`azure-gateway.json` schema (`tare gateway install --type azure`)

The JSON config file accepted by tare gateway install --type azure, consumed through the --config flag.

This document describes the JSON config file accepted by:

tare gateway install identity.json --type azure --config azure-gateway.json

The Azure path covers AKS clusters on traditional Azure CNI. The install enables the AGIC ingress-appgw addon (which provisions an Application Gateway in the cluster's MC_<rg>_<cluster>_<region> resource group) and applies an Ingress in tars-dataplane with AGIC's required health-probe annotations. See tare gateway install for the end-to-end flow.

Tip: Use tare gateway config init --type azure to bootstrap a starter file from prompts or flags. The remaining fields documented below are pre-filled with resolver defaults that you can edit in place.

Supported keys

All keys are optional at the JSON level. Required-ness is enforced at install time by the resolver and the Azure pre-flight.

Key	Type	Used for	Required when
`customer`	string	Identifies the customer in the management plane	unless provided by identity / `--customer`
`environment`	string	Optional environment label	required when customer is `saas`
`serveDomain`	string	DNS host the customer points at the AGIC frontend IP	optional but recommended (drives the DNS hint output)
`serveUrl`	string	Public URL the data plane reports to the MP	optional (falls back to identity fields)
`azure.subscriptionId`	string	Azure subscription scoping every `az` call	required for `--apply-prereqs` and the AGIC compat pre-flight
`azure.resourceGroup`	string	Resource group holding the AKS cluster	required for `--apply-prereqs` and the AGIC compat pre-flight
`azure.aksClusterName`	string	AKS cluster name	required for `--apply-prereqs` and the AGIC compat pre-flight
`azure.appGateway.name`	string	Application Gateway name AGIC creates	optional (default: `<aksClusterName>-appgw`)
`azure.appGateway.subnetCidr`	string	Address range for the App Gateway subnet	optional (default: `10.225.0.0/24`)
`azure.skipExisting`	bool	Continue when `az aks enable-addons` reports "already enabled"	optional (`false` default)
`namespaces.dataplane`	string	Dataplane namespace the Ingress lives in	optional (default `tars-dataplane`)
`lint`	object	Per-config rule overrides (shared with the GCP schema)	optional

Example

{
  "customer": "acme",
  "serveDomain": "proxy.acme.tetrate.ai",
  "serveUrl": "https://proxy.acme.tetrate.ai",
  "azure": {
    "subscriptionId": "00000000-0000-0000-0000-000000000000",
    "resourceGroup": "acme-aks-rg",
    "aksClusterName": "acme-aks",
    "appGateway": {
      "name": "acme-aks-appgw",
      "subnetCidr": "10.225.0.0/24"
    },
    "skipExisting": true
  }
}

Field precedence

For most values, precedence is:

explicit CLI flag (--azure-subscription-id, --azure-resource-group, --aks-cluster-name, --appgw-name, --appgw-subnet-cidr)
azure-gateway.json (--config)
resolver defaults (<aksClusterName>-appgw, 10.225.0.0/24)

Why no `staticIpName` / `certificateMap` / `dnsAuthorization`?

These are GCP-specific concepts. On Azure:

Static IP: AGIC auto-provisions the Application Gateway's frontend IP. No name to pin; customer DNS is updated to the dynamically-assigned address surfaced in the Ingress status.
Certificate map / managed certificates: The runbook AGIC path is HTTP-only on port 80 by default. HTTPS termination via AGIC listener TLS is configured separately and is not in scope of this config.
DNS authorization: GCP cert-manager mechanic; no equivalent.

Minimal config (with `--apply-prereqs`)

{
  "customer": "acme",
  "serveDomain": "proxy.acme.tetrate.ai",
  "azure": {
    "subscriptionId": "00000000-0000-0000-0000-000000000000",
    "resourceGroup": "acme-aks-rg",
    "aksClusterName": "acme-aks"
  }
}

Then run:

tare gateway install identity.json \
  --type azure \
  --config azure-gateway.json \
  --apply-prereqs --wait

Cluster compatibility

tare gateway install --type azure requires AGIC-compatible AKS networking:

az aks show -n <cluster> -g <rg> \
  --query 'networkProfile.{plugin: networkPlugin, mode: networkPluginMode, dataplane: networkDataplane}'

The compatible combination is {plugin: "azure", mode: null, dataplane: "azure"}. Anything else (mode overlay, dataplane cilium) is rejected by the pre-flight. AGC (Application Gateway for Containers) is the path for those clusters and is tracked as a follow-up to fraser#3687.

Required Azure roles

The signed-in identity needs:

Azure Kubernetes Service Contributor Role on the AKS resource group: for az aks enable-addons
Network Contributor on the cluster's MC_<rg>_<cluster>_<region> node-RG: for AGIC to manage the Application Gateway

tare gateway install --type azure checks these and prints the exact az role assignment create commands when a role is missing. When the signed-in identity cannot read its own role assignments (Forbidden), the pre-flight degrades gracefully: prints what's required, proceeds, and lets az aks enable-addons surface AuthorizationFailed if applicable.

Where to go next

tare gateway install

Consume this config to enable AGIC and deploy the Azure gateway.

gcp-gateway.json schema

The equivalent config file for the GCP gateway flow.

Supported keys​

Example​

Field precedence​

Why no staticIpName / certificateMap / dnsAuthorization?​

Minimal config (with --apply-prereqs)​

Cluster compatibility​

Required Azure roles​