Managing ingress controller certificate through Azure Key Vault

Question

Hello,

I'm trying to setup a tls enable ingress controller on aks using nginx but I have to control certificate from Azure Key vault. I have few queries here:

1. Should we add details of secret provider class volumes and volume mounts in nginx yaml or ingress rule yaml. Is
   there any template available. I don't know if ingress rule and ingress controller(nginx) merge in the end because if
   they are, then I think details can be added anywhere.
2. Does ingress controller accept password protected certificate. If not, then should we upload the password free key
   file separately as secret type category in key vault. But, this link says that there should be a single pem file which
   should have all the certificates in one.
   
3. How to merge certificate with the trusted chain of CA and private key in one pem file. Can anyone share the
   format

Can anyone help me on this. Thank you

Answer 1

@Tanul Apologies for the delay in response and all the inconvenience caused because of the issue.

You can secure an Ingress by specifying a Secret that contains a TLS private key and certificate. The Ingress resource only supports a single TLS port, 443, and assumes TLS termination at the ingress point (traffic to the Service and its Pods is in plaintext). If the TLS configuration section in an Ingress specifies different hosts, they are multiplexed on the same port according to the hostname specified through the SNI TLS extension (provided the Ingress controller supports SNI). The TLS secret must contain keys named tls.crt and tls.key that contain the certificate and private key to use for TLS. For example:

apiVersion: v1  
kind: Secret  
metadata:  
  name: testsecret-tls  
  namespace: default  
data:  
  tls.crt: base64 encoded cert  
  tls.key: base64 encoded key  
type: kubernetes.io/tls  

Referencing this secret in an Ingress tells the Ingress controller to secure the channel from the client to the load balancer using TLS. You need to make sure the TLS secret you created came from a certificate that contains a Common Name (CN), also known as a Fully Qualified Domain Name (FQDN) for https-example.foo.com.

tls-example-ingress.yaml file will look something like this:

apiVersion: networking.k8s.io/v1  
kind: Ingress  
metadata:  
  name: tls-example-ingress  
spec:  
  tls:  
  - hosts:  
      - https-example.foo.com  
    secretName: testsecret-tls  
  rules:  
  - host: https-example.foo.com  
    http:  
      paths:  
      - path: /  
        pathType: Prefix  
        backend:  
          service:  
            name: service1  
            port:  
              number: 80  

You can find more information here.

This functionality is pretty new so after digging more found this documentation which will be great source of information.

This article is step by step method for integration of AKS with KeyVault with TLS.

You can refer to this article as well. All this answers which YAML file to use and where you need to store them.

Hope it helps!!!

Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics