How to set AzureIngressProhibitedTarget without hostname?


I have 2 AKS clusters with different endpoints hosted on each one. After connecting them to the same gateway via helm chart and setting up prohibited targets, it is still overwriting the gateway with each update within AKS. I have services with endpoints like /example/group/index.html within the health probes path and the same path is formatted as /example/*. How do I specify links formatted like this inside the prohibited target file so the services won't get overwritten again?

Vinay B On

Managing Routing Conflicts in Azure Kubernetes Service with Prohibited Targets and Helm

Managing AKS (Azure Kubernetes Service) clusters and configuring a shared ingress or gateway with Helm charts can be complex, particularly when it comes to routing management and preventing service conflicts. Utilizing prohibited targets is key to avoiding overwrites.

Defining links like /example/group/index.html in the health probes path and managing wildcard paths such as /example/* in the prohibited target file is essential to prevent service overwrites. It's critical that your configuration accurately reflects these specifications. Helm and AKS support this process by enabling annotations and configurations in your ingress or gateway resource definitions, which help to precisely manage these routing rules and restrictions.

Prohibited Target Configuration: Prohibited targets in Azure Application Gateway enable you to exclude specific paths from management by the Application Gateway Ingress Controller (AGIC). This feature is essential in scenarios where multiple Kubernetes clusters or services share the same Application Gateway but necessitate separate route management.


Wildcards and Path-Based Routing: When your health probes and service paths employ a format with wildcards (e.g., /example/*), it's crucial to configure your prohibited target settings precisely to exclude these paths, thereby preventing AGIC from managing them.

Example Prohibited Target Configuration: A prohibitedTarget resource can be defined in your Helm values file or as a separate Kubernetes manifest. This definition must clearly enumerate the paths or hostnames that AGIC should disregard.

kubectl apply -f prohibited-target.yaml

For paths such as /example/group/index.html, you may either specify the precise path or employ wildcard expressions to encompass a wider array of paths.

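apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
spec:
  rules:
    - http:
        paths:
          - path: /example/group/index.html
            pathType: ImplementationSpecific
            backend:                      # required by networking.k8s.io/v1
              service:
                name: example-service     # placeholder: no backend is named here
                port:
                  number: 80              # placeholder port
          - path: /example/*
            pathType: ImplementationSpecific
            backend:
              service:
                name: example-service     # placeholder
                port:
                  number: 80              # placeholder port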

Apply the Prohibited Targets:

  • Apply the prohibited targets configuration to your Helm chart deployment.
  • Use the kubectl apply -f prohibited-targets.yaml command to ensure the changes take effect.

Reference:

https://learn.microsoft.com/en-us/samples/azure/azure-quickstart-templates/aks-application-gateway-ingress-controller/

https://learn.microsoft.com/en-us/azure/aks/kubernetes-helm
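
Added example, not part of the question or the answer above and not taken from the AGIC project: a prohibited-target manifest for the question's `/example/*` path with no hostname set. The resource name is a placeholder, and the field names, the `/*` suffix requirement on `paths`, and the `appgw.shared` Helm value are assumptions based on the AGIC CRD as I know it; confirm them against the CRD installed in your cluster.

```yaml
# Added example (constructed). Apply in the cluster whose AGIC must NOT
# modify Application Gateway settings for routes owned by the other cluster.
#
# Assumption: AGIC was installed with the Helm value appgw.shared=true,
# which installs the AzureIngressProhibitedTarget CRD. In that mode the
# chart also creates a catch-all target named prohibit-all-targets;
# narrower targets such as this one are meant to replace it.
apiVersion: appgw.ingress.k8s.io/v1
kind: AzureIngressProhibitedTarget
metadata:
  name: protect-example-paths   # placeholder name
spec:
  # hostname is intentionally omitted so the rule is not tied to one host.
  # Assumption: with no hostname the path list is matched for any host;
  # verify this against the AGIC version you run.
  paths:
    # Assumption: the CRD schema only accepts entries ending in "/*",
    # so /example/group/index.html is covered by the prefix entry
    # rather than listed on its own.
    - /example/*
```

After applying it, `kubectl get azureingressprohibitedtargets` should list the resource, and the AGIC pod log is the place to confirm that the listed paths are skipped on the next reconcile.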