Azure: How to Configure SSL Using Cert-Manager with (AGIC) Application Gateway Ingress Controller
ahmad bayhaqi
Posted on April 3, 2023
Kubernetes has a lot of support and open-source tooling contributing to the cloud-native ecosystem. One of those areas is ingress: Kubernetes supports Ingress resources, and you may already know NGINX Ingress, a very popular ingress controller for Kubernetes. Azure has an ingress controller built to work with the Azure cloud environment: Application Gateway. The Application Gateway Ingress Controller (AGIC) allows Azure Application Gateway to be used as the ingress for an Azure Kubernetes Service (AKS) cluster.
In this guide, you'll learn how to configure HTTPS with cert-manager and AGIC. Before getting started you should have the following:
- AKS Cluster
- Azure Subscriptions
- kubectl installed on your local machine
Step 1 -- Create the Application Gateway
Create a public IP to be used by the Application Gateway as its frontend IP.
az network public-ip create -n myPublicIp -g myResourceGroup --allocation-method Static --sku Standard
Create a new subnet within the AKS VNet.
az network vnet subnet create -g myResourceGroup --vnet-name myVnet -n mySubnet --address-prefixes 10.226.0.0/24
Create the Application Gateway within the AKS VNet, in the separate subnet created above. This guide creates an Application Gateway with the Standard_v2 SKU, which does not act as a WAF.
az network application-gateway create -n myApplicationGateway -l eastus -g myResourceGroup --sku Standard_v2 --public-ip-address myPublicIp --vnet-name myVnet --subnet mySubnet --priority 100
Step 2 -- Enable the AGIC add-on on AKS
After the Application Gateway has been created, enable the ingress-appgw add-on on the AKS cluster and point it at that gateway:
appgwId=$(az network application-gateway show -n myApplicationGateway -g myResourceGroup -o tsv --query "id")
az aks enable-addons -n myCluster -g myResourceGroup -a ingress-appgw --appgw-id $appgwId
Step 3 -- Deploy the sample app
Create a Deployment and a Service for the sample app; this guide deploys a sample HTML5 game.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: clumsy-bird
  name: clumsy-bird
spec:
  selector:
    matchLabels:
      app: clumsy-bird
  replicas: 2
  template:
    metadata:
      labels:
        app: clumsy-bird
    spec:
      containers:
      - name: clumsy-bird
        image: bayhaqisptr/clumsy-bird:latest
        ports:
        - containerPort: 8001
---
apiVersion: v1
kind: Service
metadata:
  name: clumsy-service
  labels:
    run: clumsy-service
spec:
  # Cluster-internal only; the Application Gateway reaches the pods through AGIC
  type: ClusterIP
  ports:
  - port: 8001
    protocol: TCP
  selector:
    app: clumsy-bird
Step 4 -- Create the Ingress
Create the Ingress. Note the kubernetes.io/ingress.class annotation: make sure it is set to azure/application-gateway, which tells AKS to use the Application Gateway as the Ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: clumsy-agic
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  tls:
  - hosts:
    - appgw-test.example.test
    secretName: clumsy-tls
  rules:
  - host: appgw-test.example.test
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: clumsy-service
            port:
              number: 8001
Step 5 -- Create the Issuer (staging)
Create a staging Issuer for Let's Encrypt with cert-manager. The staging endpoint issues certificates that browsers do not trust; use it to verify the challenge flow without consuming Let's Encrypt production rate limits.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: user@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: azure/application-gateway
Step 6 -- Create the Issuer (prod)
Create the production Issuer for Let's Encrypt with cert-manager. It differs from the staging Issuer only in the ACME server URL and the account key secret name.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: user@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: azure/application-gateway
Step 7 -- Ingress TLS
After the Issuer has been created, update the Ingress with the cert-manager annotations so that cert-manager can solve the ACME HTTP-01 challenge through the Application Gateway and store the issued certificate in the secret named under spec.tls. The cert-manager.io/issuer annotation must name the Issuer created in the previous step, and acme.cert-manager.io/http01-edit-in-place set to "true" makes cert-manager add the challenge path to this Ingress instead of creating a separate solver Ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: clumsy-agic
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    # Must match the name of an Issuer in this namespace
    cert-manager.io/issuer: letsencrypt-prod
    cert-manager.io/acme-challenge-type: http01
    acme.cert-manager.io/http01-edit-in-place: "true"
spec:
  tls:
  - hosts:
    - appgw-test-16769.southeastasia.cloudapp.azure.com
    # cert-manager writes the issued certificate and key into this secret
    secretName: clumsy-tls
  rules:
  - host: appgw-test-16769.southeastasia.cloudapp.azure.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: clumsy-service
            port:
              number: 8001
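A mismatch between these manifests (an annotation naming an Issuer that does not exist, or an Issuer whose solver class AGIC does not serve) leaves the certificate Order pending with no error in the Ingress itself. Here is an added pre-apply check, not part of the original post, that catches those cases; it assumes the Issuer and Ingress are in separate single-document files, uses only grep/sed, and embeds constructed sample manifests so it runs stand-alone.

```shell
# Added example, not from the original post: a pre-apply lint for the cert-manager
# + AGIC wiring above. Given an Issuer manifest and an Ingress manifest (one document
# each) it checks that the Ingress uses the AGIC ingress class, that cert-manager.io/issuer
# names the Issuer actually defined, that the Issuer's http01 solver uses the same ingress
# class (otherwise AGIC never routes the challenge path and the Order stays pending), that
# spec.tls has a secretName, and that every rule host is also listed under tls.hosts.
yval() { grep "^[[:space:]]*$1:" "$2" | head -n1 | sed 's/^[^:]*:[[:space:]]*//; s/^"\(.*\)"$/\1/'; }
lint_agic_tls() {
  cls=$(yval 'kubernetes.io/ingress.class' "$2")
  [ "$cls" = "azure/application-gateway" ] || { echo "ingress class is '$cls'" >&2; return 1; }
  ref=$(yval 'cert-manager.io/issuer' "$2"); name=$(yval 'name' "$1")
  [ "$ref" = "$name" ] || { echo "annotation names Issuer '$ref', manifest defines '$name'" >&2; return 1; }
  [ "$(yval 'class' "$1")" = "$cls" ] || { echo "Issuer solver class differs from Ingress class" >&2; return 1; }
  [ -n "$(yval 'secretName' "$2")" ] || { echo "spec.tls has no secretName" >&2; return 1; }
  for h in $(grep '^[[:space:]]*- host:' "$2" | sed 's/.*host:[[:space:]]*//'); do
    grep -q "^[[:space:]]*- $h\$" "$2" || { echo "rule host $h missing from tls.hosts" >&2; return 1; }
  done
}
# Constructed sample manifests (trimmed copies of the ones above) for a stand-alone run.
ISSUER=$(mktemp); INGRESS_OK=$(mktemp); INGRESS_BAD=$(mktemp)
cat > "$ISSUER" <<'EOF'
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    solvers:
    - http01:
        ingress:
          class: azure/application-gateway
EOF
cat > "$INGRESS_OK" <<'EOF'
kind: Ingress
metadata:
  name: clumsy-agic
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    cert-manager.io/issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - appgw-test.example.test
    secretName: clumsy-tls
  rules:
  - host: appgw-test.example.test
EOF
# The same Ingress pointing at an Issuer name that was never created: must be rejected.
sed 's|issuer: letsencrypt-prod$|issuer: letsencrypt-prod-agic|' "$INGRESS_OK" > "$INGRESS_BAD"
lint_agic_tls "$ISSUER" "$INGRESS_OK" && echo "ok: Ingress is wired to Issuer $(yval name "$ISSUER")"
```

Run it against your own files as lint_agic_tls issuer.yaml ingress.yaml before kubectl apply; a non-zero exit and the message on stderr tell you which link in the chain is broken.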
Conclusion
The cloud-native world has many projects to explore. For example, Kubernetes has many ingress controllers to choose from, such as NGINX Ingress, ingress-nginx, Kong, AGIC, and others.
This guide covered the steps to configure Let's Encrypt certificates with the AGIC Ingress.