Assign a certificate and secure it with TLS/HTTPS.

0 votes

Initially I setup nginx-ingress on EKS using Helm by following the docs here: https://github.com/nginxinc/kubernetes-ingress. I tried to get the sample app working (cafe) using the following config:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
spec:
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80

The ingress and all supported services/deploys worked fine but there's one major thing missing: the ingress doesn't have an associated address/ELB:

NAME           HOSTS                 ADDRESS   PORTS     AGE
cafe-ingress   cafe.example.com                80, 443   12h

Service LoadBalancers create ELB resources, i.e.:

testnodeapp    LoadBalancer   172.20.4.161     a64b46f3588fe...   80:32107/TCP     13h

However, the Ingress is not creating an address. How do I get an Ingress controller exposed externally on EKS to handle TLS/HTTPS?

Sep 28, 2018 in Kubernetes by Hannah
• 14,040 points
75 views

1 answer to this question.

Your answer

Your name to display (optional):
Privacy: Your email address will only be used for sending these notifications.
0 votes

To get your ingress resource working you need to have an ingress controller configured.

For EKS with helm, use the following command:

helm registry install quay.io/coreos/alb-ingress-controller-helm

Next, configure the Ingress resource:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: 'true'
spec:
  rules:
  - host: YOUR_DOMAIN
    http:
      paths:
      - path: /
        backend:
          serviceName: ingress-example-test
          servicePort: 80
  tls:
  - secretName: custom-tls-cert
    hosts:
    - YOUR_DOMAIN

Apply the config:

kubectl create -f ingress.yaml

Next, create the secret with TLS certificates:

kubectl create secret tls custom-tls-cert --key /path/to/tls.key --cert /path/to/tls.crt

and reference to them in the Ingress definition:

tls:
  - secretName: custom-tls-cert
    hosts:
    - YOUR_DOMAIN

The following example of configuration shows how to configure the Ingress controller:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  labels:
    k8s-app: nginx-ingress-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: nginx-ingress-controller
  template:
    metadata:
      labels:
        k8s-app: nginx-ingress-controller
    spec:
      # hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration
      # however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host
      # that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
      # like with kubeadm
      # hostNetwork: true
      terminationGracePeriodSeconds: 60
      containers:
      - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.17.1
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          timeoutSeconds: 1
        ports:
        - containerPort: 80
          hostPort: 80
        - containerPort: 443
          hostPort: 443
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
        - --publish-service=$(POD_NAMESPACE)/nginx-ingress-lb

Next, apply the above configuration, then you can check services for External IP exposed:

kubectl get service nginx-controller -n kube-system
answered Oct 8, 2018 by Kalgi
• 35,640 points

Related Questions In Kubernetes

0 votes
1 answer
0 votes
1 answer

Is it possible to access GCP resources using api without a user interaction.?

yes that's totally possible. You'd have to create ...READ MORE

answered Sep 19, 2018 in Kubernetes by Kalgi
• 35,640 points
20 views
0 votes
1 answer

What's the difference betweena a deployment and a stateful set?

Both the deployments and replication controllers are ...READ MORE

answered Oct 3, 2018 in Kubernetes by ajs3033
• 7,000 points
147 views
0 votes
1 answer
0 votes
1 answer
0 votes
3 answers

Nginx reverse proxy URL getting rewritten

 take a look at  nginx.ingress.kubernetes.io/app-root and  nginx.ingress.kubernetes.io/rewrite-target annotations(https://kubernetes.github.io/.../nginx.../annotations/). I'm not sure ...READ MORE

answered Mar 6 in Kubernetes by Madhu
262 views
0 votes
1 answer

© 2018 Brain4ce Education Solutions Pvt. Ltd. All rights Reserved.
"PMP®","PMI®", "PMI-ACP®" and "PMBOK®" are registered marks of the Project Management Institute, Inc. MongoDB®, Mongo and the leaf logo are the registered trademarks of MongoDB, Inc.