Managing ingress controller certificate through Azure Key Vault

Tanul 1,246 Reputation points


I'm trying to setup a tls enable ingress controller on aks using nginx but I have to control certificate from Azure Key vault. I have few queries here:

  1. Should we add details of secret provider class volumes and volume mounts in nginx yaml or ingress rule yaml. Is
    there any template available. I don't know if ingress rule and ingress controller(nginx) merge in the end because if
    they are, then I think details can be added anywhere.
  2. Does ingress controller accept password protected certificate. If not, then should we upload the password free key
    file separately as secret type category in key vault. But, this link says that there should be a single pem file which
    should have all the certificates in one.
  3. How to merge certificate with the trusted chain of CA and private key in one pem file. Can anyone share the

Can anyone help me on this. Thank you

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,054 questions
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,789 questions
{count} votes

Accepted answer
  1. prmanhas-MSFT 17,876 Reputation points Microsoft Employee

    @Tanul Apologies for the delay in response and all the inconvenience caused because of the issue.

    You can secure an Ingress by specifying a Secret that contains a TLS private key and certificate. The Ingress resource only supports a single TLS port, 443, and assumes TLS termination at the ingress point (traffic to the Service and its Pods is in plaintext). If the TLS configuration section in an Ingress specifies different hosts, they are multiplexed on the same port according to the hostname specified through the SNI TLS extension (provided the Ingress controller supports SNI). The TLS secret must contain keys named tls.crt and tls.key that contain the certificate and private key to use for TLS. For example:

    apiVersion: v1  
    kind: Secret  
      name: testsecret-tls  
      namespace: default  
      tls.crt: base64 encoded cert  
      tls.key: base64 encoded key  

    Referencing this secret in an Ingress tells the Ingress controller to secure the channel from the client to the load balancer using TLS. You need to make sure the TLS secret you created came from a certificate that contains a Common Name (CN), also known as a Fully Qualified Domain Name (FQDN) for

    tls-example-ingress.yaml file will look something like this:

    kind: Ingress  
      name: tls-example-ingress  
      - hosts:  
        secretName: testsecret-tls  
      - host:  
          - path: /  
            pathType: Prefix  
                name: service1  
                  number: 80  

    You can find more information here.

    This functionality is pretty new so after digging more found this documentation which will be great source of information.

    This article is step by step method for integration of AKS with KeyVault with TLS.

    You can refer to this article as well. All this answers which YAML file to use and where you need to store them.

    Hope it helps!!!

    Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful