Kubernetes on AWS with NGINX ingress controller and SSL termination

10/17/2017

Having issues configuring SSL termination in my Kubernetes cluster. Attempting to figure out the best place for this to happen.

I have been able to get it working following the instructions listed here and then updating the ingress controller service to include the SSL certificate details using the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation:

kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app: ingress-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:...
spec:
  type: LoadBalancer
  selector:
    app: ingress-nginx
  ports:
  - name: https
    port: 443
    targetPort: 80

I then have ingress rules and services set up similar to:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app1
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: app1.foo.bar
    http:
      paths:
      - backend:
          serviceName: app1
          servicePort: 80

---

apiVersion: v1
kind: Service
metadata:
  name: app1
spec:
  type: LoadBalancer
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    app: app1

---

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: app1
spec:
  template:
    metadata:
      labels:
        app: app1
    spec:
      containers:
      - image: nginx
        name: nginx
        ports:
        - containerPort: 80

When going to app1.foo.bar I can see that:

  • http requests are redirected to https
  • the SSL certificate is correctly applied

Originally I was trying to apply the certificate to my individual app services. I could see the certificate being applied to the ELB in AWS but it wasn't being passed through. So my question is:

Is this the correct configuration or is there a better solution?

Thank you :)

-- timothyclifford
amazon-web-services
devops
kubernetes
nginx

1 Answer

10/18/2017

I would suggest terminating SSL on the Nginx Ingress Controller exposed with ELB, and using kube-lego for automated SSL certificate management.

https://github.com/kubernetes/ingress-nginx & https://github.com/jetstack/kube-lego

-- Radek 'Goblin' Pieczonka
Source: StackOverflow
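
The layout the answer recommends, sketched as an added example (not from the original post or from either project): the ELB passes TCP through and the NGINX ingress controller terminates TLS with a certificate managed by kube-lego. Resource names mirror the question's manifests; the secret name app1-tls is an assumption.

```yaml
# Added example. Names follow the question; app1-tls is an assumed secret name.
kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app: ingress-nginx
  # No aws-load-balancer-ssl-cert annotation: the ELB listeners stay in TCP mode
  # and the TLS handshake is completed by the NGINX ingress controller.
spec:
  type: LoadBalancer
  selector:
    app: ingress-nginx
  ports:
  - name: http        # kept open: kube-lego answers ACME HTTP-01 challenges on port 80
    port: 80
    targetPort: 80
  - name: https
    port: 443
    targetPort: 443   # traffic is still encrypted on the hop from the ELB to the controller
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app1
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"   # asks kube-lego to obtain and renew the certificate
spec:
  tls:
  - hosts:
    - app1.foo.bar
    secretName: app1-tls             # assumed name; kube-lego stores the key pair here
  rules:
  - host: app1.foo.bar
    http:
      paths:
      - backend:
          serviceName: app1
          servicePort: 80
```

In the question's setup the app1 Service is also `type: LoadBalancer`, which gives the app its own ELB on plain port 80 alongside the ingress path. With the ingress in front, a `ClusterIP` Service for app1 keeps the controller as the only public entry point.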