Now that you have the prerequisites met, follow the steps below to create the TLS certificates that Azure Application Gateway will serve to clients connecting to your web app, and the one the AKS Ingress Controller will serve behind it. If you already have access to appropriate certificates or can procure them from your organization, consider doing so and skipping the certificate generation steps. The following describes using self-signed certs for instructive purposes only.

- Generate a client-facing self-signed TLS certificate.

  📖 Fabrikam Drone Delivery needs to procure a CA certificate for the website. As this is going to be a user-facing site, they purchase an EV cert from their CA. This will serve in front of the Azure Application Gateway. They will also procure another one, a standard cert, to be used with the AKS Ingress Controller. This one is not EV, as it will not be user-facing.

  ⚠️ Do not use the certificate created by this script for actual deployments. Self-signed certificates are used here for ease of illustration only. For your cluster, follow your organization's requirements for procurement and lifetime management of TLS certificates, even for development purposes.

  Create the certificate for Azure Application Gateway with a common name of `dronedelivery.fabrikam.com`.

  ```bash
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out appgw.crt -keyout appgw.key -subj "/CN=dronedelivery.fabrikam.com/O=Fabrikam Drone Delivery"
  openssl pkcs12 -export -out appgw.pfx -in appgw.crt -inkey appgw.key -passout pass:
  ```

- Base64 encode the client-facing certificate.

  💡 No matter if you used a certificate from your organization or generated one from above, you'll need the certificate (as `.pfx`) to be base64 encoded for proper storage in Key Vault later.

  ```bash
  export APP_GATEWAY_LISTENER_CERTIFICATE=$(cat appgw.pfx | base64 | tr -d '\n')
  ```

- Generate the wildcard certificate for the AKS Ingress Controller.

  📖 Fabrikam Drone Delivery will also procure another TLS certificate, a standard cert, to be used with the AKS Ingress Controller. This one is not EV, as it will not be user-facing. Finally, the app team decides to use a wildcard certificate of `*.aks-agic.fabrikam.com` for the ingress controller.

  ```bash
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out k8sic.crt -keyout k8sic.key -subj "/CN=*.aks-agic.fabrikam.com/O=Fabrikam Aks Ingress"
  ```

- Base64 encode the AKS Ingress Controller certificate.

  💡 No matter if you used a certificate from your organization or you generated one from above, you'll need the public certificate (as `.crt` or `.cer`) to be base64 encoded for proper storage in Key Vault later.

  ```bash
  export AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64=$(cat k8sic.crt | base64 | tr -d '\n')
  ```
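Before either base64 value goes into Key Vault, it is worth checking the artifacts themselves. The script below is an added example, not part of the reference implementation: it regenerates the two self-signed certificates with the same `openssl` commands as the steps above into a scratch directory, then verifies that each certificate covers the hostname it is meant for (including that the wildcard covers exactly one DNS label), that the PFX opens with the empty password and carries a private key, and that the base64 value is a single line that decodes back to the file. It assumes `openssl`, `base64` and `cmp` are on the PATH; the ingress hostname `api.aks-agic.fabrikam.com` is a constructed sample.

```bash
#!/usr/bin/env bash
# Added example (not from the reference implementation): generate the certs as above
# into directory $1 and verify each artifact before it is base64-encoded for Key Vault.
set -eu

# Create appgw.{crt,key,pfx} and k8sic.{crt,key} in directory $1 with the page's commands.
generate_certs() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out "$1/appgw.crt" \
    -keyout "$1/appgw.key" -subj "/CN=dronedelivery.fabrikam.com/O=Fabrikam Drone Delivery" 2>/dev/null
  openssl pkcs12 -export -out "$1/appgw.pfx" -in "$1/appgw.crt" -inkey "$1/appgw.key" -passout pass:
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out "$1/k8sic.crt" \
    -keyout "$1/k8sic.key" -subj "/CN=*.aks-agic.fabrikam.com/O=Fabrikam Aks Ingress" 2>/dev/null
}

# Succeed only if the certificate in $1 covers hostname $2 under the usual CN/SAN and
# wildcard rules (a wildcard covers exactly one DNS label, never the parent domain).
cert_covers_host() {
  case "$(openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null)" in *"does match"*) ;; *) return 1 ;; esac
}

# Succeed only if the PFX in $1 opens with an empty password and contains a private key;
# Application Gateway needs the key, not just the public certificate.
pfx_has_private_key() {
  case "$(openssl pkcs12 -in "$1" -passin pass: -nocerts -nodes 2>/dev/null)" in *"PRIVATE KEY"*) ;; *) return 1 ;; esac
}

# Succeed only if $1 is single-line base64 that decodes back to exactly file $2,
# i.e. what `cat FILE | base64 | tr -d '\n'` above should have produced.
b64_matches_file() {
  [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] && printf '%s' "$1" | base64 -d | cmp -s - "$2"
}

# Run every check against freshly generated certificates in directory $1.
verify_all() {
  generate_certs "$1"
  pfx_b64=$(base64 < "$1/appgw.pfx" | tr -d '\n')   # same as APP_GATEWAY_LISTENER_CERTIFICATE
  crt_b64=$(base64 < "$1/k8sic.crt" | tr -d '\n')   # same as AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64
  cert_covers_host "$1/appgw.crt" dronedelivery.fabrikam.com &&
    cert_covers_host "$1/k8sic.crt" api.aks-agic.fabrikam.com &&   # constructed sample ingress host
    pfx_has_private_key "$1/appgw.pfx" &&
    b64_matches_file "$pfx_b64" "$1/appgw.pfx" &&
    b64_matches_file "$crt_b64" "$1/k8sic.crt" &&
    echo "all certificate checks passed"
}

verify_all "${1:-$(mktemp -d)}"
```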