How to Install an Application Gateway Ingress Controller (AGIC) Using a New Application Gateway

The instructions below assume Application Gateway Ingress Controller (AGIC) will be installed in an environment with no pre-existing components.

Required Command Line Tools

Please ensure the following command line tools are installed:

Create an Identity

Follow the steps below to create an Azure Active Directory (AAD) service principal object. Please record the appId, password, and objectId values - these will be used in the following steps.

  1. Create the AD service principal (read more about RBAC):

    az ad sp create-for-rbac --skip-assignment -o json > auth.json
    appId=$(jq -r ".appId" auth.json)
    password=$(jq -r ".password" auth.json)
    

    The appId and password values from the JSON output will be used in the following steps.

  2. Use the appId from the previous command's output to get the objectId of the new service principal:

    objectId=$(az ad sp show --id $appId --query "objectId" -o tsv)
    

    The output of this command is the objectId, which will be used in the Azure Resource Manager template below.

  3. Create the parameter file that will be used in the Azure Resource Manager template deployment later.

    cat <<EOF > parameters.json
    {
      "aksServicePrincipalAppId": { "value": "$appId" },
      "aksServicePrincipalClientSecret": { "value": "$password" },
      "aksServicePrincipalObjectId": { "value": "$objectId" },
      "aksEnableRBAC": { "value": false }
    }
    EOF
    

    To deploy an RBAC enabled cluster, set the aksEnableRBAC field to true.
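The three steps above write parameters.json by interpolating the service principal values straight into a heredoc, so an unexpected character in the secret or an empty variable produces a malformed file that is only noticed when the template deployment fails. The function below is an added example, not part of this page or the AGIC project. It writes the same file, but first checks that appId and objectId are GUIDs, JSON-escapes the secret, and creates the file owner-readable only because it carries the client secret. The function and helper names (write_parameters_file, is_guid, json_escape) are assumptions of this example; the values you would pass are the appId, password and objectId obtained from az in steps 1 and 2. It runs offline with a POSIX shell, grep and sed.

```shell
# Added example, not from this page or the AGIC project: builds parameters.json
# from the service principal values produced in steps 1 and 2, adding checks
# the page's heredoc does not make. Needs only a POSIX shell, grep and sed.

# is_guid <value>: true when the value has the 8-4-4-4-12 hex layout Azure AD
# uses for appId and objectId
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# json_escape <value>: minimal escaping of backslash and double quote so the
# secret cannot break the JSON document (backslash first, then quote)
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# write_parameters_file <path> <appId> <password> <objectId> <true|false>
# returns 1 without writing anything when an input is malformed
write_parameters_file() {
    wp_out="$1"; wp_appId="$2"; wp_password="$3"; wp_objectId="$4"; wp_rbac="$5"
    is_guid "$wp_appId"    || { echo "appId is not a GUID: $wp_appId" >&2; return 1; }
    is_guid "$wp_objectId" || { echo "objectId is not a GUID: $wp_objectId" >&2; return 1; }
    [ -n "$wp_password" ]  || { echo "password is empty" >&2; return 1; }
    case "$wp_rbac" in
        true|false) ;;
        *) echo "aksEnableRBAC must be true or false, got: $wp_rbac" >&2; return 1 ;;
    esac
    # the file carries the client secret: umask 077 makes it mode 0600 on creation
    ( umask 077
      {
        printf '{\n'
        printf '  "aksServicePrincipalAppId": { "value": "%s" },\n' "$wp_appId"
        printf '  "aksServicePrincipalClientSecret": { "value": "%s" },\n' "$(json_escape "$wp_password")"
        printf '  "aksServicePrincipalObjectId": { "value": "%s" },\n' "$wp_objectId"
        printf '  "aksEnableRBAC": { "value": %s }\n' "$wp_rbac"
        printf '}\n'
      } > "$wp_out"
    )
}

# Typical call after steps 1 and 2 (values are whatever az returned):
#   write_parameters_file parameters.json "$appId" "$password" "$objectId" false
```

The same umask 077 is worth applying when redirecting the output of az ad sp create-for-rbac into auth.json in step 1, since that file holds the same secret.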

Deploy Components

This step will add the following components to your subscription:

  1. Download the Azure Resource Manager template and modify the template as needed.

    wget https://raw.githubusercontent.com/Azure/application-gateway-kubernetes-ingress/master/deploy/azuredeploy.json -O template.json
    
  2. Deploy the Azure Resource Manager template using the az CLI. This may take up to 5 minutes.

    resourceGroupName="MyResourceGroup"
    location="chinanorth2"
    deploymentName="ingress-appgw"
    
    # create a resource group
    az group create -n $resourceGroupName -l $location
    
    # modify the template as needed
    az group deployment create \
            -g $resourceGroupName \
            -n $deploymentName \
            --template-file template.json \
            --parameters parameters.json
    
  3. Once the deployment has finished, download the deployment output into a file named deployment-outputs.json.

    az group deployment show -g $resourceGroupName -n $deploymentName --query "properties.outputs" -o json > deployment-outputs.json
    

Set up Application Gateway Ingress Controller

With the instructions in the previous section, we created and configured a new AKS cluster and an Application Gateway. We are now ready to deploy a sample app and an ingress controller to our new Kubernetes infrastructure.

Set up Kubernetes Credentials

For the following steps, we need to set up the kubectl command, which we will use to connect to our new Kubernetes cluster. We will use the az CLI to obtain credentials for Kubernetes.

Get credentials for your newly deployed AKS cluster (read more):

# use the deployment-outputs.json created after deployment to get the cluster name and resource group name
aksClusterName=$(jq -r ".aksClusterName.value" deployment-outputs.json)
resourceGroupName=$(jq -r ".resourceGroupName.value" deployment-outputs.json)

az aks get-credentials --resource-group $resourceGroupName --name $aksClusterName

Install AAD Pod Identity

Azure Active Directory Pod Identity provides token-based access to Azure Resource Manager (ARM).

AAD Pod Identity will add the following components to your Kubernetes cluster:

To install AAD Pod Identity to your cluster:

  • RBAC enabled AKS cluster

    kubectl create -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
    
  • RBAC disabled AKS cluster

    kubectl create -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment.yaml
    

Install Helm

Helm is a package manager for Kubernetes. We will leverage it to install the application-gateway-kubernetes-ingress package:

  1. Install Helm and run the following to add the application-gateway-kubernetes-ingress Helm package:

    • RBAC enabled AKS cluster

      kubectl create serviceaccount --namespace kube-system tiller-sa
      kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller-sa
      helm init --tiller-namespace kube-system --service-account tiller-sa
      
    • RBAC disabled AKS cluster

      helm init
      
  2. Add the AGIC Helm repository:

    helm repo add application-gateway-kubernetes-ingress https://appgwingress.blob.core.chinacloudapi.cn/ingress-azure-helm-package/
    helm repo update
    

Install Ingress Controller Helm Chart

  1. Use the deployment-outputs.json file created above to create the following variables.

    applicationGatewayName=$(jq -r ".applicationGatewayName.value" deployment-outputs.json)
    resourceGroupName=$(jq -r ".resourceGroupName.value" deployment-outputs.json)
    subscriptionId=$(jq -r ".subscriptionId.value" deployment-outputs.json)
    identityClientId=$(jq -r ".identityClientId.value" deployment-outputs.json)
    identityResourceId=$(jq -r ".identityResourceId.value" deployment-outputs.json)
    
  2. Download helm-config.yaml, which will configure AGIC:

    wget https://raw.githubusercontent.com/Azure/application-gateway-kubernetes-ingress/master/docs/examples/sample-helm-config.yaml -O helm-config.yaml
    

    Or copy the YAML file below:

    # This file contains the essential configs for the ingress controller helm chart
    
    # Verbosity level of the App Gateway Ingress Controller
    verbosityLevel: 3
    
    ################################################################################
    # Specify which application gateway the ingress controller will manage
    #
    appgw:
        subscriptionId: <subscriptionId>
        resourceGroup: <resourceGroupName>
        name: <applicationGatewayName>
    
        # Setting appgw.shared to "true" will create an AzureIngressProhibitedTarget CRD.
        # This prohibits AGIC from applying config for any host/path.
        # Use "kubectl get AzureIngressProhibitedTargets" to view and change this.
        shared: false
    
    ################################################################################
    # Specify which kubernetes namespace the ingress controller will watch
    # Default value is "default"
    # Leaving this variable out or setting it to blank or empty string would
    # result in Ingress Controller observing all accessible namespaces.
    #
    # kubernetes:
    #   watchNamespace: <namespace>
    
    ################################################################################
    # Specify the authentication with Azure Resource Manager
    #
    # Two authentication methods are available:
    # - Option 1: AAD-Pod-Identity (https://github.com/Azure/aad-pod-identity)
    armAuth:
        type: aadPodIdentity
        identityResourceID: <identityResourceId>
        identityClientID:  <identityClientId>
    
    ## Alternatively you can use Service Principal credentials
    # armAuth:
    #    type: servicePrincipal
    #    secretJSON: <<Generate this value with: "az ad sp create-for-rbac --subscription <subscription-uuid> --sdk-auth | base64 -w0" >>
    
    ################################################################################
    # Specify if the cluster is RBAC enabled or not
    rbac:
        enabled: false # true/false
    
    # Specify aks cluster related information. THIS IS BEING DEPRECATED.
    aksClusterConfiguration:
        apiServerAddress: <aks-api-server-address>
    
  3. Edit the newly downloaded helm-config.yaml and fill out the appgw and armAuth sections.

    sed -i "s|<subscriptionId>|${subscriptionId}|g" helm-config.yaml
    sed -i "s|<resourceGroupName>|${resourceGroupName}|g" helm-config.yaml
    sed -i "s|<applicationGatewayName>|${applicationGatewayName}|g" helm-config.yaml
    sed -i "s|<identityResourceId>|${identityResourceId}|g" helm-config.yaml
    sed -i "s|<identityClientId>|${identityClientId}|g" helm-config.yaml
    
    # You can further modify the helm config to enable/disable features
    nano helm-config.yaml
    

    Values:

    • verbosityLevel: Sets the verbosity level of the AGIC logging infrastructure. See Logging Levels for possible values.
    • appgw.subscriptionId: The Azure Subscription ID in which the Application Gateway resides. Example: a123b234-a3b4-557d-b2df-a0bc12de1234
    • appgw.resourceGroup: Name of the Azure Resource Group in which the Application Gateway was created. Example: app-gw-resource-group
    • appgw.name: Name of the Application Gateway. Example: applicationgatewayd0f0
    • appgw.shared: This boolean flag should default to false. Set it to true should you need a Shared Application Gateway.
    • kubernetes.watchNamespace: Specify the namespace which AGIC should watch. This can be a single string value or a comma-separated list of namespaces.
    • armAuth.type: can be aadPodIdentity or servicePrincipal
    • armAuth.identityResourceID: Resource ID of the Azure Managed Identity
    • armAuth.identityClientId: The Client ID of the Identity. See below for more information on the Identity.
    • armAuth.secretJSON: Only needed when the Service Principal secret type is chosen (when armAuth.type has been set to servicePrincipal)

    Note

    The identityResourceID and identityClientID values were created during the Deploy Components steps, and can be obtained again using the following command:

    az identity show -g <resource-group> -n <identity-name>
    

    In the command above, <resource-group> is the resource group of your Application Gateway and <identity-name> is the name of the created identity. All identities for a given subscription can be listed using: az identity list

  4. Install the Application Gateway ingress controller package:

    helm install -f helm-config.yaml application-gateway-kubernetes-ingress/ingress-azure
    
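The sed commands in step 3 replace each placeholder unconditionally: a variable that is empty or holds the string null (what jq -r prints for a key missing from deployment-outputs.json) silently yields a helm-config.yaml with a blank or bogus value, and a misspelled placeholder leaves the <...> marker in place. Either mistake surfaces only as an ARM authentication or lookup failure in the AGIC pod logs after step 4. The functions below are an added example, not part of this page or the AGIC project. They perform the same five substitutions, but refuse empty or null values, escape the characters that are special in a sed replacement, require the placeholder to actually be present, and can list whatever placeholders remain on non-comment lines. The function names and the constructed template in the usage comment are assumptions of this example. It runs offline with a POSIX shell, grep, sed and sort.

```shell
# Added example, not from this page or the AGIC project: the same five
# substitutions as the page's sed commands, with the value and placeholder
# checks the page does not make. Needs only a POSIX shell, grep, sed and sort.

# fill_placeholder <file> <placeholderName> <value>
# replaces every <placeholderName> in the file; returns 1 (file untouched) when
# the value is empty or "null" or the placeholder is not present
fill_placeholder() {
    fp_file="$1"; fp_name="$2"; fp_value="$3"
    case "$fp_value" in
        ''|null) echo "no value for <$fp_name>" >&2; return 1 ;;
    esac
    grep -q "<$fp_name>" "$fp_file" || { echo "<$fp_name> not found in $fp_file" >&2; return 1; }
    # '|' is the s||| delimiter below and '&' and '\' are special in a replacement,
    # so prefix each of them with a backslash before substituting
    fp_esc=$(printf '%s' "$fp_value" | sed 's/[&\\|]/\\&/g')
    sed "s|<$fp_name>|$fp_esc|g" "$fp_file" > "$fp_file.tmp" && mv "$fp_file.tmp" "$fp_file"
}

# list_placeholders <file>
# prints the <name> markers still present outside '#' comment lines, one per line;
# empty output means every active placeholder has been filled
list_placeholders() {
    grep -v '^[[:space:]]*#' "$1" | grep -oE '<[A-Za-z][A-Za-z-]*>' | sort -u
}

# render_helm_config <file> <subscriptionId> <resourceGroupName> \
#                    <applicationGatewayName> <identityResourceId> <identityClientId>
# stops at the first bad value so a half-rendered file is never reported as success
render_helm_config() {
    rc_file="$1"
    fill_placeholder "$rc_file" subscriptionId "$2" &&
    fill_placeholder "$rc_file" resourceGroupName "$3" &&
    fill_placeholder "$rc_file" applicationGatewayName "$4" &&
    fill_placeholder "$rc_file" identityResourceId "$5" &&
    fill_placeholder "$rc_file" identityClientId "$6"
}

# Typical use after step 1 of this section, with the variables read from
# deployment-outputs.json (sample file is the one downloaded in step 2):
#   render_helm_config helm-config.yaml "$subscriptionId" "$resourceGroupName" \
#       "$applicationGatewayName" "$identityResourceId" "$identityClientId" || exit 1
#   list_placeholders helm-config.yaml
```

On the sample file from step 2, the listing still reports <aks-api-server-address>, because the deprecated aksClusterConfiguration.apiServerAddress placeholder is not among the five the page substitutes; treat that line as the one deliberate leftover and anything else as a substitution that did not happen.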

Install a Sample App

Now that we have Application Gateway, AKS, and AGIC installed, we can install a sample app:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: aspnetapp
  labels:
    app: aspnetapp
spec:
  containers:
  - image: "mcr.microsoft.com/dotnet/core/samples:aspnetapp"
    name: aspnetapp-image
    ports:
    - containerPort: 80
      protocol: TCP

---

apiVersion: v1
kind: Service
metadata:
  name: aspnetapp
spec:
  selector:
    app: aspnetapp
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80

---

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: aspnetapp
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: aspnetapp
          servicePort: 80
EOF

Alternatively you can:

  • Download the YAML file above:

    curl https://raw.githubusercontent.com/Azure/application-gateway-kubernetes-ingress/master/docs/examples/aspnetapp.yaml -o aspnetapp.yaml

  • Apply the YAML file:

    kubectl apply -f aspnetapp.yaml

Other Examples

This how-to guide contains more examples on how to expose an AKS service to the Internet via HTTP or HTTPS with Application Gateway.