We need a Kubernetes Service that brings up an AWS load balancer that supports WebSockets, i.e. not the Classic LB. Support for the AWS NLB is in Alpha state, but it seems to work well.

The issue we have is with setting the listener to TLS rather than TCP and attaching the ACM SSL certificate correctly, something that works well with the Classic LB.
The annotations we have in the service.yml are:

```yaml
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 'arn:aws:acm:{{ .Values.certificate.region }}:{{ .Values.certificate.aws_user_id }}:certificate/{{ .Values.certificate.id }}'
service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
```
The result is:

| Listener ID | Security Policy | SSL Certificate | Default Action |
| --- | --- | --- | --- |
| TCP: 443 | N/A | N/A | Forward to: k8s |

Expected:

| Listener ID | Security Policy | SSL Certificate | Default Action |
| --- | --- | --- | --- |
| TLS: 443 | ELBSecurityPol.. | f456ac87d0ed99.. | Forward to: k8s |
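A pre-deployment check for the annotation set above, added here as an example and not part of the original post. It assumes the in-tree AWS cloud provider behaviour from Kubernetes 1.15 onward, where a port on an NLB Service only gets a TLS listener when `aws-load-balancer-ssl-cert` is set *and* the port (or port name, or `*`) is listed in `aws-load-balancer-ssl-ports`; without that second annotation the port stays a plain TCP listener, which matches the "result" table in the question. The ACM ARN, account ID and certificate ID in the sample are constructed placeholders standing in for the rendered Helm values, and `check_nlb_tls` is a hypothetical helper, not a Kubernetes or AWS API.

```python
"""Static lint for AWS NLB TLS-listener annotations on a Kubernetes Service.

Assumption (not verified against every provider version): with the in-tree AWS
cloud provider (Kubernetes 1.15+), a Service port is given a TLS listener only
when `aws-load-balancer-ssl-cert` is set AND the port is listed in
`aws-load-balancer-ssl-ports`. Otherwise the NLB gets a TCP listener.
"""
import re
from typing import Dict, List

PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"

# ACM certificate ARN: arn:aws:acm:<region>:<12-digit account>:certificate/<uuid>
ACM_ARN = re.compile(
    r"^arn:aws:acm:[a-z]{2}(?:-gov)?-[a-z]+-\d:\d{12}:certificate/[0-9a-f-]{36}$"
)

# Security policies that still permit TLS 1.0/1.1. ELBSecurityPolicy-2016-08 is
# the NLB default when no negotiation-policy annotation is given.
LEGACY_POLICIES = {
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-TLS-1-0-2015-04",
    "ELBSecurityPolicy-TLS-1-1-2017-01",
}


def check_nlb_tls(annotations: Dict[str, str], ports: List[dict]) -> List[str]:
    """Return a list of problems; an empty list means the annotation set is
    consistent with getting a TLS listener on the listed port(s)."""
    problems: List[str] = []

    if annotations.get(PREFIX + "type") != "nlb":
        problems.append("type: annotation is not 'nlb'; a Classic ELB will be created")

    cert = annotations.get(PREFIX + "ssl-cert", "")
    if not cert:
        problems.append("ssl-cert: missing; no listener can terminate TLS")
    elif not ACM_ARN.match(cert):
        problems.append(f"ssl-cert: not a well-formed ACM certificate ARN: {cert!r}")

    ssl_ports = annotations.get(PREFIX + "ssl-ports", "")
    if not ssl_ports.strip():
        problems.append(
            "ssl-ports: missing; every port gets a TCP listener "
            "(assumption: 1.15+ in-tree provider selects TLS per listed port)"
        )
    else:
        # Entries may be port numbers, port names, or '*' for all ports.
        declared = {str(p["port"]) for p in ports} | {p.get("name", "") for p in ports}
        for entry in (e.strip() for e in ssl_ports.split(",")):
            if entry != "*" and entry not in declared:
                problems.append(f"ssl-ports: {entry!r} is not a port or port name on the Service")

    policy = annotations.get(PREFIX + "ssl-negotiation-policy", "ELBSecurityPolicy-2016-08")
    if policy in LEGACY_POLICIES:
        problems.append(f"ssl-negotiation-policy: {policy} still permits TLS 1.0/1.1")

    return problems


# Constructed sample input: the Service's port list and the question's
# annotations with the Helm values rendered to placeholder values.
SERVICE_PORTS = [{"name": "https", "port": 443, "targetPort": 8080}]

QUESTION_ANNOTATIONS = {
    PREFIX + "ssl-cert": "arn:aws:acm:us-east-1:123456789012:certificate/"
                         "12345678-1234-1234-1234-123456789012",
    PREFIX + "ssl-negotiation-policy": "ELBSecurityPolicy-TLS-1-2-2017-01",
    PREFIX + "type": "nlb",
}

# Same annotations plus the port that should terminate TLS.
FIXED_ANNOTATIONS = dict(QUESTION_ANNOTATIONS, **{PREFIX + "ssl-ports": "443"})


if __name__ == "__main__":
    for label, ann in (("question", QUESTION_ANNOTATIONS), ("fixed", FIXED_ANNOTATIONS)):
        print(label, "->", check_nlb_tls(ann, SERVICE_PORTS) or "ok")
```

Run it against the rendered manifest before `kubectl apply`; the only finding for the question's annotation set is the missing `ssl-ports`, and adding `443` (or the port name `https`) clears it. The helper also flags a malformed ARN and a negotiation policy that still allows TLS 1.0/1.1, which are the other two ways this listener quietly ends up weaker than intended.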