'Azure Application Gateway with Let's Encrypt certs for SaaS product

I'm running a Kubernetes cluster in AKS with Traefik as Ingress controller. I have cert-manager to automatically generate and renew certificates from Let's encrypt. It's a SaaS application, so users can choose to configure their own domain names. So for example, the "generic" URL would be mysaas.com, bust customers can choose to use something like customer.com and CNAME that to mysaas.com instead, and cert-manager will generate a cert for customer.com.

I'm currently looking at placing a WAF in front of all of this, and since I'm running in Azure I'm looking at Azure Application Gateway more specifically.

What I'm trying to figure out now, is how to automate configuration of the certs in the Application Gateway as well, so that it can decrypt/encrypt the traffic. These are the things I'm trying to figure out how to do (if they're even possible):

Automate upload of certs to Azure KeyVault and let Application Gateway read them from there

  • Con: Not sure how to do this
  • Pro: Cert management is still handled by cert-manager which I trust

Automate upload of certs directly to Application Gateway

  • Con: Not sure how to do this
  • Pro: Cert management is still handled by cert-manager which I trust

Skip encryption between Application Gateway and the AKS cluster and let Application Gateway handle generation/renewal of certs.

  • I would have to make the cluster private, but I guess that's a good thing.
  • Pro: Nice not having two things depend on the certs (Traefik and Application Gateway)
  • Con: The current setup using cert-manager works fine and I have monitoring in place for that. I'm not sure I can get a setup as nice as that using only Application Gateway, and I don't know if it's even possible.

I know that the Azure Application Gateway Ingress Controller exists, but I really like the setup with Traefik that I have in place today, and frankly there are too many things that scare me a bit about the AGIC.

traefiklets-encryptazure-application-gatewaycert-managerazure-waf


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source

Related Questions

Mongodb SSL - unable to get issuer certificate

How to proxy both WSGI and ASGI via Uvicorn or Daphne with nginx and SSL proxy?

Letsencrypt with htaccess

NGINX + Let's encrypt: Could not automatically find a matching server block

Traefik Docker with wildcard domain

How to apply LetsEncrypt SSL certificate to WWW domain?

Waiting for HTTP-01 challenge propagation: failed to perform self check GET request

Nginx: [emerg] cannot load certificate after I deleted the certificate

wordpress : How to specify the cause "This site can’t be reached"

letsencrypt certificate not loading outside internal network

Is there a certbot command to display account details?

How to setup Letsencrypt with Kubernetes microk8s using default Ingress?

Letsencrypt certificate READY is False and the STATUS is 'Issuing certificate as Secret does not exist'

Curl says SSL certificate is expired when it is not

How can I query in a bash script which of the haproxy load balancer hosts is currently the primary and which is the secondary?