ayan.poddar/eShopOnContainers
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Page: AKS TLS
Pages
00. Dev machine requirements 01. Roadmap and Milestones for future releases 02. Setting eShopOnContainers in a Visual Studio 2017 environment 03. Setting the eShopOnContainers solution up in a Windows CLI environment (dotnet CLI, Docker CLI and VS Code) 04. Setting eShopOnContainer solution up in a Mac, VS for Mac or with CLI environment (dotnet CLI, Docker CLI and VS Code) 05. Deploying eShopOnContainers to a Docker Host Production environment 06. (Optional) Setting the Web SPA application up 07. Setting up the Xamarin mobile apps 08. Setting up and Deploying eShopOnContainers to Windows Containers 10. Deploying to Kubernetes (AKS and local) using Helm Charts 10.1 Using Azure Dev Spaces and AKS 11. Setting the solution up in Service Fabric 12. Deploying the infrastructure resources into Azure (DB, Cache, Service Bus, etc.) 13. Using HealthChecks in eShopOnContainers 14. Using Application Insights in eShopOnContainers 15. Implementing API Gateways with Ocelot in eShopOnContainers 16. Using Azure KeyVault to manage secrets of eShopOnContainers 17. Using Webhooks in eShopOnContainers 18. Centralized Structured Logging in eShopOnContainers 19. Logging using ELK stack 20. Azure Devops pipelines 99. FAQ (Frequently Asked Questions) AKS TLS API gateways Application Insights Architecture Asynchronous messaging Azure Dev Spaces Azure DevOps pipelines Azure Key Vault BFF implementation Backlog Build eShopOnContainers Building Cloud Native eBook changelog Code Flow Databases and containers Deploy to Azure Kubernetes Service (AKS) Archived Deploy to Azure Kubernetes Service (AKS) Deploy to Local Kubernetes Archived Deploy to Local Kubernetes Deploy to Windows containers Deploying Azure resources Deployment With GitHub Actions Deployment DevOps Docker compose deployment files Docker configuration Docker host ELK stack Explore the application Explore the code Frequent errors GitHub Actions Home Identity Server Load testing Mac setup Microservices Architecture eBook changelog Microservices DevOps eBook changelog Other Deployment Scenarios RabbitMQ Readme files Release notes Resiliency and Service Mesh Roadmap Serilog and Seq Simplified CQRS and DDD System requirements Unit and integration testing Using Azure resources Using HealthChecks Webhooks Windows setup Xamarin setup eBooks gRPC unauthorized_client error on Login
Clone
2
AKS TLS
Miguel Veloso edited this page 2021-06-22 14:56:02 +01:00
Table of Contents

Enabling TLS on AKS

eShopOnContainers supports the use of TLS for enabling https on ingress endpoints. You can provide your own TLS certificate or let the system auto-generate one certificate using Let's encrypt.

Auto Generating certificates using Let's Encrypt

Using cert-manager is possible to auto retrieve a TLS certificate generate by Let's Encrypt.

Installing cert-manager on the cluster

You must install cert-manager in the cluster. This is an administrative action, needed to be performed only once.

The script /deploy/k8s/enable-tls.ps1 installs cert-manager on the current cluster. The script uses kubectl to install the cert-manager version 0.11.0 (the minimum required by eShopOnContainers) in the cluster. By default cert-manager is installed on the current kubectl context, but you can use the parameters aksRg and aksName to set a specific AKS to use.

.\enable-tls.ps1 -aksName eshopmesh -aksRg eshop-mesh

Cert-Manager installed

Deploying the cert-manager issuer

Once cert-manager is installed on the cluster you have to install the issuer that will be used to generate the certificates. There are two issuers provided:

  • Let's Encrypt staging server
  • Let's Encrypt production server

Staging server do not generate valid TLS certificates, but allows you to test the whole process is valid. Let's Encrypt has severe ratio calls on its production server to avoid abuses. Let's Encrypt staging server uses the "Fake LE Intermediate X1" CA to sign the certificates.

To deploy the selected issuer (you can deploy both) use helm to install the chart tls-support and pass the file values-staging.yaml or values-prod.yaml. For example, following command (run from /deploy/k8s/helm folder) will install the Let's Encrypt staging issuer:

helm install .\tls-support -f .\tls-support\values-staging.yaml -n tls-staging

Note: You can retrieve the installed issuers using kubectl get issuers command.

Using an ingress controller other than Http Application Routing

If you are using other ingress controller rather than Http Application Routing, you must edit the issuer values file (values-staging.yaml or values-prod.yaml) and set the value of ingressClass accordingly before installing the issuer.

Deploying using deploy-all.ps1

To deploy eShopOnContainers to use Let's Encrypt, just add following parameter to deploy-all.ps1 script:

  • sslSupport: Set to prod or staging depending the issuer you want to use.

You must set a DNS when using TLS (set exteralDns to aks to infer the Http Application Routing DNS).

Deploy with a custom certificate

If deploying with a custom certificate, you don't need to install cert-manager nor any issuer. You must:

Once the secret is installed you can install eShopOnContainers adding following parameters to deploy-all.ps1:

  • sslSupport set to custom
  • tlsSecretName with the name of the Kubernetes secret that contains the TLS certificate (defaults to eshop-tls-custom).

Notes on TLS support

TLS support can't be enabled on the local Kubernetes provided by Docker Desktop.

eShopOnContainers

Getting started

FREQUENT ERRORS

Explore

Deployment

Local

Production (generic)

Cloud

Other Deployment Scenarios

DevOps