Deploy Coder on Azure with an Application Gateway
In certain enterprise environments, the Azure Application Gateway is required.
These steps serve as a proof-of-concept example so that you can get Coder running with Kubernetes on Azure. Your deployment might require a separate Postgres server or signed certificates.
The Application Gateway supports:
- Websocket traffic (required for workspace connections)
- TLS termination
Refer to Microsoft's documentation on how to enable application gateway ingress controller add-on for an existing AKS cluster with an existing application gateway. The steps here follow the Microsoft tutorial for a Coder deployment.
Deploy Coder on Azure with an Application Gateway
-
Create Azure resource group:
az group create --name myResourceGroup --location eastus -
Create AKS cluster:
az aks create --name myCluster --resource-group myResourceGroup --network-plugin azure --enable-managed-identity --generate-ssh-keys -
Create public IP:
az network public-ip create --name myPublicIp --resource-group myResourceGroup --allocation-method Static --sku Standard -
Create VNet and subnet:
az network vnet create --name myVnet --resource-group myResourceGroup --address-prefix 10.0.0.0/16 --subnet-name mySubnet --subnet-prefix 10.0.0.0/24 -
Create Azure application gateway, attach VNet, subnet and public IP:
az network application-gateway create --name myApplicationGateway --resource-group myResourceGroup --sku Standard_v2 --public-ip-address myPublicIp --vnet-name myVnet --subnet mySubnet --priority 100 -
Get app gateway ID:
appgwId=$(az network application-gateway show --name myApplicationGateway --resource-group myResourceGroup -o tsv --query "id") -
Enable app gateway ingress to AKS cluster:
az aks enable-addons --name myCluster --resource-group myResourceGroup --addon ingress-appgw --appgw-id $appgwId -
Get AKS node resource group:
nodeResourceGroup=$(az aks show --name myCluster --resource-group myResourceGroup -o tsv --query "nodeResourceGroup") -
Get AKS VNet name:
aksVnetName=$(az network vnet list --resource-group $nodeResourceGroup -o tsv --query "[0].name") -
Get AKS VNet ID:
aksVnetId=$(az network vnet show --name $aksVnetName --resource-group $nodeResourceGroup -o tsv --query "id") -
Peer VNet to AKS VNet:
az network vnet peering create --name AppGWtoAKSVnetPeering --resource-group myResourceGroup --vnet-name myVnet --remote-vnet $aksVnetId --allow-vnet-access -
Get app gateway VNet ID:
appGWVnetId=$(az network vnet show --name myVnet --resource-group myResourceGroup -o tsv --query "id") -
Peer AKS VNet to app gateway VNet:
az network vnet peering create --name AKStoAppGWVnetPeering --resource-group $nodeResourceGroup --vnet-name $aksVnetName --remote-vnet $appGWVnetId --allow-vnet-access -
Get AKS credentials:
az aks get-credentials --name myCluster --resource-group myResourceGroup -
Create Coder namespace:
kubectl create ns coder -
Deploy non-production PostgreSQL instance to AKS cluster:
helm repo add bitnami https://charts.bitnami.com/bitnami helm install coder-db bitnami/postgresql \ --namespace coder \ --set auth.username=coder \ --set auth.password=coder \ --set auth.database=coder \ --set persistence.size=10Gi -
Create the PostgreSQL secret:
kubectl create secret generic coder-db-url -n coder --from-literal=url="postgres://coder:[email protected]:5432/coder?sslmode=disable" -
Deploy Coder to AKS cluster:
helm repo add coder-v2 https://helm.coder.com/v2 helm install coder coder-v2/coder \ --namespace coder \ --values values.yaml \ --version 2.18.5 -
Clean up Azure resources:
az group delete --name myResourceGroup az group delete --name MC_myResourceGroup_myCluster_eastus -
Deploy the gateway - this needs clarification
-
After you deploy the gateway, add the following entries to Helm's
values.yamlfile before you deploy Coder:service: enable: true type: ClusterIP sessionAffinity: None externalTrafficPolicy: Cluster loadBalancerIP: "" annotations: {} httpNodePort: "" httpsNodePort: "" ingress: enable: true className: "azure-application-gateway" host: "" wildcardHost: "" annotations: {} tls: enable: false secretName: "" wildcardSecretName: ""