AKS: Configure TLS termination with the http application routing addon

by Carlos Mendible on 10 Jan 2019 » kubernetes, Azure

When you install a AKS cluster you can configure it to deploy the http application routing addon or you you can update an existing cluster to deploy it.

Either way you end up with an NGINX Ingress Controller running, in the kube-system namespace of your cluster, with the following properties:

  • ingress-class: addon-http-application-routing
  • annotations-prefix: nginx.ingress.kubernetes.io

Does this means that you can use this controller for TLS termination? The answer is yes! And you can also use rate limits, and whitelisting as described in my post Secure your Kubernetes services with NGINX ingress controller, tls and more.

So to try it out, follow steps 2 and 5 of the previous post, but be sure to replace the contents of the ingress_rules.yaml file with the following yaml (Don’t forget to replace the DNS Zone Name):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dni-function
  namespace: default
  annotations:
    kubernetes.io/ingress.class: addon-http-application-routing
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - dni-function.<YOUR CLUSTERS DNS ZONE NAME>
    secretName: tls-secret
  rules:
  - host: dni-function.<YOUR CLUSTERS DNS ZONE NAME>
    http:
      paths:
      - path: /
        backend:
          serviceName: dni-function
          servicePort: 80

Note that the kubernetes.io/ingress.class value must be: addon-http-application-routing

Once you have tls working go ahead and try rate limits and whitelisting!

Hope it helps.

Please download all code and files here and be sure to check the online documentation to learn more about the annotations and other NGINX features.