Skip to content

Instantly share code, notes, and snippets.

@bessalahAmar

bessalahAmar/nginx-ingress-controller-secret-from-other-namespace.md

Created June 5, 2024 10:58
Show Gist options
  • Save bessalahAmar/7b8743c25fc190f3aa9a3571ee77d8fd to your computer and use it in GitHub Desktop.
Save bessalahAmar/7b8743c25fc190f3aa9a3571ee77d8fd to your computer and use it in GitHub Desktop.
Download ZIP
in this gist i'm going to provide two workarounds to use tls secret of nginx ingress from another namespace
Raw
nginx-ingress-controller-secret-from-other-namespace.md

workarounds:

  • setup default secret while deploying the nginx ingress controller
  • use AKS secret store driver to create the secret when the pod are deployed :

I) setup default secret while deploying the nginx ingress controller

1) create the secret that will hold the key/cert in namespace "otherns"

kubectl create ns otherns

secret.yaml file :

apiVersion: v1
data:
  tls.crt: BASE64-of-cert
  tls.key: BASE64-of-key
kind: Secret
metadata:
  name: ingress-tls-csi
  namespace: otherns
type: kubernetes.io/tls

kubectl create -f secret.yaml

2 ) deploy nginx ingress controller referencing the default secret for tls

NAMESPACE=ingress-nginx

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

helm install ingress-nginx ingress-nginx/ingress-nginx \
  --create-namespace \
  --namespace $NAMESPACE \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz \
 --set controller.extraArgs.default-ssl-certificate="otherns/ingress-tls-csi"

3 ) create a simple application

apiVersion: apps/v1
kind: Deployment
metadata:
  name: aks-helloworld-one
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aks-helloworld-one
  template:
    metadata:
      labels:
        app: aks-helloworld-one
    spec:
      containers:
      - name: aks-helloworld-one
        image: mcr.microsoft.com/azuredocs/aks-helloworld:v1
        ports:
        - containerPort: 80
        env:
        - name: TITLE
          value: "Welcome to Azure Kubernetes Service (AKS)"
---
apiVersion: v1
kind: Service
metadata:
  name: aks-helloworld-one
spec:
  type: ClusterIP
  ports:
  - port: 80
  selector:
    app: aks-helloworld-one

4 ) expose the application using a ingress ( without secret )

it will use the default secret

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sample-app-ingress
  namespace: default
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - demo.azure.com
  rules:
  - host: "demo.azure.com"
    http:
      paths:
        - pathType: Prefix
          path: "/"
          backend:
            service:
              name: aks-helloworld-one
              port:
                number: 80

II) use AKS secret store driver to create the secret when the pod are deployed :

1) enable CSI secret store provider in your AKS cluster

https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver

2) create cert/key and import them to keyvault :

https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-nginx-tls?view=azure-cli-latest#bind-certificate-to-application

3) Create app that uses the secret store csi driver

https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-nginx-tls?view=azure-cli-latest#bind-certificate-to-application

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-tls
spec:
  provider: azure
  secretObjects:                            # secretObjects defines the desired state of synced K8s secret objects
    - secretName: ingress-tls-csi
      type: kubernetes.io/tls
      data: 
        - objectName: $CERT_NAME
          key: tls.key
        - objectName: $CERT_NAME
          key: tls.crt
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: <client id>
    keyvaultName: $AKV_NAME                 # the name of the AKV instance
    objects: |
      array:
        - |
          objectName: $CERT_NAME
          objectType: secret
    tenantId: $TENANT_ID                    # the tenant ID of the AKV instance
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aks-helloworld-one
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aks-helloworld-one
  template:
    metadata:
      labels:
        app: aks-helloworld-one
    spec:
      containers:
      - name: aks-helloworld-one
        image: mcr.microsoft.com/azuredocs/aks-helloworld:v1
        ports:
        - containerPort: 80
        env:
        - name: TITLE
          value: "Welcome to Azure Kubernetes Service (AKS)"
        volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
      volumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "azure-tls"
---
apiVersion: v1
kind: Service
metadata:
  name: aks-helloworld-one
spec:
  type: ClusterIP
  ports:
  - port: 80
  selector:
    app: aks-helloworld-one

3) create an nginx ingress controller that will use the secret created for the application above

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sample-app-ingress
  namespace: default
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - demo.azure.com
    secretName: ingress-tls-csi
  rules:
  - host: "demo.azure.com"
    http:
      paths:
        - pathType: Prefix
          path: "/"
          backend:
            service:
              name: aks-helloworld-one
              port:
                number: 80
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment