Building on our foundation of AKS, Application Gateway for Containers (AGFC), and Azure DNS, this article tackles the critical step of enabling secure, automated HTTPS for applications. This process uses Cert-Manager and Let’s Encrypt to provide valid, free TLS certificates, eliminating the “insecure connection” warning and securing all traffic.
Introducing Cert-Manager and ClusterIssuer
Achieving automated HTTPS requires two key Kubernetes resources:
- Cert-Manager: This controller watches the cluster for resources that request certificates and communicates with external Certificate Authorities (CAs) like Let’s Encrypt to fulfill those requests.
- ClusterIssuer: A cluster-scoped resource that defines the CA configuration, including the ACME server endpoint (e.g., Let’s Encrypt’s production server) and the contact email for notifications.
This setup ensures that certificates are automatically renewed before their 90-day expiration, providing a hands-off, secure solution.
Installation and Deployment
The deployment process involves three main steps:
- Install Cert-Manager: The controller is installed into the cluster, typically via Helm. It is crucial to enable the Gateway API feature during installation so Cert-Manager is aware of and can interact with the Gateway resources.
- Deploy ClusterIssuer: A
ClusterIssuerresource is created, configured to use the production endpoint for Let’s Encrypt. The configuration specifies theHTTP01solver, which defines how Cert-Manager proves domain ownership. - The HTTP01 Challenge: When a certificate is requested, Cert-Manager uses the
HTTP01challenge. It temporarily provisions a specific HTTP route that exposes a unique validation file. Let’s Encrypt validates this file via the public domain name, proving ownership before issuing the certificate.
Enabling HTTPS on the Gateway
With Cert-Manager ready, the Kubernetes Gateway resource must be updated to expose a secure listener:
- A new listener is added to the
Gatewayresource, explicitly configured for Port 443 and the HTTPS protocol. - This listener configuration must reference the hostnames (e.g.,
traffic.example.com) and point to the KubernetesSecretwhere the certificate and key will be stored by Cert-Manager.
Requesting and Routing Certificates
The final step is to request the certificates and ensure traffic is correctly routed:
- Create Certificate Resources: A
Certificateresource is deployed for each domain (e.g., for Nginx and Traefik). This resource links the domain name to the deployedClusterIssuerand specifies the name of theSecretthat will hold the final certificate. - Automatic Provisioning: Cert-Manager immediately takes over, executes the HTTP01 challenge via the Gateway, and populates the secret with the valid TLS certificate.
- HTTPRoute Utilization: Since the routing rules are already defined in the
HTTPRouteresources (created in Part 3), no further modification is needed for the application side. Traffic arriving on the new 443 listener is seamlessly routed to the correct backend service.
Conclusion
Part 5 successfully brings robust security to the AKS environment. By integrating Cert-Manager and Let’s Encrypt with the Azure Application Gateway for Containers via the Kubernetes Gateway API, we achieve fully automated, end-to-end HTTPS encryption. The ability to automatically obtain and renew valid TLS certificates is a cornerstone of maintaining a secure and professional cloud-native application landscape.
What’s Next?
While the current setup supports specific domain names, the next part of the series will address advanced scenarios:
- Part 6: Extending the ClusterIssuer to support Wildcard Certificates, requiring integration with Azure DNS for the necessary DNS-01 challenge.
You can find all the code sample on GitHub.
This post was AI-generated based on the transcript of the video “Cert-Manager Automated HTTPS for everyone on AKS - Part 5” and reviewed by me.
Comments powered by Disqus.