Ansible deployment of AKS
Type Name Latest commit message Commit time
configure-aks Only add istio-gateway as source to external-dns if istio is enabled Jun 27, 2019
examples Add CIC server header modification examples Jul 3, 2019
.gitignore Initial AKS deploy Feb 25, 2019
LICENSE Initial commit Feb 21, 2019 Add Citrix ingress controller information to readme Jun 27, 2019
requirements.txt Add openshift to requirements.txt May 5, 2019



Ansible deployment of AKS


Two playbooks to deploy and configure Azure Kubernetes Service.

Includes the following in Azure:

  • AKS Cluster (RBAC)
  • ContainerInsights (disabled by default)
  • DNS Zone (to be configured with external-dns)
  • Azure Container Registry
  • Not implemented: Azure AD Configuration

Includes the following in Kubernetes:

  • Istio (using istio-operator)
  • cert-manager
  • external-dns
  • goldpinger
  • ark (velero)
  • kubedb (disabled by default)
  • datadog agent (and tracing)

Configure the following files

How to run

TODO: Create Azure AD Application (isn't implemented as of now)

Follow this guide: Integrate Azure Active Directory with Azure Kubernetes Service

Generate service principal for Azure

# Login to Azure
az login

# List subscriptions
az account list --output table

# Select subscription
az account set --subscription "<Subscription Name>"

# Validate that the correct subscription is selected
az account list --query "[?isDefault==\`true\`]" --output table

# Create variables with the subscription data
TenantID=$(az account list --query "[?isDefault==\`true\`].tenantId" --output tsv)
SubscriptionID=$(az account list --query "[?isDefault==\`true\`].id" --output tsv)

# Create Service Principal
# Store the password in a safe place and write down that it will expire in a year
# This will make the service principal contributor to the subscription
az ad sp create-for-rbac --name sp-aks
# Look the service principal up by display name (server-side filter) to get its appId
ClientID=$(az ad sp list --display-name sp-aks --query "[].appId" --output tsv)


Deploy AKS

cd deploy-aks
ansible-playbook -i hosts deploy-aks.yml -e "ansible_python_interpreter=<python>" -e AZURE_CLIENT_ID="<ClientID>" -e AZURE_SECRET='"<Secret>"' -e AZURE_SUBSCRIPTION_ID="<SubscriptionID>" -e AZURE_TENANT="<TenantID>" --flush-cache

TODO: AAD Integration: (not included as of now)

ansible-playbook -i hosts-prd deploy-aks.yml -e "ansible_python_interpreter=" -e AZURE_CLIENT_ID="" -e AZURE_SECRET='""' -e AZURE_SUBSCRIPTION_ID="" -e AZURE_TENANT="" -e aksAADClientAppID="" -e aksAADServerAppID="" -e aksAADServerAppSecret='""' -e aksAADTenantID="" --flush-cache

Manual steps:

  • Configure the nameservers of the domain, pointing to the zone created in the resource group. Do this before running configure-aks.

Configure AKS

cd configure-aks
ansible-playbook -i hosts configure-aks.yml -e "ansible_python_interpreter=<python>" -e AZURE_CLIENT_ID="<ClientID>" -e AZURE_SECRET='"<Secret>"' -e AZURE_SUBSCRIPTION_ID="<SubscriptionID>" -e AZURE_TENANT="<TenantID>" -e DATADOG_API_KEY='"<DatadogApiKey>"' --flush-cache
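
Both playbook invocations above put the service principal secret (and the Datadog API key) on the command line, where it ends up in shell history and is visible in the process list while the playbook runs. The following is an added example, not part of this repository: a POSIX shell helper that writes the same variables from the environment to a private temporary file and passes it with ansible-playbook's `-e @file` form. The function names and the `aks-vars` file prefix are assumptions made for illustration.

```shell
# Added example, not part of the repository. Function names are hypothetical.

# Escape a value for a YAML double-quoted scalar (backslash and double quote).
yaml_quote() {
  printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# Write the named environment variables to a new private file as YAML and
# print the file's path. Fails if a name is malformed or a value is empty.
write_extra_vars() {
  # mktemp creates the file readable and writable by the owner only.
  wev_file=$(mktemp "${TMPDIR:-/tmp}/aks-vars.XXXXXX") || return 1
  for wev_name in "$@"; do
    case $wev_name in
      ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) rm -f "$wev_file"; return 1 ;;
    esac
    eval "wev_value=\${$wev_name:-}"   # safe: the name was validated above
    if [ -z "$wev_value" ]; then
      echo "missing environment variable: $wev_name" >&2
      rm -f "$wev_file"; return 1
    fi
    printf '%s: %s\n' "$wev_name" "$(yaml_quote "$wev_value")" >> "$wev_file"
  done
  printf '%s\n' "$wev_file"
}

# Run one of the playbooks with the secrets supplied via -e @file instead of
# literal -e NAME=value arguments, then delete the file.
# Usage: run_playbook <playbook.yml> <python interpreter> VAR...
run_playbook() {
  rp_playbook=$1; rp_python=$2; shift 2
  rp_vars=$(write_extra_vars "$@") || return 1
  rp_rc=0
  ansible-playbook -i hosts "$rp_playbook" \
    -e "ansible_python_interpreter=$rp_python" \
    -e "@$rp_vars" --flush-cache || rp_rc=$?
  rm -f "$rp_vars"
  return "$rp_rc"
}
```

Set the variables in the current shell first (for example with `read -rs`), then call `run_playbook deploy-aks.yml "<python>" AZURE_CLIENT_ID AZURE_SECRET AZURE_SUBSCRIPTION_ID AZURE_TENANT`. Multi-line values are not handled by `yaml_quote`.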

Citrix ingress controller

Citrix has an ingress controller which can be used instead of products like ingress-nginx. You can find more information about it here:

How to use

I've tested it without Istio and haven't tried it together. I recommend disabling istioOperator in configure-aks/roles/configure-aks/defaults/main.yml.

Enable citrixCpx in configure-aks/roles/configure-aks/defaults/main.yml.

When configure-aks has completed, deploy cpx-ingress-apache.yaml to one of your namespaces and verify functionality. Make sure to change the domain names to the correct ones. I've added a responder to redirect HTTP to HTTPS to show how to use that functionality.



# Forward local port 8080 to port 80 of the first goldpinger pod
kubectl -n goldpinger port-forward $(kubectl -n goldpinger get pod -l app=goldpinger -o jsonpath='{.items[0].metadata.name}') 8080:80