 

How to set up kubernetes NGINX ingress in AWS and SSL termination


I set up a Kubernetes cluster in AWS using KOPS; now I want to set up an NGINX ingress controller and terminate TLS with an AWS-managed certificate. The topology, in my understanding, is that an AWS ELB faces the internet and terminates TLS, then forwards unencrypted traffic to the ingress service, which then does the dispatching.

I've deployed the ingress controller from https://github.com/kubernetes/ingress/tree/master/examples/aws/nginx

Except I used annotations as described at the top of https://github.com/kubernetes/ingress/issues/71 to add the certificate.

I add the route to Route53, open my browser to the https address, and get a 400 response from NGINX with the message "The plain HTTP request was sent to HTTPS port".

What am I doing wrong?

This is my ingress resource:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: dispatcher
  namespace: test
spec:
  rules:
  - host: REDACTED
    http:
      paths:
      - backend:
          serviceName: REDACTED
          servicePort: 80
        path: /api/v0
Lev Kuznetsov asked Jun 07 '17 19:06




2 Answers

I managed to get this done largely using the ingress here: https://github.com/kubernetes/kops/tree/master/addons/ingress-nginx, except that for the ingress service I added the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation pointing to my certificate ARN and set the targetPort of both ports to 80.

Lev Kuznetsov answered Oct 01 '22 05:10


https://github.com/kubernetes/ingress/tree/master/controllers/nginx#https

TL;DR

1) Create a secret with your SSL public/private in your namespace

2) Add the tls block to your ingress (referencing the secret)

Brett Wagner answered Oct 01 '22 05:10