1
votes

I have deployed a Kubernetes cluster to a custom virtual network on Azure using acs-engine. There is an ASP.NET Core 2.0 Kestrel app running on the agent VMs and the app is accessed over VPN through a Service of the Azure internal load balancer type. Now I would like to enable HTTPS on the service. I have already obtained a domain name and a certificate but have no idea how to proceed. Apparently configuring Kestrel to use HTTPS and copying the certificate to each container is not the way to go.

I have checked out tutorials such as ingress on k8s using acs and configure Nginx Ingress Controller for TLS termination on k8s on Azure but both of them end up exposing a public external IP and I want to keep the IP internal and not accessible from the internet. Is this possible? Can it be done without ingresses and their controllers?

2
Not sure about the endpoint, as for the IP question. You ever heard about DNS? - 4c74356b41
Yes, can be done internal: Look into using the nginx ingress controller and just adjust the service. - Norbert van Nobelen

2 Answers

1
votes

While for some reason I still can't access the app through the ingress, I was able to create an internal ingress service with the IP I want with the following configuration:

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  name: nginx-ingress-svc
spec:
  type: LoadBalancer
  ports:
  - port: 443
    targetPort: 443
  loadBalancerIP: 130.10.1.9
  selector:
    k8s-app: nginx-ingress-controller

0
votes

The tutorial you linked is a bit outdated, at least the instructions have you go to an 'examples' folder in the GitHub repo they link but that doesn't exist. Anyhow, a normal nginx ingress controller consists of several parts: the nginx deployment, the service that exposes it and the default backend parts. You need to look at the yamls they ask you to deploy, look for the second part of what I listed - the ingress service - and change type from LoadBalancer to ClusterIP (or delete type altogether since ClusterIP is the default).
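
A check that goes with both answers above, as an added example that is not from the original thread: it reads Service objects in the JSON form produced by `kubectl get svc --all-namespaces -o json` and reports which LoadBalancer Services lack the internal-load-balancer annotation used in the first answer, and so would be given a public IP. The Service names `nginx-ingress-public` and `kestrel-app` are hypothetical, and the sample data is constructed.

```python
import json

INTERNAL_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-internal"

def classify(svc):
    """Classify how far one Service object is exposed."""
    svc_type = svc.get("spec", {}).get("type", "ClusterIP")  # ClusterIP is the default
    if svc_type == "LoadBalancer":
        annotations = svc.get("metadata", {}).get("annotations") or {}
        # Assumption of this check: only the literal string "true" counts as internal.
        return "internal-lb" if annotations.get(INTERNAL_ANNOTATION) == "true" else "public-lb"
    return {"ClusterIP": "cluster-only", "NodePort": "node-port"}.get(svc_type, "other")

def audit(service_json):
    """Map 'namespace/name' -> (exposure, ports) for a Service or a List of Services."""
    doc = json.loads(service_json)
    items = doc["items"] if "items" in doc else [doc]
    report = {}
    for svc in items:
        meta = svc.get("metadata", {})
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        ports = [p.get("port") for p in svc.get("spec", {}).get("ports", [])]
        report[key] = (classify(svc), ports)
    return report

def public_services(service_json):
    """Names of LoadBalancer Services that would be given a public IP."""
    return sorted(k for k, (exposure, _) in audit(service_json).items()
                  if exposure == "public-lb")

def _svc(name, spec, annotations=None):
    """Build a minimal Service object for the constructed sample below."""
    return {"kind": "Service", "spec": spec,
            "metadata": {"name": name, "namespace": "default", "annotations": annotations}}

# Constructed sample: the first answer's Service, the same Service without the
# annotation (hypothetical), and a default-type Service for the app (hypothetical).
SAMPLE = json.dumps({"kind": "List", "items": [
    _svc("nginx-ingress-svc", {"type": "LoadBalancer", "loadBalancerIP": "130.10.1.9",
                               "ports": [{"port": 443, "targetPort": 443}]},
         {INTERNAL_ANNOTATION: "true"}),
    _svc("nginx-ingress-public", {"type": "LoadBalancer",
                                  "ports": [{"port": 443, "targetPort": 443}]}),
    _svc("kestrel-app", {"ports": [{"port": 80, "targetPort": 80}]}),
]})

if __name__ == "__main__":
    for name, (exposure, ports) in sorted(audit(SAMPLE).items()):
        print(f"{name:32} {exposure:13} ports={ports}")
    print("public:", public_services(SAMPLE))
```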