1

I have deployed a Kubernetes cluster to a custom virtual network on Azure using acs-engine. There is an ASP.NET Core 2.0 Kestrel app running on the agent VMs and the app is accessed over VPN through a Service of the Azure internal load balancer type. Now I would like to enable HTTPS on the service. I have already obtained a domain name and a certificate but have no idea how to proceed. Apparently configuring Kestrel to use HTTPS and copying the certificate to each container is not the way to go.

I have checked out tutorials such as ingress on k8s using acs and configure Nginx Ingress Controller for TLS termination on k8s on Azure but both of them end up exposing a public external IP and I want to keep the IP internal and not accessible from the internet. Is this possible? Can it be done without ingresses and their controllers?

higherer

2 Answers

2

While for some reason I still can't access the app through the ingress I was able to create an internal ingress service with the IP I want with the following configuration:

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  name: nginx-ingress-svc
spec:
  type: LoadBalancer
  ports:
  - port: 443
    targetPort: 443
  loadBalancerIP: 130.10.1.9
  selector:
    k8s-app: nginx-ingress-controller

higherer
  • Ingress on its own won't actually do anything to my knowledge, you need the ingress controller service (like above) in order to actually listen & action the rules. What you have done here is the right thing to do though, I had to do something similar both for internal and external access. – watdo Mar 29 '18 at 19:04
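
A check for the outcome the answer above is after, as an added example that is not part of the original posts: it reads the output of `kubectl get svc --all-namespaces -o json` and reports every LoadBalancer Service that lacks the internal annotation or whose frontend IP lies outside the virtual network. The function name, the /16 range and the sample services are constructed assumptions.

```python
import ipaddress
import json

INTERNAL_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-internal"

def audit_services(svc_list_json, vnet_cidr):
    """Return (namespace/name, reason) for each LoadBalancer Service that may be public."""
    vnet = ipaddress.ip_network(vnet_cidr)
    findings = []
    for svc in json.loads(svc_list_json).get("items", []):
        spec = svc.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue  # only LoadBalancer Services get an Azure frontend IP
        meta = svc.get("metadata", {})
        name = f'{meta.get("namespace", "default")}/{meta.get("name")}'
        annotations = meta.get("annotations") or {}
        if annotations.get(INTERNAL_ANNOTATION, "").lower() != "true":
            findings.append((name, "missing internal load balancer annotation"))
        # Check the address Azure actually assigned as well as the requested one.
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        addrs = [entry["ip"] for entry in ingress if "ip" in entry]
        if spec.get("loadBalancerIP"):
            addrs.append(spec["loadBalancerIP"])
        for ip in sorted(set(addrs)):
            if ipaddress.ip_address(ip) not in vnet:
                findings.append((name, f"frontend IP {ip} outside {vnet}"))
    return findings

# Constructed sample in the shape of `kubectl get svc -o json` output.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "nginx-ingress-svc", "namespace": "default",
                  "annotations": {INTERNAL_ANNOTATION: "true"}},
     "spec": {"type": "LoadBalancer", "loadBalancerIP": "130.10.1.9"},
     "status": {"loadBalancer": {"ingress": [{"ip": "130.10.1.9"}]}}},
    {"metadata": {"name": "nginx-ingress-public", "namespace": "default"},
     "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
    {"metadata": {"name": "kestrel-app", "namespace": "default"},
     "spec": {"type": "ClusterIP"}},
]})

if __name__ == "__main__":
    # 130.10.0.0/16 is an assumed range for the virtual network.
    for name, reason in audit_services(SAMPLE, "130.10.0.0/16"):
        print(f"{name}: {reason}")
```
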
0

The tutorial you linked is a bit outdated, at least the instructions have you go to an 'examples' folder in the GitHub repo they link but that doesn't exist. Anyhow, a normal nginx ingress controller consists of several parts: the nginx deployment, the service that exposes it and the default backend parts. You need to look at the yamls they ask you to deploy, look for the second part of what I listed - the ingress service - and change type from LoadBalancer to ClusterIP (or delete type altogether since ClusterIP is the default).

Lev Kuznetsov
  • Using type ClusterIP gives no external IP of any kind (perhaps I should reword my question). I need an IP like the Azure internal load balancer has, within the virtual network, e.g. 130.10.0.0. – higherer Jan 05 '18 at 07:50
  • I'm not familiar with Azure, assuming you're able to create a service on the desired CIDR block you should be able to do the same thing here. – Lev Kuznetsov Jan 05 '18 at 10:09