bug: harden deploy-azd ingress readiness and class detection

Author: Cataldir

.github/workflows/deploy-azd.yml

@@ -75,46 +75,46 @@ jobs:
 
           CHANGED_FILES=$(git diff --name-only "origin/$DEFAULT_BRANCH...HEAD")
 
-            mapfile -t AGENT_SERVICES < <(python3 - <<'PY'
-            import re
-
-            with open('azure.yaml', encoding='utf-8') as f:
-              lines = f.readlines()
-
-            in_services = False
-            current_service = None
-            current_host = None
-            services = []
-
-            for raw in lines:
-              line = raw.rstrip('\n')
-              if not in_services:
-                if re.match(r'^services:\s*$', line):
-                  in_services = True
-                continue
-
-              if re.match(r'^[^\s]', line):
-                break
-
-              service_match = re.match(r'^  ([a-z0-9\-]+):\s*$', line)
-              if service_match:
-                if current_service and current_host == 'aks' and current_service != 'crud-service':
-                  services.append(current_service)
-                current_service = service_match.group(1)
-                current_host = None
-                continue
-
-              host_match = re.match(r'^    host:\s*(\S+)\s*$', line)
-              if host_match:
-                current_host = host_match.group(1)
-
-            if current_service and current_host == 'aks' and current_service != 'crud-service':
-              services.append(current_service)
-
-            for service in services:
-              print(service)
-            PY
-            )
+          mapfile -t AGENT_SERVICES < <(python3 - <<'PY'
+import re
+
+with open('azure.yaml', encoding='utf-8') as f:
+  lines = f.readlines()
+
+in_services = False
+current_service = None
+current_host = None
+services = []
+
+for raw in lines:
+  line = raw.rstrip('\n')
+  if not in_services:
+    if re.match(r'^services:\s*$', line):
+      in_services = True
+    continue
+
+  if re.match(r'^[^\s]', line):
+    break
+
+  service_match = re.match(r'^  ([a-z0-9\-]+):\s*$', line)
+  if service_match:
+    if current_service and current_host == 'aks' and current_service != 'crud-service':
+      services.append(current_service)
+    current_service = service_match.group(1)
+    current_host = None
+    continue
+
+  host_match = re.match(r'^    host:\s*(\S+)\s*$', line)
+  if host_match:
+    current_host = host_match.group(1)
+
+if current_service and current_host == 'aks' and current_service != 'crud-service':
+  services.append(current_service)
+
+for service in services:
+  print(service)
+PY
+          )
 
           CRUD_CHANGED=false
           if echo "$CHANGED_FILES" | grep -Eq '^apps/crud-service/'; then
@@ -453,14 +453,60 @@ jobs:
             --query "identityProfile.kubeletidentity.clientId" -o tsv)
           echo "WORKLOAD_AZURE_CLIENT_ID=${AKS_MI_CLIENT_ID}" >> "$GITHUB_ENV"
 
-      - name: Deploy CRUD service
+      - name: Resolve ingress class
+        shell: bash
         run: |
-          if ! azd deploy --service crud-service --no-prompt -e "${{ inputs.environment }}"; then
-            echo "Initial CRUD deploy failed; retrying once after short wait..."
-            sleep 60
-            azd deploy --service crud-service --no-prompt -e "${{ inputs.environment }}"
+          set -euo pipefail
+          kubectl get ingressclass -o wide || true
+
+          if [ -n "${INGRESS_CLASS_NAME:-}" ] && kubectl get ingressclass "${INGRESS_CLASS_NAME}" >/dev/null 2>&1; then
+            echo "Using preconfigured ingress class: ${INGRESS_CLASS_NAME}"
+            echo "INGRESS_CLASS_NAME=${INGRESS_CLASS_NAME}" >> "$GITHUB_ENV"
+            exit 0
           fi
+
+          for cls in webapprouting.kubernetes.azure.com nginx azure-application-gateway; do
+            if kubectl get ingressclass "$cls" >/dev/null 2>&1; then
+              echo "Using detected ingress class: $cls"
+              echo "INGRESS_CLASS_NAME=$cls" >> "$GITHUB_ENV"
+              exit 0
+            fi
+          done
+
+          echo "No supported IngressClass found. Enable AKS Web App Routing or provide INGRESS_CLASS_NAME." >&2
+          exit 1
+
+      - name: Deploy CRUD service
+        timeout-minutes: 25
+        shell: bash
+        run: |
+          set -euo pipefail
+          max_attempts=4
+
+          for attempt in $(seq 1 "$max_attempts"); do
+            echo "Deploy attempt ${attempt}/${max_attempts}"
+            if azd deploy --service crud-service --no-prompt -e "${{ inputs.environment }}"; then
+              echo "CRUD deploy succeeded."
+              exit 0
+            fi
+
+            echo "Attempt ${attempt} failed; collecting ingress diagnostics..."
+            kubectl get ingressclass -o wide || true
+            kubectl get ingress -n holiday-peak -o wide || true
+            kubectl get pods -n app-routing-system -o wide || true
+            kubectl get pods -n ingress-nginx -o wide || true
+
+            if [ "$attempt" -eq "$max_attempts" ]; then
+              echo "CRUD deploy failed after ${max_attempts} attempts." >&2
+              exit 1
+            fi
+
+            backoff=$((attempt * 45))
+            echo "Retrying after ${backoff}s..."
+            sleep "$backoff"
+          done
         env:
+          INGRESS_CLASS_NAME: ${{ env.INGRESS_CLASS_NAME }}
           AZURE_CLIENT_ID: ${{ env.WORKLOAD_AZURE_CLIENT_ID }}
           AZURE_TENANT_ID: ${{ env.AZURE_TENANT_ID }}
           PROJECT_ENDPOINT: ${{ needs.provision.outputs.PROJECT_ENDPOINT }}

.infra/azd/hooks/render-helm.ps1

@@ -7,6 +7,9 @@ $namespace = if ($env:K8S_NAMESPACE) { $env:K8S_NAMESPACE } else { "holiday-peak
 $imagePrefix = if ($env:IMAGE_PREFIX) { $env:IMAGE_PREFIX } else { "ghcr.io/azure-samples" }
 $imageTag = if ($env:IMAGE_TAG) { $env:IMAGE_TAG } else { "latest" }
 $kedaEnabled = if ($env:KEDA_ENABLED) { $env:KEDA_ENABLED } else { "false" }
+$ingressEnabled = if ($env:INGRESS_ENABLED) { $env:INGRESS_ENABLED } else { "true" }
+$ingressClassName = if ($env:INGRESS_CLASS_NAME) { $env:INGRESS_CLASS_NAME } else { "webapprouting.kubernetes.azure.com" }
+$canaryEnabled = if ($env:CANARY_ENABLED) { $env:CANARY_ENABLED } else { "false" }
 $readinessPath = "/ready"
 
 if ($ServiceName -eq "crud-service") {
@@ -48,7 +51,13 @@ $helmArgs = @(
   '--set',
   "image.tag=$imageTag",
   '--set',
-  "keda.enabled=$kedaEnabled"
+  "keda.enabled=$kedaEnabled",
+  '--set',
+  "ingress.enabled=$ingressEnabled",
+  '--set-string',
+  "ingress.className=$ingressClassName",
+  '--set',
+  "canary.enabled=$canaryEnabled",
   '--set',
   "probes.readiness.path=$readinessPath"
 )

.infra/azd/hooks/render-helm.sh

@@ -8,6 +8,7 @@ IMAGE_PREFIX="${IMAGE_PREFIX:-ghcr.io/azure-samples}"
 IMAGE_TAG="${IMAGE_TAG:-latest}"
 KEDA_ENABLED="${KEDA_ENABLED:-false}"
 INGRESS_ENABLED="${INGRESS_ENABLED:-true}"
+INGRESS_CLASS_NAME="${INGRESS_CLASS_NAME:-webapprouting.kubernetes.azure.com}"
 CANARY_ENABLED="${CANARY_ENABLED:-false}"
 READINESS_PATH="/ready"
 
@@ -48,6 +49,7 @@ HELM_ARGS="$HELM_ARGS --set image.repository=$IMAGE_PREFIX"
 HELM_ARGS="$HELM_ARGS --set image.tag=$IMAGE_TAG"
 HELM_ARGS="$HELM_ARGS --set keda.enabled=$KEDA_ENABLED"
 HELM_ARGS="$HELM_ARGS --set ingress.enabled=$INGRESS_ENABLED"
+HELM_ARGS="$HELM_ARGS --set-string ingress.className=$INGRESS_CLASS_NAME"
 HELM_ARGS="$HELM_ARGS --set canary.enabled=$CANARY_ENABLED"
 HELM_ARGS="$HELM_ARGS --set probes.readiness.path=$READINESS_PATH"
 

.kubernetes/chart/templates/ingress.yaml

@@ -10,7 +10,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  ingressClassName: webapprouting.kubernetes.azure.com
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className | quote }}
+  {{- end }}
   {{- if .Values.ingress.tls }}
   tls:
     {{- range .Values.ingress.tls }}
@@ -53,7 +55,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  ingressClassName: webapprouting.kubernetes.azure.com
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className | quote }}
+  {{- end }}
   rules:
     {{- if .Values.ingress.host }}
     - host: {{ .Values.ingress.host | quote }}

.kubernetes/chart/values.yaml

@@ -10,6 +10,7 @@ service:
 # Ingress configuration for AKS Web Application Routing (NGINX-based add-on)
 ingress:
   enabled: true
+  className: "webapprouting.kubernetes.azure.com"
   host: ""  # Leave empty for path-based routing, or set hostname for host-based
   path: ""  # Defaults to /{serviceName}
   pathType: "Prefix"

docs/implementation/README.md

@@ -155,6 +155,8 @@ Target: **100%**
 - App deployments in `deploy-azd` are now strictly changed-only (CRUD, UI, and agent matrix entries are deployed only when their app paths change).
 - Post-deploy hooks (`sync-apim-agents` and `ensure-foundry-agents`) consume these lists through `CHANGED_SERVICES` and run only for changed services.
 - Foundry readiness verification in deployment workflow is scoped to changed agent services under changed-only mode.
+- CRUD deployment now preflights `IngressClass` availability and passes `INGRESS_CLASS_NAME` into Helm rendering to avoid class/controller drift.
+- CRUD deployment retries are now bounded with diagnostics (`kubectl get ingressclass`, ingress, and controller pods) to improve root-cause visibility for endpoint readiness delays.
 
 ---