Azure / application-gateway-kubernetes-ingress

This is an ingress controller that can be run on Azure Kubernetes Service (AKS) to allow an Azure Application Gateway to act as the ingress for an AKS cluster.
https://azure.github.io/application-gateway-kubernetes-ingress
MIT License

SSLProfile Creation, global SSL Policy, and client-cert via AGIC #1662

Open MichaelChristopherson opened 1 day ago

MichaelChristopherson commented 1 day ago

Is your feature request related to a problem? Please describe.

We have an application gateway today that is fully managed by AGIC after its initial creation EXCEPT the SSLProfile we are using for a listener doing mTLS. We are able to properly reference a created SSLProfile with this annotation without issue:

appgw.ingress.kubernetes.io/appgw-ssl-profile: "<my-profile-name>"

We also want to ensure the SSL Policy for the entire App GW is set to one we specify. We would need to be able to upload CA Certs to the App GW.

Describe the solution you'd like

We would like to be able to create an SSLProfile from AGIC. This would require the ability to upload client Certs to the App GW. The SSL Profile would then be able to name those certificates and also be able to set a listener specific SSL Policy. It would also be good to be able to configure the global SSL Policy for the Application Gateway.

Something along the lines of the following would be pretty neat for client Certs:

```yaml
apiVersion: appgw.ingress.azure.io/v1beta1
kind: AzureApplicationGatewayClientCerts
metadata:
  name: my-client-certs-name
  namespace: my-namespace
spec:
  clientCert:
  - name: CA-Cert1
    certFile: <path-to-file>
  - name: CA-Cert2
    certContent: <base64 encoded cert or something like that>
  - name: CA-Cert3
    someOtherUploadMethod: <content>
  - name: CA-Cert4
    secretName: <secretName>
```

We could then create an SSL Profile with something like this:

```yaml
apiVersion: appgw.ingress.azure.io/v1beta1
kind: AzureApplicationGatewaySslProfile
metadata:
  name: my-ssl-profile-name
  namespace: my-namespace
spec:
  clientAuthentication:
  - certName: CA-Cert1
  - certName: CA-Cert2

  sslPolicy:
    enableListenerSpecificPolicy: <true/false, defaults to false>
    type: {Custom, CustomV2, Predefined}
    PolicyName: {AppGwSslPolicy20150501, AppGwSslPolicy20170401, AppGwSslPolicy20170401S, AppGwSslPolicy20220101, AppGwSslPolicy20220101S}
    minProtocolVersion: {TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3}
    cipherSuites:
    - TLS_RSA_WITH_AES_256_CBC_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    - etc
```

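As an added example that is not part of this issue or of the AGIC project, a small Python lint for the proposed AzureApplicationGatewaySslProfile spec: it takes the fields sketched above as given (assuming the camelCase key `policyName`), encodes the Application Gateway SSL policy rules a controller would have to validate (Predefined takes only a policy name, Custom and CustomV2 need a minimum version plus cipher suites, a TLSv1_3 minimum only works with CustomV2), and adds the hygiene checks a reviewer would want, such as flagging the TLS_RSA_ and CBC suites listed in the proposal.

```python
# Added lint for the SSL-profile spec proposed in this issue (not AGIC code).
# The field names and sample values are the issue author's proposal, mirrored here
# as a dict; the rules encode Application Gateway SSL policy constraints and a few
# defender hygiene checks (forward secrecy, CBC suites, deprecated TLS minimums).

WEAK_MIN_VERSIONS = {"TLSv1_0", "TLSv1_1"}
LEGACY_PREDEFINED = {"AppGwSslPolicy20150501", "AppGwSslPolicy20170401"}  # min < TLS 1.2


def lint_ssl_profile(spec: dict) -> list:
    """Return findings for a proposed AzureApplicationGatewaySslProfile spec."""
    findings = []
    policy = spec.get("sslPolicy", {})
    ptype = policy.get("type")
    if not spec.get("clientAuthentication"):
        findings.append("no client CA certs: listener will not enforce mTLS")
    if ptype == "Predefined":  # only policyName applies
        name = policy.get("policyName")
        if not name:
            findings.append("Predefined policy requires policyName")
        elif name in LEGACY_PREDEFINED:
            findings.append(f"{name} permits TLS below 1.2")
    elif ptype in ("Custom", "CustomV2"):
        min_ver = policy.get("minProtocolVersion")
        suites = policy.get("cipherSuites") or []
        if not min_ver or not suites:
            findings.append(f"{ptype} policy requires minProtocolVersion and cipherSuites")
        if min_ver in WEAK_MIN_VERSIONS:
            findings.append(f"minProtocolVersion {min_ver} permits deprecated TLS")
        if min_ver == "TLSv1_3" and ptype != "CustomV2":
            findings.append("TLSv1_3 minimum is only supported with CustomV2")
        for suite in suites:
            if suite.startswith("TLS_RSA_"):
                findings.append(f"{suite}: RSA key exchange, no forward secrecy")
            elif "_CBC_" in suite:
                findings.append(f"{suite}: CBC mode, prefer AES-GCM suites")
    else:
        findings.append(f"unknown sslPolicy.type {ptype!r}")
    return findings


# Constructed spec mirroring the proposal above (two CA certs, Custom policy).
PROPOSED_SPEC = {
    "clientAuthentication": [{"certName": "CA-Cert1"}, {"certName": "CA-Cert2"}],
    "sslPolicy": {"type": "Custom", "minProtocolVersion": "TLSv1_2",
                  "cipherSuites": ["TLS_RSA_WITH_AES_256_CBC_SHA256",
                                   "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"]},
}
```

Run against the proposal's own sample, the lint accepts the policy shape but reports both listed cipher suites, which is exactly the kind of feedback a controller could surface before pushing the profile to the gateway.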
MichaelChristopherson commented 1 day ago

This loosely relates to: https://github.com/Azure/application-gateway-kubernetes-ingress/issues/954 https://github.com/Azure/application-gateway-kubernetes-ingress/issues/773