Azure / application-gateway-kubernetes-ingress

This is an ingress controller that can be run on Azure Kubernetes Service (AKS) to allow an Azure Application Gateway to act as the ingress for an AKS cluster.
https://azure.github.io/application-gateway-kubernetes-ingress
MIT License

Make shared app gateways extensible by introducing an `AzureIngressReservedTarget` CRD to replace `AzureIngressProhibitedTarget` #1542

Open karlschriek opened 1 year ago

karlschriek commented 1 year ago

Is your feature request related to a problem? Please describe.

The AzureIngressProhibitedTarget in theory exists in order to enable the AGIC to work on a shared app gateway. While this works well enough for the example given in the official docs it isn't an extensible solution at all. If I am only ever going to have a "prod" and a "staging" target (as in the example) and one of them is going to be manually configured in the app gateway, while the other will be managed by the AGIC, then sure, a single AzureIngressProhibitedTarget resource stating that the "staging" target should not be managed by the AGIC instance is good enough. But if you generalise this approach to for example multiple clusters - each running their own AGIC instance - then each of those instances must be explicitly told not to try to manage the configurations that the others are responsible for. I.e. it must have full information of deployments that exist completely outside of its own scope.

My expectation of a "shared" app gateway would be that I am instead able to reserve certain targets for a specific AGIC instance, without needing to know which targets are reserved elsewhere.

Describe the solution you'd like

I would like to see an AzureIngressAllowedTarget (or AzureIngressReservedTarget might be a better name) CRD instead of the AzureIngressProhibitedTarget resource we currently have. I would couple this with making all other targets prohibited by default. An AGIC instance must then declare which target(s) it wants to allow / reserve for its use and not need to know which other targets are in use. If it attempts to reserve a target that is already reserved by another AGIC instance, the attempt fails.
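The reservation semantics proposed above (default deny, each AGIC instance declares only its own targets, overlapping reservations rejected) modelled as an added example; this is not code from the AGIC project, and `AzureIngressReservedTarget` and its `spec.instance` field are assumptions taken from the proposal, while the `hostname`/`paths` spec shape mirrors the existing `AzureIngressProhibitedTarget` CRD. `prohibited_allows` is included for contrast: it reproduces the default-allow behaviour the comment describes, where an instance manages anything it was not explicitly told about.

```python
from dataclasses import dataclass


class ReservationConflict(Exception):
    """Raised when an instance tries to reserve a target another instance already holds."""


@dataclass(frozen=True)
class Target:
    hostname: str  # exact host, or "*" for any host
    path: str      # exact path, or a prefix ending in "*" (e.g. "/api/*")

    def _prefix(self) -> str:
        return self.path[:-1] if self.path.endswith("*") else self.path

    def covers(self, other: "Target") -> bool:
        """True if every request matching `other` also matches `self`."""
        if self.hostname != "*" and self.hostname != other.hostname:
            return False
        if self.path.endswith("*"):
            return other._prefix().startswith(self._prefix())
        return other.path == self.path

    def overlaps(self, other: "Target") -> bool:
        return self.covers(other) or other.covers(self)


class ReservationRegistry:
    """Proposed model: targets are prohibited unless an instance has reserved them."""

    def __init__(self) -> None:
        self._owners: dict[Target, str] = {}

    def reserve(self, instance: str, target: Target) -> None:
        # A reservation fails if it overlaps one held by a different instance.
        for held, owner in self._owners.items():
            if owner != instance and held.overlaps(target):
                raise ReservationConflict(
                    f"{instance} cannot reserve {target}: held by {owner} as {held}")
        self._owners[target] = instance

    def may_manage(self, instance: str, target: Target) -> bool:
        # Default deny: only targets covered by this instance's own reservations.
        return any(owner == instance and held.covers(target)
                   for held, owner in self._owners.items())


def prohibited_allows(prohibited: list[Target], target: Target) -> bool:
    """Current semantics for contrast: manage everything except the listed targets
    (default allow), so an unlisted target owned elsewhere is still touched."""
    return not any(p.covers(target) for p in prohibited)


# Constructed manifests in the shape the proposal implies (kind and
# spec.instance are hypothetical; hostname/paths follow the existing CRD).
SAMPLE_MANIFESTS = [
    {"apiVersion": "appgw.ingress.k8s.io/v1", "kind": "AzureIngressReservedTarget",
     "metadata": {"name": "prod-reservation"},
     "spec": {"instance": "agic-cluster-a", "hostname": "prod.example.com", "paths": ["/*"]}},
    {"apiVersion": "appgw.ingress.k8s.io/v1", "kind": "AzureIngressReservedTarget",
     "metadata": {"name": "staging-reservation"},
     "spec": {"instance": "agic-cluster-b", "hostname": "staging.example.com", "paths": ["/*"]}},
]


def reservations_from_manifests(manifests: list[dict]) -> list[tuple[str, Target]]:
    """Flatten manifest dicts into (instance, Target) pairs."""
    out = []
    for m in manifests:
        spec = m["spec"]
        for path in spec.get("paths", ["/*"]):
            out.append((spec["instance"], Target(spec.get("hostname", "*"), path)))
    return out


def build_registry(manifests: list[dict] = SAMPLE_MANIFESTS) -> ReservationRegistry:
    reg = ReservationRegistry()
    for instance, target in reservations_from_manifests(manifests):
        reg.reserve(instance, target)
    return reg


if __name__ == "__main__":
    reg = build_registry()
    print("a manages prod /api/v1:", reg.may_manage("agic-cluster-a", Target("prod.example.com", "/api/v1")))
    print("b manages prod /api/v1:", reg.may_manage("agic-cluster-b", Target("prod.example.com", "/api/v1")))
    try:
        reg.reserve("agic-cluster-c", Target("prod.example.com", "/api/*"))
    except ReservationConflict as e:
        print("conflict:", e)
```

The contrast is the point of the issue: with `prohibited_allows`, a third cluster that was never told about `prod.example.com` would still consider it manageable, whereas `ReservationRegistry.may_manage` returns `False` for anything the instance has not reserved itself.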