
I have an AKS cluster with the add-on AGIC enabled (will try and convert it into Helm based AGIC in the near future). At the moment I have an application on this cluster with the Ingress set to the Application Gateway. This works perfectly on port 80 at the moment.

If I want to enable SSL, do I just need to add the certificate at the App Gateway and then reference that in the deployment as such? (Example taken from https://thewindowsupdate.com/2021/10/19/what-does-it-mean-for-the-application-gateway-ingress-controller-agic-to-assume-full-ownership/)

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: aspnetapp
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: <name of your certificated added to Application Gateway>
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: aspnetapp
          servicePort: 80

Although the service port is set to 80 above, will the App GW apply TLS automatically? Should the service port above be 80 or 443? Or does it not matter since the SSL Redirect is set? Also what aspects does this encrypt automatically?

  • External -> App GW ?
  • App GW -> Ingress ?

Also, do I need another certificate for the external side of App GW as well? Or do I need just the one cert?

JakeUT

1 Answer


AGIC will create:

  • 2 listeners: HTTP on port 80 and HTTPS on port 443. The HTTPS listener will be configured with the SSL certificate from appgw.ingress.kubernetes.io/appgw-ssl-certificate.
  • 2 routing rules: one to redirect the HTTP listener traffic to the HTTPS listener. The HTTPS listener will be configured to target your backend on AKS.

By default AGIC will do TLS termination, so the traffic between the app gateway and the AKS cluster will be using the HTTP (not HTTPS) protocol. The port used will be the targetPort configured in your service.

On another note, you should have seen this warning before:

extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress

You should update AGIC to the latest version and change your manifest to use the networking.k8s.io/v1 Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: aspnetapp
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: "<name of your certificate added to Application Gateway>"
spec:
  rules:
...

Thomas
  • Thanks Thomas! So if I want end-to-end encryption, for the internal leg I would need to use another certificate in AKS for the backend endpoint. Is that correct? – JakeUT Jun 02 '22 at 23:35
  • Do you have nginx on top of your webapp, or the app gateway talking directly to your webapp? The trick will be to install the certificate inside the container, I would say. Do you have any specific reason to want SSL termination inside your app? – Thomas Jun 02 '22 at 23:54
  • No, the app gateway communicates directly with the webapp. The SSL termination inside the app is just to be fully secure on the communication from the App GW internal IP to the Pod IP. But I will research this. Thanks for your input! – JakeUT Jun 03 '22 at 19:03
  • Hey @JakeUT, I also have a similar issue. However, my servicePort is 443 and hence I have a tls section; interestingly, the appgw creates only an HTTPS listener, and I believe because of this the health checks are failing. My question is posted here: https://stackoverflow.com/questions/76685914/why-isnt-agic-able-to-configure-http-health-check-for-azure-appgateway Any comments on this please? – caxefaizan Jul 17 '23 at 13:40
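To tie the answer together with the end-to-end encryption question raised in the comments, here is an added example (it is not from the question, the answer, or the AGIC project). It shows the complete networking.k8s.io/v1 form of the Ingress for the default case, where TLS is terminated at the Application Gateway and the gateway reaches the pod over plain HTTP on the Service's targetPort, followed by a second variant that keeps TLS on the internal leg by telling AGIC to speak HTTPS to the backend. The certificate names, the hostnames, the namespace and the container ports are placeholders and assumptions, not values from the thread; the annotations are the ones the AGIC documentation defines for these features.

```yaml
# Added example: default AGIC setup with TLS terminated at Application Gateway.
# Everything after "External -> App GW" is HTTPS; "App GW -> pod" is plain HTTP.
apiVersion: v1
kind: Service
metadata:
  name: aspnetapp
  namespace: default                 # assumption: app runs in "default"
spec:
  selector:
    app: aspnetapp
  ports:
  - name: http
    port: 80                         # port the Ingress backend refers to
    targetPort: 8080                 # assumption: container listens on 8080;
                                     # this is the port App GW talks to
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: aspnetapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    # Certificate already uploaded to the Application Gateway (placeholder name)
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: "<APPGW-CERT-NAME>"
    # Redirect the port-80 listener to the port-443 listener
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
  - host: app.example.com            # placeholder; should match the certificate
    http:
      paths:
      - path: /
        pathType: Prefix             # required in networking.k8s.io/v1
        backend:
          service:
            name: aspnetapp
            port:
              number: 80
---
# Added example, end-to-end variant: the pod serves TLS itself and AGIC
# configures the gateway to use HTTPS toward the backend. Needs a second
# certificate inside the container and its issuing root uploaded to the
# gateway as a trusted root certificate (placeholder names below).
apiVersion: v1
kind: Service
metadata:
  name: aspnetapp-tls
  namespace: default
spec:
  selector:
    app: aspnetapp
  ports:
  - name: https
    port: 443
    targetPort: 8443                 # assumption: container serves TLS on 8443
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: aspnetapp-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: "<APPGW-CERT-NAME>"
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    # Internal leg: gateway -> pod over HTTPS, validated against this root
    appgw.ingress.kubernetes.io/backend-protocol: "https"
    appgw.ingress.kubernetes.io/appgw-trusted-root-certificate: "<ROOT-CERT-NAME>"
    # Hostname the gateway sends as SNI / Host to the pod; must match the pod's cert
    appgw.ingress.kubernetes.io/backend-hostname: "app.internal.example.com"
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: aspnetapp-tls
            port:
              number: 443
```

Apply either document with `kubectl apply -f`, then check the listeners and backend settings AGIC created in the portal or with the Azure CLI. In the first variant a single gateway certificate is enough, since the pod never sees TLS. In the second, the gateway's health probe also runs over HTTPS, so the container must answer TLS on the targetPort with a certificate that chains to the uploaded root and matches the backend hostname, otherwise the backend is marked unhealthy.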