I want to have one ingress IP but multiple hosts, each with a different SSL/TLS config. So below, I started with abc.com, which has its own certificate AND does TLS-MA. I want to add def.com with a different certificate AND no TLS-MA (or perhaps a different TLS-MA authority).
Is this possible?
Just adding def.com below does TLS-MA against the same authority as abc.com and gives me the Kubernetes Fake Certificate. I need to somehow make the annotations only applicable to one host so I can have multiple different SSL/TLS configs, but I don't know if this is possible.
TIA.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # Server cert pulled from keyvault
    kubernetes.azure.com/tls-cert-keyvault-uri: https://myvault.vault.azure.net/certificates/mycert/b36bc0840bc23423432837c450d9
    # Enable client cert auth
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # CA & INT cert within this secret. Must be named ca.crt within secret.
    nginx.ingress.kubernetes.io/auth-tls-secret: mynamespace/ca-secret
    # Pass cert upstream
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
  name: myingress
  namespace: mynamespace
spec:
  ingressClassName: webapprouting.kubernetes.azure.com
  rules:
  - host: abc.com
    http:
      paths:
      - backend:
          service:
            name: abc
            port:
              number: 8080
        path: /
        pathType: Prefix
  - host: def.com
    http:
      paths:
      - backend:
          service:
            name: def
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - abc.com
    secretName: keyvault-certificate
```
For the Nginx Ingress Controller in AKS, while you can have multiple hosts with different SSL/TLS certificates in a single Ingress by specifying different entries under the `tls` field, you cannot have different TLS Mutual Authentication (TLS-MA) configurations for each host within a single Ingress resource. The reason is that annotations apply to the entire Ingress resource and cannot be scoped to individual hosts or paths.
If you need different TLS-MA configurations (e.g., one host with TLS-MA and another without), you will have to create separate Ingress resources for each host with its specific annotations.
The workaround solution would be:
- Use the same `ingressClassName` in each Ingress resource.
- Configure the `.tls` sections within each Ingress resource to point to the appropriate SSL/TLS certificates.
Here is an example setup:
Ingress for abc.com with TLS-MA
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: abc-ingress
  namespace: mynamespace
  annotations:
    kubernetes.azure.com/tls-cert-keyvault-uri: https://myvault.vault.azure.net/certificates/abccert/...
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: mynamespace/abc-ca-secret
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  ingressClassName: webapprouting.kubernetes.azure.com
  rules:
  - host: abc.com
    http:
      paths:
      - backend:
          service:
            name: abc-service
            port:
              number: 8080
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - abc.com
    secretName: abc-tls-secret
```
Ingress for def.com without TLS-MA
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: def-ingress
  namespace: mynamespace
  annotations:
    kubernetes.azure.com/tls-cert-keyvault-uri: https://myvault.vault.azure.net/certificates/defcert/...
    # No TLS-MA annotations for def.com
spec:
  ingressClassName: webapprouting.kubernetes.azure.com
  rules:
  - host: def.com
    http:
      paths:
      - backend:
          service:
            name: def-service
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - def.com
    secretName: def-tls-secret
```
In these examples, each Ingress has its own set of annotations appropriate to its TLS configuration. The `secretName` under the `tls` section must reference a Kubernetes Secret containing the TLS certificate for the host. Just modify the service name and secret path according to your environment.
By setting up your Ingress resources this way, you can have a single IP address (managed by the Ingress controller) serving multiple hosts with different TLS configurations, including the presence or absence of TLS-MA.
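The two failure modes in the question (TLS-MA annotations silently applying to every host in the Ingress, and a host missing from `spec.tls` getting the controller's fake default certificate) are easy to lint for before they reach the cluster. The following checker is an added example, not code from the question, the answer or the ingress-nginx project; it reads the JSON that `kubectl get ingress -A -o json` prints and flags both conditions. The embedded `SAMPLE_INGRESS_LIST` is a constructed, trimmed-down version of the question's combined Ingress plus the two split Ingresses from the answer.

```python
"""Lint Ingress objects for TLS settings that cannot be scoped per host.

Reads the JSON that `kubectl get ingress -A -o json` prints (an IngressList)
and reports two problems:
  1. an Ingress carrying the ingress-nginx client-certificate (TLS-MA)
     annotation while routing more than one host: the annotation is
     Ingress-wide, so every host in that Ingress will demand a client cert;
  2. a host under spec.rules that is missing from spec.tls: the controller
     then serves its default "Kubernetes Ingress Controller Fake Certificate"
     for that name.
"""
import json
import sys
from typing import Dict, List

VERIFY_CLIENT = "nginx.ingress.kubernetes.io/auth-tls-verify-client"
# Values of auth-tls-verify-client under which nginx requests a client certificate.
CLIENT_CERT_REQUESTED = {"on", "optional", "optional_no_ca"}


def lint_ingress(ingress: Dict) -> List[str]:
    """Return one finding string per problem found in a single Ingress object."""
    meta = ingress.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    annotations = meta.get("annotations") or {}
    spec = ingress.get("spec", {})
    rule_hosts = [r["host"] for r in spec.get("rules", []) if "host" in r]
    tls_hosts = {h for entry in spec.get("tls", []) for h in entry.get("hosts", [])}
    findings = []

    mtls = annotations.get(VERIFY_CLIENT, "off").strip().lower() in CLIENT_CERT_REQUESTED
    if mtls and len(set(rule_hosts)) > 1:
        findings.append(
            f"{name}: TLS-MA annotation is Ingress-wide and applies to all hosts "
            f"{sorted(set(rule_hosts))}; split into one Ingress per host"
        )
    for host in rule_hosts:
        if host not in tls_hosts:
            findings.append(
                f"{name}: host {host} has no spec.tls entry; the controller will "
                f"serve its fake default certificate for it"
            )
    return findings


def lint_document(doc: Dict) -> List[str]:
    """Accept either a single Ingress or an IngressList (kubectl -o json output)."""
    items = doc.get("items", []) if doc.get("kind") == "IngressList" else [doc]
    return [f for ing in items if ing.get("kind") == "Ingress" for f in lint_ingress(ing)]


def lint_json(text: str) -> List[str]:
    return lint_document(json.loads(text))


# Constructed sample: the question's combined Ingress plus the two split ones
# from the answer, in the shape kubectl returns (fields the linter ignores are omitted).
SAMPLE_INGRESS_LIST = json.dumps({
    "kind": "IngressList",
    "items": [
        {"kind": "Ingress",
         "metadata": {"name": "myingress", "namespace": "mynamespace",
                      "annotations": {VERIFY_CLIENT: "on",
                                      "nginx.ingress.kubernetes.io/auth-tls-secret": "mynamespace/ca-secret"}},
         "spec": {"rules": [{"host": "abc.com"}, {"host": "def.com"}],
                  "tls": [{"hosts": ["abc.com"], "secretName": "keyvault-certificate"}]}},
        {"kind": "Ingress",
         "metadata": {"name": "abc-ingress", "namespace": "mynamespace",
                      "annotations": {VERIFY_CLIENT: "on"}},
         "spec": {"rules": [{"host": "abc.com"}],
                  "tls": [{"hosts": ["abc.com"], "secretName": "abc-tls-secret"}]}},
        {"kind": "Ingress",
         "metadata": {"name": "def-ingress", "namespace": "mynamespace", "annotations": {}},
         "spec": {"rules": [{"host": "def.com"}],
                  "tls": [{"hosts": ["def.com"], "secretName": "def-tls-secret"}]}},
    ],
})

if __name__ == "__main__":
    # Usage with a real cluster: kubectl get ingress -A -o json > ing.json; python3 lint_ingress_tls.py ing.json
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_INGRESS_LIST
    for finding in lint_json(text) or ["no findings"]:
        print(finding)
```

Run against the sample, the linter reports two findings for `myingress` (TLS-MA applied to both abc.com and def.com, and def.com absent from `spec.tls`) and none for the two split Ingresses, which is exactly the outcome the answer's workaround is meant to produce.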