Integrating Let's Encrypt to Application Gateway and AKS

It’s always better and beautiful to have a secure website, with HTTPS access. To do this, we will use Let’s Encrypt, and the integration with AKS and Application Gateway.

To do this configuration, I have my DNS that are hosted on Azure DNS. So, I will give DNS Zone Contributor right, on the resource group where my DNS are hosted, to the Service Principal of the AKS. If it’s on another subscription, create a new Service principal, with same rights.

Deploy resources and pods, to your cluster:

kubectl apply -f <a href="https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.crds.yaml">https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.crds.yaml</a>

kubectl create namespace cert-manager

kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

helm repo add jetstack <a href="https://charts.jetstack.io">https://charts.jetstack.io</a>

helm repo update

helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v0.16.0 --set ingressShim.defaultIssuerName=letsencrypt-prod --set ingressShim.defaultIssuerKind=ClusterIssuer

kubectl apply -f <a href="https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.crds.yaml">https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.crds.yaml</a>

kubectl create namespace cert-manager

kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

helm repo add jetstack <a href="https://charts.jetstack.io">https://charts.jetstack.io</a>

helm repo update

helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v0.16.0 --set ingressShim.defaultIssuerName=letsencrypt-prod --set ingressShim.defaultIssuerKind=ClusterIssuer

Now, create a secret, for each subscription where are stored your DNS. In my case, my Azure DNS are stored on 2 different subscriptions, so, I will create 2 secrets, with the password of each service principal:

kubectl create secret generic azuredns-config-sponsorship --from-literal=client-secret=Password -n cert-manager

kubectl create secret generic azuredns-config-fala --from-literal=client-secret=Password -n cert-manager

kubectl create secret generic azuredns-config-sponsorship --from-literal=client-secret=Password -n cert-manager

kubectl create secret generic azuredns-config-fala --from-literal=client-secret=Password -n cert-manager

Create a file, certmanager-prd.yaml, and paste the following code. Adapts it:

apiVersion: cert-manager.io/v1alpha2

kind: ClusterIssuer

metadata:

  name: letsencrypt-prod

spec:

    acme:

      email: youremail

      server: https://acme-v02.api.letsencrypt.org/directory

      privateKeySecretRef:

        name: issuer-account-key

      solvers:

        - selector:

            dnsZones:

            - florentappointaire.cloud

          dns01:

            azuredns:

              clientID: Client ID that has DNS Contributor right

              clientSecretSecretRef:

                name: azuredns-config-sponsorship

                key: client-secret

              subscriptionID: Subscription ID where the DNS is hosted

              tenantID: Tenant ID

              resourceGroupName: Resource Group Name

              hostedZoneName: florentappointaire.cloud

              # Azure Cloud Environment, default to AzurePublicCloud

              environment: AzurePublicCloud

        - selector:

            dnsZones:

            - falaconsulting.be

          dns01:

            azuredns:

              clientID: Client ID that has DNS Contributor right

              clientSecretSecretRef:

              # The following is the secret we created in Kubernetes. Issuer will use this to present challenge to Azure DNS.

                name: azuredns-config-fala

                key: client-secret

              subscriptionID: Subscription ID where the DNS is hosted

              tenantID: Tenant ID

              resourceGroupName: Resource Group Name

              hostedZoneName: falaconsulting.be

              # Azure Cloud Environment, default to AzurePublicCloud

              environment: AzurePublicCloud

apiVersion: cert-manager.io/v1alpha2

kind: ClusterIssuer

metadata:

spec:

acme:

email: youremail

server: https://acme-v02.api.letsencrypt.org/directory

privateKeySecretRef:

solvers:

- selector:

dnsZones:

- florentappointaire.cloud

dns01:

azuredns:

clientID: Client ID that has DNS Contributor right

clientSecretSecretRef:

key: client-secret

subscriptionID: Subscription ID where the DNS is hosted

tenantID: Tenant ID

resourceGroupName: Resource Group Name

hostedZoneName: florentappointaire.cloud

# Azure Cloud Environment, default to AzurePublicCloud

environment: AzurePublicCloud

- selector:

dnsZones:

- falaconsulting.be

dns01:

azuredns:

clientID: Client ID that has DNS Contributor right

clientSecretSecretRef:

# The following is the secret we created in Kubernetes. Issuer will use this to present challenge to Azure DNS.

key: client-secret

subscriptionID: Subscription ID where the DNS is hosted

tenantID: Tenant ID

resourceGroupName: Resource Group Name

hostedZoneName: falaconsulting.be

# Azure Cloud Environment, default to AzurePublicCloud

environment: AzurePublicCloud

Apply this file:

kubectl apply -f cert-manager-prd.yaml

1	kubectl apply -f cert-manager-prd.yaml

We will now deploy an application, with HTTPS, with the following template:

apiVersion: apps/v1

kind: Deployment

metadata:

  name: nginx-deployment-https

spec:

  selector:

    matchLabels:

      app: nginxhttps

  replicas: 1

  template:

    metadata:

      labels:

        app: nginxhttps

    spec:

      containers:

      - name: nginx

        image: nginx:1.16.1

        ports:

        - containerPort: 80

---

apiVersion: v1

kind: Service

metadata:

  name: nginx-https

spec:

  ports:

    - name: nginx

      port: 80

      protocol: TCP

      targetPort: 80

  type: ClusterIP

  selector:

    app: nginxhttps

---

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

  name: nginxhttps

  annotations:

    kubernetes.io/ingress.class: azure/application-gateway

    cert-manager.io/cluster-issuer: letsencrypt-prod

spec:

  tls:

    - hosts:

      - starwindhttps.falaconsulting.be

      secretName: starwindhttps-letsencrypt

  rules:

  - host: starwindhttps.falaconsulting.be

    http:

      paths:

      - backend:

          serviceName: nginx-https

          servicePort: 80

100

101

102

103

104

105

apiVersion: apps/v1

kind: Deployment

metadata:

spec:

selector:

matchLabels:

app: nginxhttps

replicas: 1

template:

metadata:

labels:

app: nginxhttps

spec:

containers:

- name: nginx

image: nginx:1.16.1

ports:

- containerPort: 80

---

apiVersion: v1

kind: Service

metadata:

spec:

ports:

- name: nginx

port: 80

protocol: TCP

targetPort: 80

type: ClusterIP

selector:

app: nginxhttps

---

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

annotations:

kubernetes.io/ingress.class: azure/application-gateway

cert-manager.io/cluster-issuer: letsencrypt-prod

spec:

tls:

- hosts:

- starwindhttps.falaconsulting.be

secretName: starwindhttps-letsencrypt

rules:

- host: starwindhttps.falaconsulting.be

http:

paths:

- backend:

serviceName: nginx-https

servicePort: 80

After some seconds, the certificate is requested, and deployed:

In the last part, we will see how to make this app, highly available 😊

Integrate Let’s Encrypt to Application Gateway and AKS to protect your websites