Last-mile TLS for AKS cluster with API People

Last-mile TLS for AKS Cluster

by
AKSAzureDocumentationMuleSoft TechnologyRTF

Installation of Anypoint Runtime Fabric on an Azure Kubernetes Service using the Application Gateway Ingress Controller (Part 3/3)

This is the last part of a series of blog posts related to Azure Kubernetes Services (AKS) and Runtime Fabric (RTF). Previously, we created the AKS cluster (part 1) and installed a basic setup of an RTF with HTTPS until the Ingress Controller (part 2). This part will focus on enabling the last-mile TLS for our RTF APIs, concluding the setup.

Prerequisites

  • OpenSSL CLI to create the internal certificate used by the AKS Ingress Controller and the Mule App.
  • Azure CLI to login into your cluster, get the reference to your Kubernetes cluster, and load the internal certificate. For more installation information, check here.
  • Kubectl CLI to apply Ingress Configuration changes. For more installation information, check here.

Create internal certificate

In this step, we consider that you have completed the previous blog posts related to AKS and RTF. For more information on that, check the intro above or ‘More in this Series’ at the bottom of this page. This post intends to complete the setup for our AKS + RTF cluster, which means setting the end-to-end TLS from the Kubernetes Ingress Controller to the Mule App Pods.‍

To complete this setup, we must have an internal certificate and a private key used by the Mule App and Application Gateway. The certificate can be self-signed as this will only be consumed internally.

Step 1

Create a configuration file, for example, internal-cert.conf, that will be used to create the internal certificate (note: update placeholders to reflect your configurations):

[ req ]
default_bits       = 4096
default_md         = sha256
encrypt_key        = no
default_keyfile    = key.pem
distinguished_name = req_distinguished_name
prompt             = no
x509_extensions    = x509_extensions
[ req_distinguished_name ]
countryName                = Country Name (2 letter code)
stateOrProvinceName        = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = <your-rtf-dns> Common Name (e.g. server FQDN or YOUR
name)
[x509_extensions]
subjectAltName = @alternate_names
[alternate_names]
DNS.1   = <your-rtf-dns>
DNS.2   = <your-star-domain-dns>

Step 2

Run the following command line to create the certificate:

openssl req -config internal.config -newkey rsa -x509 -days 365 -out cert.pem

This will output a private key (key.pem) and a public cert (cert.pem). Both will be used as input to create the Keystore:

openssl pkcs12 -export -out keystore.p12 -inkey key.pem -in cert.pem

The keystore.p12 created will be used in the Mule App to setup the HTTPS in your Mule App. The cert.pem will be loaded to the Azure Application Gateway and referred to in the Ingress Controller.

Create a secret within your AKS cluster

With the public certificate in hand, use the following command line to load the certificate to your application gateway.

#!/bin/bash
# Set variables according to your Azure Environment
applicationGatewayName="<your-app-gw-name>"
resourceGroup="<your-app-gw-resource-group>"
# Command line to add the certificate to your application gateway
az network application-gateway root-cert create 
 --gateway-name $applicationGatewayName 
 --resource-group $resourceGroup 
 --name backend-tls-creds 
 --cert-file cert.pem

This will load the internal certificate to your application gateway and make it available to your Ingress Controller. If completed successfully, you’ll see something similar to the following:

{
         // ....
         "provisioningState": "Succeeded",
         "resourceGroup": "<your-resource-grooup>",
         "type": "Microsoft.Network/applicationGateways/urlPathMaps/pathRules"
       }
     ],
     "provisioningState": "Succeeded",
     "resourceGroup": "<your-resource-grooup>",
     "type": "Microsoft.Network/applicationGateways/urlPathMaps"
   }
 ]
}

Updating the Azure Gateway Ingress Controller

Once the certificate has been added to your application gateway, the Kubernetes Ingress Controller can also be updated. There are some characteristics in this updated file that need to be noted:

appgw.ingress.kubernetes.io/ssl-redirect: "true"

The flag will force the HTTP traffic to be redirected to your HTTPS port.

appgw.ingress.kubernetes.io/backend-protocol: "https"

Indicates the internal traffic for the cluster is HTTPS.

appgw.ingress.kubernetes.io/backend-hostname: "internal.apipeople.com"

This should be the CN, or any of the SANs, used in your certificate.

appgw.ingress.kubernetes.io/appgw-trusted-root-certificate: "backend-tls-creds"

The name of your loaded internal certificate in your App Gw.

number: 8081

By default, the port for TLS in an RTF cluster is 8081 and cannot be changed. Your mule app will need to have a listener on that.

The complete ingress-e2e-tls.yam file will be similar to the following:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rtf-ingress-template
  namespace: rtf
  annotations:
    kubernetes.io/ingress.class: rtf-azure/application-gateway
    appgw.ingress.kubernetes.io/health-probe-status-codes: 200-399,404
    appgw.ingress.kubernetes.io/backend-path-prefix : /
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    appgw.ingress.kubernetes.io/backend-protocol: "https"
    appgw.ingress.kubernetes.io/backend-hostname: "<your-internal-hostname>"
    appgw.ingress.kubernetes.io/appgw-trusted-root-certificate: "backend-tls-creds"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    - hosts:
        - <your-external-hostname>
      secretName: ingress-tls
  rules:
    - host: <your-external-hostname>
      http:
        paths:
          - path: /app-name/*
            pathType: Prefix
            backend:
              service:
                name: service
                port:
                  number: 8081

Apply the Ingress Controller to your cluster using the command line:

kubectl apply -f ingress-e2e-tls.yaml

Import a keystore in your mule app

Step 1

To apply the Keystore to your Mule App, open your Anypoint Studio, and click the exchange button.

RTF p3 1 API People

A popup screen will open asking for your credentials to login. You will have to provide your Anypoint credentials.

RTF p3 2 API People

An Exchange page will appear, and you must select Provided by MuleSoft and search by “hello“. Select the Hello World app example.

RTF p3 3 API People

Step 2

Inside the Hello World exchange page, click the Open button as shown on the screen.

RTF p3 4 API People

A new popup will appear to perform an update. Click the Perform update button.

RTF p3 5 API People

Step 3

Now that your app is loaded, right-click the src/main/resources folder and add a new folder.

RTF p3 6 API People

Step 4

Give the name tls for the newly created folder and Finish.

RTF p3 7 API People

Copy the keystore.p12 created previously and paste to the src/main/resources/tls.

RTF p3 8 API People

Step 5

Go back to the src/main/mule/hello-world.xml file and click the Global Elements button.

RTF p3 9 2 API People

Select the HTTP Listener config element and click the Edit button.

RTF p3 10 1 API People

On the popup screen, rename the name of the Global Element to HTTPS_Listener_config, change the Protocol to HTTPS, and ensure the Port is set to 8081.

RTF p3 11 API People

Step 6

Change to the TLS tab and change the TLS Configuration from None to Edit Inline. Under the section Key Store Configuration, select the type PCKS12, pass the path to the keystore file (tls/keystore.p12), and add the previously created Key Password and Password for the Keystore. Click OK and save the file.

RTF p3 11 3 API People

Step 7

Click the Message Flow, select the Listener, and check the properties, especially the Connector configuration pointing to the right Global Configuration.

RTF p3 12 1 API People

Run the application and make sure the status of the application is deployed.

RTF p3 13 API People

Run the request to validate the app works fine.

RTF p3 14 API People

Deploy your mule app to RTF

Step 1

Now that the application is running locally correctly, you can update the demo app loaded previously. Go to Anypoint Platform → Runtime Manager →Applications → <app-name>.

RTF p3 15 API People

Under the app page, select the Choose file → Upload file.

RTF p3 16 API People

Step 2

Go to your project folder and open the target folder. Inside of that, you should have a JAR file. Load the hello world JAR file.

RTF p3 17 API People

Once loaded, Apply Changes.

RTF p3 18 API People

Step 3

The application will be redeployed, and if everything is good, you could query the API through your address and receive the standard response.

#Change the URL to match your application
curl --location 'https://rtf.azure.apipeople.com/hello-app/helloWorld'

The response for that should be:

Hello World!

This concludes the tutorial. For the previous posts of this series, check More in this Series below.

Important note

The internal certificate can also be loaded to your Azure Key Vault or auto-generated there with no need to generate it locally. This makes it possible to auto-renew the certificate, but it will need to be updated in your app.

More in this series

References

Tags: No tags

Guilherme is an Integration Solution Architect at API People. Based in Curitiba, Paraná, Brazil, he has over 10 years experience in different spaces, from VoIP-embedded systems and network switches to MuleSoft APIs/Integrations. He is a MuleSoft Certified Developer 4, MuleSoft Certified Integration Architect, and a certified Azure Date Engineer..

Comments are closed.