||
| helm install alb-controller oci://mcr.microsoft.com/application-lb/charts/alb-controller --namespace $HELM_NAMESPACE --version 1.7.9 --set albController.namespace=$CONTROLLER_NAMESPACE --set albController.podIdentity.clientID=$CLIENT_ID --create-namespace |
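Review bot: `--namespace $HELM_NAMESPACE` references a variable that is not set in this hunk, whereas `CONTROLLER_NAMESPACE` is; if `HELM_NAMESPACE` is not defined earlier in the lab, the flag receives an empty value and the release will not land where `--create-namespace` implies. Either define `HELM_NAMESPACE` next to `CONTROLLER_NAMESPACE` or reuse `$CONTROLLER_NAMESPACE` for both.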
There seems to be an issue with installing this version.
I replaced it with the latest version in the docs (1.8.12). Link to docs: https://learn.microsoft.com/en-us/azure/application-gateway/for-containers/quickstart-deploy-application-gateway-for-containers-alb-controller?tabs=install-helm-windows
Can you please check again with the new version?
Co-authored-by: Paul Yu <paul.d.yu@gmail.com>
pauldotyu left a comment
@mestredelpino I tried to go e2e with your lab instructions but was unable to get the cert-manager to work. Can you take a look at the comments here and resolve and let me know if you are able to run through the lab e2e?
| # Install Azure CLI extensions. | ||
| az extension add --name alb | ||
| ``` | ||
|
|
Adding shared markdown to create resource group and AKS cluster.
| <ProvisionResourceGroup /> | |
| <ProvisionAKSCluster /> |
| Run the following command to create a new subnet containing at least 250 available IP addresses and enable subnet delegation for the Application Gateway for Containers association resource: | ||
|
|
||
| ```bash | ||
| SUBNET_ADDRESS_PREFIX='10.239.1.0/24' |
This subnet address prefix might not always work. The 10.239.1.0/24 network range overlaps with the aks-virtualkubelet subnet. So you might want to use 10.238.1.0/24 or revise how the user deploys AGC. IMO, I think the user should be deploying AKS into their own virtual network and subnet to avoid modifying anything in the managed resource group.
|
|
||
|
|
||
| ```bash | ||
| kubectl get applicationloadbalancer alb-test -n alb-test-infra -o yaml -w |
Should put a note after this to let folks know how long it can take to update.
| kind: Gateway | ||
| metadata: | ||
| name: gateway-01 | ||
| namespace: test-infra |
There is no namespace called "test-infra"; should this be alb-test-infra instead?
| kind: Deployment | ||
| metadata: | ||
| name: ngcolor-blue | ||
| namespace: test-infra |
There is no namespace called "test-infra" at this point. Should it be "alb-test-infra" instead?
| kind: HTTPRoute | ||
| metadata: | ||
| name: ngcolor-app | ||
| namespace: test-infra |
There is no namespace called "test-infra" at this point. Should it be "alb-test-infra" instead?
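The namespace mismatch raised in the comments above (the ApplicationLoadBalancer lives in `alb-test-infra` while the Gateway, Deployment and HTTPRoute target `test-infra`) can be caught before `kubectl apply` with a small checker. This is an added example, not the lab's or the PR's code; the manifest it scans is a constructed sample using the resource names visible in the diffs.

```python
import re

# Constructed sample (not the lab's file) mirroring the names seen in the PR: the ALB
# is created in alb-test-infra, while Gateway and HTTPRoute reference test-infra,
# which no Namespace document creates.
SAMPLE_MANIFEST = """\
kind: Namespace
metadata:
  name: alb-test-infra
---
kind: ApplicationLoadBalancer
metadata:
  name: alb-test
  namespace: alb-test-infra
---
kind: Gateway
metadata:
  name: gateway-01
  namespace: test-infra
---
kind: HTTPRoute
metadata:
  name: ngcolor-app
  namespace: test-infra
"""

def parse_docs(manifest: str) -> list:
    """Line-scan each YAML document for kind, metadata.name, metadata.namespace (no PyYAML)."""
    docs = []
    for raw in re.split(r"^---\s*$", manifest, flags=re.MULTILINE):
        doc, section = {"kind": "", "name": "", "namespace": ""}, ""
        for line in raw.splitlines():
            m = re.match(r"^(\s*)([A-Za-z]+):\s*(.*?)\s*$", line)
            if not m:
                continue  # blank lines, list items ("- name: ..."), comments
            indent, key, value = len(m.group(1)), m.group(2), m.group(3)
            if indent == 0:
                section = key  # remember which top-level mapping we are inside
                if key == "kind":
                    doc["kind"] = value
            elif indent == 2 and section == "metadata" and key in ("name", "namespace"):
                doc[key] = value
        if doc["kind"]:
            docs.append(doc)
    return docs

def find_missing_namespaces(manifest: str, preexisting=("default",)) -> list:
    """(kind, name, namespace) for resources whose namespace is neither created here nor preexisting."""
    docs = parse_docs(manifest)
    created = {d["name"] for d in docs if d["kind"] == "Namespace"} | set(preexisting)
    return [(d["kind"], d["name"], d["namespace"])
            for d in docs if d["namespace"] and d["namespace"] not in created]
```

Namespaces created out of band (`kubectl create namespace ...`) are passed via `preexisting`; the scanner reads only the top-level `metadata:` block, so `name:` keys nested under `spec:` are ignored.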
| spec: | ||
| acme: | ||
| server: https://acme-v02.api.letsencrypt.org/directory # production endpoint | ||
| email: your-email@example.com |
Should note that the user should replace the your-email@example.com placeholder with a real email address, otherwise this ClusterIssuer will not work.
| protocol: HTTPS | ||
| tls: | ||
| certificateRefs: | ||
| - name: letsencrypt-secret |
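Review bot: the listener references `letsencrypt-secret`, but none of the steps before this point creates that secret, so the HTTPS listener cannot be programmed. Add the step that produces it (a cert-manager `Certificate` with `secretName: letsencrypt-secret`, issued by the ClusterIssuer defined earlier) before this listener, plus a `kubectl get secret letsencrypt-secret -n <namespace>` check so readers can confirm it exists.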
If you follow the instructions up until this point, the secret is never deployed.
| az network application-gateway waf-policy create \ | ||
| --name $WAF_POLICY_NAME \ | ||
| --resource-group $MC_RG_NAME \ | ||
| --location $LOCATION \ |
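Review bot: `--resource-group $MC_RG_NAME` creates the WAF policy inside the AKS managed resource group, which the subnet comment above already advises users not to modify; creating it in `$RG_NAME` alongside the other lab resources keeps the managed group untouched. `--location $LOCATION` can be dropped at the same time, since the variable is never set and the policy inherits the resource group's location.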
$LOCATION is not set nor is needed.
| --location $LOCATION \ |
| ``` | ||
|
|
||
| --- | ||
|
|
Should add a summary here to recap the lab and include resources to learn more.
Purpose
Adding a new lab - Application Gateway for Containers
Does this introduce a breaking change?
Pull Request Type
What kind of change does this Pull Request introduce?
How to Test
What to Check
Verify that the following are valid:
View lab under Networking > Application Gateway for Containers
Run through lab
Other Information