Setting Up TLS for Kubernetes Ingress and Azure AGIC to Enable HTTPS

Jakub Rzepka
5 min read · Aug 25, 2024


⚠️This article is just one part of a comprehensive article on Setting Up Kubernetes (AKS) with Azure Application Gateway Ingress Controller.

Securing your applications with HTTPS is essential. This guide covers setting up TLS for Kubernetes Ingress with Azure Application Gateway Ingress Controller (AGIC) using Azure DNS, a self-signed or Azure-managed certificate, and a Kubernetes TLS secret defined in a secret.yaml file.

To enable HTTPS, you’ll add TLS configuration to your Ingress YAML, specifying a Kubernetes secret that securely stores your TLS certificate and key. Once deployed, AGIC uses this configuration to terminate HTTPS traffic, ensuring secure communication between clients and your application.

We need to follow these steps:

1. Register a Domain: Use Azure App Service Domains to purchase a domain (e.g., testaksdns.com). [For test purposes you can skip this step]

2. Set Up DNS Zone: Azure automatically creates a DNS Zone for your domain. Add DNS records to point your domain and any subdomains (e.g., testaksdns.com) to your AKS Ingress controller's IP address.

3. Obtain a TLS Certificate: Use a self-signed TLS certificate for your domain. You can also use the Azure App Service Certificate resource. Ensure DNS records are properly configured to pass any DNS challenges.

4. Create and Apply a Secret YAML: Create a secret.yaml file using the Base64-encoded certificate and key.

5. Deploy Application on AKS: Deploy your application on AKS. Configure the Ingress controller with your domain name (e.g., testaksdns.com).

6. Secure the Application: Once the TLS certificate is in place, your application can securely serve traffic over HTTPS.

1. Create an Azure App Service Domain

An App Service Domain is a domain registration service provided directly by Azure. When you purchase an App Service Domain, you are buying the rights to use a specific domain name (e.g., testaksdns.com) for a certain period.

Select your resource group, provide a name for your domain, and then create it.

2. Create an Azure DNS Zone and Configure a Domain Name

Select your resource group and provide a name for your DNS zone (e.g., testaksdns.com), and create it.

Configure the Domain Name

After creating the DNS zone, add an A record that points to the public IP of your Application Gateway. Create one record set with an empty name (the apex, testaksdns.com) and, optionally, a second one for the www subdomain.

3. Obtain a TLS Certificate

You can create a test self-signed cert using the following command:

# interactive: OpenSSL prompts for the subject fields; enter your domain (e.g., testaksdns.com) as the Common Name
openssl req -x509 -newkey rsa:4096 -keyout tls.key -out tls.crt -sha256 -days 365 -nodes

Then proceed directly to sub-step 3 below (Base64 conversion).

Alternatively, you can secure your AKS applications with TLS using Azure-managed certificates; these certificates are stored in Azure Key Vault.

While you can set up a CSI volume in AKS to access these certificates, this can be complex. For simplicity, you can export the certificate from Key Vault and extract the necessary key and certificate files using OpenSSL.

Here’s how:

1. Download the Certificate: Use Azure CLI to download the certificate from Key Vault in PFX format:

az keyvault secret download --file <certname>.pfx --vault-name <keyvaultname> --name <certname> --encoding base64

2. Extract the Key and Certificate: Use OpenSSL to extract the private key and certificate. OpenSSL is available in the Git Bash console. The output files are named tls.key and tls.crt so that the following steps can use them directly:

# the PFX exported from Key Vault has an empty password, hence -passin pass:
openssl pkcs12 -in <certname>.pfx -nocerts -out tls.key -nodes -passin pass:
openssl pkcs12 -in <certname>.pfx -clcerts -nokeys -out tls.crt -passin pass:

3. Convert the certificate and key to Base64: Encode the created TLS files as single-line Base64 using the Git Bash commands:

base64 -w 0 tls.crt > tls.crt.base64
base64 -w 0 tls.key > tls.key.base64

4. Create a Kubernetes Secret for the TLS Certificate

  • Create a Secret YAML File named secret.yaml with the following content:

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: kubernetes.io/tls
data:
  tls.crt: <base64 encoded certificate>
  tls.key: <base64 encoded key>

Replace <base64 encoded certificate> and <base64 encoded key> with the actual base64 content.

  • Deploy the Secret to AKS:

kubectl apply -f secret.yaml

This secret securely stores your TLS certificate and key in Kubernetes.

4. Configure Kubernetes Ingress with TLS

  • Update the Ingress YAML File. Modify your Ingress YAML to reference the TLS secret:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  annotations:
    appgw.ingress.kubernetes.io/ssl-certificate: "tls-secret" # Name of the created TLS secret
spec:
  ingressClassName: azure-application-gateway
  tls:
  - hosts:
    - testaksdns.com
    secretName: tls-secret # Name of the created TLS secret
  rules:
  - host: testaksdns.com # Name of our domain
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: aspnetapp # Name of our previously created service
            port:
              number: 8080

  • Deploy the Ingress Resource to your AKS cluster:

kubectl apply -f ingress.yaml
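Before applying secret.yaml and ingress.yaml, it pays to confirm that the certificate and key actually belong together and that the certificate's SAN list covers the host named in the Ingress, because a mismatch only shows up later as a failing listener on the Application Gateway. The Bash helper below is an added example, not part of the original article: it generates a throwaway self-signed pair for testaksdns.com (constructed test data), runs both checks with OpenSSL, and renders the kubernetes.io/tls Secret from base64 output so the values never have to be pasted by hand.

```bash
#!/usr/bin/env bash
# Added example (not from the article): validate a TLS cert/key pair for an
# AGIC Ingress host and render the kubernetes.io/tls Secret manifest.
set -euo pipefail

# Constructed test data: a throwaway self-signed certificate whose SAN covers
# both the apex and the www host, so a browser can match the Ingress host.
make_test_cert() {  # $1 = host, $2 = output path prefix
  openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes \
    -keyout "$2.key" -out "$2.crt" -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1,DNS:www.$1" >/dev/null 2>&1
}

# Return 0 when the key's public half equals the certificate's public key.
cert_matches_key() {  # $1 = cert file, $2 = key file
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Return 0 when the certificate's subjectAltName lists the given DNS name.
cert_covers_host() {  # $1 = cert file, $2 = host
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^ *//' | grep -x "DNS:$2" >/dev/null
}

# Print the Secret manifest that spec.tls.secretName in the Ingress refers to.
render_tls_secret() {  # $1 = secret name, $2 = cert file, $3 = key file
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/tls
data:
  tls.crt: $(base64 -w 0 < "$2")
  tls.key: $(base64 -w 0 < "$3")
EOF
}

# Fail fast on a mismatched pair or a host the certificate does not cover.
validate_and_render() {  # $1 = host, $2 = cert file, $3 = key file, $4 = secret name
  cert_matches_key "$2" "$3" || { echo "cert/key mismatch" >&2; return 1; }
  cert_covers_host "$2" "$1" || { echo "cert lacks DNS:$1" >&2; return 1; }
  render_tls_secret "$4" "$2" "$3"
}

# Usage: validate_and_render testaksdns.com tls.crt tls.key tls-secret > secret.yaml
```

Run it against the tls.crt and tls.key produced in step 3; a non-zero exit means the pair is not safe to apply.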

5. Verify the Setup

  • Verify that the Ingress has been correctly configured by checking its status:

kubectl get ingress

  • The IP address should match the public IP of your AGIC, which now also listens on port 443 for HTTPS.

Access Your Application

  • Open a web browser and navigate to https://www.testaksdns.com.
  • The browser should display your application over HTTPS, using the self-signed certificate.

What Happens Inside AGIC? 🛞

When you configure TLS in your Ingress, AGIC automatically adds a listener on port 443 to handle HTTPS traffic. This listener uses the SSL certificate specified in your Ingress to securely route traffic to your backend services.

6. (Optional) Test and Troubleshoot

  • Test the Setup: Confirm that HTTPS is functioning by visiting your domain. If there are issues, use kubectl describe ingress and kubectl logs to check for errors.
