Assign a certificate and secure it with TLS HTTPS

0 votes

Initially I setup nginx-ingress on EKS using Helm by following the docs here: https://github.com/nginxinc/kubernetes-ingress. I tried to get the sample app working (cafe) using the following config:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
spec:
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80

The ingress and all supported services/deploys worked fine but there's one major thing missing: the ingress doesn't have an associated address/ELB:

NAME           HOSTS                 ADDRESS   PORTS     AGE
cafe-ingress   cafe.example.com                80, 443   12h

Service LoadBalancers create ELB resources, i.e.:

testnodeapp    LoadBalancer   172.20.4.161     a64b46f3588fe...   80:32107/TCP     13h

However, the Ingress is not creating an address. How do I get an Ingress controller exposed externally on EKS to handle TLS/HTTPS?

Sep 28, 2018 in Kubernetes by Hannah
 • 18,570 points 895 views

1 answer to this question.

0 votes

To get your ingress resource working you need to have an ingress controller configured.

For EKS with helm, use the following command:

helm registry install quay.io/coreos/alb-ingress-controller-helm

Next, configure the Ingress resource:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: 'true'
spec:
  rules:
  - host: YOUR_DOMAIN
    http:
      paths:
      - path: /
        backend:
          serviceName: ingress-example-test
          servicePort: 80
  tls:
  - secretName: custom-tls-cert
    hosts:
    - YOUR_DOMAIN

Apply the config:

kubectl create -f ingress.yaml

Next, create the secret with TLS certificates:

kubectl create secret tls custom-tls-cert --key /path/to/tls.key --cert /path/to/tls.crt

and reference to them in the Ingress definition:

tls:
  - secretName: custom-tls-cert
    hosts:
    - YOUR_DOMAIN

The following example of configuration shows how to configure the Ingress controller:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  labels:
    k8s-app: nginx-ingress-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: nginx-ingress-controller
  template:
    metadata:
      labels:
        k8s-app: nginx-ingress-controller
    spec:
      # hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration
      # however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host
      # that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
      # like with kubeadm
      # hostNetwork: true
      terminationGracePeriodSeconds: 60
      containers:
      - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.17.1
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          timeoutSeconds: 1
        ports:
        - containerPort: 80
          hostPort: 80
        - containerPort: 443
          hostPort: 443
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
        - --publish-service=$(POD_NAMESPACE)/nginx-ingress-lb

Next, apply the above configuration, then you can check services for External IP exposed:

kubectl get service nginx-controller -n kube-system
answered Oct 8, 2018 by Kalgi
 • 52,360 points

Related Questions In Kubernetes

0 votes
1 answer

Is it possible for containers within a pod to communicate with each other?

Yes, it is possible for containers to ...READ MORE

answered Jul 12, 2019 in Kubernetes by Sirajul
 • 59,230 points 3,534 views
0 votes
2 answers

How do I create a volume in kubernetes so that it doesn't get detroyed when pods die?

if you need to do this is ...READ MORE

answered Jul 26, 2020 in Kubernetes by Akash Gupta
 1,251 views
0 votes
1 answer

Is it possible to access GCP resources using api without a user interaction.?

yes that's totally possible. You'd have to create ...READ MORE

answered Sep 19, 2018 in Kubernetes by Kalgi
 • 52,360 points 425 views
0 votes
1 answer

What's the difference betweena a deployment and a stateful set?

Both the deployments and replication controllers are ...READ MORE

answered Oct 3, 2018 in Kubernetes by ajs3033
 • 7,300 points 4,204 views
+1 vote
1 answer

set up kubernetes NGINX ingress in AWS with SSL termination

Try using ingress itself in this manner except ...READ MORE

answered Oct 10, 2018 in Kubernetes by Kalgi
 • 52,360 points 2,806 views
+6 votes
1 answer

Web UI (Dashboard): https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/

Hey @nmentityvibes, you seem to be using ...READ MORE

answered Dec 13, 2018 in Kubernetes by Kalgi
 • 52,360 points 7,046 views
0 votes
1 answer

Nginx routing for kubernetes services

Hey, backend is a service running on ...READ MORE

answered Feb 8, 2019 in Kubernetes by Kalgi
 • 52,360 points 1,140 views
0 votes
3 answers

Nginx reverse proxy URL getting rewritten

Hey @Gopi, try your ingress probably like ...READ MORE

answered Feb 12, 2019 in Kubernetes by Kalgi
 • 52,360 points 4,212 views
0 votes
1 answer

Running a HTTPS SSE server over Kubernetes/Ingress and Google Cloud Platform

Try adding a long time on the ...READ MORE

answered Sep 11, 2018 in Kubernetes by Kalgi
 • 52,360 points 1,844 views
0 votes
1 answer

Running a heterogeneous kubernetes cluster with nodes running in different network using VPN

There is an issue with networking between ...READ MORE

answered Sep 6, 2018 in Kubernetes by Kalgi
 • 52,360 points 2,423 views
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP
"PMP®","PMI®", "PMI-ACP®" and "PMBOK®" are registered marks of the Project Management Institute, Inc. MongoDB®, Mongo and the leaf logo are the registered trademarks of MongoDB, Inc.