Tags: azure-aks, nginx-ingress

Nginx Ingress Controller (MS AKS app routing add-on) - Multiple Hosts with Different TLS settings on 1 Ingress


I'm wanting to have 1 ingress IP but multiple hosts, each with different ssl/tls configs. So below, I started with abc.com which has its own certificate AND does TLS-MA. I want to add def.com with a different certificate AND no TLS-MA (or perhaps a different TLS-MA authority).

Is this possible?

Just adding def.com below does TLS-MA against the same authority as abc.com and gives me the Kubernetes Fake Certificate. I need to somehow make the annotations only applicable to 1 host so I can have multiple different ssl/tls configs, but I don't know if this is possible.

TIA.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # Server cert pulled from keyvault
    kubernetes.azure.com/tls-cert-keyvault-uri: https://myvault.vault.azure.net/certificates/mycert/b36bc0840bc23423432837c450d9
    # Enable client cert auth
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # CA & INT cert within this secret.  Must be named ca.crt within secret.
    nginx.ingress.kubernetes.io/auth-tls-secret: mynamespace/ca-secret
    # Pass cert upstream
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
  name: myingress
  namespace: mynamespace
spec:
  ingressClassName: webapprouting.kubernetes.azure.com
  rules:
  - host: abc.com
    http:
      paths:
      - backend:
          service:
            name: abc
            port:
              number: 8080
        path: /
        pathType: Prefix
  - host: def.com
    http:
      paths:
      - backend:
          service:
            name: def
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - abc.com
    secretName: keyvault-certificate

Solution

  • For the Nginx Ingress Controller in AKS, while you can have multiple hosts with different SSL/TLS certificates in a single Ingress by specifying different entries under the tls field, you cannot have different TLS Mutual Authentication (TLS-MA) configurations for each host within a single Ingress resource. The reason is that annotations apply to the entire Ingress resource and cannot be scoped to individual hosts or paths.

    If you need different TLS-MA configurations (e.g., one host with TLS-MA and another without), you will have to create separate Ingress resources for each host with its specific annotations.

    The workaround solution would be:

    1. Maintain separate Ingress resources for each host that requires a unique TLS-MA configuration.
    2. Ensure that each Ingress resource points to the same Ingress controller, which can be achieved by using the same ingressClassName.
    3. Configure different tls sections within each Ingress resource to point to the appropriate SSL/TLS certificates.

    Here is an example setup:

    Ingress for abc.com with TLS-MA

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: abc-ingress
      namespace: mynamespace
      annotations:
        kubernetes.azure.com/tls-cert-keyvault-uri: https://myvault.vault.azure.net/certificates/abccert/...
        nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
        nginx.ingress.kubernetes.io/auth-tls-secret: mynamespace/abc-ca-secret
        nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    spec:
      ingressClassName: webapprouting.kubernetes.azure.com
      rules:
      - host: abc.com
        http:
          paths:
          - backend:
              service:
                name: abc-service
                port:
                  number: 8080
            path: /
            pathType: Prefix
      tls:
      - hosts:
        - abc.com
        secretName: abc-tls-secret

    Ingress for def.com without TLS-MA

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: def-ingress
      namespace: mynamespace
      annotations:
        kubernetes.azure.com/tls-cert-keyvault-uri: https://myvault.vault.azure.net/certificates/defcert/...
        # No TLS-MA annotations for def.com
    spec:
      ingressClassName: webapprouting.kubernetes.azure.com
      rules:
      - host: def.com
        http:
          paths:
          - backend:
              service:
                name: def-service
                port:
                  number: 80
            path: /
            pathType: Prefix
      tls:
      - hosts:
        - def.com
        secretName: def-tls-secret

    In these examples, each Ingress has its own set of annotations appropriate to its TLS configuration. The secretName under the tls section must reference a Kubernetes Secret containing the TLS certificate for the host. Just modify the service name and secret path according to your environment.


    By setting up your Ingress resources this way, you can have a single IP address (managed by the Ingress controller) serving multiple hosts with different TLS configurations, including the presence or absence of TLS-MA.
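The two pitfalls in this thread (auth-tls-* annotations are Ingress-wide, and a routed host missing from spec.tls gets the controller's fake certificate) are easy to lint for before applying manifests. The script below is an added example, not code from the question or the answer; it assumes the Ingress objects are already loaded as Python dicts (for instance from `kubectl get ingress -o json`), and `make_ingress`, `lint_ingress` and `lint_set` are hypothetical helper names. The cross-Ingress check that flags the same host and path claimed by two Ingresses of the same class is my own addition to the rules the answer states.

```python
"""Lint Ingress manifests for per-host TLS/mTLS mistakes (added example, not the page's code)."""
from collections import defaultdict
from typing import Any, Dict, List, Optional

AUTH_TLS = "nginx.ingress.kubernetes.io/auth-tls-"


def make_ingress(name: str, host: str, *, mtls: bool, tls_secret: Optional[str],
                 path: str = "/", namespace: str = "mynamespace") -> Dict[str, Any]:
    """Build a minimal Ingress dict shaped like the manifests above (constructed test data)."""
    annotations: Dict[str, str] = {}
    if mtls:
        annotations[AUTH_TLS + "verify-client"] = "on"
        annotations[AUTH_TLS + "secret"] = f"{namespace}/{name}-ca-secret"
    spec: Dict[str, Any] = {
        "ingressClassName": "webapprouting.kubernetes.azure.com",
        "rules": [{"host": host, "http": {"paths": [{"path": path, "pathType": "Prefix"}]}}],
    }
    if tls_secret:
        spec["tls"] = [{"hosts": [host], "secretName": tls_secret}]
    return {"metadata": {"name": name, "namespace": namespace, "annotations": annotations},
            "spec": spec}


def _ref(ing: Dict[str, Any]) -> str:
    meta = ing.get("metadata", {})
    return f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"


def lint_ingress(ing: Dict[str, Any]) -> List[str]:
    """Findings for a single Ingress: Ingress-wide mTLS over several hosts, missing CA
    secret, and hosts that are routed but have no spec.tls entry."""
    ref = _ref(ing)
    ann = ing.get("metadata", {}).get("annotations") or {}
    spec = ing.get("spec", {})
    hosts = [r["host"] for r in spec.get("rules", []) if r.get("host")]
    tls_hosts = {h for entry in (spec.get("tls") or []) for h in entry.get("hosts", [])}
    out: List[str] = []
    verify = ann.get(AUTH_TLS + "verify-client", "off")
    if verify != "off":
        if len(hosts) > 1:
            out.append(f"{ref}: auth-tls-verify-client={verify} is Ingress-wide and will apply "
                       f"to all of {hosts}; use one Ingress per mTLS policy")
        if not ann.get(AUTH_TLS + "secret"):
            out.append(f"{ref}: client certificate verification is on but auth-tls-secret "
                       f"(the CA bundle) is not set")
    for h in hosts:
        if h not in tls_hosts:
            out.append(f"{ref}: host {h} is routed but absent from spec.tls, so it will be "
                       f"served the controller's default fake certificate")
    return out


def lint_set(ingresses: List[Dict[str, Any]]) -> List[str]:
    """Run lint_ingress over every object and also flag host+path pairs claimed by more
    than one Ingress of the same class (only one of them will be served)."""
    out: List[str] = []
    claims = defaultdict(list)  # (ingressClassName, host, path) -> [ingress refs]
    for ing in ingresses:
        out.extend(lint_ingress(ing))
        spec = ing.get("spec", {})
        cls = spec.get("ingressClassName", "")
        for rule in spec.get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                claims[(cls, rule.get("host"), p.get("path", "/"))].append(_ref(ing))
    for (cls, host, path), refs in claims.items():
        if len(refs) > 1:
            out.append(f"{host}{path} is claimed by {len(refs)} Ingresses of class {cls}: "
                       f"{sorted(refs)}; only one of them will win")
    return out


# Constructed copy of the question's combined Ingress: mTLS on, two hosts, tls only for abc.com.
ORIGINAL: Dict[str, Any] = {
    "metadata": {"name": "myingress", "namespace": "mynamespace", "annotations": {
        AUTH_TLS + "verify-client": "on",
        AUTH_TLS + "secret": "mynamespace/ca-secret",
    }},
    "spec": {
        "ingressClassName": "webapprouting.kubernetes.azure.com",
        "rules": [{"host": "abc.com", "http": {"paths": [{"path": "/"}]}},
                  {"host": "def.com", "http": {"paths": [{"path": "/"}]}}],
        "tls": [{"hosts": ["abc.com"], "secretName": "keyvault-certificate"}],
    },
}

if __name__ == "__main__":
    for finding in lint_ingress(ORIGINAL):
        print("combined:", finding)
    split = [make_ingress("abc-ingress", "abc.com", mtls=True, tls_secret="abc-tls-secret"),
             make_ingress("def-ingress", "def.com", mtls=False, tls_secret="def-tls-secret")]
    print("split:", lint_set(split) or "no findings")
```

Run against the combined manifest it reports two findings (mTLS applied to both hosts, def.com served the fake certificate); the two split manifests from the answer produce none. Feeding it the output of `kubectl get ingress -A -o json` (after pulling out the `items` list) gives a quick pre-deployment check across a whole cluster.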