Tutorial: Enable Application Gateway Ingress Controller add-on for an existing AKS cluster with an existing Application Gateway through Azure CLI (Preview)

You can use Azure CLI to enable the Application Gateway Ingress Controller (AGIC) add-on, which is currently in preview, for your Azure Kubernetes Service (AKS) cluster. In this tutorial, you'll learn how to use the AGIC add-on to expose your Kubernetes application in an existing AKS cluster through an existing Application Gateway deployed in a separate virtual network. You'll start by creating an AKS cluster in one virtual network and an Application Gateway in a separate virtual network to simulate existing resources. You'll then enable the AGIC add-on, peer the two virtual networks together, and deploy a sample application that will be exposed through the Application Gateway using the AGIC add-on. If you're enabling the AGIC add-on for an existing Application Gateway and an existing AKS cluster in the same virtual network, you can skip the peering step below. The add-on provides a much faster way of deploying AGIC for your AKS cluster than the previous Helm-based deployment, and it also offers a fully managed experience.

In this tutorial, you learn how to:

  • Create a resource group
  • Create a new AKS cluster
  • Create a new Application Gateway
  • Enable the AGIC add-on in the existing AKS cluster using the existing Application Gateway
  • Peer the Application Gateway virtual network with the AKS cluster virtual network
  • Deploy a sample application using AGIC for Ingress on the AKS cluster
  • Check that the application is reachable through Application Gateway

If you don't have an Azure subscription, create a trial account before you begin.

If you choose to install and use the CLI locally, this tutorial requires you to run Azure CLI version 2.0.4 or later. To find the version, run az --version. If you need to install or upgrade, see Install Azure CLI.

Register the AKS-IngressApplicationGatewayAddon feature flag using the az feature register command as shown in the following example; you'll only need to do this once per subscription while the add-on is still in preview:

az feature register --name AKS-IngressApplicationGatewayAddon --namespace microsoft.containerservice

It might take a few minutes for the status to show Registered. You can check on the registration status using the az feature list command:

az feature list -o table --query "[?contains(name, 'microsoft.containerservice/AKS-IngressApplicationGatewayAddon')].{Name:name,State:properties.state}"

When ready, refresh the registration of the Microsoft.ContainerService resource provider using the az provider register command:

az provider register --namespace Microsoft.ContainerService

Be sure to install or update the aks-preview extension for this tutorial, using the following Azure CLI commands:

az extension add --name aks-preview
az extension list
az extension update --name aks-preview
az extension list

Create a resource group

In Azure, you allocate related resources to a resource group. Create a resource group by using az group create. The following example creates a resource group named myResourceGroup in the canadacentral location (region).

az group create --name myResourceGroup --location canadacentral

Deploy a new AKS cluster

You'll now deploy a new AKS cluster, to simulate having an existing AKS cluster that you want to enable the AGIC add-on for.

In the following example, you'll deploy a new AKS cluster named myCluster using Azure CNI and managed identities in the resource group you created, myResourceGroup.

az aks create -n myCluster -g myResourceGroup --network-plugin azure --enable-managed-identity 

To configure additional parameters for the az aks create command, see its reference documentation.

Deploy a new Application Gateway

You'll now deploy a new Application Gateway, to simulate having an existing Application Gateway that you want to use to load balance traffic to your AKS cluster, myCluster. The Application Gateway will be named myApplicationGateway, but you first need to create a public IP resource named myPublicIp, a new virtual network called myVnet with address space 11.0.0.0/8, and a subnet called mySubnet with address space 11.1.0.0/16; you then deploy the Application Gateway in mySubnet using myPublicIp.

When using an AKS cluster and an Application Gateway in separate virtual networks, the address spaces of the two virtual networks must not overlap. The default address space that an AKS cluster deploys in is 10.0.0.0/8, so we set the Application Gateway virtual network address prefix to 11.0.0.0/8.

az network public-ip create -n myPublicIp -g myResourceGroup --allocation-method Static --sku Standard
az network vnet create -n myVnet -g myResourceGroup --address-prefix 11.0.0.0/8 --subnet-name mySubnet --subnet-prefix 11.1.0.0/16 
az network application-gateway create -n myApplicationGateway -l canadacentral -g myResourceGroup --sku Standard_v2 --public-ip-address myPublicIp --vnet-name myVnet --subnet mySubnet

Note

The Application Gateway Ingress Controller (AGIC) add-on only supports Application Gateway v2 SKUs (Standard and WAF), not the Application Gateway v1 SKUs.

Enable the AGIC add-on in the existing AKS cluster with the existing Application Gateway

Now you'll enable the AGIC add-on in the AKS cluster you created, myCluster, and configure the add-on to use the existing Application Gateway you created, myApplicationGateway. Make sure you added or updated the aks-preview extension at the beginning of this tutorial.

appgwId=$(az network application-gateway show -n myApplicationGateway -g myResourceGroup -o tsv --query "id") 
az aks enable-addons -n myCluster -g myResourceGroup -a ingress-appgw --appgw-id $appgwId

Peer the two virtual networks together

Since we deployed the AKS cluster in its own virtual network and the Application Gateway in another virtual network, you'll need to peer the two virtual networks together so that traffic can flow from the Application Gateway to the pods in the cluster. Peering the two virtual networks requires running the Azure CLI command twice, to ensure that the connection is bi-directional. The first command creates a peering connection from the Application Gateway virtual network to the AKS virtual network; the second command creates a peering connection in the other direction.
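The non-overlap requirement stated in the Application Gateway section and the peering step above are easy to get wrong when the cluster was not created with the default address space. The following pre-flight check is an added example and is not part of the original tutorial: it computes the integer bounds of two CIDR blocks and refuses to continue when they share any address. The CIDRs hard-coded at the bottom are the tutorial's own values; the `az network vnet show` query in the comment is the real way to read the prefix of an existing network, and the helper names are this example's, not an Azure CLI or AGIC API.

```shell
#!/bin/sh
# Added pre-flight check, not part of the original tutorial: confirm that the
# AKS virtual network and the Application Gateway virtual network have disjoint
# address spaces before creating the peering. The CIDRs used below are the
# tutorial's own (AKS default 10.0.0.0/8, Application Gateway 11.0.0.0/8).

set -eu

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range A.B.C.D/N -> "first last" integer bounds of the block; host bits
# in the given address are masked off, so 10.1.2.3/8 is treated as 10.0.0.0/8
cidr_range() {
  prefix=${1#*/}
  size=$(( 1 << (32 - prefix) ))
  first=$(( $(ip_to_int "${1%/*}") & ~(size - 1) ))
  echo "$first $(( first + size - 1 ))"
}

# cidrs_overlap CIDR1 CIDR2 -> exit 0 if the blocks share any address, 1 if not
cidrs_overlap() {
  set -- $(cidr_range "$1") $(cidr_range "$2")   # $1=a_first $2=a_last $3=b_first $4=b_last
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_peering_cidrs AKS_CIDR APPGW_CIDR -> refuse to proceed when they overlap
check_peering_cidrs() {
  if cidrs_overlap "$1" "$2"; then
    echo "ERROR: AKS address space $1 overlaps Application Gateway address space $2; pick a disjoint prefix before peering" >&2
    return 1
  fi
  echo "OK: $1 and $2 are disjoint; safe to create the peering"
}

# In a real run, read the prefixes from Azure instead of hard-coding them, e.g.
#   az network vnet show -n "$aksVnetName" -g "$nodeResourceGroup" -o tsv --query "addressSpace.addressPrefixes[0]"
check_peering_cidrs 10.0.0.0/8 11.0.0.0/8
```

Run the check with the two prefixes before the `az network vnet peering create` commands; Azure rejects overlapping peerings, but catching it here avoids a half-created peering that then has to be cleaned up.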

nodeResourceGroup=$(az aks show -n myCluster -g myResourceGroup -o tsv --query "nodeResourceGroup")
aksVnetName=$(az network vnet list -g $nodeResourceGroup -o tsv --query "[0].name")

aksVnetId=$(az network vnet show -n $aksVnetName -g $nodeResourceGroup -o tsv --query "id")
az network vnet peering create -n AppGWtoAKSVnetPeering -g myResourceGroup --vnet-name myVnet --remote-vnet $aksVnetId --allow-vnet-access

appGWVnetId=$(az network vnet show -n myVnet -g myResourceGroup -o tsv --query "id")
az network vnet peering create -n AKStoAppGWVnetPeering -g $nodeResourceGroup --vnet-name $aksVnetName --remote-vnet $appGWVnetId --allow-vnet-access

Deploy a sample application using AGIC

You'll now deploy a sample application to the AKS cluster you created; it will use the AGIC add-on for Ingress and connect the Application Gateway to the AKS cluster. First, get credentials for the AKS cluster you deployed by running the az aks get-credentials command.

az aks get-credentials -n myCluster -g myResourceGroup

Once you have the credentials to the cluster you created, run the following command to set up a sample application that uses AGIC for Ingress to the cluster. AGIC will update the Application Gateway you set up earlier with the corresponding routing rules for the new sample application you deployed.

kubectl apply -f https://raw.githubusercontent.com/Azure/application-gateway-kubernetes-ingress/master/docs/examples/aspnetapp.yaml 

Check that the application is reachable

Now that the Application Gateway is set up to serve traffic to the AKS cluster, let's verify that your application is reachable. First, get the IP address of the Ingress.

kubectl get ingress

Check that the sample application you created is up and running, either by visiting the IP address of the Application Gateway that you got from running the above command or by checking with curl. It may take the Application Gateway a minute to pick up the update, so if the Application Gateway is still in an "Updating" state in the portal, let it finish before trying to reach the IP address.

Clean up resources

When no longer needed, remove the resource group, the Application Gateway, and all related resources.
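Because the Ingress has no address until AGIC has finished programming the gateway, a manual check is easy to run too early. The script below is an added example, not part of the original tutorial: it waits for the Ingress to publish an IPv4 address and then polls the application until it answers HTTP 200, with a bounded number of attempts instead of retrying by hand. It assumes kubectl and curl are on PATH, that kubeconfig points at myCluster, and that the Ingress is named aspnetapp as in the tutorial's sample manifest; the RUN_CHECK guard and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): wait for AGIC to program the
# Application Gateway and for the sample app to answer, instead of retrying by
# hand while the gateway is still "Updating". Assumes kubectl and curl are on
# PATH and kubeconfig points at myCluster; the Ingress name aspnetapp comes from
# the tutorial's sample manifest.

set -eu

# is_ipv4 STRING -> 0 if STRING is a dotted-quad IPv4 address, 1 otherwise.
# Rejects the empty or placeholder ADDRESS shown while the Ingress has no IP yet.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# wait_for_ingress_ip NAME [ATTEMPTS] -> prints the Ingress IP once AGIC has
# published it, retrying every 10 s; fails after ATTEMPTS tries (default 30).
wait_for_ingress_ip() {
  name=$1; attempts=${2:-30}
  while [ "$attempts" -gt 0 ]; do
    ip=$(kubectl get ingress "$name" -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null || true)
    if is_ipv4 "$ip"; then echo "$ip"; return 0; fi
    attempts=$((attempts - 1)); sleep 10
  done
  echo "ingress $name has no IP yet; Application Gateway may still be updating" >&2
  return 1
}

# wait_for_http URL [ATTEMPTS] -> 0 once URL returns HTTP 200, 1 on timeout.
wait_for_http() {
  url=$1; attempts=${2:-30}
  while [ "$attempts" -gt 0 ]; do
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$url" || true)
    [ "$code" = 200 ] && return 0
    attempts=$((attempts - 1)); sleep 10
  done
  echo "no HTTP 200 from $url after retries; check the Application Gateway state" >&2
  return 1
}

# Only perform the live check when asked to (RUN_CHECK=1), so the functions can
# also be sourced into another script without side effects.
if [ "${RUN_CHECK:-0}" = 1 ]; then
  ip=$(wait_for_ingress_ip aspnetapp)
  wait_for_http "http://$ip/"
  echo "sample app reachable through Application Gateway at $ip"
fi
```

Invoke it as `RUN_CHECK=1 sh check-ingress.sh` (any file name) after the kubectl apply step; a non-zero exit after the retries means AGIC has not yet published the Ingress address or the gateway is not forwarding, which is the moment to look at the gateway's state in the portal rather than at the application.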

az group delete --name myResourceGroup 

Next steps