5

I set up a Kubernetes cluster in AWS using KOPS; now I want to set up an NGINX ingress controller and terminate TLS with an AWS managed certificate. The topology, in my understanding, is that the AWS ELB faces the internet and terminates TLS, then forwards unencrypted traffic to the ingress service, which then dispatches.

I've deployed ingress controller from https://github.com/kubernetes/ingress/tree/master/examples/aws/nginx

Except I used annotations as described on top of https://github.com/kubernetes/ingress/issues/71 to add the certificate.

I add the route to Route53, open my browser to the https address, and get a 400 response from NGINX with the message "The plain HTTP request was sent to HTTPS port"

What am I doing wrong?

This is my ingress resource:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: dispatcher
  namespace: test
spec:
  rules:
  - host: REDACTED
    http:
      paths:
      - backend:
          serviceName: REDACTED
          servicePort: 80
        path: /api/v0
Lev Kuznetsov

2 Answers

3

I managed to get this done largely using the ingress here: https://github.com/kubernetes/kops/tree/master/addons/ingress-nginx, except that for the ingress service I added the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation pointing to my certificate ARN and set the targetPort of both ports to 80.

Lev Kuznetsov
  • This works for me, but also means traffic from the ELB to the application is unencrypted. Presumably your ELB is in a VPC with your cluster so that should be safe. – monty0 Sep 01 '17 at 21:10
  • I don't think it's possible to get between ELB and the service outside AWS. This is a standard setup in AWS; Elastic Beanstalk had been set up this way for years and no one ever complained about this after millions of hours of production loads – Lev Kuznetsov Sep 02 '17 at 16:33
  • Hi, did you use Helm for this? Can you please post your scripts in this answer? I'm having the same problem at the moment.. – wild_nothing Apr 24 '18 at 09:54
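
The Service change described in the answer above, written out as an added example (not the poster's actual manifest). The name, namespace, selector label and the certificate ARN placeholder are assumptions, and the backend-protocol and ssl-ports annotations are additions the answer does not mention.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx            # hypothetical name
  namespace: kube-ingress        # hypothetical namespace
  annotations:
    # ACM certificate the ELB presents to clients (placeholder ARN).
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERTIFICATE_ID"
    # Assumption, not in the answer: make the ELB listeners HTTP/HTTPS
    # rather than TCP/SSL, so the ELB adds X-Forwarded-* headers.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    # Assumption, not in the answer: only the 443 listener uses the
    # certificate; without this every listener, including 80, does.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
spec:
  type: LoadBalancer
  selector:
    app: ingress-nginx           # hypothetical label on the controller pods
  ports:
  - name: http
    port: 80
    targetPort: 80
  - name: https
    port: 443
    # The ELB has already terminated TLS, so what it forwards is plain
    # HTTP. Sending that to nginx's TLS port (targetPort: 443) yields the
    # 400 "The plain HTTP request was sent to HTTPS port" from the
    # question; nginx's plain HTTP port 80 accepts it.
    targetPort: 80
```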
0

https://github.com/kubernetes/ingress/tree/master/controllers/nginx#https

TL;DR

1) create a secret with your ssl public/private in your namespace

2) add the tls block to your ingress (referencing the secret)

Brett Wagner
  • I want the ELB to terminate SSL. I'm using AWS managed certs, they don't actually give you the cert; there are only a few services you can use them with and ELB is one such service – Lev Kuznetsov Jun 07 '17 at 21:17