Ingress Application Gateway
Getting started
To create an ingress using the application gateway, use the following annotation:
kubernetes.io/ingress.class: azure/application-gateway
With annotations you can configure the Application Gateway the way you need to get your service working. Annotations are optional, but the most important ones are:
appgw.ingress.kubernetes.io/use-private-ip: <boolean>
Exposes your service on the private IP of the Application Gateway; defaults to false.
appgw.ingress.kubernetes.io/health-probe-path: <string>
Lets you explicitly define the target URI path used for the Application Gateway health probe.
Full Annotation List:
https://azure.github.io/application-gateway-kubernetes-ingress/annotations
Example ingress:
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/use-private-ip: "true" # Optional: force usage of private IP
    appgw.ingress.kubernetes.io/health-probe-path: "/api/" # Optional: set health probe path, defaults to /
spec:
  rules:
  - host: test.agic.contoso.com
    http:
      paths:
      - path: /
        backend:
          service:
            name: test-service
            port:
              number: 80
        pathType: Prefix
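As an added example (not code from this page or the AGIC project), the Python below lints an Ingress manifest, loaded as a plain dict, against the conventions just described: the ingress-class annotation, quoted boolean and absolute probe-path values, and the networking.k8s.io/v1 backend shape. The rules, the `lint_agic_ingress` name and the two sample manifests are this example's own; the "bad" sample shows the mistakes that most often slip through a YAML editor (an unquoted boolean, a relative probe path, the removed v1beta1 `serviceName`/`servicePort` keys).

```python
"""Lint an Ingress manifest for the AGIC conventions described on this page.

Assumptions (not from the page): the manifest is a dict as returned by
yaml.safe_load or json.load; the rules below are this example's own and
are not AGIC's or the API server's validation logic.
"""

INGRESS_CLASS_ANNOTATION = "kubernetes.io/ingress.class"
AGIC_CLASS = "azure/application-gateway"
ANNOTATION_PREFIX = "appgw.ingress.kubernetes.io/"
BOOLEAN_ANNOTATIONS = {ANNOTATION_PREFIX + "use-private-ip"}
VALID_PATH_TYPES = ("Prefix", "Exact", "ImplementationSpecific")


def lint_agic_ingress(manifest: dict) -> list[str]:
    """Return a list of problems; an empty list means the manifest passes."""
    problems = []
    annotations = manifest.get("metadata", {}).get("annotations", {}) or {}

    # 1. The ingress must be claimed by AGIC; otherwise no Application
    #    Gateway rules are created and the service is silently not exposed.
    if annotations.get(INGRESS_CLASS_ANNOTATION) != AGIC_CLASS:
        problems.append(f"missing or wrong {INGRESS_CLASS_ANNOTATION} (expected {AGIC_CLASS!r})")

    # 2. Annotation values are strings: booleans must be quoted "true"/"false"
    #    (an unquoted `true` is parsed by YAML as a bool and rejected by the
    #    API server), and the probe path must be an absolute URI path.
    for key, value in annotations.items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        if not isinstance(value, str):
            problems.append(f"{key}: value must be a quoted string, got {type(value).__name__}")
            continue
        if key in BOOLEAN_ANNOTATIONS and value not in ("true", "false"):
            problems.append(f'{key}: expected "true" or "false", got {value!r}')
        if key == ANNOTATION_PREFIX + "health-probe-path" and not value.startswith("/"):
            problems.append(f"{key}: probe path must start with '/', got {value!r}")

    # 3. networking.k8s.io/v1 backend shape: backend.service.name plus
    #    backend.service.port, and pathType is mandatory. serviceName /
    #    servicePort belong to the removed v1beta1 Ingress API.
    if manifest.get("apiVersion") != "networking.k8s.io/v1":
        problems.append("apiVersion should be networking.k8s.io/v1")
    for rule in manifest.get("spec", {}).get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            backend = path.get("backend", {})
            if "serviceName" in backend or "servicePort" in backend:
                problems.append("backend uses v1beta1 serviceName/servicePort; "
                                "use backend.service.name and backend.service.port.number")
            elif not backend.get("service", {}).get("name"):
                problems.append("backend.service.name is required")
            if path.get("pathType") not in VALID_PATH_TYPES:
                problems.append(f"pathType must be set on path {path.get('path')!r}")
    return problems


# Constructed sample: the example ingress from this page, as a dict.
GOOD_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "test-ingress", "annotations": {
        "kubernetes.io/ingress.class": "azure/application-gateway",
        "appgw.ingress.kubernetes.io/use-private-ip": "true",
        "appgw.ingress.kubernetes.io/health-probe-path": "/api/"}},
    "spec": {"rules": [{"host": "test.agic.contoso.com", "http": {"paths": [
        {"path": "/", "pathType": "Prefix",
         "backend": {"service": {"name": "test-service", "port": {"number": 80}}}}]}}]},
}

# Constructed sample with typical mistakes: unquoted boolean, relative
# probe path, v1beta1 backend keys and no pathType.
BAD_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "bad-ingress", "annotations": {
        "kubernetes.io/ingress.class": "azure/application-gateway",
        "appgw.ingress.kubernetes.io/use-private-ip": True,
        "appgw.ingress.kubernetes.io/health-probe-path": "api/"}},
    "spec": {"rules": [{"http": {"paths": [
        {"backend": {"serviceName": "frontend", "servicePort": 80}}]}}]},
}

if __name__ == "__main__":
    for name, manifest in (("good", GOOD_INGRESS), ("bad", BAD_INGRESS)):
        print(name, lint_agic_ingress(manifest) or "OK")
```

Run it as a pre-apply check (for instance from a CI step that loads each rendered manifest with `yaml.safe_load`) so that a misconfigured ingress fails before AGIC ever reconciles it.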
TLS Certificates
Certificate stored in Kubernetes Secrets
- Create certificate and key
  openssl req -newkey rsa:4096 \
    -x509 \
    -sha256 \
    -days 3650 \
    -nodes \
    -out example.crt \
    -keyout example.key
- Create Kubernetes Secret
  kubectl create secret tls <secret-name> --key <path-to-key> --cert <path-to-cert>
- Configure Ingress (the backend uses the networking.k8s.io/v1 service/port form; serviceName/servicePort belong to the removed v1beta1 API)
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: test-ingress
    annotations:
      kubernetes.io/ingress.class: azure/application-gateway
  spec:
    tls:
    - secretName: <secret-name>
    rules:
    - http:
        paths:
        - path: /
          backend:
            service:
              name: frontend
              port:
                number: 80
          pathType: Prefix
Certificate stored in Key Vault
- Convert cert and key to pfx
  openssl pkcs12 -export -in example.crt -inkey example.key -out example.pfx
- Upload pfx to Key Vault
  az keyvault certificate import --vault-name <key-vault-name> -n example-cert -f example.pfx
- Deploy Secret Provider Class
  apiVersion: secrets-store.csi.x-k8s.io/v1
  kind: SecretProviderClass
  metadata:
    name: azure-tls
  spec:
    provider: azure
    secretObjects:                   # secretObjects defines the desired state of synced K8s secret objects
    - secretName: ingress-tls-csi
      type: kubernetes.io/tls
      data:
      - objectName: example-cert
        key: tls.key
      - objectName: example-cert
        key: tls.crt
    parameters:
      usePodIdentity: "false"
      useVMManagedIdentity: "true"
      userAssignedIdentityID: <client_id>
      keyvaultName: <key-vault-name> # the name of the AKV instance
      objects: |
        array:
          - |
            objectName: example-cert
            objectType: secret
      tenantId: <tenant-id>          # the tenant ID of the AKV instance
- Configure Deployment
  Add the secret class to the pod to provision the secret within the cluster.
  ...
      containers:
      - image: docker.io/library/nginx:latest
        name: azure-files-pod-test
        ports:
        - containerPort: 80
          protocol: TCP
        volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
      volumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "azure-tls"
- Configure Ingress
  Add the provisioned secret to the ingress.
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: test-ingress
    annotations:
      kubernetes.io/ingress.class: azure/application-gateway
  spec:
    tls:
    - secretName: ingress-tls-csi
    rules:
    - http:
        paths:
        - path: /
          backend:
            service:
              name: test-service
              port:
                number: 80
          pathType: Prefix
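The Key Vault procedure only works when the three resources agree with each other: the Ingress names the secret that the SecretProviderClass syncs, and some pod mounts that SecretProviderClass, because the Secrets Store CSI driver creates the synced Kubernetes Secret only when a pod actually mounts the volume. As an added example (not code from this page or the AGIC project), the Python below cross-checks that chain on the manifests above, re-typed as dicts. The Deployment is a constructed minimal one wrapping the page's container/volume fragment, the `check_tls_chain` name and its rules are this example's own, and placeholders such as <client_id> are kept verbatim.

```python
"""Cross-check the SecretProviderClass -> Pod -> Ingress TLS chain.

Added example. Assumptions (not from the page): manifests are dicts as
returned by yaml.safe_load; DEPLOYMENT is a constructed wrapper around the
page's container/volume fragment; the rules are this example's own, not
the CSI driver's or AGIC's validation.
"""

CSI_DRIVER = "secrets-store.csi.k8s.io"


def check_tls_chain(spc: dict, deployment: dict, ingress: dict) -> list[str]:
    """Return problems found in the chain; an empty list means it is consistent."""
    problems = []
    spc_name = spc["metadata"]["name"]
    params = spc["spec"].get("parameters", {})

    # 1. Identity: exactly one of pod identity / VM managed identity, plus a
    #    client id when the managed identity is user-assigned, plus the vault.
    modes = [k for k in ("usePodIdentity", "useVMManagedIdentity") if params.get(k) == "true"]
    if len(modes) != 1:
        problems.append(f"expected exactly one identity mode enabled, got {modes}")
    if params.get("useVMManagedIdentity") == "true" and not params.get("userAssignedIdentityID"):
        problems.append("useVMManagedIdentity needs userAssignedIdentityID")
    for required in ("keyvaultName", "tenantId"):
        if not params.get(required):
            problems.append(f"parameters.{required} is missing")

    # 2. The synced Secret must be kubernetes.io/tls with exactly tls.crt and
    #    tls.key, and every object it maps from must be listed in `objects`
    #    (a substring check on the nested YAML string is enough here).
    synced = set()
    for obj in spc["spec"].get("secretObjects", []):
        synced.add(obj["secretName"])
        keys = {d.get("key") for d in obj.get("data", [])}
        if obj.get("type") != "kubernetes.io/tls" or keys != {"tls.crt", "tls.key"}:
            problems.append(f"secretObject {obj['secretName']}: needs type kubernetes.io/tls "
                            "with tls.crt and tls.key")
        for d in obj.get("data", []):
            if f"objectName: {d.get('objectName')}" not in params.get("objects", ""):
                problems.append(f"secretObject {obj['secretName']}: {d.get('objectName')} "
                                "is not listed in parameters.objects")

    # 3. The driver only materialises the synced Secret once a pod mounts the
    #    SecretProviderClass, so some workload must reference it by name.
    pod = deployment["spec"]["template"]["spec"]
    mounted = {v["csi"].get("volumeAttributes", {}).get("secretProviderClass")
               for v in pod.get("volumes", []) if v.get("csi", {}).get("driver") == CSI_DRIVER}
    if spc_name not in mounted:
        problems.append(f"no pod volume mounts SecretProviderClass {spc_name}; "
                        "the synced secret will never be created")

    # 4. Every Ingress tls.secretName must be one of the synced secrets.
    for tls in ingress["spec"].get("tls", []):
        if tls.get("secretName") not in synced:
            problems.append(f"ingress references secret {tls.get('secretName')!r}, "
                            "which no SecretProviderClass syncs")
    return problems


# Re-typed from this page (placeholders kept verbatim).
SPC = {
    "apiVersion": "secrets-store.csi.x-k8s.io/v1", "kind": "SecretProviderClass",
    "metadata": {"name": "azure-tls"},
    "spec": {"provider": "azure",
             "secretObjects": [{"secretName": "ingress-tls-csi", "type": "kubernetes.io/tls",
                                "data": [{"objectName": "example-cert", "key": "tls.key"},
                                         {"objectName": "example-cert", "key": "tls.crt"}]}],
             "parameters": {"usePodIdentity": "false", "useVMManagedIdentity": "true",
                            "userAssignedIdentityID": "<client_id>", "keyvaultName": "<key-vault-name>",
                            "objects": "array:\n  - |\n    objectName: example-cert\n    objectType: secret\n",
                            "tenantId": "<tenant-id>"}},
}

# Constructed minimal Deployment around the page's container/volume fragment.
DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "test-deployment"},
    "spec": {"selector": {"matchLabels": {"app": "test"}}, "template": {
        "metadata": {"labels": {"app": "test"}},
        "spec": {"containers": [{"name": "azure-files-pod-test", "image": "docker.io/library/nginx:latest",
                                 "ports": [{"containerPort": 80, "protocol": "TCP"}],
                                 "volumeMounts": [{"name": "secrets-store-inline",
                                                   "mountPath": "/mnt/secrets-store", "readOnly": True}]}],
                 "volumes": [{"name": "secrets-store-inline",
                              "csi": {"driver": CSI_DRIVER, "readOnly": True,
                                      "volumeAttributes": {"secretProviderClass": "azure-tls"}}}]}}},
}

INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "test-ingress",
                 "annotations": {"kubernetes.io/ingress.class": "azure/application-gateway"}},
    "spec": {"tls": [{"secretName": "ingress-tls-csi"}],
             "rules": [{"http": {"paths": [{"path": "/", "pathType": "Prefix",
                        "backend": {"service": {"name": "test-service", "port": {"number": 80}}}}]}}]},
}

# Constructed failure case: an Ingress that points at a secret nothing syncs.
MISMATCHED_INGRESS = {**INGRESS, "spec": {**INGRESS["spec"], "tls": [{"secretName": "ingress-tls"}]}}

if __name__ == "__main__":
    print(check_tls_chain(SPC, DEPLOYMENT, INGRESS) or "chain OK")
    print(check_tls_chain(SPC, DEPLOYMENT, MISMATCHED_INGRESS))
```

The mismatched case is the one that is hardest to see in the cluster: `kubectl get ingress` reports the object as healthy, the SecretProviderClass is valid, and the only symptom is a missing Secret and a listener that never gets its certificate.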
Last modified July 3, 2023: Improved nginx version in deployment example (a8ba98a)