I am working on enabling HTTPS on an AKS-hosted .NET 6 Web API. I found various samples online and I have a couple of questions about them. I am sharing the relevant part of the code here. Hope someone can help me.
My .NET API has the following code:
// needs: using System.Security.Cryptography.X509Certificates;
builder.WebHost.ConfigureKestrel(options =>
{
    options.ListenAnyIP(80); // plain HTTP listener

    options.ListenAnyIP(443, listenOptions =>
    {
        // tls.crt and tls.key are PEM files, so load them as a PEM pair.
        // The original UseHttps("/app/cert/tls.crt", "/app/cert/tls.key") call resolves to the
        // UseHttps(pfxFileName, password) overload, which treats the second argument as a PFX
        // password, so the private key file is never read.
        // Both files must already be present in the container (e.g. mounted from the TLS Secret) at start-up.
        var cert = X509Certificate2.CreateFromPemFile("/app/cert/tls.crt", "/app/cert/tls.key");
        listenOptions.UseHttps(cert);
    });
});
and I created the TLS Secret using the following command:
kubectl create secret tls localhost-tls --cert=path/to/tls.crt --key=path/to/tls.key -n core
# -n core: the Secret has to live in the same namespace as the Ingress that references it
and my Ingress configuration is as follows:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sslapi
  namespace: core
  annotations:
    kubernetes.io/ingress.class: agic-2
    appgw.ingress.kubernetes.io/health-probe-hostname: "localhost"
    appgw.ingress.kubernetes.io/health-probe-port: "443"
    appgw.ingress.kubernetes.io/health-probe-path: "/sslapi/swagger/index.html"
    appgw.ingress.kubernetes.io/use-private-ip: "true"
    appgw.ingress.kubernetes.io/override-frontend-port: "10005"
    # The backend port 443 is served by Kestrel over TLS, so Application Gateway must
    # speak HTTPS to the pods; AGIC defaults to plain HTTP towards the backend.
    appgw.ingress.kubernetes.io/backend-protocol: "https"
spec:
  ingressClassName: agic-2
  tls:
    - hosts:
        - localhost
      secretName: localhost-tls   # Secret in the same namespace (core)
  rules:
    - http:
        paths:
          - path: /sslapi/swagger
            pathType: Prefix
            backend:
              service:
                name: sslapi
                port:
                  number: 443
          - path: /sslapi/GetWeatherForecast
            pathType: Prefix
            backend:
              service:
                name: sslapi
                port:
                  number: 443
Questions:
- If we have provided the certificate details in the ConfigureKestrel method of the .NET code, why do we need to create the localhost-tls Secret and add it to the Ingress configuration? Shouldn't it be supplied either in the .NET code or in the Ingress? Why in both places?
- If providing the certificate details in the .NET code is a must, then how do we supply the cert from outside the container so that certificate renewal becomes easy?
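As an added example (not part of the original post), here is the piece that connects the localhost-tls Secret created above to the hard-coded /app/cert paths in the Kestrel code: a Deployment that projects the Secret into the container as files, plus the sslapi Service on port 443 that the Ingress rules point at. The Secret name, Service name, namespace and ports are taken from the post; the Deployment name, labels, image, replica count and the fsGroup value are assumptions.

```yaml
# Added example: Deployment + Service for the API described in the post.
# Assumed: deployment/label names, image, replica count, fsGroup.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sslapi            # assumed name
  namespace: core
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sslapi
  template:
    metadata:
      labels:
        app: sslapi
    spec:
      securityContext:
        fsGroup: 1000     # assumed; lets a non-root container user read the key
      containers:
        - name: api
          image: myregistry.azurecr.io/sslapi:1.0   # assumed image
          ports:
            - containerPort: 80
            - containerPort: 443
          volumeMounts:
            - name: tls
              mountPath: /app/cert   # same directory the Kestrel code reads from
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: localhost-tls
            # "kubectl create secret tls" stores the PEM files under the keys
            # tls.crt and tls.key, so they appear as /app/cert/tls.crt and
            # /app/cert/tls.key. 0440: owner/group read only, nothing else.
            defaultMode: 0440
---
apiVersion: v1
kind: Service
metadata:
  name: sslapi
  namespace: core
spec:
  selector:
    app: sslapi
  ports:
    - name: https
      port: 443
      targetPort: 443
```

With this in place the certificate never has to be baked into the image: renewing it means replacing the Secret (for example `kubectl create secret tls localhost-tls --cert=... --key=... -n core --dry-run=client -o yaml | kubectl apply -f -`). The kubelet rewrites the projected files in the running pod after a short delay (not for subPath mounts), but the Kestrel code above loads the certificate once at start-up, so the pods also need a restart, e.g. `kubectl rollout restart deployment/sslapi -n core`, before the new certificate is served.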