
SSLProfile Creation, global SSL Policy, and client-cert via AGIC #1662

Open
MichaelChristopherson opened this issue Nov 21, 2024 · 1 comment

@MichaelChristopherson

MichaelChristopherson commented Nov 21, 2024

Is your feature request related to a problem? Please describe.

We have an application gateway today that is fully managed by AGIC after its initial creation EXCEPT the SSLProfile we are using for a listener doing mTLS. We are able to properly reference a created SSLProfile with this annotation without issue:

appgw.ingress.kubernetes.io/appgw-ssl-profile: "<my-profile-name>"

We also want to ensure the SSL Policy for the entire App GW is set to one we specify. We would need to be able to upload CA Certs to the App GW.

Describe the solution you'd like

We would like to be able to create an SSLProfile from AGIC. This would require the ability to upload client Certs to the App GW. The SSL Profile would then be able to name those certificates and also be able to set a listener specific SSL Policy. It would also be good to be able to configure the global SSL Policy for the Application Gateway.

Something along the following would be pretty neat for client Certs:

apiVersion: appgw.ingress.azure.io/v1beta1
kind: AzureApplicationGatewayClientCerts
metadata:
  name: my-client-certs-name
  namespace: my-namespace
spec:
  clientCert:
  - name: CA-Cert1
    certFile: <path-to-file>
  - name: CA-Cert2
    certContent: <base64 encoded cert or something like that>
  - name: CA-Cert3
    someOtherUploadMethod: <content>
  - name: CA-Cert4
    secretName: <secretName>

We could then create an SSL Profile with something like this:

apiVersion: appgw.ingress.azure.io/v1beta1
kind: AzureApplicationGatewaySslProfile
metadata:
  name: my-ssl-profile-name
  namespace: my-namespace
spec:
  clientAuthentication:
  - certName: CA-Cert1
  - certName: CA-Cert2

  sslPolicy:
    enableListenerSpecificPolicy: <true/false, defaults to false>
    type: {Custom, CustomV2, Predefined}
    PolicyName: {AppGwSslPolicy20150501, AppGwSslPolicy20170401, AppGwSslPolicy20170401S, AppGwSslPolicy20220101, AppGwSslPolicy20220101S}
    minProtocolVersion: {TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3}
    cipherSuites:
    - TLS_RSA_WITH_AES_256_CBC_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    - etc
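As an added example that is not part of the issue or of AGIC, the pre-admission check below validates an object shaped like the SslProfile sketched above against the ClientCerts object it references: every certName must resolve to an uploaded CA, a listener-specific policy is ignored unless enableListenerSpecificPolicy is true, a Predefined policy needs a known policy name, and a Custom/CustomV2 policy is flagged when it permits TLS 1.0/1.1 or a static-RSA cipher suite. The CRD kinds, field names (normalised to camelCase, so policyName) and the rule set are assumptions; only the values come from the issue.

```python
# Added check, not AGIC code: CRD field names follow the issue's sketch (assumed).
PREDEFINED = {"AppGwSslPolicy20150501", "AppGwSslPolicy20170401",
              "AppGwSslPolicy20170401S", "AppGwSslPolicy20220101",
              "AppGwSslPolicy20220101S"}
DEPRECATED_TLS = {"TLSv1_0", "TLSv1_1"}

def known_cert_names(client_certs: dict) -> set:
    """Names declared in the (hypothetical) ClientCerts object."""
    return {c["name"] for c in client_certs["spec"].get("clientCert", [])}

def validate_ssl_profile(profile: dict, certs: set) -> list:
    """Return findings for a (hypothetical) SslProfile object; [] means OK."""
    spec, findings = profile["spec"], []
    auth = spec.get("clientAuthentication", [])
    if not auth:
        findings.append("no client CA referenced: listener will not enforce mTLS")
    for entry in auth:  # every certName must resolve to an uploaded CA cert
        if entry.get("certName") not in certs:
            findings.append(f"unknown client CA: {entry.get('certName')}")
    pol = spec.get("sslPolicy", {})
    if not pol.get("enableListenerSpecificPolicy", False):
        if pol.get("type"):  # per the issue, the flag defaults to false
            findings.append("listener-specific policy defined but disabled; "
                            "the gateway's global SSL policy applies")
        return findings
    ptype = pol.get("type")
    if ptype == "Predefined":
        if pol.get("policyName") not in PREDEFINED:
            findings.append(f"unknown predefined policy: {pol.get('policyName')}")
    elif ptype in ("Custom", "CustomV2"):
        if pol.get("minProtocolVersion") in DEPRECATED_TLS:
            findings.append(f"minProtocolVersion {pol['minProtocolVersion']} permits deprecated TLS")
        suites = pol.get("cipherSuites", [])
        if not suites:
            findings.append("custom policy without cipherSuites")
        for s in suites:  # TLS_RSA_* = static RSA key exchange, no forward secrecy
            if s.startswith("TLS_RSA_"):
                findings.append(f"{s}: no forward secrecy")
    else:
        findings.append(f"unsupported sslPolicy type: {ptype}")
    return findings

# Constructed sample objects mirroring the issue's two sketches.
CLIENT_CERTS = {"spec": {"clientCert": [{"name": "CA-Cert1"}, {"name": "CA-Cert2"}]}}
PROFILE = {"spec": {
    "clientAuthentication": [{"certName": "CA-Cert1"}, {"certName": "CA-Cert2"}],
    "sslPolicy": {"enableListenerSpecificPolicy": True, "type": "Custom",
                  "minProtocolVersion": "TLSv1_2",
                  "cipherSuites": ["TLS_RSA_WITH_AES_256_CBC_SHA256",
                                   "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"]}}}
```

Running `validate_ssl_profile(PROFILE, known_cert_names(CLIENT_CERTS))` on the issue's own sample yields a single finding, for TLS_RSA_WITH_AES_256_CBC_SHA256.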

@MichaelChristopherson
Author

This loosely relates to:
#954
#773
