Kubernetes EKS Ingress and TLS

Ken J

I'm trying to accomplish a VERY common task for an application:

Assign a certificate and secure it with TLS/HTTPS.

I've spent nearly a day scouring through documentation and trying multiple different tactics to get this working but nothing is working for me.

Initially I set up nginx-ingress on EKS using Helm by following the docs here: https://github.com/nginxinc/kubernetes-ingress. I tried to get the sample app working (cafe) using the following config:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
spec:
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80

The ingress and all supported services/deploys worked fine but there's one major thing missing: the ingress doesn't have an associated address/ELB:

NAME           HOSTS                 ADDRESS   PORTS     AGE
cafe-ingress   cafe.example.com                80, 443   12h

Service LoadBalancers create ELB resources, i.e.:

testnodeapp    LoadBalancer   172.20.4.161     a64b46f3588fe...   80:32107/TCP     13h

However, the Ingress is not creating an address. How do I get an Ingress controller exposed externally on EKS to handle TLS/HTTPS?

Ken J

I've replicated every step necessary to get up and running on EKS with a secure ingress. I hope this helps anybody else that wants to get their application on EKS quickly and securely.

To get up and running on EKS:

  1. Deploy EKS using the CloudFormation template here: Keep in mind that I've restricted access with the CidrIp: 193.22.12.32/32. Change this to suit your needs.

  2. Install Client Tools. Follow the guide here.

  3. Configure the client. Follow the guide here.

  4. Enable the worker nodes. Follow the guide here.

You can verify that the cluster is up and running and you are pointing to it by running:

kubectl get svc

Now you launch a test application with the nginx ingress.

NOTE: Everything is placed under the ingress-nginx namespace. Ideally this would be templated to build under different namespaces, but for the purposes of this example it works.

Deploy nginx-ingress:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml

Fetch rbac.yml from here. Run:

kubectl apply -f rbac.yml

Have a certificate and key ready for testing. Create the necessary secret like so:

kubectl create secret tls cafe-secret --key mycert.key --cert mycert.crt -n ingress-nginx

Copy coffee.yml from here. Copy coffee-ingress.yml from here. Update the domain you want to run this under. Run them like so:

kubectl apply -f coffee.yaml
kubectl apply -f coffee-ingress.yaml

Update the CNAME for your domain to point to the ADDRESS for:

kubectl get ing -n ingress-nginx -o wide

Refresh DNS cache and test the domain. You should get a secure page with request stats. I've replicated this multiple times, so if it fails to work for you, check the steps, config, and certificate. Also, check the logs on the nginx-ingress-controller* pod.

kubectl logs pod/nginx-ingress-controller-*********** -n ingress-nginx

That should give you some indication of what's wrong.
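
Added example, not part of the original answer: a small Python check over the JSON that `kubectl get ing -o json` and `kubectl get secret -o json` return, flagging the failure modes this thread touches (TLS secret missing from the Ingress's namespace, a rule host without a tls entry, an empty ADDRESS). The function names and the sample objects are constructed for illustration; `tea.example.com` is a made-up second host.

```python
# Added example: inputs are dicts shaped like `kubectl get ... -o json` items.
def _covers(pattern, host):
    """True if a tls.hosts entry (exact or '*.domain') covers a rule host."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_ingress(ingress, secrets):
    """Return a list of findings for one Ingress and the cluster's Secrets."""
    findings = []
    ns = ingress["metadata"].get("namespace", "default")
    spec = ingress.get("spec", {})
    # An Ingress can only reference a Secret in its own namespace.
    by_key = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s
              for s in secrets}
    tls_hosts = []
    for entry in spec.get("tls", []):
        tls_hosts += entry.get("hosts", [])
        name = entry.get("secretName")
        secret = by_key.get((ns, name))
        if secret is None:
            findings.append(f"secret {name} not found in namespace {ns}")
        elif secret.get("type") != "kubernetes.io/tls":
            findings.append(f"secret {name} is not of type kubernetes.io/tls")
        elif not {"tls.crt", "tls.key"} <= set(secret.get("data", {})):
            findings.append(f"secret {name} lacks tls.crt or tls.key")
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if host and not any(_covers(p, host) for p in tls_hosts):
            findings.append(f"host {host} has no matching tls entry")
    # Empty status.loadBalancer.ingress is the blank ADDRESS column.
    if not ingress.get("status", {}).get("loadBalancer", {}).get("ingress"):
        findings.append("no ADDRESS published for this Ingress")
    return findings

# Constructed sample objects (not output from a real cluster).
SAMPLE_INGRESS = {
    "metadata": {"name": "cafe-ingress", "namespace": "ingress-nginx"},
    "spec": {"tls": [{"hosts": ["cafe.example.com"], "secretName": "cafe-secret"}],
             "rules": [{"host": "cafe.example.com"}, {"host": "tea.example.com"}]},
    "status": {"loadBalancer": {}},
}
SAMPLE_SECRETS = [{"metadata": {"name": "cafe-secret", "namespace": "default"},
                   "type": "kubernetes.io/tls",
                   "data": {"tls.crt": "<base64>", "tls.key": "<base64>"}}]

if __name__ == "__main__":
    for finding in check_ingress(SAMPLE_INGRESS, SAMPLE_SECRETS):
        print(finding)
```

An empty result means the Ingress references a well-formed TLS secret in its own namespace, every rule host is covered, and a load balancer address has been published; it does not validate the certificate contents themselves.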
