I have an AKS cluster running an internal nginx ingress + cert-manager, which generates Let's Encrypt certificates for SSL termination.
I would like to include Application Gateway as an entry point, where I expect that SSL internet traffic hits Application Gateway and traffic is forwarded to the nginx ingress, then to my application. I do not mind if SSL offloading is done at the App Gateway level or on the AKS cluster itself.
One of my biggest headaches is that Application Gateway requires a certificate when an HTTPS listener is created. Since the certificate is generated automatically on the AKS cluster, I do not see the benefit of supplying an SSL certificate to the Application Gateway, nor do I want to go through the extra work of generating a certificate and storing it in Key Vault, etc.
What is the neatest way to tackle this problem? Potential solutions I have considered are:
- Configure Application Gateway to passthrough SSL to the AKS cluster
- Somehow configure cert-manager to store the certificate in keyvault
The only options I see (but I like neither) are:
- Purchase a certificate and store it in Key Vault (however, I prefer using Let's Encrypt)
- Generate the SSL certificate on a cluster and then write a script which scrapes the certificate and stores it in Azure Key Vault
Any help will be appreciated.
2 Answers
Since the above solution hasn't really helped me, I had decided to write an AKS cron job which syncs certificates to Azure Key Vault.
If anyone is interested, I would be able to open source it.
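The cert-manager-to-Key-Vault sync described in the answer above depends on turning the cluster's TLS Secret into a PEM bundle that Key Vault will import, and on skipping the upload when nothing changed. This is an added example, not the answerer's code and not part of the original thread; the function names and the sample Secret are constructed for illustration, and it assumes the Secret is read as the JSON that `kubectl get secret -o json` returns.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s+-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for each PEM block found in text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def build_bundle(secret):
    """Turn a kubernetes.io/tls Secret (parsed JSON) into
    (pem_bundle, leaf_sha256) for a Key Vault certificate import."""
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("not a kubernetes.io/tls secret")
    data = secret["data"]
    certs = pem_blocks(base64.b64decode(data["tls.crt"]).decode())
    keys = pem_blocks(base64.b64decode(data["tls.key"]).decode())
    if not certs or any(label != "CERTIFICATE" for label, _ in certs):
        raise ValueError("tls.crt must hold only CERTIFICATE blocks")
    # Key Vault's PEM import expects an unencrypted PKCS#8 key; cert-manager
    # writes PKCS#1 ("RSA PRIVATE KEY") unless privateKey.encoding is PKCS8.
    if len(keys) != 1 or keys[0][0] != "PRIVATE KEY":
        raise ValueError("tls.key must be one PKCS#8 'PRIVATE KEY' block")
    bundle = to_pem(*keys[0]) + "".join(to_pem(l, d) for l, d in certs)
    return bundle, hashlib.sha256(certs[0][1]).hexdigest()


def needs_sync(secret, vault_sha256):
    """True when the cluster's leaf cert differs from the vault's (None = absent)."""
    return build_bundle(secret)[1] != (vault_sha256 or "").lower()


def sample_secret(key_label="PRIVATE KEY"):
    # Constructed stand-in bytes, not real DER: only the PEM framing matters here.
    crt = to_pem("CERTIFICATE", b"leaf-cert") + to_pem("CERTIFICATE", b"issuer-cert")
    key = to_pem(key_label, b"private-key")
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return {"type": "kubernetes.io/tls", "data": {"tls.crt": enc(crt), "tls.key": enc(key)}}
```

The returned bundle is what a job would pass to `az keyvault certificate import --file`; because it contains the private key, keep it in memory or in a mode-0600 file on tmpfs and give the job's identity import permission on that one vault only.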
As per this tutorial here, you can use cert-manager, an AKS add-on that automates the creation and management of certificates.
You can also go through this tutorial, which uses an Azure Automation runbook to automate certificate rotation for ApGw.