This Terraform template is loosely based on this document. It provisions an AKS cluster with the NGINX Ingress Controller and issues a Let's Encrypt TLS certificate using cert-manager.
- In order to avoid Let's Encrypt rate limits, the default certificate uses the Staging endpoint. To switch to the production endpoint, change `issuerRef.name` to `letsencrypt-prod`. Staging certificates chain to an untrusted root, so browsers will warn until you make that switch.
- If you've deployed AKS in your own VNet, the NSG must allow inbound traffic on port 80 for `cert-manager` to successfully perform the HTTP-01 challenge. Restricting the rule to Let's Encrypt source IPs is unfortunately not possible because Let's Encrypt does not publish the addresses its validation servers use.
```hcl
# Opens 80 and 443 from any source to the AKS subnet:
# 80 is required for the HTTP-01 challenge, 443 serves the issued certificate.
resource "azurerm_network_security_rule" "aks_inbound" {
  name                        = "aks-inbound"
  resource_group_name         = azurerm_resource_group.rg.name
  network_security_group_name = azurerm_network_security_group.nsg.name
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_ranges     = ["80", "443"]
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  access                      = "Allow"
  priority                    = 1001
  direction                   = "Inbound"
}
```
Once `terraform apply` has completed successfully, set the following variable from the Terraform output:

```sh
export ingress_fqdn="xxxxxx.westeurope.cloudapp.azure.com"
```

Then run:

```sh
./smoke_test.sh
```

The smoke test creates a test deployment, service and ingress in the newly provisioned AKS cluster.
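The following post-apply check is an added example and is not part of this template or of `smoke_test.sh`. It assumes `ingress_fqdn` has been exported as shown above and that `curl` and `openssl` are installed. It verifies the two things the notes above depend on: that port 80 on the ingress is reachable over plain HTTP (what the HTTP-01 challenge needs), and which CA issued the certificate currently served on port 443, so you can tell whether you are still on the staging issuer. The probe path and the `not-issued` label are this example's own choices; the issuer strings it matches are the ones Let's Encrypt and ingress-nginx actually use.

```sh
#!/usr/bin/env bash
# Added post-apply check for this template (example code, not from the repo).
# Assumes: ingress_fqdn is exported, curl and openssl are on PATH.
set -eu

# Classify the issuer line printed by `openssl x509 -noout -issuer`.
# Let's Encrypt staging intermediates carry "(STAGING)" in O and CN (older
# ones were named "Fake LE Intermediate X1"); production issuers read
# "O = Let's Encrypt". ingress-nginx serves a self-signed placeholder named
# "Kubernetes Ingress Controller Fake Certificate" until a TLS secret exists,
# which is what you see when cert-manager has not issued anything yet.
classify_issuer() {
  case "$1" in
    *"Kubernetes Ingress Controller Fake Certificate"*) echo "not-issued" ;;
    *"(STAGING)"* | *"Fake LE Intermediate"*)           echo "staging" ;;
    *"Let's Encrypt"*)                                  echo "production" ;;
    *)                                                  echo "unknown" ;;
  esac
}

# Probe the ACME challenge path over plain HTTP. Any HTTP status (even a 404,
# since no challenge is active right now) proves port 80 is open and routed to
# the ingress; curl reporting 000 means the TCP connection never completed,
# which is exactly what a missing NSG inbound rule looks like from outside.
# The path suffix "nsg-probe" is an arbitrary token chosen for this example.
check_http01_path() {
  host="$1"
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
    "http://${host}/.well-known/acme-challenge/nsg-probe") || code="000"
  [ "$code" != "000" ]
}

# Print the issuer of the certificate served on :443 for the given host.
served_issuer() {
  host="$1"
  openssl s_client -connect "${host}:443" -servername "${host}" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

main() {
  host="$1"
  if check_http01_path "$host"; then
    echo "port 80 reachable on ${host}: HTTP-01 challenges can be served"
  else
    echo "port 80 NOT reachable on ${host}: check the NSG inbound rule" >&2
    return 1
  fi
  issuer=$(served_issuer "$host") || {
    echo "could not fetch a certificate from ${host}:443" >&2
    return 1
  }
  ca_env=$(classify_issuer "$issuer")
  echo "served certificate: ${issuer} [${ca_env}]"
  if [ "$ca_env" = "staging" ]; then
    echo "note: staging certificates are not browser-trusted; set issuerRef.name to letsencrypt-prod when ready"
  fi
}

# Run the checks only when ingress_fqdn is set, so the file can also be sourced
# for its functions without touching the network.
if [ -n "${ingress_fqdn:-}" ]; then
  main "$ingress_fqdn"
fi
```

Save it next to `smoke_test.sh` and run it after the export step; a `not-issued` result right after `terraform apply` usually just means the challenge is still in progress, while a timeout on the port 80 probe points at the NSG rule above.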