diff --git a/.github/config/en-custom.txt b/.github/config/en-custom.txt
index 53eff00f9..9c387f88b 100644
--- a/.github/config/en-custom.txt
+++ b/.github/config/en-custom.txt
@@ -946,4 +946,6 @@ XRay
 PodSpec
 ConfigMap
 CRD
-composable
\ No newline at end of file
+composable
+gatewaydemo
+tlsdemo
diff --git a/docs/content/guides/author-apps/networking/howto-gateways/demo-screenshot.png b/docs/content/guides/author-apps/networking/howto-gateways/demo-screenshot.png
new file mode 100644
index 000000000..81a3c1dcc
Binary files /dev/null and b/docs/content/guides/author-apps/networking/howto-gateways/demo-screenshot.png differ
diff --git a/docs/content/guides/author-apps/networking/howto-gateways/index.md b/docs/content/guides/author-apps/networking/howto-gateways/index.md
new file mode 100644
index 000000000..53ab87eee
--- /dev/null
+++ b/docs/content/guides/author-apps/networking/howto-gateways/index.md
@@ -0,0 +1,75 @@
+---
+type: docs
+title: "How To: Configure a gateway for routing internet traffic"
+linkTitle: "Gateways"
+description: "Learn how to expose a service to the internet via a gateway"
+weight: 300
+slug: 'gateways'
+categories: "How-To"
+---
+
+This guide will walk you through how to setup a gateway for routing internet traffic to a service.
+
+## Prerequisites
+
+- [rad CLI]({{< ref "/guides/tooling/rad-cli/overview" >}})
+- [Radius environment]({{< ref "getting-started" >}})
+
+## Step 1: Define a container
+
+Begin by defining the service you wish to expose to the internet in a new file named `app.bicep`. This example uses the Radius demo container:
+
+{{< rad file="snippets/app.bicep" embed=true marker="//FRONTEND" >}}
+
+## Step 2: Add a gateway
+
+Next, add a gateway to `app.bicep`, routing traffic to the root path ("/") to the frontend container. Note that when a hostname is not specified one is generated automatically.
+
+{{< rad file="snippets/app.bicep" embed=true marker="//GATEWAY" >}}
+
+## Step 3: Deploy the app
+
+Deploy the application with [`rad deploy`]({{< ref "rad_run" >}}):
+
+```bash
+rad deploy app.bicep -a gatewaydemo
+```
+
+The gateway endpoint will be printed at the end of the deployment:
+
+```
+Building app.bicep...
+ Deploying template './app.bicep' for application 'gatewaydemo' and environment 'default' from workspace 'default'...
+
+ Deployment In Progress...
+
+ Completed gateway Applications.Core/gateways
+ Completed frontend Applications.Core/containers
+
+ Deployment Complete
+
+ Resources:
+ gateway Applications.Core/gateways
+ frontend Applications.Core/containers
+
+ Public endpoint http://1.1.1.1.nip.io/
+```
+
+## Step 4: Interact with the application
+
+Visit the endpoint to interact with the demo Radius container:
+
+Screenshot of te demo application
+
+## Done
+
+Cleanup the application with ['rad app delete']({{< ref rad_application_delete >}}):
+
+```bash
+rad app delete gatewaydemo -y
+```
+
+## Further reading
+
+- [Networking overview]({{< ref "/guides/author-apps/networking/overview" >}})
+- [Gateway reference]({{< ref "/reference/resource-schema/core-schema/gateway" >}})
diff --git a/docs/content/guides/author-apps/networking/howto-gateways/snippets/app.bicep b/docs/content/guides/author-apps/networking/howto-gateways/snippets/app.bicep
new file mode 100644
index 000000000..7a8e392a1
--- /dev/null
+++ b/docs/content/guides/author-apps/networking/howto-gateways/snippets/app.bicep
@@ -0,0 +1,36 @@
+//FRONTEND
+import radius as rad
+
+@description('The application ID being deployed. Injected automtically by the rad CLI')
+param application string
+
+resource frontend 'Applications.Core/containers@2023-10-01-preview' = {
+ name: 'frontend'
+ properties: {
+ application: application
+ container: {
+ image: 'radius.azurecr.io/tutorials/webapp:edge'
+ ports: {
+ web: {
+ containerPort: 3000
+ }
+ }
+ }
+ }
+}
+//FRONTEND
+
+//GATEWAY
+resource gateway 'Applications.Core/gateways@2023-10-01-preview' = {
+ name: 'gateway'
+ properties: {
+ application: application
+ routes: [
+ {
+ path: '/'
+ destination: 'http://${frontend.name}:3000'
+ }
+ ]
+ }
+}
+//GATEWAY
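Review bot: In howto-gateways/snippets/app.bicep the `frontend` container that this gateway publishes to the internet is pulled from a mutable tag, `image: 'radius.azurecr.io/tutorials/webapp:edge'`, so the code a reader ends up exposing can change without the guide changing. Pinning to a release tag or digest, for example `image: 'radius.azurecr.io/tutorials/webapp@sha256:<digest>'` (placeholder), keeps the sample reproducible; the same line is in howto-tls/snippets/app-existing.bicep and app-new.bicep. The repository path also differs from the removed snippets, which used `tutorial/webapp`, so it is worth confirming that the new path resolves. The `@description` string in all three files misspells "automatically" as `automtically`.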
diff --git a/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/certificate.png b/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/certificate.png
deleted file mode 100644
index 3b902fbf1..000000000
Binary files a/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/certificate.png and /dev/null differ
diff --git a/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/index.md b/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/index.md
deleted file mode 100644
index 348212552..000000000
--- a/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/index.md
+++ /dev/null
@@ -1,112 +0,0 @@ ---- -type: docs -title: "How To: TLS termination with cert-manager and Let's Encrypt" -linkTitle: "How-To: TLS with cert-manager" -description: "Learn about how to use Radius to deploy HTTPS-enabled application with a TLS certificate" -weight: 900 -slug: 'tls-cert-manager' -categories: "How-To" -tags: ["https"] ---- - -This guide will show you how to integrate Radius with cert-manager and Let's Encrypt to enable HTTPS for your application. - -## Prerequisites - -- [rad CLI]({{< ref getting-started >}}) -- [kubectl CLI](https://kubernetes.io/docs/tasks/tools/) -- Domain name + DNS A-record: In order to setup TLS communication to Radius you will need to make sure you have a domain name and DNS A-record pointing to your Kubernetes cluster's IP address. This is required for Let's Encrypt to issue a certificate and for traffic to be routed to your application. - - If running Radius on an Azure Kubernetes Service (AKS) cluster you can optionally use a [DNS label](https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#dns-name-label) to create a DNS A-record pointing to your cluster. Refer to the [tips and tricks](#using-an-azure-dns-label) section for more information. - - If running Radius on an Elastic Kubernetes Service (EKS) cluster you can optionally leverage [Application Load Balancer](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for a hosted DNS name and record. - -## Step 1: Initialize a Radius environment - -Begin by running `rad init` to initialize the Radius environment. - -```sh -rad init -``` - -## Step 2: Set up domain - -You'll next need a DNS record to point to your Kubernetes cluster and service in order to issue the certificate and allow traffic to your application. - -1. 
Run the following command and copy the EXTERNAL-IP field: - ```sh - $ kubectl get svc -n radius-system contour-envoy - NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE - contour-envoy LoadBalancer 10.0.10.1 80:31734/TCP,443:32517/TCP 67m - ``` - -1. Configure your DNS server with an A record for your domain name and external IP address. Refer to your DNS provider for instructions on how to configure this. - -## Step 3: Install cert-manager - -Next, run the following command to install [cert-manager](https://cert-manager.io/): - -```sh -kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml -``` - -> You can also use other supported installation methods, such as Helm, to install cert-manager. [Instructions here](https://cert-manager.io/docs/installation/#getting-started). - -## Step 4: Set up HTTP-01 Challenge - -To use Let's encrypt, you need to configure the [ACME Issuer](https://cert-manager.io/docs/configuration/acme/) using cert-manager. This how-to uses an [HTTP-01 Challenge](https://cert-manager.io/docs/configuration/acme/http01/) to verify that a client owns a domain. - -Here is what your HTTP-01 ACME ClusterIssuer resource should look like: - -{{< rad file="snippets/clusterissuer-http01.yaml" embed=true >}} - -> Note that this guide shows how to set up a certificate using Let's Encrypt prod. For testing purposes you can change this to the [staging endpoint](https://letsencrypt.org/docs/staging-environment/), but you may get validation errors in your browser. - -## Step 5: Create a Certificate resource - -1. Create a file `certificate.yaml` with the following data, replacing the placeholders as necessary: - - {{< rad file="snippets/certificate.yaml" embed=true >}} - -1. Then create `tls-delegation.yaml` with the following data. - - {{< rad file="snippets/delegation.yaml" embed=true >}} - -1. 
Run the following commands to create the certificate resource and authorize Radius to access the resource: - - ```sh - kubectl apply -f certificate.yaml - kubectl apply -f tls-delegation.yaml - ``` - - You may need to wait a minute or two for cert-manager to authorize with Let's Encrypt and create the secret on the cluster. Once this process completes, you should see a secret called `demo-secret` in the default namespace. This secret is managed by cert-manager. - -## Step 6: Define a Radius application and gateway - -Create a file named `app.bicep` with the following contents. Note that we reference the `demo-secret` and reference the Secret Store in the Gateway to enable TLS termination. - -{{< rad file="snippets/app.bicep" embed=true >}} - -## Step 7: Deploy the application - -Deploy the application to your environment with `rad deploy`: - -```sh -rad deploy app.bicep -``` - -Once the deployment is complete the public endpoint of your application will be printed. Navigate to this public endpoint to access the application via HTTPS. You can view the certificate to see it has a Let's Encrypt issuer: - -Screenshot of the certificate information showing a Lets Encrypt issuer - -## Tips and tricks - -### Using an Azure DNS label - -If you are running Radius on an Azure Kubernetes Service (AKS) cluster you can use a [DNS label](https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#dns-name-label) to create a DNS A-record pointing to your cluster. This is useful if you don't have a domain name or don't want to use a subdomain for your dev/test environments. - -To setup a DNS label for your AKS cluster: - -1. Open the Azure portal to the subscription where your AKS cluster is deployed. -1. Open the resource group, prefixed with `MC_`, that contains your AKS cluster. (_i.e. `MC_myrg-mycluster_westus3`_) -1. Select the Public IP address prefixed with `kubernetes-` (_i.e. `kubernetes-a6925d5f55dfa41419c3c93648dbb30a`_) -1. 
Select 'Configuration' and add a DNS name label. Click save to create the DNS A-record. -1. Update your Radius gateway to use the DNS label as the `fullyQualifiedHostname` value. diff --git a/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/snippets/app.bicep b/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/snippets/app.bicep deleted file mode 100644 index e81beabb2..000000000 --- a/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/snippets/app.bicep +++ /dev/null 
@@ -1,63 +0,0 @@ -import radius as radius - -@description('ID of the Radius environment. Passed in automatically via the rad CLI') -param environment string - -resource demoApplication 'Applications.Core/applications@2023-10-01-preview' = { - name: 'demo-application' - properties: { - environment: environment - } -} - -resource demoSecretStore 'Applications.Core/secretStores@2023-10-01-preview' = { - name: 'demo-secretstore' - properties: { - application: demoApplication.id - type: 'certificate' - - // Reference the existing default/demo-secret Kubernetes secret - // Created automatically by cert-manager - resource: 'default/demo-secret' - data: { - // Make the tls.crt and tls.key secrets available to the application - 'tls.crt': {} - 'tls.key': {} - } - } -} - -resource demoGateway 'Applications.Core/gateways@2023-10-01-preview' = { - name: 'demo-gateway' - properties: { - application: demoApplication.id - hostname: { - fullyQualifiedHostname: 'YOUR_DOMAIN' // Replace with your domain name. - } - routes: [ - { - path: '/' - destination: 'http://${demoContainer.name}:3000' - } - ] - tls: { - certificateFrom: demoSecretStore.id - minimumProtocolVersion: '1.2' - } - } -} - -resource demoContainer 'Applications.Core/containers@2023-10-01-preview' = { - name: 'demo-container' - properties: { - application: demoApplication.id - container: { - image: 'radius.azurecr.io/tutorial/webapp:edge' - ports: { - web: { - containerPort: 3000 - } - } - } - } -} diff --git a/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/snippets/certificate.yaml b/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/snippets/certificate.yaml deleted file mode 100644 index e213577c2..000000000 --- a/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/snippets/certificate.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: demo-certificate -spec: - commonName: YOUR_DOMAIN - dnsNames: - - YOUR_DOMAIN - issuerRef: - name: demo-issuer - kind: ClusterIssuer - secretName: demo-secret diff --git a/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/snippets/clusterissuer-http01.yaml b/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/snippets/clusterissuer-http01.yaml deleted file mode 100644 index 4b143bbc8..000000000 --- a/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/snippets/clusterissuer-http01.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: demo-issuer -spec: - acme: - email: YOUR_EMAIL - privateKeySecretRef: - name: letsencrypt-prod - server: https://acme-v02.api.letsencrypt.org/directory - solvers: - - http01: - ingress: - class: contour diff --git a/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/snippets/delegation.yaml b/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/snippets/delegation.yaml deleted file mode 100644 index d63969ddc..000000000 --- a/docs/content/guides/author-apps/networking/howto-tls-termination-cert-manager/snippets/delegation.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: projectcontour.io/v1 -kind: TLSCertificateDelegation -metadata: - name: demo-delegation - namespace: default -spec: - delegations: - - secretName: demo-secret - targetNamespaces: - - "*" diff --git a/docs/content/guides/author-apps/networking/howto-tls-termination/index.md b/docs/content/guides/author-apps/networking/howto-tls-termination/index.md deleted file mode 100644 index 8044740f1..000000000 --- a/docs/content/guides/author-apps/networking/howto-tls-termination/index.md +++ /dev/null 
@@ -1,58 +0,0 @@ ---- -type: docs -title: "How To: TLS termination with your own TLS certificate" -linkTitle: "How-To: TLS with a custom certificate" -description: "Learn about how to use Radius to deploy HTTPS-enabled application with a TLS certificate" -weight: 800 -slug: 'tls-termination' -categories: "How-To" -tags: ["https"] ---- - -This guide will show you: - -- How to model and use Secret Stores for a bring-your-own certificate scenario -- How to model and use Gateways for a Radius Gateway TLS termination scenario. - -## Prerequisites - -- [rad CLI]({{< ref getting-started >}}) -- [Supported Kubernetes cluster]({{< ref kubernetes-install >}}) - -## Step 1: Initialize a Radius environment - -Begin by running `rad init` to initialize Radius and create an environment: - -```sh -rad init -``` - -## Step 2: Define an Application, Secret Store, and Gateway - -Begin by creating a file named `app.bicep`. You can either provide the certificate data directly in the Bicep file, or reference an existing Kubernetes secret with your certificate data. - -{{< tabs "Certificate Data" "Kubernetes Secret" >}} - -{{% codetab %}} - -{{< rad file="snippets/tls-termination-data.bicep" embed=true >}} - -{{% /codetab %}} - -{{% codetab %}} - -{{< rad file="snippets/tls-termination-k8s-secret.bicep" embed=true >}} - -{{% /codetab %}} - -{{< /tabs >}} - -## Step 3: Deploy the application - -```sh -rad deploy app.bicep -p tlscrt= -p tlskey= -``` - -Once the deployment is complete, you should see a public endpoint displayed at the end. Navigating to this public endpoint should show you your application that is accessed via HTTPS, assuming that you have a valid TLS certificate. - -View TLS certificate diff --git a/docs/content/guides/author-apps/networking/howto-tls-termination/snippets/tls-termination-data.bicep b/docs/content/guides/author-apps/networking/howto-tls-termination/snippets/tls-termination-data.bicep deleted file mode 100644 index c4cbf1869..000000000 
--- a/docs/content/guides/author-apps/networking/howto-tls-termination/snippets/tls-termination-data.bicep +++ /dev/null @@ -1,72 +0,0 @@ -import radius as radius - -@description('ID of your Radius environment. Passed in automatically by rad CLI') -param environment string - -@description('TLS certificate data') -@secure() -param tlscrt string - -@description('TLS certificate key') -@secure() -param tlskey string - -resource httpsApplication 'Applications.Core/applications@2023-10-01-preview' = { - name: 'https-application' - properties: { - environment: environment - } -} - -resource httpsSecretStore 'Applications.Core/secretStores@2023-10-01-preview' = { - name: 'https-secretstore' - properties: { - application: httpsApplication.id - type: 'certificate' - data: { - 'tls.crt': { - encoding: 'base64' - value: tlscrt - } - 'tls.key': { - encoding: 'base64' - value: tlskey - } - } - } -} - -resource httpsGateway 'Applications.Core/gateways@2023-10-01-preview' = { - name: 'https-gateway' - properties: { - application: httpsApplication.id - hostname: { - fullyQualifiedHostname: 'YOUR_DOMAIN' // Replace with your domain name. - } - routes: [ - { - path: '/' - destination: 'http://${httpsContainer.name}:3000' - } - ] - tls: { - certificateFrom: httpsSecretStore.id - minimumProtocolVersion: '1.2' - } - } -} - -resource httpsContainer 'Applications.Core/containers@2023-10-01-preview' = { - name: 'https-container' - properties: { - application: httpsApplication.id - container: { - image: 'radius.azurecr.io/tutorial/webapp:edge' - ports: { - web: { - containerPort: 3000 - } - } - } - } -} diff --git a/docs/content/guides/author-apps/networking/howto-tls-termination/snippets/tls-termination-k8s-secret.bicep b/docs/content/guides/author-apps/networking/howto-tls-termination/snippets/tls-termination-k8s-secret.bicep deleted file mode 100644 index 11afc947b..000000000 
--- a/docs/content/guides/author-apps/networking/howto-tls-termination/snippets/tls-termination-k8s-secret.bicep +++ /dev/null @@ -1,61 +0,0 @@ -import radius as radius - -@description('ID of your Radius environment. Passed in automatically by rad CLI') -param environment string - -resource httpsApplication 'Applications.Core/applications@2023-10-01-preview' = { - name: 'https-application' - properties: { - environment: environment - } -} - -resource httpsSecretStore 'Applications.Core/secretStores@2023-10-01-preview' = { - name: 'https-secretstore' - properties: { - application: httpsApplication.id - type: 'certificate' - // Reference the existing default/tls-certificate Kubernetes secret - resource: 'default/tls-certificate' - data: { - // Make the tls.crt and tls.key secrets available to the application - 'tls.crt': {} - 'tls.key': {} - } - } -} - -resource httpsGateway 'Applications.Core/gateways@2023-10-01-preview' = { - name: 'https-gateway' - properties: { - application: httpsApplication.id - hostname: { - fullyQualifiedHostname: 'YOUR_DOMAIN' // Replace with your domain name. - } - routes: [ - { - path: '/' - destination: 'http://${httpsContainer.name}:3000' - } - ] - tls: { - certificateFrom: httpsSecretStore.id - minimumProtocolVersion: '1.2' - } - } -} - -resource httpsContainer 'Applications.Core/containers@2023-10-01-preview' = { - name: 'https-container' - properties: { - application: httpsApplication.id - container: { - image: 'radius.azurecr.io/tutorial/webapp:edge' - ports: { - web: { - containerPort: 3000 - } - } - } - } -} diff --git a/docs/content/guides/author-apps/networking/howto-tls-termination/https-app.png b/docs/content/guides/author-apps/networking/howto-tls/https-app.png similarity index 100% rename from docs/content/guides/author-apps/networking/howto-tls-termination/https-app.png rename to docs/content/guides/author-apps/networking/howto-tls/https-app.png 
diff --git a/docs/content/guides/author-apps/networking/howto-tls/index.md b/docs/content/guides/author-apps/networking/howto-tls/index.md
new file mode 100644
index 000000000..9b67eea2f
--- /dev/null
+++ b/docs/content/guides/author-apps/networking/howto-tls/index.md
@@ -0,0 +1,117 @@ +--- +type: docs +title: "How To: Add TLS termination to a gateway" +linkTitle: "HTTPS/TLS" +description: "Learn how to deploy HTTPS-enabled application with a TLS certificate" +weight: 400 +slug: 'tls' +categories: "How-To" +--- + +This guide will show you how to add TLS and HTTPS to an application with a gateway. + +## Prerequisites + +- [rad CLI]({{< ref getting-started >}}) +- [Radius environment]({{< ref getting-started >}}) +- Domain name + DNS A-record pointing to your Kubernetes cluster + - If running Radius on an Azure Kubernetes Service (AKS) cluster you can optionally use a [DNS label](https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses#dns-name-label) to create a DNS A-record pointing to your cluster. + - If running Radius on an Elastic Kubernetes Service (EKS) cluster you can optionally leverage an [Application Load Balancer](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for a hosted DNS name and record. + +## Step 1: Define a container + +Begin by creating a file named `app.bicep`. Add a container which will be exposed to the internet: + +{{< rad file="snippets/app-existing.bicep" marker="//FRONTEND" embed=true >}} + +## Step 2: Add a secret store + +TLS certificates need to be referenced via a Radius [secret store]({{< ref "/guides/author-apps/secrets" >}}). You can either reference an existing secret, or define a new one with certificate data. + +{{< tabs "Reference existing secrets" "Define new secrets" >}} + +{{< codetab >}} + +{{< alert title="Managing certificates in Kubernetes" color="info" >}} +[cert-manager](https://cert-manager.io/docs/) is a great way to manage certificates in Kubernetes and make them available as a Kubernetes secret. 
This example uses a Kubernetes secret that was setup by cert-manager +{{< /alert >}} + + +{{< rad file="snippets/app-existing.bicep" marker="//SECRETS" embed=true >}} + +{{< /codetab >}} + +{{% codetab %}} + +{{< rad file="snippets/app-new.bicep" marker="//SECRETS" embed=true >}} + +{{% /codetab %}} + +{{< /tabs >}} + +## Step 3: Add a gateway + +Now that your certificate data is ready add a gateway and reference the secret store: + +{{< rad file="snippets/app-new.bicep" marker="//GATEWAY" embed=true >}} + +## Step 4: Deploy the application + +{{< tabs "Reference existing secrets" "Define new secrets" >}} + +{{% codetab %}} + +```sh +rad deploy app.bicep -a tlsdemo +``` +{{% /codetab %}} + +{{% codetab %}} + +```sh +rad deploy app.bicep -a tlsdemo -p tlscrt= -p tlskey= +``` +{{% /codetab %}} + +{{< /tabs >}} + +You should see the application deploy successfully, with the public endpoint printed automatically: + +``` +Building app.bicep... + Deploying template './app.bicep' for application 'tlsdemo' and environment 'default' from workspace 'default'... + + Deployment In Progress... + + Completed gateway Applications.Core/gateways + Completed frontend Applications.Core/containers + Completed secretstore Applications.Core/secretstores + + Deployment Complete + + Resources: + gateway Applications.Core/gateways + secretstore Applications.Core/secretstores + frontend Applications.Core/containers + + Public endpoint https://MYDOMAIN/ +``` + +## Step 5: Access HTTPS endpoint + +Once the deployment is complete you should see a public endpoint displayed at the end. Navigating to this public endpoint should show you your application that is accessed via HTTPS, assuming that you have a valid TLS certificate: + +View TLS certificate + +## Done + +You've successfully deployed an application with TLS termination. 
Make sure to cleanup your resources: + +```bash +rad app delete tlsdemo -y +``` + +## Further reading + +- [Networking overview]({{< ref "/guides/author-apps/networking/overview" >}}) +- [Gateway reference]({{< ref "/reference/resource-schema/core-schema/gateway" >}}) diff --git a/docs/content/guides/author-apps/networking/howto-tls/snippets/app-existing.bicep b/docs/content/guides/author-apps/networking/howto-tls/snippets/app-existing.bicep new file mode 100644 index 000000000..bd5f93a6b --- /dev/null +++ b/docs/content/guides/author-apps/networking/howto-tls/snippets/app-existing.bicep 
@@ -0,0 +1,62 @@
+//FRONTEND
+import radius as rad
+
+@description('The application ID being deployed. Injected automtically by the rad CLI')
+param application string
+
+resource frontend 'Applications.Core/containers@2023-10-01-preview' = {
+ name: 'frontend'
+ properties: {
+ application: application
+ container: {
+ image: 'radius.azurecr.io/tutorials/webapp:edge'
+ ports: {
+ web: {
+ containerPort: 3000
+ }
+ }
+ }
+ }
+}
+//FRONTEND
+
+//SECRETS
+resource secretstore 'Applications.Core/secretStores@2023-10-01-preview' = {
+ name: 'secretstore'
+ properties: {
+ application: application
+ type: 'certificate'
+ // Reference the existing tls-certificate Kubernetes secret in the default namespace
+ // Change this if your Kubernetes secret is in a different namespace or is named differently
+ resource: 'default/tls-certificate'
+ data: {
+ // Make the tls.crt and tls.key secrets available to the application
+ // Change these if your secrets are named differently
+ 'tls.crt': {}
+ 'tls.key': {}
+ }
+ }
+}
+//SECRETS
+
+//GATEWAY
+resource gateway 'Applications.Core/gateways@2023-10-01-preview' = {
+ name: 'gateway'
+ properties: {
+ application: application
+ hostname: {
+ fullyQualifiedHostname: 'YOUR_DOMAIN' // Replace with your domain name.
+ }
+ tls: {
+ certificateFrom: secretstore.id
+ minimumProtocolVersion: '1.2'
+ }
+ routes: [
+ {
+ path: '/'
+ destination: 'http://${frontend.name}:3000'
+ }
+ ]
+ }
+}
+//GATEWAY
diff --git a/docs/content/guides/author-apps/networking/howto-tls/snippets/app-new.bicep b/docs/content/guides/author-apps/networking/howto-tls/snippets/app-new.bicep
new file mode 100644
index 000000000..7987ff602
--- /dev/null
+++ b/docs/content/guides/author-apps/networking/howto-tls/snippets/app-new.bicep
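Review bot: In howto-tls/snippets/app-existing.bicep the route `destination: 'http://${frontend.name}:3000'` means TLS ends at the gateway and the hop to the container is plain HTTP, which a reader following an HTTPS guide may not expect. A comment above the route would make this explicit, e.g. `// TLS terminates at the gateway; traffic from the gateway to the container is unencrypted HTTP`. The comment `// Make the tls.crt and tls.key secrets available to the application` also reads broader than what the snippet shows, since only the gateway references the store through `certificateFrom: secretstore.id`; something like `// Keys of the Kubernetes secret that the gateway reads through certificateFrom` would be closer. The gateway block in app-new.bicep has the same route.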
@@ -0,0 +1,71 @@ +//FRONTEND +import radius as rad + +@description('The application ID being deployed. Injected automtically by the rad CLI') +param application string + +resource frontend 'Applications.Core/containers@2023-10-01-preview' = { + name: 'frontend' + properties: { + application: application + container: { + image: 'radius.azurecr.io/tutorials/webapp:edge' + ports: { + web: { + containerPort: 3000 + } + } + } + } +} +//FRONTEND + +//SECRETS +@description('TLS certificate data') +@secure() +param tlscrt string + +@description('TLS certificate key') +@secure() +param tlskey string + +resource secretstore 'Applications.Core/secretStores@2023-10-01-preview' = { + name: 'secretstore' + properties: { + application: application + type: 'certificate' + data: { + 'tls.crt': { + encoding: 'base64' + value: tlscrt + } + 'tls.key': { + encoding: 'base64' + value: tlskey + } + } + } +} +//SECRETS + +//GATEWAY +resource gateway 'Applications.Core/gateways@2023-10-01-preview' = { + name: 'gateway' + properties: { + application: application + hostname: { + fullyQualifiedHostname: 'YOUR_DOMAIN' // Replace with your domain name. + } + tls: { + certificateFrom: secretstore.id + minimumProtocolVersion: '1.2' + } + routes: [ + { + path: '/' + destination: 'http://${frontend.name}:3000' + } + ] + } +} +//GATEWAY diff --git a/docs/content/guides/author-apps/secrets/overview/index.md b/docs/content/guides/author-apps/secrets/overview/index.md index 6344490b5..512e7f807 100644 --- a/docs/content/guides/author-apps/secrets/overview/index.md +++ b/docs/content/guides/author-apps/secrets/overview/index.md @@ -34,5 +34,4 @@ Additional use-cases will be added in upcoming releases. ## Further reading -- [How To: TLS termination with your own TLS certificate]({{< ref howto-tls-termination >}}) -- [How To: TLS termination with a certificate from Let's Encrypt]({{< ref howto-tls-termination-cert-manager >}}) +- [How To: gateway TLS termination]({{< ref howto-tls >}})
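Review bot: In howto-tls/snippets/app-new.bicep the `tlscrt` and `tlskey` parameters are stored with `encoding: 'base64'`, but their descriptions (`'TLS certificate data'`, `'TLS certificate key'`) do not say the caller must supply base64 values, so a PEM pasted as-is would presumably be rejected or stored wrongly. I would state the expected form, e.g. `@description('Base64-encoded TLS private key; supply at deploy time, never commit it')`, and the equivalent for `tlscrt`. The guide passes these with `-p tlskey=` on the command line, where the value can end up in shell history; a sentence recommending a parameters file or an environment-sourced value would help, if the CLI version in use supports it.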