Azure Kubernetes Service Gateway API for Containers (Backend MTLS)

Background

Application Gateway for Containers is a new feature offering for Azure Kubernetes Service that encompasses native capabilities and extends the use of services by implementing a Application Load Balancer controller to facilitate operations. Options of going more native to Kubernetes is really a strong suit of Azure that the operations that allows your organization to extend choices of either bring your own controller or use managed application load balancer in the previous article I’ve started showing how to get started this is the second iteration of that demonstration of backend MTLS.

For this blog post we will demonstrate the backend MTLS functionality with use of the Gateway API. Following along with the quickstart its good exercise to understand how the functionality works further feel free to explore as I don’t have the icons for the new application gateway for containers I’ll eventually put up the diagram demonstrating the functionality further to assist visually on implementation. Let’s jump into the code/yaml manifests we will need and get going.

Start with our deployment following along with the docs listed below is the YAML manifest.

kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/end-to-end-ssl-with-backend-mtls/deployment.yaml
RESOURCE_GROUP='aks-west-prod'
RESOURCE_NAME='alb-test'

RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv)
FRONTEND_NAME='test-frontend-aks'

Now we create a gateway using the YAML file below notice we are referencing the resource_id. Use the example above to assist with the extraction of this, mind you the previous post we created the resource so it resides in the aks-west-prod.

kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gateway-01
  namespace: test-infra
  annotations:
    alb.networking.azure.io/alb-id: $RESOURCE_ID
spec:
  gatewayClassName: azure-alb-external
  listeners:
  - name: https-listener
    port: 443
    protocol: HTTPS
    allowedRoutes:
      namespaces:
        from: Same
    tls:
      mode: Terminate
      certificateRefs:
      - kind : Secret
        group: ""
        name: frontend.com
  addresses:
  - type: alb.networking.azure.io/alb-frontend
    value: $FRONTEND_NAME
EOF
kubectl get gateway gateway-01 -n test-infra -o yaml

This is showing that our gateway is accepted and valid now we go with a HTTPRoute

kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: https-route
  namespace: test-infra
spec:
  parentRefs:
  - name: gateway-01
  rules:
  - backendRefs:
    - name: mtls-app
      port: 443
EOF

Now we can run kubectl get httproute -n test-infra

If we run the following kubectl get httproute -n test-infra -o yaml

Now we will create the BackendTLSPolicy using the docs for this one feel free to edit.

kubectl apply -f - <<EOF
apiVersion: alb.networking.azure.io/v1
kind: BackendTLSPolicy
metadata:
  name: mtls-app-tls-policy
  namespace: test-infra
spec:
  targetRef:
    group: ""
    kind: Service
    name: mtls-app
    namespace: test-infra
  default:
    sni: backend.com
    ports:
    - port: 443
    clientCertificateRef:
      name: gateway-client-cert
      group: ""
      kind: Secret
    verify:
      caCertificateRef:
        name: ca.bundle
        group: ""
        kind: Secret
      subjectAltName: backend.com
EOF

kubectl get backendtlspolicy -n test-infra mtls-app-tls-policy -o yaml

To send traffic we are going to start to define a Fully Qualified Domain Name by grabbing it with the following command

export fqdn=$(kubectl get gateway gateway-01 -n test-infra -o jsonpath='{.status.addresses[0].value}’)

Now we will send our request and test the Application Gateway.

curl --insecure https://$fqdn/

You’ve now deployed a gateway using the Application Load Balancer Controller!!

Notice above we run the kubectl get services -A and see what is running we can see LoadBalancer for our test-infra.

Summary

In summary, we’ve created a gateway resource, httproute and backendtlspolicy in the following then we’ve used the FQDN to get a response. Hopefully this illustrates further the use of Layer 7 capabilities along with showing the primitives of using YAML for the process in a way that should be familiar for those who want more of simplicity in regards to abstraction of Azure. Of course, this is just one piece of the puzzle of this offering and I’ll be exploring these further. Get familiar with this if you are thinking about adoption of Gateway for Containers really exciting to see the documentation is robust and clear with many examples to get you going.

Reference: https://learn.microsoft.com/en-us/azure/application-gateway/for-containers/how-to-backend-mtls-gateway-api?tabs=byo