Prerequisites

NOTE: Application Gateway for Containers has been released, which introduces numerous performance, resilience, and feature changes. Please consider leveraging Application Gateway for Containers for your next deployment.

This documents assumes you already have the following Azure tools and resources installed:

Please use Greenfield Deployment to install nonexistents.

To use the new feature, make sure the AGIC version is at least at 1.2.0-rc3

bash helm install oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure -f helm-config.yaml --version 1.7.5 --generate-name

Create a certificate and configure the certificate to AppGw

The certificate below should only be used for testing purpose.

```bash appgwName="" resgp=""

generate certificate for testing

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -out test-cert.crt \ -keyout test-cert.key \ -subj "/CN=test"

openssl pkcs12 -export \ -in test-cert.crt \ -inkey test-cert.key \ -passout pass:test \ -out test-cert.pfx

configure certificate to app gateway

az network application-gateway ssl-cert create \ --resource-group $resgp \ --gateway-name $appgwName \ -n mysslcert \ --cert-file test-cert.pfx \ --cert-password "test" ```

Configure certificate from Key Vault to AppGw

To configfure certificate from key vault to Application Gateway, an user-assigned managed identity will need to be created and assigned to AppGw, the managed identity will need to have GET secret access to KeyVault.

```bash

Configure your resources

appgwName="" resgp="" vaultName="" location="" aksClusterName="" aksResourceGroupName="" appgwName=""

IMPORTANT: the following way to retrieve the object id of the AGIC managed identity

only applies when AGIC is deployed via the AGIC addon for AKS

get the resource group name of the AKS cluster

nrg=$(az aks show --name $aksClusterName --resource-group $aksResourceGroupName --query nodeResourceGroup --output tsv)

get principalId of the AGIC managed identity

identityName="ingressapplicationgateway-aksClusterName" agicIdentityPrincipalId=(az identity show --name $identityName --resource-group $nrg --query principalId --output tsv)

One time operation, create Azure key vault and certificate (can done through portal as well)

az keyvault create -n $vaultName -g $resgp --enable-soft-delete -l $location

One time operation, create user-assigned managed identity

az identity create -n appgw-id -g $resgp -l location identityID=(az identity show -n appgw-id -g resgp -o tsv --query "id") identityPrincipal=(az identity show -n appgw-id -g $resgp -o tsv --query "principalId")

One time operation, assign AGIC identity to have operator access over AppGw identity

az role assignment create --role "Managed Identity Operator" --assignee $agicIdentityPrincipalId --scope $identityID

One time operation, assign the identity to Application Gateway

az network application-gateway identity assign \ --gateway-name $appgwName \ --resource-group $resgp \ --identity $identityID

One time operation, assign the identity GET secret access to Azure Key Vault

az keyvault set-policy \ -n $vaultName \ -g $resgp \ --object-id $identityPrincipal \ --secret-permissions get

For each new certificate, create a cert on keyvault and add unversioned secret id to Application Gateway

az keyvault certificate create \ --vault-name vaultName \ -n mycert \ -p "(az keyvault certificate get-default-policy)" versionedSecretId=$(az keyvault certificate show -n mycert --vault-name vaultName --query "sid" -o tsv) unversionedSecretId=(echo $versionedSecretId | cut -d'/' -f-5) # remove the version from the url

For each new certificate, Add the certificate to AppGw

az network application-gateway ssl-cert create \ -n mykvsslcert \ --gateway-name $appgwName \ --resource-group $resgp \ --key-vault-secret-id $unversionedSecretId # ssl certificate with name "mykvsslcert" will be configured on AppGw ```

Testing the key vault certificate on Ingress

Since we have certificate from Key Vault configured in Application Gateway, we can then add the new annotation appgw.ingress.kubernetes.io/appgw-ssl-certificate: mykvsslcert in Kubernetes ingress to enable the feature.

```bash

install an app

cat << EOF | kubectl apply -f - apiVersion: v1 kind: Pod metadata: name: aspnetapp labels: app: aspnetapp spec: containers: - image: "mcr.microsoft.com/dotnet/samples:aspnetapp" name: aspnetapp-image ports: - containerPort: 80 protocol: TCP


apiVersion: v1 kind: Service metadata: name: aspnetapp spec: selector: app: aspnetapp ports: - protocol: TCP port: 80 targetPort: 80


apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: aspnetapp annotations: kubernetes.io/ingress.class: azure/application-gateway appgw.ingress.kubernetes.io/appgw-ssl-certificate: mykvsslcert spec: rules: - http: paths: - path: / backend: service: name: aspnetapp port: number: 80 pathType: Exact EOF ```