Assign a certificate and secure it with TLS HTTPS

0 votes

Initially I setup nginx-ingress on EKS using Helm by following the docs here: https://github.com/nginxinc/kubernetes-ingress. I tried to get the sample app working (cafe) using the following config:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
spec:
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80

The ingress and all supported services/deploys worked fine but there's one major thing missing: the ingress doesn't have an associated address/ELB:

NAME           HOSTS                 ADDRESS   PORTS     AGE
cafe-ingress   cafe.example.com                80, 443   12h

Service LoadBalancers create ELB resources, i.e.:

testnodeapp    LoadBalancer   172.20.4.161     a64b46f3588fe...   80:32107/TCP     13h

However, the Ingress is not creating an address. How do I get an Ingress controller exposed externally on EKS to handle TLS/HTTPS?

Sep 28, 2018 in Kubernetes by Hannah
• 18,520 points
1,154 views

1 answer to this question.

0 votes

To get your ingress resource working you need to have an ingress controller configured.

For EKS with helm, use the following command:

helm registry install quay.io/coreos/alb-ingress-controller-helm

Next, configure the Ingress resource:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: 'true'
spec:
  rules:
  - host: YOUR_DOMAIN
    http:
      paths:
      - path: /
        backend:
          serviceName: ingress-example-test
          servicePort: 80
  tls:
  - secretName: custom-tls-cert
    hosts:
    - YOUR_DOMAIN

Apply the config:

kubectl create -f ingress.yaml

Next, create the secret with TLS certificates:

kubectl create secret tls custom-tls-cert --key /path/to/tls.key --cert /path/to/tls.crt

and reference to them in the Ingress definition:

tls:
  - secretName: custom-tls-cert
    hosts:
    - YOUR_DOMAIN

The following example of configuration shows how to configure the Ingress controller:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  labels:
    k8s-app: nginx-ingress-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: nginx-ingress-controller
  template:
    metadata:
      labels:
        k8s-app: nginx-ingress-controller
    spec:
      # hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration
      # however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host
      # that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
      # like with kubeadm
      # hostNetwork: true
      terminationGracePeriodSeconds: 60
      containers:
      - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.17.1
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          timeoutSeconds: 1
        ports:
        - containerPort: 80
          hostPort: 80
        - containerPort: 443
          hostPort: 443
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
        - --publish-service=$(POD_NAMESPACE)/nginx-ingress-lb

Next, apply the above configuration, then you can check services for External IP exposed:

kubectl get service nginx-controller -n kube-system
answered Oct 8, 2018 by Kalgi
• 52,350 points

Related Questions In Kubernetes

0 votes
1 answer

Is it possible for containers within a pod to communicate with each other?

Yes, it is possible for containers to ...READ MORE

answered Jul 12, 2019 in Kubernetes by Sirajul
• 59,230 points
3,895 views
0 votes
1 answer

Is it possible to access GCP resources using api without a user interaction.?

yes that's totally possible. You'd have to create ...READ MORE

answered Sep 19, 2018 in Kubernetes by Kalgi
• 52,350 points
727 views
0 votes
1 answer

What's the difference betweena a deployment and a stateful set?

Both the deployments and replication controllers are ...READ MORE

answered Oct 3, 2018 in Kubernetes by ajs3033
• 7,300 points
4,478 views
+1 vote
1 answer
0 votes
3 answers

Nginx reverse proxy URL getting rewritten

Hey @Gopi, try your ingress probably like ...READ MORE

answered Feb 12, 2019 in Kubernetes by Kalgi
• 52,350 points
4,790 views
0 votes
1 answer

Kubernetes nginx-ingress TLS issue

You have to create a secret named test-secret. ➜ ...READ MORE

answered Sep 11, 2018 in Kubernetes by Kalgi
• 52,350 points
1,994 views
0 votes
1 answer
0 votes
1 answer
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP