AKS: Configure TLS termination with the http application routing addon
When you install a AKS cluster you can configure it to deploy the http application routing addon or you you can update an existing cluster to deploy it.
Either way you end up with an NGINX Ingress Controller running, in the kube-system namespace of your cluster, with the following properties:
- ingress-class: addon-http-application-routing
- annotations-prefix: nginx.ingress.kubernetes.io
Does this means that you can use this controller for TLS termination? The answer is yes! And you can also use rate limits, and whitelisting as described in my post Secure your Kubernetes services with NGINX ingress controller, tls and more.
So to try it out, follow steps 2 and 5 of the previous post, but be sure to replace the contents of the ingress_rules.yaml file with the following yaml (Don’t forget to replace the DNS Zone Name):
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: dni-function namespace: default annotations: kubernetes.io/ingress.class: addon-http-application-routing nginx.ingress.kubernetes.io/rewrite-target: / spec: tls: - hosts: - dni-function.<YOUR CLUSTERS DNS ZONE NAME> secretName: tls-secret rules: - host: dni-function.<YOUR CLUSTERS DNS ZONE NAME> http: paths: - path: / backend: serviceName: dni-function servicePort: 80
Note that the kubernetes.io/ingress.class value must be: addon-http-application-routing
Once you have tls working go ahead and try rate limits and whitelisting!
Hope it helps.