
AKS with AGIC and Application Gateway


I have an AKS cluster with the add-on AGIC enabled (will try and convert it into Helm based AGIC in the near future). At the moment I have an application on this cluster with the Ingress set to the Application Gateway. This works perfectly on port 80 at the moment.

If I want to enable SSL, do I just need to add the certificate at the App Gateway and then reference that in the deployment as such? (example taken from https://thewindowsupdate.com/2021/10/19/what-does-it-mean-for-the-application-gateway-ingress-controller-agic-to-assume-full-ownership/)

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: aspnetapp
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: <name of your certificate added to Application Gateway>
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: aspnetapp
          servicePort: 80

Although the service port is set to 80 above, will the App GW apply TLS automatically? Should the service port above be 80 or 443? Or does it not matter since the SSL Redirect is set? Also what aspects does this encrypt automatically?

  • External -> App GW ?
  • App GW -> Ingress ?

Also, do I need another certificate for the external side of App GW as well? Or do I need just the one cert?


Solution

  • AGIC will create:

    • 2 listeners: HTTP on port 80 and HTTPS on port 443. The HTTPS listener will be configured with the SSL certificate from appgw.ingress.kubernetes.io/appgw-ssl-certificate
    • 2 routing rules: one to redirect the HTTP listener traffic to the HTTPS listener. The HTTPS listener will be configured to target your backend on AKS.

    By default AGIC will do TLS termination so the traffic between app gateway and the aks cluster will be using HTTP (not HTTPS) protocol. The port configured will be the port configured in the targetPort of your service.

    On another note, you should have seen this warning before:

    extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
    

    You should update AGIC to use the latest version and change your manifest to use networking.k8s.io/v1 Ingress:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: aspnetapp
      annotations:
        kubernetes.io/ingress.class: azure/application-gateway
        appgw.ingress.kubernetes.io/ssl-redirect: "true"
        appgw.ingress.kubernetes.io/appgw-ssl-certificate: "<name of your certificate added to Application Gateway>"
    spec:
      rules:
    ...
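An added check, not from the question, the answer or AGIC itself, that takes an Ingress as a Python dict mirroring the two manifests above and reports what AGIC will build from it: which listeners exist, whether the HTTP-to-HTTPS redirect applies, and whether the App Gateway to AKS hop is plaintext (AGIC's `appgw.ingress.kubernetes.io/backend-protocol` annotation defaults to http). The function name `check_agic_tls`, the certificate name `aspnetapp-cert` and both sample manifests are assumptions constructed here.

```python
DEPRECATED_APIS = {"extensions/v1beta1", "networking.k8s.io/v1beta1"}
CERT = "appgw.ingress.kubernetes.io/appgw-ssl-certificate"
REDIRECT = "appgw.ingress.kubernetes.io/ssl-redirect"
BACKEND_PROTOCOL = "appgw.ingress.kubernetes.io/backend-protocol"  # AGIC annotation, defaults to http

# Constructed: the question's manifest, still carrying its "<...>" placeholder certificate name.
QUESTION_INGRESS = {
    "apiVersion": "extensions/v1beta1",
    "metadata": {"name": "aspnetapp", "annotations": {
        "kubernetes.io/ingress.class": "azure/application-gateway",
        CERT: "<name of your certificate added to Application Gateway>",
        REDIRECT: "true"}},
    "spec": {"rules": [{"http": {"paths": [{"path": "/",
        "backend": {"serviceName": "aspnetapp", "servicePort": 80}}]}}]},
}

# Constructed: the same Ingress on networking.k8s.io/v1 with an assumed real certificate name.
FIXED_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "metadata": {"name": "aspnetapp", "annotations": {
        "kubernetes.io/ingress.class": "azure/application-gateway",
        CERT: "aspnetapp-cert",  # assumed name of a certificate uploaded to the App Gateway
        REDIRECT: "true"}},
    "spec": {"rules": [{"http": {"paths": [{"path": "/", "pathType": "Prefix",
        "backend": {"service": {"name": "aspnetapp", "port": {"number": 80}}}}]}}]},
}


def check_agic_tls(ingress: dict) -> dict:
    """Hypothetical helper: listeners, redirect and backend hop AGIC derives from an Ingress, plus findings."""
    ann = ingress.get("metadata", {}).get("annotations", {})
    findings = []
    api = ingress.get("apiVersion", "")
    if api in DEPRECATED_APIS:
        findings.append(f"apiVersion {api} is deprecated; use networking.k8s.io/v1")
    cert = str(ann.get(CERT, ""))
    has_cert = bool(cert) and not cert.startswith("<")  # "<...>" is an unfilled placeholder
    if not has_cert:
        findings.append("no usable certificate reference: only the HTTP:80 listener is created")
    redirect = has_cert and str(ann.get(REDIRECT, "false")).lower() == "true"
    if has_cert and not redirect:
        findings.append("HTTP listener is not redirected; plaintext stays reachable")
    backend = str(ann.get(BACKEND_PROTOCOL, "http")).lower()  # AGIC terminates TLS by default
    if has_cert and backend != "https":
        findings.append("TLS terminates at App Gateway; App Gateway -> AKS hop is plaintext HTTP")
    listeners = ["http:80"] + (["https:443"] if has_cert else [])
    return {"listeners": listeners, "ssl_redirect": redirect, "backend_protocol": backend, "findings": findings}
```

Run `check_agic_tls(QUESTION_INGRESS)` and `check_agic_tls(FIXED_INGRESS)` to see that the placeholder manifest yields only the port 80 listener, while the fixed one yields both listeners with the redirect but still a plaintext backend hop.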