Cannot apply SSL cert to Kubernetes LoadBalancing Service on Kubernetes

Question

Issue

I am having trouble applying TLS to the DNS name of my LoadBalancer service for my Kubernetes cluster, and I am at a bit of a loss.

This is the first time I have worked with Kubernetes as well as Azure's Manage Container Services. For reasons that are out of my control this api is required to run on Azure's Managed Container Services.

Environment

Cluster is running on Azure using Managed Container Services (preview). I created my environment by following the steps here: https://learn.microsoft.com/en-us/azure/aks/tutorial-kubernetes-deploy-cluster

I created a static IP in Azure to use in the yaml for the loadbalancer service. Furthermore, I created a myprefix.cloudapp.azure.com DNS name for the IP using the following commands (https://learn.microsoft.com/en-us/azure/aks/static-ip)

IP="XX.XX.XX.XX"

DNSNAME="myprefix"

RESOURCEGROUP=$(az network public-ip list --query "[?ipAddress!=null]|[?contains(ipAddress, '$IP')].[resourceGroup]" --output tsv)

PIPNAME=$(az network public-ip list --query "[?ipAddress!=null]|[?contains(ipAddress, '$IP')].[name]" --output tsv)

az network public-ip update --resource-group $RESOURCEGROUP --name $PIPNAME --dns-name $DNSNAME

Deployment

This is the yaml I am using for my deployment:

apiVersion: apps/v1beta1 kind: Deployment metadata: name: my-node-express-api-deployment spec: replicas: 2 strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 1 minReadySeconds: 5 template: metadata: labels: app: my-node-express-api spec: containers: - name: my-node-express-api-container image: myrepo/my-node-express-api-image:latest ports: - containerPort: 3000 volumes: - name: tls secret: secretName: my-tls-secret

Service

This is the yaml for my LoadBalancing Service

apiVersion: v1 kind: Service metadata: name: my-node-express-api-loadbalancer spec: loadBalancerIP: 52.176.148.91 type: LoadBalancer ports: - port: 80 targetPort: 3000 port: 443 targetPort: 3000 selector: app: my-node-express-api

Secret

Yaml for secret

apiVersion: v1 kind: Secret metadata: name: my-tls-secret namespace: default data: tls.crt: (base64 for myprefix.cloudapp.azure.com.crt) tls.key: (base64 for myprefix.cloudapp.azure.com.key)

Note:

Everything works correctly over http when I remove the Secret from my deployment and remove port 443 from the LoadBalancer Service.

score 1 · Answer 1 · answered Apr 06 '18 at 01:41

On Azure, if you need TLS termination on kubernetes, you can use Nginx Ingress controller(Now, Microsoft working with Azure ingress controller which uses Application gateway).

To archive this, we can follow those steps:
1 Deploy the Nginx Ingress controller
2 Create TLS certificates
3 Deploy test http service
4 configure TLS termination

More information about configure Nginx ingress controller for TLS termination on kubernetes on Azure, please refer to this blog.