
Integrate Let’s Encrypt to Application Gateway and AKS to protect your websites

  • September 9, 2020
  • 6 min read
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.

A website is always better, and looks more professional, when it is served securely over HTTPS. To get there, we will use Let’s Encrypt and its integration with AKS and Application Gateway.

For this configuration, my DNS zones are hosted on Azure DNS. So I grant the DNS Zone Contributor role, scoped to the resource group that hosts the zones, to the service principal of the AKS cluster. If the zones are in another subscription, create a new service principal there with the same rights.

Deploy the cert-manager CRDs, namespace and Helm chart to your cluster:

```shell
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.16.0/cert-manager.crds.yaml
kubectl create namespace cert-manager
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v0.16.0 --set ingressShim.defaultIssuerName=letsencrypt-prod --set ingressShim.defaultIssuerKind=ClusterIssuer
```


Now create one secret per subscription where your DNS zones are stored. In my case, my Azure DNS zones are spread over 2 different subscriptions, so I create 2 secrets, each holding the password of the corresponding service principal (replace Password with the real client secret):

```shell
kubectl create secret generic azuredns-config-sponsorship --from-literal=client-secret=Password -n cert-manager
kubectl create secret generic azuredns-config-fala --from-literal=client-secret=Password -n cert-manager
```


Create a file, certmanager-prd.yaml, and paste the following code, adapting the email, IDs, resource group and zone names to your environment. Each solver is selected by the dnsZones selector, so a certificate for a name under falaconsulting.be is solved with the falaconsulting.be service principal and secret, and never with the other one:

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: youremail
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: issuer-account-key
    solvers:
      - selector:
          dnsZones:
            - florentappointaire.cloud
        dns01:
          azuredns:
            clientID: Client ID that has DNS Contributor right
            # The secret created in Kubernetes above; the issuer uses it to present the challenge to Azure DNS.
            clientSecretSecretRef:
              name: azuredns-config-sponsorship
              key: client-secret
            subscriptionID: Subscription ID where the DNS is hosted
            tenantID: Tenant ID
            resourceGroupName: Resource Group Name
            hostedZoneName: florentappointaire.cloud
            # Azure Cloud Environment, default to AzurePublicCloud
            environment: AzurePublicCloud
      - selector:
          dnsZones:
            - falaconsulting.be
        dns01:
          azuredns:
            clientID: Client ID that has DNS Contributor right
            # The secret created in Kubernetes above; the issuer uses it to present the challenge to Azure DNS.
            clientSecretSecretRef:
              name: azuredns-config-fala
              key: client-secret
            subscriptionID: Subscription ID where the DNS is hosted
            tenantID: Tenant ID
            resourceGroupName: Resource Group Name
            hostedZoneName: falaconsulting.be
            # Azure Cloud Environment, default to AzurePublicCloud
            environment: AzurePublicCloud
```

Apply this file:

```shell
kubectl apply -f certmanager-prd.yaml
```

We will now deploy an application exposed over HTTPS, using the following template. The cert-manager.io/cluster-issuer annotation on the Ingress tells cert-manager to request a certificate for the hosts listed under tls and store it in the named secret, which Application Gateway then serves:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-https
spec:
  selector:
    matchLabels:
      app: nginxhttps
  replicas: 1
  template:
    metadata:
      labels:
        app: nginxhttps
    spec:
      containers:
      - name: nginx
        image: nginx:1.16.1
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-https
spec:
  ports:
    - name: nginx
      port: 80
      protocol: TCP
      targetPort: 80
  type: ClusterIP
  selector:
    app: nginxhttps
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginxhttps
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    - hosts:
      - starwindhttps.falaconsulting.be
      secretName: starwindhttps-letsencrypt
  rules:
  - host: starwindhttps.falaconsulting.be
    http:
      paths:
      - backend:
          serviceName: nginx-https
          servicePort: 80
```

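As an added pre-flight check (example code, not from the original post), the script below verifies that each TLS host of the Ingress above is routed to one of the ClusterIssuer's DNS-01 solvers, that the chosen solver's hostedZoneName agrees with the zone it was selected for, and that the Secret it references exists in the cert-manager namespace; it generalizes the page's two zones to any solver list using cert-manager's rule that the longest matching dnsZones suffix wins. The ClusterIssuer solvers and the Ingress host are transcribed inline as dicts (IDs omitted), and app.example.org is a constructed host with no matching zone.

```python
# Solvers transcribed from the page's certmanager-prd.yaml (client/tenant IDs omitted).
SOLVERS = [
    {"selector": {"dnsZones": ["florentappointaire.cloud"]},
     "dns01": {"azuredns": {"hostedZoneName": "florentappointaire.cloud",
                            "clientSecretSecretRef": {"name": "azuredns-config-sponsorship"}}}},
    {"selector": {"dnsZones": ["falaconsulting.be"]},
     "dns01": {"azuredns": {"hostedZoneName": "falaconsulting.be",
                            "clientSecretSecretRef": {"name": "azuredns-config-fala"}}}},
]
# Secrets created in the cert-manager namespace earlier on the page.
SECRETS = {"azuredns-config-sponsorship", "azuredns-config-fala"}
# TLS host from the page's Ingress, plus one constructed host that no solver covers.
HOSTS = ["starwindhttps.falaconsulting.be", "app.example.org"]


def select_solver(solvers, host):
    """Return (solver, zone) for the longest dnsZones suffix matching host, or (None, None)."""
    best, best_zone = None, ""
    for solver in solvers:
        for zone in solver.get("selector", {}).get("dnsZones", []):
            if (host == zone or host.endswith("." + zone)) and len(zone) > len(best_zone):
                best, best_zone = solver, zone
    return best, (best_zone or None)


def check_hosts(solvers, secrets, hosts):
    """Map each host to its list of problems; an empty list means the challenge can be solved."""
    report = {}
    for host in hosts:
        problems = []
        solver, zone = select_solver(solvers, host)
        if solver is None:
            problems.append("no solver selector matches this host")
        else:
            az = solver["dns01"]["azuredns"]
            secret = az["clientSecretSecretRef"]["name"]
            if az["hostedZoneName"] != zone:
                problems.append(f"hostedZoneName {az['hostedZoneName']} != selected zone {zone}")
            if secret not in secrets:
                problems.append(f"secret {secret} missing in cert-manager namespace")
        report[host] = problems
    return report


if __name__ == "__main__":
    for host, problems in check_hosts(SOLVERS, SECRETS, HOSTS).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

A host that reports "no solver selector matches" would leave the Certificate stuck in a pending state, since cert-manager has no zone it is allowed to write the challenge record into.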
After a few seconds, the certificate is requested and deployed:

[Screenshot: the certificate is requested and issued]

[Screenshot: the nginx welcome page served over HTTPS]

In the last part, we will see how to make this app highly available 😊
