Use TLS with Let's Encrypt on AKS

The proprietary protocol of the inference server ensures that request and response data are encrypted. However, you might still want to expose your server under a regular domain name with a standard TLS certificate for better integration in existing ecosystems.

In this example we use a free DNS name from Azure of the form <name>.<location>.cloudapp.azure.com together with free TLS certificates from Let's Encrypt.

First, let's set up the DNS name.

Retrieve the public IP address of the nginx ingress controller:

IP=$(kubectl get service --namespace ingress-nginx ingress-nginx-controller -o=jsonpath='{$.status.loadBalancer.ingress[0].ip}')
echo "$IP"

Retrieve the Azure ID of the public IP address:

# Match the address exactly; a substring match could also select a different public IP.
IP_ID=$(az network public-ip list --query "[?ipAddress=='$IP'].[id]" --output tsv)
echo "$IP_ID"

Set a DNS name for the IP address:

az network public-ip update --ids "$IP_ID" --dns-name aks-test-mymodel

Make a note of the full DNS name as we will need it soon:

az network public-ip show --ids "$IP_ID" --query "dnsSettings.fqdn"

Now, we need to update the cluster.

We will install cert-manager for automatically retrieving TLS certificates from Let's Encrypt:

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.11.0/cert-manager.yaml

# Verify the installation and wait until everything is running:
kubectl get pods --namespace cert-manager

Let's Encrypt can now be registered as a certificate issuer at the cluster level:

kubectl apply -f samples/k8s/lets-encrypt.yaml

Open the values.yaml configuration file and fill in the host entry with the full DNS name, and change letsEncrypt.enable to true.

We are now ready to deploy (or update the existing deployment):

# Adjust --values as required. 
helm template --namespace mymodel --values samples/k8s/values.yaml --output-dir samples/k8s/manifests samples/k8s
kubectl apply --recursive -f samples/k8s/manifests

Open https://<name>.<location>.cloudapp.azure.com/mymodel in your browser to check that the certificate was deployed correctly. Note that if you used the staging mode of Let's Encrypt, your browser will warn that the certificate is from an untrusted certificate authority. Change the mode to production when you are ready and re-run the deployment commands above.
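The browser check above can also be done from the command line. The following is an added example, not part of the original repository: it reads the issuer of the served certificate and tells apart the ingress-nginx default certificate (nothing issued yet), a Let's Encrypt staging certificate and a production one. The function names are hypothetical and the sample issuer lines are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample issuer lines are constructed.

# Classify an issuer line as printed by `openssl x509 -noout -issuer`.
cert_mode() {
  case "$1" in
    # ingress-nginx serves this self-signed default until a real certificate exists.
    *"Kubernetes Ingress Controller Fake Certificate"*) echo "not-issued" ;;
    # Let's Encrypt staging issuers: "(STAGING) ..." today, "Fake LE ..." historically.
    *"(STAGING)"*|*"Fake LE"*) echo "staging" ;;
    *"Let's Encrypt"*) echo "production" ;;
    *) echo "other" ;;
  esac
}

# Print the issuer of the leaf certificate served for host $1 on port 443.
served_issuer() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -issuer
}

# Succeed only if the chain validates against the local trust store
# and the certificate matches the host name.
chain_ok() {
  openssl s_client -connect "$1:443" -servername "$1" \
    -verify_hostname "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

# Report the mode; return 0 only for a trusted production certificate.
check_endpoint() {
  issuer=$(served_issuer "$1") || { echo "no certificate read from $1" >&2; return 2; }
  mode=$(cert_mode "$issuer")
  echo "$1: $mode ($issuer)"
  [ "$mode" = production ] && chain_ok "$1"
}

# Constructed issuer lines for trying cert_mode offline.
SAMPLE_DEFAULT="issuer=O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate"
SAMPLE_STAGING="issuer=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3"
SAMPLE_PROD="issuer=C = US, O = Let's Encrypt, CN = R3"

# Usage: sh check-cert.sh <name>.<location>.cloudapp.azure.com
if [ "$#" -gt 0 ]; then
  check_endpoint "$1"
fi
```

A result of `not-issued` after deployment means cert-manager has not obtained a certificate yet; `staging` is expected until the mode is switched to production.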

For more details, see: