5

I created a new cluster, created an application gateway and then installed AGIC per the tutorial. I then configured the ingress controller with the following config:

# This file contains the essential configs for the ingress controller helm chart

# Verbosity level of the App Gateway Ingress Controller
verbosityLevel: 3

################################################################################
# Specify which application gateway the ingress controller will manage
#
appgw:
    subscriptionId: <<subscriptionid>>
    resourceGroup: experimental-cluster-rg
    name: experimental-cluster-ag
    usePrivateIP: false

    # Setting appgw.shared to "true" will create an AzureIngressProhibitedTarget CRD.
    # This prohibits AGIC from applying config for any host/path.
    # Use "kubectl get AzureIngressProhibitedTargets" to view and change this.
    shared: false

################################################################################
# Specify which kubernetes namespace the ingress controller will watch
# Default value is "default"
# Leaving this variable out or setting it to blank or empty string would
# result in Ingress Controller observing all accessible namespaces.
#
# kubernetes:
#   watchNamespace: <namespace>

################################################################################
# Specify the authentication with Azure Resource Manager
#
# Two authentication methods are available:
# - Option 1: AAD-Pod-Identity (https://github.com/Azure/aad-pod-identity)
# armAuth:
#     type: aadPodIdentity
#     identityResourceID: <identityResourceId>
##     identityClientID:  <identityClientId>

## Alternatively you can use Service Principal credentials
armAuth:
    type: servicePrincipal
    secretJSON: <<hash>>

################################################################################
# Specify if the cluster is RBAC enabled or not
rbac:
    enabled: true

When I deploy the application and check the gateway, it appears to be updating the gateway through the ingress controller by creating its own settings. The problem seems to be that the application never gets exposed. I checked the health probe and it stated it was unhealthy due to 404 status. I was unable to access the application directly by IP. I get a 404 or 502 depending on how I try to access the application.

I tried deploying both an nginx and agic ingress and the nginx seems to work fine:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: aks-seed-ingress-main
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    # appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    - hosts:
      - agic-cluster.company.com
      - frontend.<ip0>.nip.io
      secretName: zigzypfxtls
  rules:
  - host: agic-cluster.company.com
    http:
      paths:
      - backend:
          serviceName: aks-seed
          servicePort: 80
        path: /
  - host: frontend.<ip0>.nip.io
    http:
      paths:
      - backend:
          serviceName: aks-seed
          servicePort: 80
        path: /
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: aks-seed-ingress-nginx
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
    - hosts:
      - frontend.<ip>.nip.io
  rules:
  - host: frontend.<ip>.nip.io
    http:
      paths:
      - backend:
          serviceName: aks-seed # Modify
          servicePort: 80
        path: /

I am unsure what I am missing. I followed the tutorials as best I could and the agic controller and application gateway appear to be communicating. However the application is inaccessible on the agic controller but accessible on the nginx controller. I only installed the nginx controller afterwards to ensure there was no issue with the application itself.

3 Answers

2

Check the health probes. When the health probes in the ingress controller are not within the accepted default return code range of 200-399, they will prevent you from accessing the app. Within the Ingress controller YAML (this is important), either change the path from '/' to a proper health endpoint within the health probe, or update the accepted range of return codes to 200-500 (for testing purposes).

Example YAML with health probes:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/use-private-ip: "false"
    cert-manager.io/cluster-issuer: letsencrypt
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    appgw.ingress.kubernetes.io/health-probe-path: "/"
    appgw.ingress.kubernetes.io/health-probe-status-codes: "200-500"
spec:
  tls:
  - hosts:
    - dev.mysite.com
    secretName: secret
  rules:
  - host: dev.mysite.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: srv-mysite
            port:
              number: 80
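
An added example, not part of the answer above: a small audit that finds AGIC Ingresses still carrying a widened probe range such as the "200-500" test setting, which makes a backend that answers 404 or 500 count as healthy. The function names and the sample JSON are constructed for illustration; it assumes the annotation value is a comma-separated list of codes or ranges and that Ingresses are selected by the `kubernetes.io/ingress.class` annotation used on this page.

```python
import json

ANNOTATION = "appgw.ingress.kubernetes.io/health-probe-status-codes"
CLASS_KEY = "kubernetes.io/ingress.class"
DEFAULT_RANGE = "200-399"  # default accepted range, per the answer above


def parse_status_codes(value):
    """Parse '200-399' or '200-399, 401' into a list of (low, high) tuples."""
    ranges = []
    for part in value.split(","):
        low, _, high = part.strip().partition("-")
        low, high = int(low), int(high or low)  # a single code is a 1-wide range
        if not (100 <= low <= high <= 599):
            raise ValueError(f"invalid status range: {part!r}")
        ranges.append((low, high))
    return ranges


def is_healthy(status, ranges):
    """True if a probe response status falls inside any accepted range."""
    return any(low <= status <= high for low, high in ranges)


def audit_ingresses(ingress_list):
    """Return (namespace/name, value) for AGIC Ingresses accepting 4xx/5xx."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if annotations.get(CLASS_KEY) != "azure/application-gateway":
            continue  # other controllers ignore the appgw annotations
        value = annotations.get(ANNOTATION, DEFAULT_RANGE)
        if any(high >= 400 for _, high in parse_status_codes(value)):
            name = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
            findings.append((name, value))
    return findings


# Constructed sample in the shape of `kubectl get ingress -A -o json`.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "dev", "name": "ingress", "annotations": {"kubernetes.io/ingress.class": "azure/application-gateway", "appgw.ingress.kubernetes.io/health-probe-status-codes": "200-500"}}},
 {"metadata": {"namespace": "default", "name": "aks-seed-ingress-main", "annotations": {"kubernetes.io/ingress.class": "azure/application-gateway"}}},
 {"metadata": {"namespace": "default", "name": "aks-seed-ingress-nginx", "annotations": {"kubernetes.io/ingress.class": "nginx", "appgw.ingress.kubernetes.io/health-probe-status-codes": "200-599"}}}
]}""")

if __name__ == "__main__":
    print(audit_ingresses(SAMPLE))
```

Against a live cluster, feed it the parsed output of `kubectl get ingress -A -o json` instead of `SAMPLE`.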

1

I am facing the same issue. I followed the article below and deployed the resources:

https://learn.microsoft.com/en-us/azure/developer/terraform/create-k8s-cluster-with-aks-applicationgateway-ingress

The Azure ingress never came up to the Ready state:

NAME                                                              READY   STATUS    RESTARTS   AGE
aspnetapp                                                         1/1     Running   0          25h
ingress-azure-1616064464-6694ff48f8-pptnp                         0/1     Running   0          72s

$ helm list
NAME                            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                           APP VERSION
ingress-azure-1616064464        default         1               2021-03-18 06:47:45.959459087 -0400 EDT deployed        ingress-azure-1.4.0             1.4.0
myrelease                       default         1               2021-03-18 05:45:12.419235356 -0400 EDT deployed        nginx-ingress-controller-7.4.10 0.44.0

From describe pod I see the message below:

$ kubectl describe pod ingress-azure-1616064464-6694ff48f8-pptnp
Name:         ingress-azure-1616064464-6694ff48f8-pptnp
Namespace:    default

  Warning  Unhealthy  4s (x8 over 74s)  kubelet            Readiness probe failed: Get http://15.0.0.68:8123/health/ready: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
$ kubectl get ingress
NAME                            CLASS    HOSTS              ADDRESS         PORTS   AGE
aspnetapp                       <none>   *                                  80      10s
cafe-ingress-with-annotations   <none>   cafe.example.com   20.XX.XX.XX   80      63m

0

Please check the permissions assigned to the identity. You might be missing the Managed Identity Operator assignment; please check it.
