Azure / application-gateway-kubernetes-ingress

This is an ingress controller that can be run on Azure Kubernetes Service (AKS) to allow an Azure Application Gateway to act as the ingress for an AKS cluster.

Home Page: https://azure.github.io/application-gateway-kubernetes-ingress

Repository from Github: https://github.com/Azure/application-gateway-kubernetes-ingress

SSLProfile Creation, global SSL Policy, and client-cert via AGIC

MichaelChristopherson opened this issue · comments


Is your feature request related to a problem? Please describe.

We have an application gateway today that is fully managed by AGIC after its initial creation EXCEPT the SSLProfile we are using for a listener doing mTLS. We are able to properly reference a created SSLProfile with this annotation without issue:

appgw.ingress.kubernetes.io/appgw-ssl-profile: "<my-profile-name>"

We also want to ensure the SSL Policy for the entire App GW is set to one we specify. We would need to be able to upload CA Certs to the App GW.

Describe the solution you'd like

We would like to be able to create an SSLProfile from AGIC. This would require the ability to upload client Certs to the App GW. The SSL Profile would then be able to name those certificates and also be able to set a listener-specific SSL Policy. It would also be good to be able to configure the global SSL Policy for the Application Gateway.

Something along the following would be pretty neat for client Certs:

apiVersion: appgw.ingress.azure.io/v1beta1
kind: AzureApplicationGatewayClientCerts
metadata:
  name: my-client-certs-name
  namespace: my-namespace
spec:
  clientCert:
  - name: CA-Cert1
    certFile: <path-to-file>
  - name: CA-Cert2
    certContent: <base64 encoded cert or something like that>
  - name: CA-Cert3
    someOtherUploadMethod: <content>
  - name: CA-Cert4
    secretName: <secretName>

We could then create an SSL Profile with something like this:

apiVersion: appgw.ingress.azure.io/v1beta1
kind: AzureApplicationGatewaySslProfile
metadata:
  name: my-ssl-profile-name
  namespace: my-namespace
spec:
  clientAuthentication:
  - certName: CA-Cert1
  - certName: CA-Cert2

  sslPolicy:
    enableListenerSpecificPolicy: <true/false, defaults to false>
    type: {Custom, CustomV2, Predefined}
    PolicyName: {AppGwSslPolicy20150501, AppGwSslPolicy20170401, AppGwSslPolicy20170401S, AppGwSslPolicy20220101, AppGwSslPolicy20220101S}
    minProtocolVersion: {TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3}
    cipherSuites:
    - TLS_RSA_WITH_AES_256_CBC_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    - etc
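An added example, not AGIC's code (the proposed CRD does not exist yet): a pre-admission lint for the sslPolicy block shape sketched above. The TLSv1_2 floor and the forward-secrecy/CBC checks are assumed organisational policy, not Azure rules; PREDEFINED_MIN reflects the documented minimum protocol of each predefined policy; PROPOSED_POLICY is a constructed copy of the issue's sample, whose first suite uses static RSA key exchange.

```python
from typing import Dict, List

POLICY_TYPES = {"Custom", "CustomV2", "Predefined"}
PROTOCOLS = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
FLOOR = "TLSv1_2"  # assumed organisational baseline, not an Azure rule
# Minimum protocol each predefined Application Gateway policy enforces (Azure docs).
PREDEFINED_MIN = {"AppGwSslPolicy20150501": "TLSv1_0", "AppGwSslPolicy20170401": "TLSv1_1",
                  "AppGwSslPolicy20170401S": "TLSv1_2", "AppGwSslPolicy20220101": "TLSv1_2",
                  "AppGwSslPolicy20220101S": "TLSv1_2"}

def below_floor(version: str) -> bool:
    return PROTOCOLS.index(version) < PROTOCOLS.index(FLOOR)

def lint_ssl_policy(policy: Dict) -> List[str]:
    """Return findings for one sslPolicy block; an empty list means it passes."""
    findings: List[str] = []
    ptype = policy.get("type")
    if ptype not in POLICY_TYPES:
        return [f"type must be one of {sorted(POLICY_TYPES)}, got {ptype!r}"]
    if ptype == "Predefined":
        name = policy.get("PolicyName")
        if name not in PREDEFINED_MIN:
            return [f"unknown predefined PolicyName {name!r}"]
        if below_floor(PREDEFINED_MIN[name]):
            findings.append(f"{name} allows {PREDEFINED_MIN[name]}, below {FLOOR}")
        return findings
    # Custom / CustomV2: the profile itself must spell out the floor and the suites.
    min_ver = policy.get("minProtocolVersion")
    if min_ver not in PROTOCOLS:
        findings.append(f"minProtocolVersion must be one of {PROTOCOLS}, got {min_ver!r}")
    elif below_floor(min_ver):
        findings.append(f"minProtocolVersion {min_ver} is below {FLOOR}")
    suites = policy.get("cipherSuites") or []
    if not suites:
        findings.append("cipherSuites must list at least one suite for a custom policy")
    for suite in suites:
        if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
            continue  # TLS 1.3 suites: ephemeral key exchange and AEAD are built in
        if not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            findings.append(f"{suite}: non-ephemeral key exchange, no forward secrecy")
        if "_CBC_" in suite:
            findings.append(f"{suite}: CBC mode, prefer an AEAD (GCM) suite")
    return findings

# Constructed input mirroring the sslPolicy block proposed in the issue above.
PROPOSED_POLICY = {"type": "Custom", "minProtocolVersion": "TLSv1_2",
                   "cipherSuites": ["TLS_RSA_WITH_AES_256_CBC_SHA256",
                                    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"]}
```

Running `lint_ssl_policy(PROPOSED_POLICY)` reports three findings: no forward secrecy for the TLS_RSA suite and CBC mode for both suites.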

commented

This loosely relates to:
#954
#773