How to deploy AGIC via Helm using Workload Identity

NOTE: Application Gateway for Containers has been released, which introduces numerous performance, resilience, and feature changes. Please consider leveraging Application Gateway for Containers for your next deployment.

This guide assumes you already have an Application Gateway. If not, you can create one with the following command:

az network application-gateway create -g myResourceGroup -n myApplicationGateway --sku Standard_v2 --public-ip-address myPublicIP --vnet-name myVnet --subnet mySubnet --priority 100

1. Set environment variables

export RESOURCE_GROUP="myResourceGroup"
export APPLICATION_GATEWAY_NAME="myApplicationGateway"
export USER_ASSIGNED_IDENTITY_NAME="myIdentity"
export FEDERATED_IDENTITY_CREDENTIAL_NAME="myFedIdentity"

2. Create resource group, AKS cluster and identity

az group create --name "${RESOURCE_GROUP}" --location eastus
az aks create -g "${RESOURCE_GROUP}" -n myAKSCluster --node-count 1 --enable-oidc-issuer --enable-workload-identity
az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}"

3. Export the cluster's OIDC issuer URL (oidcIssuerProfile.issuerUrl)

export AKS_OIDC_ISSUER="$(az aks show -n myAKSCluster -g "${RESOURCE_GROUP}" --query "oidcIssuerProfile.issuerUrl" -otsv)"

4. Create federated identity credential

Note: the service account created by the Helm installation is named "ingress-azure", and the following command assumes it is deployed in the "default" namespace. Change the namespace in the subject of the next command if you deploy the AGIC Kubernetes resources in another namespace.

az identity federated-credential create --name "${FEDERATED_IDENTITY_CREDENTIAL_NAME}" --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}" --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:default:ingress-azure

5. Obtain the client ID of the identity created above; it is needed in steps 7 and 8

az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv

6. Export the Application Gateway resource ID

export APP_GW_ID="$(az network application-gateway show --name "${APPLICATION_GATEWAY_NAME}" --resource-group "${RESOURCE_GROUP}" --query 'id' --output tsv)"

7. Add Contributor role for the identity over the Application Gateway

az role assignment create --assignee <identityClientID> --scope "${APP_GW_ID}" --role Contributor

8. In helm-config.yaml, specify the client ID obtained in step 5:

armAuth:
    type: workloadIdentity
    identityClientID: <identityClientID>

9. Get the AKS cluster credentials

az aks get-credentials -g "${RESOURCE_GROUP}" -n myAKSCluster

10. Install the helm chart

helm install ingress-azure \
  -f helm-config.yaml \
  oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure \
  --version 1.7.5
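The most common failure after this procedure is a federated credential whose subject does not match the namespace and service account the AGIC pod actually runs as (see the note in step 4). The following added check, which is not part of the AGIC documentation, compares a federated credential's issuer and subject against the expected values; the JSON sample is constructed in the shape `az identity federated-credential show` prints, and the issuer URL in it is a placeholder.

```shell
# Added check (not AGIC's own code): confirm that a federated credential
# carries the issuer and subject AGIC's service account will present.

# Build the subject a federated credential must carry for a given
# namespace and service account.
expected_subject() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Extract a top-level string field from a flat JSON document (POSIX sed only,
# so no jq dependency). $1 = field name, $2 = JSON text.
json_field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Return 0 when issuer and subject both match, 1 otherwise, reporting each
# mismatch on stderr so the wrong field is obvious.
# $1 = JSON from `az identity federated-credential show`
# $2 = expected OIDC issuer URL, $3 = namespace, $4 = service account
check_federated_credential() {
  got_issuer=$(json_field issuer "$1")
  got_subject=$(json_field subject "$1")
  want_subject=$(expected_subject "$3" "$4")
  rc=0
  if [ "$got_issuer" != "$2" ]; then
    echo "issuer mismatch: got '$got_issuer', want '$2'" >&2; rc=1
  fi
  if [ "$got_subject" != "$want_subject" ]; then
    echo "subject mismatch: got '$got_subject', want '$want_subject'" >&2; rc=1
  fi
  return $rc
}

# Constructed sample: a credential created for the default namespace as in
# step 4. The issuer URL is a placeholder, not a real cluster's issuer.
SAMPLE_ISSUER='https://eastus.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/11111111-1111-1111-1111-111111111111/'
SAMPLE_CRED='{"audiences": ["api://AzureADTokenExchange"], "issuer": "'"$SAMPLE_ISSUER"'", "name": "myFedIdentity", "subject": "system:serviceaccount:default:ingress-azure"}'

# Against a real deployment, replace the sample with the live credential:
# check_federated_credential "$(az identity federated-credential show \
#   --name "$FEDERATED_IDENTITY_CREDENTIAL_NAME" \
#   --identity-name "$USER_ASSIGNED_IDENTITY_NAME" \
#   --resource-group "$RESOURCE_GROUP" -o json)" "$AKS_OIDC_ISSUER" default ingress-azure
```

Running the check with the namespace you actually used for `helm install` (for example `agic` instead of `default`) reports the subject mismatch before the pod ever attempts a token exchange.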