|
| 1 | +# How to deploy AGIC via Helm using Workload Identity |
| 2 | + |
| 3 | +This assumes you have an existing Application Gateway. If not, you can create it with command: |
| 4 | + |
| 5 | +```bash |
| 6 | +az network application-gateway create -g myResourceGroup -n myApplicationGateway --sku Standard_v2 --public-ip-address myPublicIP --vnet-name myVnet --subnet mySubnet --priority 100 |
| 7 | +``` |
| 8 | + |
| 9 | +## 1. Add the AGIC Helm repository |
| 10 | + |
| 11 | +```bash |
| 12 | +helm repo add application-gateway-kubernetes-ingress https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/ |
| 13 | +helm repo update |
| 14 | +``` |
| 15 | + |
| 16 | +## 2. Set environment variables |
| 17 | + |
| 18 | +```bash |
| 19 | +export RESOURCE_GROUP="myResourceGroup" |
| 20 | +export APPLICATION_GATEWAY_NAME="myApplicationGateway" |
| 21 | +export USER_ASSIGNED_IDENTITY_NAME="myIdentity" |
| 22 | +export FEDERATED_IDENTITY_CREDENTIAL_NAME="myFedIdentity" |
| 23 | +``` |
| 24 | + |
| 25 | +## 3. Create resource group, AKS cluster and identity |
| 26 | + |
| 27 | +```bash |
| 28 | +az group create --name "${RESOURCE_GROUP}" --location eastus |
| 29 | +az aks create -g "${RESOURCE_GROUP}" -n myAKSCluster --node-count 1 --enable-oidc-issuer --enable-workload-identity |
| 30 | +az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}" |
| 31 | +``` |
| 32 | + |
| 33 | +## 4. Export the oidcIssuerProfile.issuerUrl |
| 34 | + |
| 35 | +```bash |
| 36 | +export AKS_OIDC_ISSUER="$(az aks show -n myAKSCluster -g "${RESOURCE_GROUP}" --query "oidcIssuerProfile.issuerUrl" -otsv)" |
| 37 | +``` |
| 38 | + |
| 39 | +## 5. Create federated identity credential. |
| 40 | + |
| 41 | +**Note**: the name of the service account that gets created after the helm installation is “ingress-azure” and the following command assumes it will be deployed in “default” namespace. Please change the namespace name in the next command if you deploy the AGIC related Kubernetes resources in other namespace. |
| 42 | + |
| 43 | +```bash |
| 44 | +az identity federated-credential create --name ${FEDERATED_IDENTITY_CREDENTIAL_NAME} --identity-name ${USER_ASSIGNED_IDENTITY_NAME} --resource-group ${RESOURCE_GROUP} --issuer ${AKS_OIDC_ISSUER} --subject system:serviceaccount:default:ingress-azure |
| 45 | +``` |
| 46 | + |
| 47 | +## 6. Obtain the ClientID of the identity created before that is needed for the next step |
| 48 | + |
| 49 | +```bash |
| 50 | +az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv |
| 51 | +``` |
| 52 | + |
| 53 | +## 7. Export the Application Gateway resource ID |
| 54 | + |
| 55 | +```bash |
| 56 | +export APP_GW_ID="$(az network application-gateway show --name "${APPLICATION_GATEWAY_NAME}" --resource-group "${RESOURCE_GROUP}" --query 'id' --output tsv)" |
| 57 | +``` |
| 58 | + |
| 59 | +## 8. Add Contributor role for the identity over the Application Gateway |
| 60 | + |
| 61 | +```bash |
| 62 | +az role assignment create --assignee <identityClientID> --scope "${APP_GW_ID}" --role Contributor |
| 63 | +``` |
| 64 | + |
| 65 | +## 9. In helm-config.yaml specify: |
| 66 | + |
| 67 | +```yaml |
| 68 | +armAuth: |
| 69 | + type: workloadIdentity |
| 70 | + identityClientID: <identityClientID> |
| 71 | +``` |
| 72 | +
|
| 73 | +## 10.Get the AKS cluster credentials. |
| 74 | +
|
| 75 | +```bash |
| 76 | +az aks get-credentials -g "${RESOURCE_GROUP}" -n myAKSCluster |
| 77 | +``` |
| 78 | + |
| 79 | +## 11. Install the helm chart |
| 80 | + |
| 81 | +```bash |
| 82 | +helm install ingress-azure \ |
| 83 | + -f helm-config.yaml \ |
| 84 | + application-gateway-kubernetes-ingress/ingress-azure \ |
| 85 | + --version 1.7.1 |
| 86 | +``` |
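Review bot: step 6 only prints the identity's clientId, so steps 8 and 9 leave the reader to paste a `<identityClientID>` placeholder by hand, while every other value in the guide is captured into a variable. Suggest capturing it in step 6 with `export IDENTITY_CLIENT_ID="$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"`, using `--assignee "${IDENTITY_CLIENT_ID}"` in step 8, and adding a sentence in step 9 telling the reader to substitute the same value for `identityClientID` in helm-config.yaml. Step 8 grants Contributor scoped to the single Application Gateway resource; a sentence saying that the scope is deliberately the gateway's resource ID and should not be widened to the resource group or subscription would help readers who might otherwise reach for a broader assignment. Step 5 is the only command that leaves its variables unquoted (`--issuer ${AKS_OIDC_ISSUER}`); quote them as the other steps do, and the note above it should state that the `--subject` value must match the namespace and service account name exactly (`system:serviceaccount:<namespace>:ingress-azure`), since a mismatch only surfaces at runtime when the pod's token exchange is rejected. Minor: `## 10.Get the AKS cluster credentials.` is missing the space after the number and carries a trailing period that the other headings (apart from step 5) do not, and there are stray blank rows around it.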