OpenFaaS on Azure AKS with SSL Ingress (OpenFaaS on AKS Part 2/2)

Eric Stoekl

Today we’ll be continuing from Part 1 in our OpenFaaS on AKS deployment guide. We’ll use LetsEncrypt to associate the ingress port with an SSL certificate (issued for free as long as you have a domain name). Contour will help us achieve this SSL termination.

Move OpenFaaS to the default namespace

This method only works if your internal service (in our case, the gateway-external service) is in the default namespace. Let’s rebuild OpenFaaS: cd into the faas-netes repo and run the following commands (note that this will delete your existing OpenFaaS deployment and functions).

git clone https://github.com/openfaas/faas-netes
cd faas-netes
helm delete --purge openfaas
kubectl delete ns openfaas
kubectl delete ns openfaas-fn
helm upgrade --install --namespace default --set functionNamespace=default --set async=true --set rbac=false --set serviceType=NodePort openfaas chart/openfaas

Install Contour

First let’s deploy Contour, which acts as a reverse-proxy. We’ll deploy without RBAC because our AKS deployment does not have RBAC enabled.

kubectl apply -f https://j.hept.io/contour-deployment-norbac

Run kubectl get svc -n heptio-contour and you will see the External IP for your new loadbalancer:

$ kubectl get svc -n heptio-contour
NAME      TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)                      AGE
contour   LoadBalancer   10.0.106.23   52.170.87.144   80:32617/TCP,443:30234/TCP   6m

Install Ingress Controller

Next we’ll create the Ingress resource for OpenFaaS. Copy the following to openfaas-ingress.yml:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: of-ingress
  annotations:
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - secretName: of-secret
    hosts:
    - <your.domain.name>
  rules:
  - host: <your.domain.name>
    http:
      paths:
      - backend:
          serviceName: gateway-external
          servicePort: 8080

And apply the Ingress with:

$ kubectl apply -f openfaas-ingress.yml

Deploy CertManager

Clone the jetstack/cert-manager repository and deploy the no-rbac version:

git clone https://github.com/jetstack/cert-manager
cd cert-manager
kubectl -n cert-manager apply -f docs/deploy/without-rbac/

Next copy the following into a file called clusterissuer-prod.yml:

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    email: <your-valid-email@address.com>
    http01: {}
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v01.api.letsencrypt.org/directory

And apply this file:

kubectl apply -f clusterissuer-prod.yml

Check that everything is installed

$ kubectl get ing
NAME         HOSTS            ADDRESS   PORTS     AGE
of-ingress   <your-dns>.com             80, 443   1h
$ kubectl get svc -n heptio-contour
NAME      TYPE           CLUSTER-IP   EXTERNAL-IP    PORT(S)                      AGE
contour   LoadBalancer   10.0.63.10   52.176.3.125   80:31067/TCP,443:32413/TCP   1h

Point your DNS to the AKS LoadBalancer

Route your DNS name to the External IP output of kubectl get svc -n heptio-contour:

Setting my A Record on AWS Route 53

Now you should be able to access your OpenFaaS deployment with SSL termination.

Verify that you can access your OpenFaaS deployment through the URL endpoint
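
Beyond loading the page in a browser, you can check that the endpoint really serves the LetsEncrypt certificate that cert-manager requested. The script below is an added example, not code from the original post: it verifies the chain and hostname, then checks the issuer, the SAN list and the time left before expiry. The hostname faas.example.com, the 14-day threshold and the issuer organization string are assumptions; substitute your own domain.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5.0):
    """Handshake with normal chain and hostname verification; return the leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def assess_cert(cert, host, now=None, min_days=14, issuer_org="Let's Encrypt"):
    """Return a list of problems with a getpeercert()-style dict (empty = OK)."""
    now = time.time() if now is None else now
    problems = []
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    if issuer.get("organizationName") != issuer_org:
        problems.append("unexpected issuer: %r" % issuer.get("organizationName"))
    # The http01 solver cannot issue wildcards, so require an exact SAN match.
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if host.lower() not in sans:
        problems.append("%s not in SAN list %r" % (host, sans))
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0
    if days_left < min_days:
        problems.append("expires in %.0f days; renewal may be failing" % days_left)
    return problems

def check_endpoint(host):
    """Live check: a failed verification is reported as a finding, not raised."""
    try:
        return assess_cert(fetch_cert(host), host)
    except ssl.SSLCertVerificationError as exc:
        return ["certificate verification failed: %s" % exc.verify_message]
    except OSError as exc:
        return ["connection failed: %s" % exc]

# Constructed sample in the format ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "subjectAltName": (("DNS", "faas.example.com"),),
    "notAfter": "Aug 30 00:00:00 2018 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2018 GMT")

if __name__ == "__main__":
    print(assess_cert(SAMPLE_CERT, "faas.example.com", now=SAMPLE_NOW))  # offline
```

Call check_endpoint("<your.domain.name>") once the A record has propagated; an empty list means the ingress is serving a verified, correctly named certificate with time left before renewal.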

Conclusion

You are now ready to re-deploy your functions onto the now SSL-enabled OpenFaaS deployment.
