For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Trust CenterStatusSupportGet a demoPlatform
DocumentationEvals API ReferenceIntegrations & OTELPlatform SettingsSelf-HostingChangelog
DocumentationEvals API ReferenceIntegrations & OTELPlatform SettingsSelf-HostingChangelog
    • Self-Hosting
    • Security & Compliance
  • AWS Deployment
    • Overview
    • Quickstart
    • Requirements
  • Azure Deployment
    • Overview
    • Quickstart
    • Requirements
      • Prerequisites
      • Configuration
      • Provisioning
      • TLS Certificates
      • Cluster Access
      • Kubernetes Deployment
      • Verification
  • GCP Deployment
    • Overview
    • Quickstart
    • Requirements
LogoLogo
Trust CenterStatusSupportGet a demoPlatform
On this page
  • Overview
  • How TLS works on Azure
  • Verify cert-manager is running
  • Configure a ClusterIssuer
  • Option A: Let’s Encrypt (recommended for internet-facing)
  • Option B: Internal CA or self-signed (for private clusters)
  • DNS preparation
  • Next steps
Azure DeploymentStep-by-step guide

TLS Certificates

Was this page helpful?
Previous

Cluster Access

Next
Built with

Overview

Terraform installed cert-manager in the AKS cluster, which automates TLS certificate issuance and renewal. In this step, you will:

  • Understand how TLS works with NGINX Ingress and cert-manager on Azure
  • Configure a cert-manager ClusterIssuer for certificate provisioning
  • Verify cert-manager is operational
  • Prepare for ingress TLS configuration in later steps

Unlike AWS (which uses ACM), Azure deployments use cert-manager with Let’s Encrypt or your organization’s certificate authority.

If using public AKS mode: If you configured confident_public_aks = true (HTTP-only testing), you can skip this page. Public mode is only recommended for testing, not production.

How TLS works on Azure

The Azure deployment uses a different TLS approach than AWS:

  1. NGINX Ingress Controller handles TLS termination (instead of ALB)
  2. cert-manager automates certificate requests and renewals
  3. Let’s Encrypt (or your CA) issues the certificates
  4. Certificates are stored as Kubernetes Secrets

When a user connects to your domain:

  1. DNS resolves to the Azure Load Balancer IP
  2. Load Balancer forwards traffic to NGINX Ingress
  3. NGINX terminates TLS using the certificate from the Kubernetes Secret
  4. NGINX routes the request to the appropriate backend service

Verify cert-manager is running

cert-manager was installed by Terraform via Helm. Verify it’s operational:

$kubectl get pods -n cert-manager

Expected output:

NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-xxx-yyy                       1/1     Running   0          30m
cert-manager-cainjector-xxx-yyy            1/1     Running   0          30m
cert-manager-webhook-xxx-yyy               1/1     Running   0          30m

All three pods should be Running.

cert-manager pods not running?

This sometimes happens when AKS wasn’t fully ready. Try:

$terraform apply

Terraform will retry the failed Helm installation.

Configure a ClusterIssuer

A ClusterIssuer tells cert-manager how to obtain certificates. The most common option is Let’s Encrypt.

Option A: Let’s Encrypt (recommended for internet-facing)

Create a file cluster-issuer.yaml:

1apiVersion: cert-manager.io/v1
2kind: ClusterIssuer
3metadata:
4  name: letsencrypt-prod
5spec:
6  acme:
7    server: https://acme-v02.api.letsencrypt.org/directory
8    email: your-email@yourdomain.com
9    privateKeySecretRef:
10      name: letsencrypt-prod-key
11    solvers:
12      - http01:
13          ingress:
14            class: nginx

Apply it:

$kubectl apply -f cluster-issuer.yaml

Verify the issuer is ready:

$kubectl get clusterissuer letsencrypt-prod

Expected output:

NAME               READY   AGE
letsencrypt-prod   True    30s

Let’s Encrypt requires HTTP-01 challenge validation. This means:

  • The NGINX Ingress must be accessible from the internet (at least temporarily)
  • Let’s Encrypt servers need to reach port 80 on your load balancer
  • If your ingress is internal-only, Let’s Encrypt won’t work—use Option B instead

For testing, use the Let’s Encrypt staging server first to avoid rate limits: https://acme-staging-v02.api.letsencrypt.org/directory. Switch to production once confirmed working.

Option B: Internal CA or self-signed (for private clusters)

If your ingress is internal (not internet-facing), you can’t use Let’s Encrypt. Options:

  1. Corporate CA: Work with your PKI team to issue certificates and create Kubernetes TLS secrets manually
  2. Self-signed: Use cert-manager’s self-signed issuer (browsers will show warnings)

Self-signed issuer example:

1apiVersion: cert-manager.io/v1
2kind: ClusterIssuer
3metadata:
4  name: selfsigned-issuer
5spec:
6  selfSigned: {}

Self-signed certificates cause browser warnings. Users will see “Your connection is not private” errors. This is acceptable for internal testing but not for production use.

DNS preparation

Before certificates can be issued, your DNS must point to the NGINX Ingress load balancer. You’ll configure this fully during the Verification step, but you can check the load balancer IP now:

$kubectl get svc -n ingress-nginx ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}'

This returns the Azure Load Balancer IP that your DNS records should point to.

Azure Load Balancer uses IP addresses (not hostnames like AWS ALB). You’ll create A records (not CNAME records) pointing your domains to this IP.

Next steps

After cert-manager is operational and a ClusterIssuer is configured, proceed to Cluster Access to configure kubectl access and verify infrastructure components.