Installation using Bicep

In this guide we will walk through installing the extension to your Azure Kubernetes Service (AKS) cluster with Bicep.

Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.

For a full example see our example repo.

Before you begin

  • This guide assumes a basic understanding of Kubernetes and Bicep
  • If you don't have an AKS cluster set up already, you can follow the official documentation to create one.

Review the Bicep file

The Bicep file used to deploy your extension should look something like this:

    @description('The AKS cluster name')
    param clusterName string

    @description('clientId of the federatedIdentityCredential')
    param workloadIdentity string

    // Get the AKS cluster
    resource aks 'Microsoft.ContainerService/managedClusters@2024-09-01' existing = {
      name: clusterName
    }

    // Install the extension into your AKS cluster
    resource ingressExtension 'Microsoft.KubernetesConfiguration/extensions@2023-05-01' = {
      name: 'ingress-extension'
      identity: {
        type: 'SystemAssigned'
      }
      scope: aks
      plan: {
        name: 'basic'
        product: 'ingress-nginx-hsm'
        publisher: 'stridtech'
      }
      properties: {
        extensionType: 'tech.strid.ingress-nginx-hsm'
        autoUpgradeMinorVersion: true
        configurationSettings: {
          workloadIdentity: workloadIdentity
          kubernetesNamespace: 'ingress-nginx'
          controllerReplicaCount: '3' // Default is 1, but we want to have HA
          defaultBackendReplicaCount: '1'
        }
      }
    }

The resource defined in the Bicep file:

Deploy the Bicep file

Deploy the Bicep file using Azure CLI:

    az deployment group create \
      --resource-group $RESOURCE_GROUP \
      --template-file ./main.bicep \
      --parameters clusterName=<cluster-name> workloadIdentity=<workload-identity>

Provide the following values in the command:

  • Cluster name: The name of your AKS cluster
  • Workload identity: The clientId of the federatedIdentityCredential

It takes a couple of minutes to deploy the extension. Wait for it to be deployed before moving on to the next step.
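
One way to wait for the deployment from a script, as an added example that is not part of the original guide: it polls `az k8s-extension show` for the extension named `ingress-extension` in the Bicep file above until its provisioningState settles. The function name `wait_for_extension` and the timeout and interval defaults are assumptions.

```shell
# Added example: poll the extension's provisioningState until it settles.
# The extension name matches `name` in the Bicep file above; the function
# name, timeout and interval defaults are assumptions.

# Usage: wait_for_extension <cluster-name> <resource-group> [timeout_s] [interval_s]
# Returns 0 on Succeeded, 1 on Failed or Canceled, 2 on timeout.
# interval_s must be at least 1, otherwise the timeout is never reached.
wait_for_extension() {
  local cluster="$1" rg="$2" timeout="${3:-600}" interval="${4:-15}"
  local ext_name="ingress-extension"
  local elapsed=0 state

  while [ "$elapsed" -le "$timeout" ]; do
    # An empty state means the query failed, for example because the
    # extension resource is not visible yet; treat that as "keep waiting".
    state="$(az k8s-extension show \
      --name "$ext_name" \
      --cluster-name "$cluster" \
      --resource-group "$rg" \
      --cluster-type managedClusters \
      --query provisioningState -o tsv 2>/dev/null || true)"

    case "$state" in
      Succeeded)
        echo "extension $ext_name: Succeeded"
        return 0 ;;
      Failed|Canceled)
        # Terminal states: stop polling so a broken install is not mistaken for a slow one.
        echo "extension $ext_name: $state" >&2
        return 1 ;;
      *)
        echo "extension $ext_name: ${state:-not found yet}, waiting..." ;;
    esac

    sleep "$interval"
    elapsed=$((elapsed + interval))
  done

  echo "extension $ext_name: timed out after ${timeout}s" >&2
  return 2
}
```

A non-zero return lets a pipeline stop before the validation and Ingress steps run against a cluster where the extension did not install.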

Validate the Bicep deployment

To check what extensions are installed on your AKS cluster, run the following command:

    az k8s-extension list \
      --cluster-name <cluster-name> \
      --resource-group <resource-group> \
      --cluster-type managedClusters

You can also make sure the ingress is running in your cluster by checking the pods in the ingress-nginx namespace.

    kubectl get pods -n ingress-nginx

Next steps

In this guide you added the HSM Ingress Controller extension to your AKS cluster. To use the Ingress to direct traffic to your deployments you need to create an Ingress resource. This will be covered in the next guide.