feat: Add NginxIngressController configuration for web application ro…

…uting (#4362)
Azure · Feb 4, 2025 · f836d25 · f836d25
1 parent 244ce5f
commit f836d25
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 14 deletions.
diff --git a/avm/res/container-service/managed-cluster/README.md b/avm/res/container-service/managed-cluster/README.md
@@ -17,7 +17,7 @@ This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.
 | :-- | :-- |
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.ContainerService/managedClusters` | [2024-03-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2024-03-02-preview/managedClusters) |
+| `Microsoft.ContainerService/managedClusters` | [2024-09-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2024-09-02-preview/managedClusters) |
 | `Microsoft.ContainerService/managedClusters/agentPools` | [2024-08-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2024-08-01/managedClusters/agentPools) |
 | `Microsoft.ContainerService/managedClusters/maintenanceConfigurations` | [2023-10-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2023-10-01/managedClusters/maintenanceConfigurations) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
@@ -76,11 +76,11 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
       aadProfileManaged: true
     }
     autoNodeOsUpgradeProfileUpgradeChannel: 'NodeImage'
+    defaultIngressControllerType: 'Internal'
     disableLocalAccounts: true
     enableKeyvaultSecretsProvider: true
     enableSecretRotation: true
     kedaAddon: true
-    kubernetesVersion: '1.28'
     maintenanceConfigurations: [
       {
         maintenanceWindow: {
@@ -153,6 +153,9 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
     "autoNodeOsUpgradeProfileUpgradeChannel": {
       "value": "NodeImage"
     },
+    "defaultIngressControllerType": {
+      "value": "Internal"
+    },
     "disableLocalAccounts": {
       "value": true
     },
@@ -165,9 +168,6 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
     "kedaAddon": {
       "value": true
     },
-    "kubernetesVersion": {
-      "value": "1.28"
-    },
     "maintenanceConfigurations": {
       "value": [
         {
@@ -248,11 +248,11 @@ param aadProfile = {
   aadProfileManaged: true
 }
 param autoNodeOsUpgradeProfileUpgradeChannel = 'NodeImage'
+param defaultIngressControllerType = 'Internal'
 param disableLocalAccounts = true
 param enableKeyvaultSecretsProvider = true
 param enableSecretRotation = true
 param kedaAddon = true
-param kubernetesVersion = '1.28'
 param maintenanceConfigurations = [
   {
     maintenanceWindow: {
@@ -2711,6 +2711,7 @@ param tags = {
 | [`azurePolicyVersion`](#parameter-azurepolicyversion) | string | Specifies the azure policy version to use. |
 | [`backendPoolType`](#parameter-backendpooltype) | string | The type of the managed inbound Load Balancer BackendPool. |
 | [`costAnalysisEnabled`](#parameter-costanalysisenabled) | bool | Specifies whether the cost analysis add-on is enabled or not. If Enabled `enableStorageProfileDiskCSIDriver` is set to true as it is needed. |
+| [`defaultIngressControllerType`](#parameter-defaultingresscontrollertype) | string | Ingress type for the default NginxIngressController custom resource. It will be ignored if `webApplicationRoutingEnabled` is set to `false`. |
 | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
 | [`disableCustomMetrics`](#parameter-disablecustommetrics) | bool | Indicates whether custom metrics collection has to be disabled or not. If not specified the default is false. No custom metrics will be emitted if this field is false but the container insights enabled field is false. |
 | [`disableLocalAccounts`](#parameter-disablelocalaccounts) | bool | If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. |
@@ -3857,6 +3858,22 @@ Specifies whether the cost analysis add-on is enabled or not. If Enabled `enable
 - Type: bool
 - Default: `False`
 
+### Parameter: `defaultIngressControllerType`
+
+Ingress type for the default NginxIngressController custom resource. It will be ignored if `webApplicationRoutingEnabled` is set to `false`.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'AnnotationControlled'
+    'External'
+    'Internal'
+    'None'
+  ]
+  ```
+
 ### Parameter: `diagnosticSettings`
 
 The diagnostic settings of the service.

diff --git a/avm/res/container-service/managed-cluster/main.bicep b/avm/res/container-service/managed-cluster/main.bicep
@@ -170,6 +170,15 @@ param webApplicationRoutingEnabled bool = false
 @description('Optional. Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`.')
 param dnsZoneResourceId string?
 
+@description('Optional. Ingress type for the default NginxIngressController custom resource. It will be ignored if `webApplicationRoutingEnabled` is set to `false`.')
+@allowed([
+  'AnnotationControlled'
+  'External'
+  'Internal'
+  'None'
+])
+param defaultIngressControllerType string?
+
 @description('Optional. Specifies whether assing the DNS zone contributor role to the cluster service principal. It will be ignored if `webApplicationRoutingEnabled` is set to `false` or `dnsZoneResourceId` not provided.')
 param enableDnsZoneContributorRoleAssignment bool = true
 
@@ -533,7 +542,7 @@ resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableT
 // Main Resources //
 // ============== //
 
-resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-03-02-preview' = {
+resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-09-02-preview' = {
   name: name
   location: location
   tags: tags
@@ -622,6 +631,11 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-03-02-p
               any(dnsZoneResourceId)
             ]
           : null
+        nginx: !empty(defaultIngressControllerType)
+          ? {
+              defaultIngressControllerType: any(defaultIngressControllerType)
+            }
+          : null
       }
     }
     addonProfiles: {

diff --git a/avm/res/container-service/managed-cluster/main.json b/avm/res/container-service/managed-cluster/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.32.4.45862",
-      "templateHash": "2212050801048635140"
+      "templateHash": "17979235232913108460"
     },
     "name": "Azure Kubernetes Service (AKS) Managed Clusters",
     "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster."
@@ -1116,6 +1116,19 @@
         "description": "Optional. Specifies the resource ID of connected DNS zone. It will be ignored if `webApplicationRoutingEnabled` is set to `false`."
       }
     },
+    "defaultIngressControllerType": {
+      "type": "string",
+      "nullable": true,
+      "allowedValues": [
+        "AnnotationControlled",
+        "External",
+        "Internal",
+        "None"
+      ],
+      "metadata": {
+        "description": "Optional. Ingress type for the default NginxIngressController custom resource. It will be ignored if `webApplicationRoutingEnabled` is set to `false`."
+      }
+    },
     "enableDnsZoneContributorRoleAssignment": {
       "type": "bool",
       "defaultValue": true,
@@ -1685,7 +1698,7 @@
     },
     "managedCluster": {
       "type": "Microsoft.ContainerService/managedClusters",
-      "apiVersion": "2024-03-02-preview",
+      "apiVersion": "2024-09-02-preview",
       "name": "[parameters('name')]",
       "location": "[parameters('location')]",
       "tags": "[parameters('tags')]",
@@ -1711,7 +1724,8 @@
         "ingressProfile": {
           "webAppRouting": {
             "enabled": "[parameters('webApplicationRoutingEnabled')]",
-            "dnsZoneResourceIds": "[if(not(empty(parameters('dnsZoneResourceId'))), createArray(parameters('dnsZoneResourceId')), null())]"
+            "dnsZoneResourceIds": "[if(not(empty(parameters('dnsZoneResourceId'))), createArray(parameters('dnsZoneResourceId')), null())]",
+            "nginx": "[if(not(empty(parameters('defaultIngressControllerType'))), createObject('defaultIngressControllerType', parameters('defaultIngressControllerType')), null())]"
           }
         },
         "addonProfiles": {
@@ -3029,7 +3043,7 @@
       "metadata": {
         "description": "The principal ID of the system assigned identity."
       },
-      "value": "[tryGet(tryGet(reference('managedCluster', '2024-03-02-preview', 'full'), 'identity'), 'principalId')]"
+      "value": "[tryGet(tryGet(reference('managedCluster', '2024-09-02-preview', 'full'), 'identity'), 'principalId')]"
     },
     "kubeletIdentityClientId": {
       "type": "string",
@@ -3092,7 +3106,7 @@
       "metadata": {
         "description": "The location the resource was deployed into."
       },
-      "value": "[reference('managedCluster', '2024-03-02-preview', 'full').location]"
+      "value": "[reference('managedCluster', '2024-09-02-preview', 'full').location]"
     },
     "oidcIssuerUrl": {
       "type": "string",

diff --git a/avm/res/container-service/managed-cluster/tests/e2e/automatic/main.test.bicep b/avm/res/container-service/managed-cluster/tests/e2e/automatic/main.test.bicep
@@ -50,7 +50,6 @@ module testDeployment '../../../main.bicep' = [
       enableKeyvaultSecretsProvider: true
       enableSecretRotation: true
       kedaAddon: true
-      kubernetesVersion: '1.28'
       aadProfile: {
         aadProfileEnableAzureRBAC: true
         aadProfileManaged: true
@@ -95,6 +94,7 @@ module testDeployment '../../../main.bicep' = [
       skuName: 'Automatic'
       vpaAddon: true
       webApplicationRoutingEnabled: true
+      defaultIngressControllerType: 'Internal'
     }
   }
 ]
diff --git a/avm/res/container-service/managed-cluster/version.json b/avm/res/container-service/managed-cluster/version.json
@@ -1,6 +1,6 @@
 {
   "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-  "version": "0.6",
+  "version": "0.7",
   "pathFilters": [
     "./main.json"
   ]