appgw-ssl-certificate.md

Prerequisites

NOTE: Application Gateway for Containers has been released, which introduces numerous performance, resilience, and feature changes. Please consider leveraging Application Gateway for Containers for your next deployment.

This documents assumes you already have the following Azure tools and resources installed:

• AKS with Advanced Networking enabled
• App Gateway v2 in the same virtual network as AKS
• AAD Pod Identity installed on your AKS cluster
• Cloud Shell is the Azure shell environment, which has az CLI, kubectl, and helm installed. These tools are required for the commands below.

Please use Greenfield Deployment to install nonexistents.

To use the new feature, make sure the AGIC version is at least at 1.2.0-rc3

helm install oci://mcr.microsoft.com/azure-application-gateway/charts/ingress-azure -f helm-config.yaml --version 1.7.5 --generate-name

Create a certificate and configure the certificate to AppGw

The certificate below should only be used for testing purpose.

appgwName=""
resgp=""

# generate certificate for testing
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -out test-cert.crt \
  -keyout test-cert.key \
  -subj "/CN=test"

openssl pkcs12 -export \
  -in test-cert.crt \
  -inkey test-cert.key \
  -passout pass:test \
  -out test-cert.pfx

# configure certificate to app gateway
az network application-gateway ssl-cert create \
  --resource-group $resgp \
  --gateway-name $appgwName \
  -n mysslcert \
  --cert-file test-cert.pfx \
  --cert-password "test"

Configure certificate from Key Vault to AppGw

To configfure certificate from key vault to Application Gateway, an user-assigned managed identity will need to be created and assigned to AppGw, the managed identity will need to have GET secret access to KeyVault.

# Configure your resources
appgwName=""
resgp=""
vaultName=""
location=""
aksClusterName=""
aksResourceGroupName=""
appgwName=""

# IMPORTANT: the following way to retrieve the object id of the AGIC managed identity
# only applies when AGIC is deployed via the AGIC addon for AKS

# get the resource group name of the AKS cluster
nrg=$(az aks show --name $aksClusterName --resource-group $aksResourceGroupName --query nodeResourceGroup --output tsv)

# get principalId of the AGIC managed identity
identityName="ingressapplicationgateway-$aksClusterName"
agicIdentityPrincipalId=$(az identity show --name $identityName --resource-group $nrg --query principalId --output tsv)

# One time operation, create Azure key vault and certificate (can done through portal as well)
az keyvault create -n $vaultName -g $resgp --enable-soft-delete -l $location

# One time operation, create user-assigned managed identity
az identity create -n appgw-id -g $resgp -l $location
identityID=$(az identity show -n appgw-id -g $resgp -o tsv --query "id")
identityPrincipal=$(az identity show -n appgw-id -g $resgp -o tsv --query "principalId")

# One time operation, assign AGIC identity to have operator access over AppGw identity
az role assignment create --role "Managed Identity Operator" --assignee $agicIdentityPrincipalId --scope $identityID

# One time operation, assign the identity to Application Gateway
az network application-gateway identity assign \
  --gateway-name $appgwName \
  --resource-group $resgp \
  --identity $identityID

# One time operation, assign the identity GET secret access to Azure Key Vault
az keyvault set-policy \
-n $vaultName \
-g $resgp \
--object-id $identityPrincipal \
--secret-permissions get

# For each new certificate, create a cert on keyvault and add unversioned secret id to Application Gateway
az keyvault certificate create \
--vault-name $vaultName \
-n mycert \
-p "$(az keyvault certificate get-default-policy)"
versionedSecretId=$(az keyvault certificate show -n mycert --vault-name $vaultName --query "sid" -o tsv)
unversionedSecretId=$(echo $versionedSecretId | cut -d'/' -f-5) # remove the version from the url

# For each new certificate, Add the certificate to AppGw
az network application-gateway ssl-cert create \
-n mykvsslcert \
--gateway-name $appgwName \
--resource-group $resgp \
--key-vault-secret-id $unversionedSecretId # ssl certificate with name "mykvsslcert" will be configured on AppGw

Testing the key vault certificate on Ingress

Since we have certificate from Key Vault configured in Application Gateway, we can then add the new annotation appgw.ingress.kubernetes.io/appgw-ssl-certificate: mykvsslcert in Kubernetes ingress to enable the feature.

# install an app
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: aspnetapp
  labels:
    app: aspnetapp
spec:
  containers:
  - image: "mcr.microsoft.com/dotnet/samples:aspnetapp"
    name: aspnetapp-image
    ports:
    - containerPort: 80
      protocol: TCP

---

apiVersion: v1
kind: Service
metadata:
  name: aspnetapp
spec:
  selector:
    app: aspnetapp
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80

---

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: aspnetapp
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: mykvsslcert
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          service:
            name: aspnetapp
            port:
              number: 80
        pathType: Exact
EOF