application-gateway-kubernetes-ingress
AGIC with Linkerd service mesh
Currently, I'm working on a project that uses nginx-ingress in an AKS cluster (in-cluster ingress), and I have read in some articles and news that on the Azure Cloud platform we can use AGIC to improve the performance of the application (Application Gateway vs. in-cluster ingress).
When I worked with nginx-ingress, to make it work correctly with Linkerd I needed to inject the Linkerd sidecar into it. I needed to configure some YAML on the ingress, as below:
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/configuration-snippet: |
        proxy_set_header l5d-dst-override $service_name.$namespace.svc.cluster.local:$service_port;
        grpc_set_header l5d-dst-override $service_name.$namespace.svc.cluster.local:$service_port;
But when I searched around in this repo, I didn't find anything describing how I can make AGIC work well with Linkerd (with or without configuration).
My question is: does AGIC work well with Linkerd without needing to configure anything on the ingress, or do I need to do something?
Please help point out where I can find guidance on injecting Linkerd into AGIC. Thank you very much.
Hi @thangchung, AGIC’s Greenfield Deployment will work with the vanilla Linkerd demo app out of the box. App Gateway will be configured by AGIC and will send HTTP traffic to Linkerd2 injected proxies.
I did not have to use l5d-override-dst header to get it to run. If your use case requires l5d-override-dst - I'm afraid we won't be able to support that just yet. AGIC does not yet have an annotation applying header rewrites. (Application Gateway allows you to apply header rewrites but AGIC will overwrite the link between the Rewrite and the Routing Rule, so if you apply it via Azure Portal it will only last until the next time AGIC updates App Gwy config).
I should make you aware of a few limitations we have – traffic from App Gateway to Linkerd pods cannot be mTLS encrypted. (We don't yet support mTLS with a custom CA). So from App Gateway to Linkerd pods -- only http or https would work (no gRPC yet either).
Please keep us posted on your findings or details of the specific scenario you have so we can help further!
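An added example, not part of the thread or the AGIC project: a small Python audit that finds Ingress objects relying on the nginx `configuration-snippet` annotation to set `l5d-dst-override`, which per the reply above has no AGIC annotation equivalent yet, and flags those using `grpc_set_header`, since gRPC from App Gateway to Linkerd pods is not supported. The function name `audit_ingresses` and the sample manifests are constructed; input is assumed to have the shape of `kubectl get ingress -A -o json`.

```python
import re

SNIPPET_KEY = "nginx.ingress.kubernetes.io/configuration-snippet"
CLASS_KEY = "kubernetes.io/ingress.class"
# One match per proxy_set_header / grpc_set_header line that sets the Linkerd override header.
OVERRIDE_RE = re.compile(
    r"^\s*(proxy|grpc)_set_header\s+l5d-dst-override\s+(\S+?);?\s*$", re.M | re.I
)

def audit_ingresses(ingress_list):
    """Return one finding per Ingress whose nginx snippet sets l5d-dst-override."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        ann = meta.get("annotations") or {}
        directives = [(m.group(1).lower(), m.group(2))
                      for m in OVERRIDE_RE.finditer(ann.get(SNIPPET_KEY, ""))]
        if not directives:
            continue  # nothing nginx-specific to carry over for Linkerd
        findings.append({
            "ingress": f'{meta.get("namespace", "default")}/{meta.get("name")}',
            "class": ann.get(CLASS_KEY),
            # gRPC from App Gateway to Linkerd pods is listed as unsupported in the thread
            "uses_grpc": any(kind == "grpc" for kind, _ in directives),
            "targets": sorted({target for _, target in directives}),
        })
    return findings

# Constructed sample input: one nginx Ingress with the snippet, one AGIC Ingress without.
SAMPLE = {"items": [
    {"metadata": {"name": "web", "namespace": "shop", "annotations": {
        CLASS_KEY: "nginx",
        SNIPPET_KEY: (
            "proxy_set_header l5d-dst-override "
            "$service_name.$namespace.svc.cluster.local:$service_port;\n"
            "grpc_set_header l5d-dst-override "
            "$service_name.$namespace.svc.cluster.local:$service_port;\n"),
    }}},
    {"metadata": {"name": "api", "namespace": "shop", "annotations": {
        CLASS_KEY: "azure/application-gateway",
    }}},
]}

if __name__ == "__main__":
    for f in audit_ingresses(SAMPLE):
        note = " (also sets the header for gRPC)" if f["uses_grpc"] else ""
        print(f'{f["ingress"]}: l5d-dst-override -> {", ".join(f["targets"])}{note}')
```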
@draychev Do you have an example of using HTTPS from the App Gateway to the pod?
Hi @debugaftercoffee, you can refer to this doc from another customer
@draychev any ETA on mTLS support?
@mozts2005 - mTLS to the backend support is on our (AppGW + AGIC) backlog, but currently no ETA.
With OSM not being recommended together with AGIC, is it safe to assume the same can be said about using AGIC together with Linkerd? If not, is there a possibility for an update on this? Even if it's just a recommendation for using something else, that will also be fine.
Can we get a detailed approach/tutorial to integrate Linkerd Service Mesh with Application Gateway? We had success with Linkerd Service Mesh via NGINX Ingress, but our architecture demands Application Gateway in place with a WAF policy enabled. Also, kindly suggest a way to integrate Azure Front Door with NGINX Ingress and Linkerd.