Prerequisites
NOTE: Application Gateway for Containers has been released, which introduces numerous performance, resilience, and feature changes. Please consider leveraging Application Gateway for Containers for your next deployment.
This documents assumes you already have the following Azure tools and resources installed:
- AKS with Advanced Networking enabled
- App Gateway v2 in the same virtual network as AKS
- AAD Pod Identity installed on your AKS cluster
- Cloud Shell is the Azure shell environment, which has
az
CLI,kubectl
, andhelm
installed. These tools are required for the commands below.
Please use Greenfield Deployment to install nonexistents.
To use the new feature, make sure the AGIC version is at least at 1.2.0-rc3
bash
helm install oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure -f helm-config.yaml --version 1.7.5 --generate-name
Create a certificate and configure the certificate to AppGw
The certificate below should only be used for testing purpose.
```bash appgwName="" resgp=""
generate certificate for testing
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -out test-cert.crt \ -keyout test-cert.key \ -subj "/CN=test"
openssl pkcs12 -export \ -in test-cert.crt \ -inkey test-cert.key \ -passout pass:test \ -out test-cert.pfx
configure certificate to app gateway
az network application-gateway ssl-cert create \ --resource-group $resgp \ --gateway-name $appgwName \ -n mysslcert \ --cert-file test-cert.pfx \ --cert-password "test" ```
Configure certificate from Key Vault to AppGw
To configfure certificate from key vault to Application Gateway, an user-assigned managed identity will need to be created and assigned to AppGw, the managed identity will need to have GET secret access to KeyVault.
```bash
Configure your resources
appgwName="" resgp="" vaultName="" location="" aksClusterName="" aksResourceGroupName="" appgwName=""
IMPORTANT: the following way to retrieve the object id of the AGIC managed identity
only applies when AGIC is deployed via the AGIC addon for AKS
get the resource group name of the AKS cluster
nrg=$(az aks show --name $aksClusterName --resource-group $aksResourceGroupName --query nodeResourceGroup --output tsv)
get principalId of the AGIC managed identity
identityName="ingressapplicationgateway-aksClusterName" agicIdentityPrincipalId=(az identity show --name $identityName --resource-group $nrg --query principalId --output tsv)
One time operation, create Azure key vault and certificate (can done through portal as well)
az keyvault create -n $vaultName -g $resgp --enable-soft-delete -l $location
One time operation, create user-assigned managed identity
az identity create -n appgw-id -g $resgp -l location identityID=(az identity show -n appgw-id -g resgp -o tsv --query "id") identityPrincipal=(az identity show -n appgw-id -g $resgp -o tsv --query "principalId")
One time operation, assign AGIC identity to have operator access over AppGw identity
az role assignment create --role "Managed Identity Operator" --assignee $agicIdentityPrincipalId --scope $identityID
One time operation, assign the identity to Application Gateway
az network application-gateway identity assign \ --gateway-name $appgwName \ --resource-group $resgp \ --identity $identityID
One time operation, assign the identity GET secret access to Azure Key Vault
az keyvault set-policy \ -n $vaultName \ -g $resgp \ --object-id $identityPrincipal \ --secret-permissions get
For each new certificate, create a cert on keyvault and add unversioned secret id to Application Gateway
az keyvault certificate create \ --vault-name vaultName \ -n mycert \ -p "(az keyvault certificate get-default-policy)" versionedSecretId=$(az keyvault certificate show -n mycert --vault-name vaultName --query "sid" -o tsv) unversionedSecretId=(echo $versionedSecretId | cut -d'/' -f-5) # remove the version from the url
For each new certificate, Add the certificate to AppGw
az network application-gateway ssl-cert create \ -n mykvsslcert \ --gateway-name $appgwName \ --resource-group $resgp \ --key-vault-secret-id $unversionedSecretId # ssl certificate with name "mykvsslcert" will be configured on AppGw ```
Testing the key vault certificate on Ingress
Since we have certificate from Key Vault configured in Application Gateway, we can then add the new annotation appgw.ingress.kubernetes.io/appgw-ssl-certificate: mykvsslcert
in Kubernetes ingress to enable the feature.
```bash
install an app
cat << EOF | kubectl apply -f - apiVersion: v1 kind: Pod metadata: name: aspnetapp labels: app: aspnetapp spec: containers: - image: "mcr.microsoft.com/dotnet/samples:aspnetapp" name: aspnetapp-image ports: - containerPort: 80 protocol: TCP
apiVersion: v1 kind: Service metadata: name: aspnetapp spec: selector: app: aspnetapp ports: - protocol: TCP port: 80 targetPort: 80
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: aspnetapp annotations: kubernetes.io/ingress.class: azure/application-gateway appgw.ingress.kubernetes.io/appgw-ssl-certificate: mykvsslcert spec: rules: - http: paths: - path: / backend: service: name: aspnetapp port: number: 80 pathType: Exact EOF ```