application-gateway-kubernetes-ingress
application-gateway-kubernetes-ingress copied to clipboard
Azure
Please Add Support for networking.k8s.io/v1
Ingress and IngressClass types in the extensions/v1beta1 and networking.k8s.io/v1beta1 API versions are deprecated and will no longer be served in 1.22+. Persisted objects can be accessed via the networking.k8s.io/v1 API.
Above is from the k8s change log, please can support be added to this library as we do not want to upgrade to k8s 1.19.* until this lib can support these changes that have come in.
Thanks
Alex
Ingress annotation kubernetes.io/ingress.class should now be considered formally deprecated and we need support for IngressClass resource and ingressClassName, pathType Ingress resource specs added in Kubernetes 1.18 as the following example:
IngressClass
apiVersion: networking.k8s.io/v1beta1
kind: IngressClass
metadata:
name: azure-application-gateway
spec:
controller: azure/application-gateway
Ingress
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: my-ingress
annotations:
appgw.ingress.kubernetes.io/backend-path-prefix: "/"
spec:
ingressClassName: azure-application-gateway
tls:
- hosts:
- bar.foo.com
secretName: tls-secret
rules:
- host: bar.foo.com
http:
paths:
- path: /api
pathType: Prefix
backend:
serviceName: bar-foo-service
servicePort: 80
@mateustanaka you are right. AGIC 1.4.0 can't work without deprecated annotation (based on my testing), however, AGIC works fine with networking.k8s.io/v1 Ingress api : service.port.name , service.port.number and other new fields.
...
rules:
- host: hostname
http:
paths:
- path: /api/*
pathType: Prefix
backend:
service:
name: service-api
port:
number: 443
...
Indeed @rlevchenko i believe the missing attribute for AGIC to properly interpret this new spec is the proper handling of the path depending on pathType. AGIC will not properly interpret the pathType attribute of the ingress definition as per networking.k8s.io api and one would need to always provide the path as it should appear in the AppGW routing rule. In order to comply with the new specification
rules:
- host: hostname
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: service-api
port:
number: 443
Should register /api/* as the path in the routing rule and
rules:
- host: hostname
http:
paths:
- path: /api
pathType: Exact
backend:
service:
name: service-api
port:
number: 443
should register /path
Does this work today.. If not how should we handle a slash with AGIC. I want the same result for /api/user/ as I would get for /api/user (no slash in this case). Right now it seems like I need to have 2 rules? is there a better way to do this?
Any plans on fixing this ?
cert-manager 1.5.4 http01 challenge does not work anymore
@skoop22 We are planning to include support for networking.k8s.io/v1 in the 1.5.0 release. We have released 1.5.0-rc1 which contains some changes to support networking.k8s.io/v1 so feel free to test that out in the meantime before we release 1.5.0.
cert-manager 1.5.4 http01 challenge does not work anymore
I can verify that in cert-manager v1.5.4 the temporary Ingress that cert-manager creates by default to solve http-01 challenges is now created with ingress class specified via spec.ingressClassName field not the kubernetes.io/ingress.class annotation.
@skoop22 We are planning to include support for networking.k8s.io/v1 in the 1.5.0 release. We have released 1.5.0-rc1 which contains some changes to support networking.k8s.io/v1 so feel free to test that out in the meantime before we release 1.5.0.
Hi @mscatyao, it seems that v1.5.0 didn't include a fix for this issue! Do you confirm?
Any update on this? Just tried AKS 1.24, enabled AGIC (got 1.5.0-rc1 - #1336) - creating ingress with spec.ingressClassName = azure-application-gateway (becuase using old annotation is not supported in this k8s version) doesn't work - ingress is deployed, external IP is not assigned and traffic is not forwarded.
Can't find any official info on how to use this - all examples are still using old deprecated/removed api (#1292).
I think the AGIC is almost there.
I created an example using AGIC 1.5.1 with cert-manager 1.7.1.
The first ingress was:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging-application-gateway
name: httpbin
namespace: httpbin
spec:
ingressClassName: azure-application-gateway
rules:
- host: wasp-sbx-eus2-ingress.eastus2.cloudapp.azure.com
http:
paths:
- backend:
service:
name: httpbin
port:
number: 80
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- wasp-sbx-eus2-ingress.eastus2.cloudapp.azure.com
secretName: httpbin-tls-ingress-certificate
Then, the Ingress was correctly configured in AGIC:
NAME CLASS HOSTS ADDRESS PORTS AGE
cm-acme-http-solver-jxdtf <none> wasp-sbx-eus2-ingress.eastus2.cloudapp.azure.com 80 14m
httpbin azure-application-gateway wasp-sbx-eus2-ingress.eastus2.cloudapp.azure.com 20.96.144.115 80, 443 14m
Note that the solver was created with Deprecated Annotation instead of new ingressClassName:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: azure-application-gateway
nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0,::/0
labels:
acme.cert-manager.io/http-domain: "3005420016"
acme.cert-manager.io/http-token: "1199771439"
acme.cert-manager.io/http01-solver: "true"
name: cm-acme-http-solver-jxdtf
namespace: httpbin
spec:
rules:
- host: wasp-sbx-eus2-ingress.eastus2.cloudapp.azure.com
http:
paths:
- backend:
service:
name: cm-acme-http-solver-xlbtv
port:
number: 8089
path: /.well-known/acme-challenge/L1kdWvsZCRCNLToxPWfWDFX9rbyVYl_r-9cpJOlzMsk
pathType: ImplementationSpecific
Maybe now it could be a cert-manager issue since I think cert-manager created the second Solver Ingress.
@smsilva is this the only part that needs to be updated to complete the upgrade?
Is this issue complete?
https://azure.github.io/application-gateway-kubernetes-ingress/ingress-v1/
Note: Ingress/V1 is fully supported with AGIC >= 1.5.1
