Provisioning Public IPs for Azure Kubernetes Service Ingress Controllers

Question

Pulumi · Accepted Answer

To provision public IP addresses for Azure Kubernetes Service (AKS) Ingress controllers, you can use Pulumi's `azure-native` package to create `PublicIPAddresses` and associate them with the Ingress controller's services.

Here's how you would approach this with Pulumi and Azure:

1. **Create a Public IP Address**: Use the `azure-native.network.PublicIPAddress` resource to create a public IP address. You'll need to provide details like the IP address SKU (Standard or Basic), location, resource group name, and any other desired settings.

2. **Associate with AKS Ingress**: Once you have the public IP address, you can use Kubernetes Ingress resources to expose your AKS services to the internet. The Ingress resource will need to reference the created Public IP Address. Pulumi doesn't directly bind the IP address to the Ingress controller; instead, services of type `LoadBalancer` in Kubernetes will involve an Azure Load Balancer that can be associated with a public IP.

Below is the Pulumi program written in Python that accomplishes this task. The program first creates a public IP address and then sets up a placeholder example of how you would create an Ingress to make use of that IP.

```python
import pulumi
import pulumi_azure_native as azure_native
import pulumi_kubernetes as kubernetes

# Replace these variables with appropriate values
resource_group_name = "myResourceGroup"
location = "westus"
public_ip_name = "myPublicIP"
aks_cluster_name = "myAksCluster"
aks_kubeconfig = "my-kubeconfig-contents"

# Create an Azure Resource Group
resource_group = azure_native.resources.ResourceGroup("resource_group",
                                                      resource_group_name=resource_group_name)

# Provision a Public IP address
public_ip = azure_native.network.PublicIPAddress("public_ip",
                                                 resource_group_name=resource_group.name,
                                                 location=location,
                                                 public_ip_allocation_method=azure_native.network.IPAllocationMethod.DYNAMIC,
                                                 sku=azure_native.network.PublicIPAddressSkuArgs(
                                                     name=azure_native.network.PublicIPAddressSkuName.STANDARD
                                                 ))

# Setup a Kubernetes provider to interact with AKS
k8s_provider = kubernetes.Provider("k8s_provider",
                                   kubeconfig=aks_kubeconfig)

# Use the public IP in an Ingress resource. This is a placeholder and should be modified
# according to your Ingress Controller setup in AKS and your application requirements.
ingress = kubernetes.networking.v1.Ingress(
    "ingress",
    metadata=kubernetes.meta.v1.ObjectMetaArgs(
        name="example-ingress",
        annotations={
            "kubernetes.io/ingress.class": "nginx",
            # Replace 'PUBLIC-IP-ADDRESS' with the public IP allocated by Azure
            "nginx.ingress.kubernetes.io/whitelist-source-range": "PUBLIC-IP-ADDRESS/32"
        }
    ),
    spec=kubernetes.networking.v1.IngressSpecArgs(
        rules=[
            kubernetes.networking.v1.IngressRuleArgs(
                host="example.com",
                http=kubernetes.networking.v1.HTTPIngressRuleValueArgs(
                    paths=[
                        kubernetes.networking.v1.HTTPIngressPathArgs(
                            path="/",
                            path_type="Prefix",
                            backend=kubernetes.networking.v1.IngressBackendArgs(
                                service=kubernetes.networking.v1.IngressServiceBackendArgs(
                                    name="example-service",
                                    port=kubernetes.networking.v1.ServiceBackendPortArgs(number=80)
                                )
                            )
                        )
                    ]
                )
            )
        ]
    ),
    opts=pulumi.ResourceOptions(provider=k8s_provider)
)

# Export the Public IP address
pulumi.export("public_ip_address", public_ip.ip_address)
```

This program does the following:

- **Resource Group**: A container that holds related resources for an Azure solution.
- **Public IP Address**: Represents the address that will be exposed to the internet to access the services running on the AKS cluster.
- **Kubernetes Provider**: Specifies the connection to the AKS cluster using its kubeconfig.
- **Ingress Resource**: A Kubernetes resource that manages external access to services in a cluster, typically HTTP.

When using the Ingress with annotations referencing the public IP, replace `'PUBLIC-IP-ADDRESS'` with the actual IP address value allocated by Azure once the public IP is available.

Ensure you have the required permissions and configurations set on your Azure account to create these resources. Also, ensure that the AKS cluster and the Kubernetes provider are properly configured. The `aks_kubeconfig` is assumed to be the kubeconfig file content for the AKS, which allows Pulumi to authenticate against your Kubernetes cluster.

Keep in mind that the specifics of how the Ingress controller uses the public IP may vary depending on the Ingress controller you are using (e.g., nginx, traefik, etc.), and you might need to adjust annotations and configurations accordingly.