
AzureIngressProhibitedTarget to support Wildcards and Regular Expressions

Open stevensoave opened this issue 2 years ago • 5 comments

Is your feature request related to a problem? Please describe.

We want to use multiple AKS clusters, which would use a Shared Application Gateway setup. When I say multiple, I mean 20 or more AKS clusters. Each of these clusters exposes 20 or more ingress hostnames.

Using the current AzureIngressProhibitedTarget does not scale well and would be near impossible to manage in fluid, ever-changing environments. Specifically, adding each other AKS cluster's ingress hostnames to the other AKS AGIC AzureIngressProhibitedTarget is currently unmanageable. Also, it would be very hard to manage if other teams added an ingress hostname and the other AGICs were not aware of it via the AzureIngressProhibitedTarget. The added listener and configuration would be deleted from the Shared Application Gateway, as per current design.

Describe the solution you'd like

Allow the AzureIngressProhibitedTarget to support wildcards and regular expressions, e.g. *.sub.domain.com or *.domain.com

stevensoave, Nov 15 '21 15:11

Hello,

I'd like to give a huge +1 here.

Azure App Gw with its AGIC is such a powerful setup. But that prohibited target implementation makes it really uncomfortable.

My customer is building a very similar setup like @stevensoave. Currently we do need to build a complex workaround setup - which is not very attractive at all.

jakobyte1024, Nov 16 '21 12:11

@jakobyte1024 agree. It could be great, the AzureIngressProhibitedTargets is just making it unusable at this scale.

What type of workaround do you have going at the moment? I would just be worried that one misconfiguration could see a lot of Listeners, Rules etc. disappear. I wouldn't want to be on the receiving end of that ;-)

stevensoave, Nov 16 '21 15:11

@stevensoave currently thinking of a pipeline or sync-tool that creates ProhibitedTargets on each listed cluster. Twitter answered with https://twitter.com/jakobyte1024/status/1458731148264226820?s=20

jakobyte1024, Nov 17 '21 12:11

@stevensoave As a word of warning, please make sure to read the limitations of AppGW for such a massive scale setup. We have just been trapped by this and thus needed to change our architecture. I'm not sure if it applies here as well, but if I read 20 clusters with each of them exposing 20 or more ingresses, that may well result in #cluster x #ingress backend-pools using AGIC, which are currently hard-limited to 100.

alxy, Nov 28 '21 17:11
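
The sync-tool workaround and the backend-pool limit raised in the comments above, sketched as an added example (not code from the AGIC project or from any commenter). The inventory, hostnames and function names are constructed; the manifest fields follow the AGIC CRD (`appgw.ingress.k8s.io/v1`, `spec.hostname`), which this page does not show, and the one-pool-per-ingress estimate is an assumption taken from the comment above.

```python
import json

# Constructed inventory (assumption): cluster name -> ingress hostnames it owns.
INVENTORY = {
    "aks-01": ["shop.example.test", "api.example.test"],
    "aks-02": ["blog.example.test"],
    "aks-03": ["admin.example.test"],
}
BACKEND_POOL_LIMIT = 100  # hard limit quoted in the thread


def find_conflicts(inventory):
    """Hostnames claimed by more than one cluster, as {hostname: [clusters]}."""
    owners = {}
    for cluster, hosts in inventory.items():
        for host in hosts:
            owners.setdefault(host.lower(), []).append(cluster)
    return {h: sorted(c) for h, c in owners.items() if len(c) > 1}


def prohibited_targets(inventory, cluster):
    """Manifests telling this cluster's AGIC to leave other clusters' hostnames alone."""
    foreign = sorted({h.lower() for c, hosts in inventory.items()
                      if c != cluster for h in hosts})
    return [{"apiVersion": "appgw.ingress.k8s.io/v1",
             "kind": "AzureIngressProhibitedTarget",
             "metadata": {"name": "prohibit-" + host.replace(".", "-")},
             "spec": {"hostname": host}} for host in foreign]


def plan(inventory):
    """Fail closed on ambiguous ownership or pool-limit overrun, then build
    one manifest list per cluster."""
    conflicts = find_conflicts(inventory)
    if conflicts:
        raise ValueError(f"hostname owned by several clusters: {conflicts}")
    # Assumption: one backend pool per ingress hostname (#cluster x #ingress).
    pools = sum(len(hosts) for hosts in inventory.values())
    if pools > BACKEND_POOL_LIMIT:
        raise ValueError(f"{pools} backend pools exceed limit {BACKEND_POOL_LIMIT}")
    return {c: prohibited_targets(inventory, c) for c in inventory}


if __name__ == "__main__":
    for cluster, items in plan(INVENTORY).items():
        doc = {"apiVersion": "v1", "kind": "List", "items": items}
        print(f"# apply to {cluster}\n{json.dumps(doc, indent=2)}")
```

Refusing to emit anything when two clusters claim the same hostname keeps one cluster's AGIC from being told to ignore a listener it actually owns.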

Support for wildcards (or better said, for quoted strings in hostname parameters) has been added here to main:

https://github.com/Azure/application-gateway-kubernetes-ingress/issues/1548

Unfortunately not part of any release.

pkerspe, Jan 30 '24 06:01