Move AGIC charts to MCR and update docs (#1646)
* replicate script

* update docs

* some other fixes

* fix docs

* add note

* fix note

* add version notes

* bump versions
akshaysngupta authored Sep 16, 2024
1 parent f69f68e commit 24c4205
Showing 14 changed files with 73 additions and 120 deletions.
15 changes: 2 additions & 13 deletions docs/developers/build.md
Expand Up @@ -126,22 +126,11 @@ To test your changes on a cluster, you can use the [`Dev Release`](https://dev.a
`Dev Release` generates a new docker image and helm package for your changes. Once the pipeline completes, use helm to install the release on your AKS cluster.

```bash
# add the staging helm repository
helm repo add staging https://appgwingress.blob.core.windows.net/ingress-azure-helm-package-staging/
helm repo update

# list the available versions and pick the latest version
helm search repo staging -l --devel
NAME CHART VERSION APP VERSION DESCRIPTION
staging/ingress-azure 10486 10486 Use Azure Application Gateway as the ingress fo...
staging/ingress-azure 10465 10465 Use Azure Application Gateway as the ingress fo...
staging/ingress-azure 10256 10256 Use Azure Application Gateway as the ingress fo...

# install/upgrade
helm install ingress-azure \
-f helm-config.yaml \
application-gateway-kubernetes-ingress/ingress-azure \
--version 10486
oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure \
--version 1.7.5
```

You can also find the `version` by opening your build in the `Merge Builds` pipeline and looking for the `buildid`. Use this version when installing on the cluster after the `Dev Release` completes.
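Review bot: The install command in this hunk now pulls the released chart from MCR with `--version 1.7.5`, but the text around it still says `Dev Release` generates a helm package for your changes and tells the reader to use the `buildid` as the version. With the staging repository lines removed, nothing in this section installs the dev build any more. Either document where the `Dev Release` chart is published now, or reword the section and drop the `buildid` sentence so the prose matches the command.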
4 changes: 2 additions & 2 deletions docs/features/agic-reconcile.md
Expand Up @@ -23,9 +23,9 @@ Configure from helm install command(first time install) and helm upgrade command

```bash
# helm fresh install
helm intall <releaseName> -f helm-config.yaml application-gateway-kubernetes-ingress/ingress-azure --version 1.2.0-rc3 --set reconcilePeriodSeconds=30
helm intall <releaseName> -f helm-config.yaml oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure --version 1.7.5 --set reconcilePeriodSeconds=30

# help upgrade
# --reuse-values, when upgrading, reuse the last release's values and merge in any overrides from the command line via --set and -f.
helm upgrade <releaseName> application-gateway-kubernetes-ingress/ingress-azure --reuse-values --version 1.2.0-rc3 --set reconcilePeriodSeconds=30
helm upgrade <releaseName> oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure --reuse-values --version 1.7.5 --set reconcilePeriodSeconds=30
```
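Review bot: The rewritten fresh-install line still reads `helm intall`, so a copy-paste of the documented command fails. Since the line is being changed anyway, fix it to `helm install`, and correct the `# help upgrade` comment to `# helm upgrade` in the same pass.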
2 changes: 1 addition & 1 deletion docs/features/appgw-ssl-certificate.md
Expand Up @@ -14,7 +14,7 @@ Please use [Greenfield Deployment](https://github.com/Azure/application-gateway-
To use the new feature, make sure the AGIC version is at least at 1.2.0-rc3

```bash
helm install application-gateway-kubernetes-ingress/ingress-azure -f helm-config.yaml --version 1.2.0-rc3 --generate-name
helm install oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure -f helm-config.yaml --version 1.7.5 --generate-name
```

## Create a certificate and configure the certificate to AppGw
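Review bot: The context sentence above the command still says the AGIC version must be at least 1.2.0-rc3, while the note added to docs/setup/install.md in this commit says only versions >= 1.5.0, excluding release candidates, are available from MCR. Reword the stated minimum so a reader does not try to pull a release-candidate version from the new registry.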
2 changes: 1 addition & 1 deletion docs/features/multiple-namespaces.md
Expand Up @@ -32,7 +32,7 @@ To enable multiple namespace support:
- delete the `watchNamespace` key entirely from [helm-config.yaml](../examples/sample-helm-config.yaml) - AGIC will observe all namespaces
- set `watchNamespace` to an empty string - AGIC will observe all namespaces
- add multiple namespaces separated by a comma (`watchNamespace: default,secondNamespace`) - AGIC will observe these namespaces exclusively
2. apply Helm template changes with: `helm install -f helm-config.yaml application-gateway-kubernetes-ingress/ingress-azure`
2. apply Helm template changes with: `helm install -f helm-config.yaml oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure`

Once deployed with the ability to observe multiple namespaces, AGIC will:
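Review bot: The inline command in step 2 passes neither a release name nor `--generate-name`, which Helm 3 rejects, and an `oci://` chart reference requires Helm 3. It also omits `--version`, unlike the other commands updated in this commit, so the chart version installed is not pinned. Suggest `helm install ingress-azure -f helm-config.yaml oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure --version 1.7.5`.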

4 changes: 2 additions & 2 deletions docs/helm-values-documenation.md
Expand Up @@ -6,7 +6,7 @@

| Field | Default | Description |
| - | - | - |
| `verbosityLevel`| 3 | Sets the verbosity level of the AGIC logging infrastructure. See [Logging Levels](troubleshooting.md#logging-levels) for possible values. |
| `verbosityLevel`| 3 | Sets the verbosity level of the AGIC logging infrastructure. See [Logging Levels](logging-levels.md) for possible values. |
| `reconcilePeriodSeconds` | | Enable periodic reconciliation to checks if the latest gateway configuration is different from what it cached. Range: 30 - 300 seconds. Disabled by default. |
| `appgw.applicationGatewayID` | | Resource Id of the Application Gateway. Example: `applicationgatewayd0f0` |
| `appgw.subscriptionId` | Default is agent node pool's subscriptionId derived from CloudProvider config | The Azure Subscription ID in which App Gateway resides. Example: `a123b234-a3b4-557d-b2df-a0bc12de1234` |
Expand All @@ -25,7 +25,7 @@
| `kubernetes.affinity` | `{}` | Scheduling affinity |
| `kubernetes.volumes.extraVolumes` | `{}` | Specify additional volumes for the AGIC pod. This can be useful when [running on a `readOnlyRootFilesystem`](#run-with-read-only-root-filesystem), as AGIC requires a writeable `/tmp` directory. |
| `kubernetes.volumes.extraVolumeMounts` | `{}` | Specify additional volume mounts for the AGIC pod. This can be useful when [running on a `readOnlyRootFilesystem`](#run-with-read-only-root-filesystem), as AGIC requires a writeable `/tmp` directory. |
| `kubernetes.ingressClass` | `azure/application-gateway` | Specify a [custom ingress class](features\custom-ingress-class.md) which will be used to match `kubernetes.io/ingress.class` in ingress manifest |
| `kubernetes.ingressClass` | `azure/application-gateway` | Specify a [custom ingress class](features/custom-ingress-class.md) which will be used to match `kubernetes.io/ingress.class` in ingress manifest |
| `rbac.enabled` | false | Specify true if kubernetes cluster is rbac enabled |
| `armAuth.type` | | could be `aadPodIdentity` or `servicePrincipal` |
| `armAuth.identityResourceID` | | Resource ID of the Azure Managed Identity |
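Review bot: The `armAuth.type` row in this hunk's context still lists only `aadPodIdentity` or `servicePrincipal`, yet the workload identity how-to and docs/setup/install.md updated in this same commit set `armAuth.type` to `workloadIdentity`. While the table is being edited, add `workloadIdentity` to the description and mention `armAuth.identityClientID`, which those docs pass alongside it.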
2 changes: 1 addition & 1 deletion docs/how-tos/continuous-deployment-pipeline.json
Expand Up @@ -259,7 +259,7 @@
"namespace": "agic",
"command": "upgrade",
"chartType": "Name",
"chartName": "application-gateway-kubernetes-ingress/ingress-azure",
"chartName": "oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure",
"chartPath": "",
"version": "",
"releaseName": "agic",
Expand Down
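Review bot: The pipeline definition now points `chartName` at the `oci://` reference but leaves `"version": ""`, so the release stage is not pinned to a chart version while every markdown example in this commit pins 1.7.5. Set an explicit version here, or add a note that it must be filled in, so a pipeline run does not upgrade AGIC to whatever version the registry resolves by default. It is also worth confirming that the Helm task used with `"chartType": "Name"` accepts an `oci://` chart name.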
31 changes: 12 additions & 19 deletions docs/how-tos/deploy-AGIC-with-Workload-Identity-using-helm.md
Expand Up @@ -8,14 +8,7 @@ This assumes you have an existing Application Gateway. If not, you can create it
az network application-gateway create -g myResourceGroup -n myApplicationGateway --sku Standard_v2 --public-ip-address myPublicIP --vnet-name myVnet --subnet mySubnet --priority 100
```

## 1. Add the AGIC Helm repository

```bash
helm repo add application-gateway-kubernetes-ingress https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/
helm repo update
```

## 2. Set environment variables
## 1. Set environment variables

```bash
export RESOURCE_GROUP="myResourceGroup"
Expand All @@ -24,65 +17,65 @@ export USER_ASSIGNED_IDENTITY_NAME="myIdentity"
export FEDERATED_IDENTITY_CREDENTIAL_NAME="myFedIdentity"
```

## 3. Create resource group, AKS cluster and identity
## 2. Create resource group, AKS cluster and identity

```bash
az group create --name "${RESOURCE_GROUP}" --location eastus
az aks create -g "${RESOURCE_GROUP}" -n myAKSCluster --node-count 1 --enable-oidc-issuer --enable-workload-identity
az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}"
```

## 4. Export the oidcIssuerProfile.issuerUrl
## 3. Export the oidcIssuerProfile.issuerUrl

```bash
export AKS_OIDC_ISSUER="$(az aks show -n myAKSCluster -g "${RESOURCE_GROUP}" --query "oidcIssuerProfile.issuerUrl" -otsv)"
```

## 5. Create federated identity credential
## 4. Create federated identity credential

**Note**: the name of the service account that gets created after the helm installation is “ingress-azure” and the following command assumes it will be deployed in “default” namespace. Please change the namespace name in the next command if you deploy the AGIC related Kubernetes resources in other namespace.

```bash
az identity federated-credential create --name ${FEDERATED_IDENTITY_CREDENTIAL_NAME} --identity-name ${USER_ASSIGNED_IDENTITY_NAME} --resource-group ${RESOURCE_GROUP} --issuer ${AKS_OIDC_ISSUER} --subject system:serviceaccount:default:ingress-azure
```

## 6. Obtain the ClientID of the identity created before that is needed for the next step
## 5. Obtain the ClientID of the identity created before that is needed for the next step

```bash
az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv
```

## 7. Export the Application Gateway resource ID
## 6. Export the Application Gateway resource ID

```bash
export APP_GW_ID="$(az network application-gateway show --name "${APPLICATION_GATEWAY_NAME}" --resource-group "${RESOURCE_GROUP}" --query 'id' --output tsv)"
```

## 8. Add Contributor role for the identity over the Application Gateway
## 7. Add Contributor role for the identity over the Application Gateway

```bash
az role assignment create --assignee <identityClientID> --scope "${APP_GW_ID}" --role Contributor
```

## 9. In helm-config.yaml specify
## 8. In helm-config.yaml specify

```yaml
armAuth:
type: workloadIdentity
identityClientID: <identityClientID>
```
## 10.Get the AKS cluster credentials
## 9. Get the AKS cluster credentials
```bash
az aks get-credentials -g "${RESOURCE_GROUP}" -n myAKSCluster
```

## 11. Install the helm chart
## 10. Install the helm chart

```bash
helm install ingress-azure \
-f helm-config.yaml \
application-gateway-kubernetes-ingress/ingress-azure \
--version 1.7.1
oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure \
--version 1.7.5
```
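Review bot: The renumbered heading `## 9. Get the AKS cluster credentials` still sits directly between the closing fence of the YAML block and the opening bash fence with no blank lines, unlike every other step in this file. Some Markdown renderers will not treat it as a heading in that position. Add a blank line before and after it while the line is being touched.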
45 changes: 3 additions & 42 deletions docs/how-tos/helm-upgrade.md
Expand Up @@ -3,49 +3,10 @@
> **_NOTE:_** [Application Gateway for Containers](https://aka.ms/agc) has been released, which introduces numerous performance, resilience, and feature changes. Please consider leveraging Application Gateway for Containers for your next deployment.
The Azure Application Gateway Ingress Controller for Kubernetes (AGIC) can be upgraded
using a Helm repository hosted on Azure Storage.

Before we begin the upgrade procedure, ensure that you have added the required repository:

- View your currently added Helm repositories with:

```bash
helm repo list
```

- Add the AGIC repo with:

```bash
helm repo add \
application-gateway-kubernetes-ingress \
https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/
```
using a Helm repository hosted on MCR.

## Upgrade

1. Refresh the AGIC Helm repository to get the latest release:

```bash
helm repo update
```

1. View available versions of the `application-gateway-kubernetes-ingress` chart:

``` bash
helm search repo -l application-gateway-kubernetes-ingress
```

Sample response:

```bash
NAME CHART VERSION APP VERSION DESCRIPTION
application-gateway-kubernetes-ingress/ingress-azure 1.0.0 1.0.0 Use Azure Application Gateway as the ingress for an Azure...
application-gateway-kubernetes-ingress/ingress-azure 0.7.0-rc1 0.7.0-rc1 Use Azure Application Gateway as the ingress for an Azure...
application-gateway-kubernetes-ingress/ingress-azure 0.6.0 0.6.0 Use Azure Application Gateway as the ingress for an Azure...
```

Latest available version from the list above is: `0.7.0-rc1`

1. View the Helm charts currently installed:

```bash
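Review bot: With the `helm search repo -l` step and its sample output removed, the Upgrade section no longer tells the reader how to find out which chart versions exist before running `helm upgrade --version`. Add a pointer to where versions can be looked up, for example the GitHub releases page. The new intro line also calls MCR "a Helm repository", but the commands use an `oci://` registry reference with no `helm repo add`, so "OCI registry (MCR)" would describe it more accurately.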
Expand All @@ -67,8 +28,8 @@ Before we begin the upgrade procedure, ensure that you have added the required r
```bash
helm upgrade \
odd-billygoat \
application-gateway-kubernetes-ingress/ingress-azure \
--version 1.0.0
oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure \
--version 1.7.5
```

## Rollback
2 changes: 1 addition & 1 deletion docs/how-tos/prevent-agic-from-overwriting.md
Expand Up @@ -71,7 +71,7 @@ Apply the Helm changes:
helm upgrade \
--recreate-pods \
-f helm-config.yaml \
ingress-azure application-gateway-kubernetes-ingress/ingress-azure
ingress-azure oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure
```

As a result your AKS will have a new instance of `AzureIngressProhibitedTarget` called `prohibit-all-targets`:
24 changes: 10 additions & 14 deletions docs/setup/install.md
Expand Up @@ -2,6 +2,9 @@

> [Application Gateway for Containers](https://aka.ms/agc) has been released, which introduces numerous performance, resilience, and feature changes. Please consider leveraging Application Gateway for Containers for your next deployment.
> AGIC charts have been moved to MCR. Use oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure as the target repository.
AGIC versions >= 1.5.0 excluding release candidates are now available.
You need to complete the following tasks prior to deploying AGIC on your cluster:

1. Prepare your Azure subscription and your `az-cli` client.
Expand Down Expand Up @@ -52,7 +55,7 @@ You need to complete the following tasks prior to deploying AGIC on your cluster
3. Install Helm
[Helm](https://github.com/helm/helm) is an open-source packaging tool that is used to install ALB controller.
[Helm](https://github.com/helm/helm) is an open-source packaging tool that is used to install AGIC.
> Helm is already available in Azure Cloud Shell. If you are using Azure Cloud Shell, no additional Helm installation is necessary.
Expand Down Expand Up @@ -145,7 +148,7 @@ If using an existing Application Gateway, make sure the following:
echo "Set up federation with AKS OIDC issuer"
AKS_OIDC_ISSUER="$(az aks show -n "$AKS_NAME" -g "$RESOURCE_GROUP" --query "oidcIssuerProfile.issuerUrl" -o tsv)"
az identity federated-credential create --name "azure-alb-identity" \
az identity federated-credential create --name "agic" \
--identity-name "$IDENTITY_RESOURCE_NAME" \
--resource-group $RESOURCE_GROUP \
--issuer "$AKS_OIDC_ISSUER" \
Expand All @@ -163,14 +166,7 @@ If using an existing Application Gateway, make sure the following:

> Assignment of the managed identity immediately after creation may result in an error that the principalId does not exist. Allow about a minute of time to elapse for the identity to replicate in Microsoft Entra ID prior to delegating the identity.

1. Add the AGIC Helm repository:

```bash
helm repo add application-gateway-kubernetes-ingress https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/
helm repo update
```

1. Install ALB Controller using Helm
1. Install AGIC using Helm

### For new deployments

Expand All @@ -181,7 +177,7 @@ AGIC can be installed by running the following commands:
# on aks cluster with only linux node pools
helm install ingress-azure \
application-gateway-kubernetes-ingress/ingress-azure \
oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure \
--set appgw.applicationGatewayID=$APPGW_ID \
--set armAuth.type=workloadIdentity \
--set armAuth.identityClientID=$IDENTITY_CLIENT_ID \
Expand All @@ -190,7 +186,7 @@ AGIC can be installed by running the following commands:
# on aks cluster with windows node pools
helm install ingress-azure \
application-gateway-kubernetes-ingress/ingress-azure \
oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure \
--set appgw.applicationGatewayID=$APPGW_ID \
--set armAuth.type=workloadIdentity \
--set armAuth.identityClientID=$IDENTITY_CLIENT_ID \
Expand All @@ -208,7 +204,7 @@ AGIC can be upgraded by running the following commands:
# on aks cluster with only linux node pools
helm upgrade ingress-azure \
application-gateway-kubernetes-ingress/ingress-azure \
oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure \
--set appgw.applicationGatewayID=$APPGW_ID \
--set armAuth.type=workloadIdentity \
--set armAuth.identityClientID=$IDENTITY_CLIENT_ID \
Expand All @@ -217,7 +213,7 @@ AGIC can be upgraded by running the following commands:
# on aks cluster with windows node pools
helm upgrade ingress-azure \
application-gateway-kubernetes-ingress/ingress-azure \
oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure \
--set appgw.applicationGatewayID=$APPGW_ID \
--set armAuth.type=workloadIdentity \
--set armAuth.identityClientID=$IDENTITY_CLIENT_ID \
Expand Up @@ -50,9 +50,9 @@ Updated AGIC Helm templates to use the right fields regarding AAD Pod Identity,
### Resolving the issue
It's recommended you upgrade your AGIC to release 1.2.0 and then apply AAD Pod Identity version >= 1.6.0
It's recommended you upgrade your AGIC to release >= 1.2.0 and then apply AAD Pod Identity version >= 1.6.0

#### Upgrade AGIC to 1.2.0
#### Upgrade AGIC to >= 1.2.0

AGIC version [v1.2.0](https://github.com/Azure/application-gateway-kubernetes-ingress/releases/tag/1.2.0) will be required.
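Review bot: The recommendation and heading now say `>= 1.2.0`, but the unchanged sentence under the heading still reads "AGIC version v1.2.0 will be required" and links only the 1.2.0 release. Update that sentence to match the new wording, and consider stating the lowest version that can be pulled from MCR, which docs/setup/install.md in this commit gives as 1.5.0.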

Expand All @@ -65,15 +65,15 @@ helm repo update
# check the latest relese version of AGIC
helm search repo -l application-gateway-kubernetes-ingress
# install release 1.2.0
# install release 1.7.5
helm upgrade \
<release-name> \
application-gateway-kubernetes-ingress/ingress-azure
--version 1.2.0
oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure
--version 1.7.5
--reuse-values
```

***Note:**_ If you're upgrading from v1.0.0 or below, you'll have to delete AGIC and then reinstall with v1.2.0.
***Note:**_ If you're upgrading from v1.0.0 or below, you'll have to delete AGIC and then reinstall with v1.7.5.

#### Install the right version of AAD Pod Identity
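Review bot: The two new lines `oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure` and `--version 1.7.5` have no trailing backslash, so the shell ends the `helm upgrade` command after `<release-name> \` plus the chart line and then tries to run `--version 1.7.5` and `--reuse-values` as separate commands. Add `\` to both lines. The context above the command still runs `helm repo update` and `helm search repo -l application-gateway-kubernetes-ingress`, which refer to the repository this commit removes from the other docs, and the note line's emphasis markers (`***Note:**_`) are unbalanced.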

12 changes: 0 additions & 12 deletions helm/index.md

This file was deleted.
