Managing ingress controller certificate through Azure Key Vault

Tanul 1,281 Reputation points
2020-10-06T11:55:17.613+00:00

Hello,

I'm trying to set up a TLS-enabled ingress controller on AKS using nginx, but I have to control the certificate from Azure Key Vault. I have a few queries here:

  1. Should we add the details of the secret provider class volumes and volume mounts in the nginx YAML or in the ingress rule YAML? Is there any template available? I don't know if the ingress rule and the ingress controller (nginx) merge in the end, because if they do, then I think the details can be added anywhere.
  2. Does the ingress controller accept a password-protected certificate? If not, then should we upload the password-free key file separately as the secret type category in Key Vault? But this link says that there should be a single PEM file which should have all the certificates in one.
     (attached screenshot)
  3. How do I merge the certificate with the trusted chain of the CA and the private key in one PEM file? Can anyone share the format?

Can anyone help me with this? Thank you.


Accepted answer
  prmanhas-MSFT (Microsoft Employee)
    2020-10-07T14:39:46.997+00:00

    @Tanul Apologies for the delay in response and all the inconvenience caused because of the issue.

    You can secure an Ingress by specifying a Secret that contains a TLS private key and certificate. The Ingress resource only supports a single TLS port, 443, and assumes TLS termination at the ingress point (traffic to the Service and its Pods is in plaintext). If the TLS configuration section in an Ingress specifies different hosts, they are multiplexed on the same port according to the hostname specified through the SNI TLS extension (provided the Ingress controller supports SNI). The TLS secret must contain keys named tls.crt and tls.key that contain the certificate and private key to use for TLS. For example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: testsecret-tls
      namespace: default
    data:
      tls.crt: base64 encoded cert   # PEM certificate (plus chain), base64-encoded
      tls.key: base64 encoded key    # unencrypted PEM private key, base64-encoded
    type: kubernetes.io/tls


    Referencing this secret in an Ingress tells the Ingress controller to secure the channel from the client to the load balancer using TLS. You need to make sure the TLS secret you created came from a certificate that contains a Common Name (CN), also known as a Fully Qualified Domain Name (FQDN) for https-example.foo.com.

    The tls-example-ingress.yaml file will look something like this:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: tls-example-ingress
    spec:
      tls:
      - hosts:
          - https-example.foo.com
        secretName: testsecret-tls   # the kubernetes.io/tls Secret defined above
      rules:
      - host: https-example.foo.com
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service1
                port:
                  number: 80


    You can find more information here.

    This functionality is pretty new, so after digging more I found this documentation, which will be a great source of information.

    This article is step by step method for integration of AKS with KeyVault with TLS.

    You can refer to this article as well. All of this answers which YAML file to use and where you need to store them.

    Hope it helps!!!

    Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics

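The accepted answer covers the Secret and Ingress objects but not the poster's questions 2 and 3 (whether a password-protected key is usable, and how to lay out a single PEM file). The following is an added example, not code from the thread, from Microsoft or from the ingress-nginx project: a standard-library Python script that merges key, leaf and intermediates into one PEM (assumed order: private key first, then the leaf, then the intermediates), refuses a bundle whose key is password-protected, and renders the kubernetes.io/tls Secret the answer describes. The PEM blocks it ships with are constructed placeholders (base64 of plain text), not real keys or certificates, and the function names are this example's own.

```python
import base64
import re

# One PEM block: label in the BEGIN line, body, matching END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)
_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def split_pem(text):
    """Return (label, block_text) for every PEM block in file order."""
    return [(m.group(1), m.group(0)) for m in _PEM_BLOCK.finditer(text)]


def is_encrypted_key(label, block):
    """True for a password-protected key: PKCS#8 'ENCRYPTED PRIVATE KEY' or a
    legacy PEM key carrying a 'Proc-Type: 4,ENCRYPTED' header."""
    if label == "ENCRYPTED PRIVATE KEY":
        return True
    return label in _KEY_LABELS and "Proc-Type: 4,ENCRYPTED" in block


def merge_pem(private_key, leaf_cert, intermediates):
    """Build one PEM file: private key, leaf certificate, then intermediates
    (the leaf's issuer first, root omitted). Order is an assumption of this example."""
    parts = [private_key.strip(), leaf_cert.strip(), *(c.strip() for c in intermediates)]
    return "\n".join(parts) + "\n"


def build_tls_secret(name, namespace, bundle):
    """Split a combined PEM bundle into a kubernetes.io/tls Secret manifest (as a dict).
    tls.crt carries every CERTIFICATE block in bundle order; tls.key carries the single key."""
    keys, certs = [], []
    for label, block in split_pem(bundle):
        if label in _KEY_LABELS:
            if is_encrypted_key(label, block):
                raise ValueError("private key is password-protected; tls.key must be an unencrypted key")
            keys.append(block)
        elif label == "CERTIFICATE":
            certs.append(block)
        else:
            raise ValueError(f"unexpected PEM block type: {label}")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        raise ValueError("no certificate found in bundle")
    tls_crt = "\n".join(certs) + "\n"
    tls_key = keys[0] + "\n"
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",
        "data": {
            "tls.crt": base64.b64encode(tls_crt.encode()).decode(),
            "tls.key": base64.b64encode(tls_key.encode()).decode(),
        },
    }


def decoded_field(secret, field):
    """Base64-decode one entry of secret['data'] back to PEM text."""
    return base64.b64decode(secret["data"][field]).decode()


def bundle_problem(bundle):
    """Return the validation error a bundle would trigger, or None if it is acceptable."""
    try:
        build_tls_secret("check", "default", bundle)
    except ValueError as exc:
        return str(exc)
    return None


def render_secret(secret):
    """Render the manifest dict as YAML text without needing PyYAML."""
    md, data = secret["metadata"], secret["data"]
    return (
        f"apiVersion: {secret['apiVersion']}\nkind: {secret['kind']}\n"
        f"metadata:\n  name: {md['name']}\n  namespace: {md['namespace']}\n"
        f"type: {secret['type']}\ndata:\n  tls.crt: {data['tls.crt']}\n  tls.key: {data['tls.key']}\n"
    )


def _fake_pem(label, payload, headers=""):
    """Constructed placeholder block: base64 of plain text, NOT real key/cert material."""
    body = base64.b64encode(payload).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{headers}{lines}\n-----END {label}-----"


# Constructed samples (not real cryptographic material).
SAMPLE_KEY = _fake_pem("PRIVATE KEY", b"constructed sample: not a real private key")
SAMPLE_LEAF = _fake_pem("CERTIFICATE", b"constructed sample: not a real leaf certificate")
SAMPLE_INTERMEDIATE = _fake_pem("CERTIFICATE", b"constructed sample: not a real intermediate")
SAMPLE_ENCRYPTED_KEY = _fake_pem(
    "RSA PRIVATE KEY", b"constructed sample: legacy encrypted key",
    headers="Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n",
)

if __name__ == "__main__":
    bundle = merge_pem(SAMPLE_KEY, SAMPLE_LEAF, [SAMPLE_INTERMEDIATE])
    print(render_secret(build_tls_secret("ingress-tls", "default", bundle)))
    print("encrypted bundle:", bundle_problem(SAMPLE_ENCRYPTED_KEY + "\n" + SAMPLE_LEAF))
```

Run it against a real export by replacing the SAMPLE_* constants with the PEM text you downloaded; a key that trips the encrypted check has to be converted to an unencrypted PKCS#8 key before it can go into tls.key.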
