AWS Kubernetes: Selecting SSL Certificate on AWS Load Balancer

2/21/2019

I’m trying to configure SSL for an AWS Load Balancer for my AWS EKS cluster. The load balancer is proxying to a Traefik instance running on my cluster. This works fine over HTTP.

Then I created my AWS Certificate in the Cert Manager, copied the ARN and followed this part of the documentation: Services - Kubernetes

But the certificate is not linked to the Listeners in the AWS Load Balancer. I can’t find further documentation or a working example on the web. Can anyone point me to one?

The LoadBalancer configuration looks like this:

apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"traefik-ingress-service","namespace":"kube-system"},"spec":{"ports":[{"name":"web","port":80,"targetPort":80},{"name":"admin","port":8080,"targetPort":8080},{"name":"secure","port":443,"targetPort":443}],"selector":{"k8s-app":"traefik-ingress-lb"},"type":"LoadBalancer"}}
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-north-1:000000000:certificate/e386a77d-26d9-4608-826b-b2b3a5d1ec47
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
  creationTimestamp: 2019-01-14T14:33:17Z
  name: traefik-ingress-service
  namespace: kube-system
  resourceVersion: "10172130"
  selfLink: /api/v1/namespaces/kube-system/services/traefik-ingress-service
  uid: e386a77d-26d9-4608-826b-b2b3a5d1ec47
spec:
  clusterIP: 10.100.115.166
  externalTrafficPolicy: Cluster
  ports:
  - name: web
    port: 80
    protocol: TCP
    targetPort: 80
  - name: admin
    port: 8080
    protocol: TCP
    targetPort: 8080
  - name: secure
    port: 443
    protocol: TCP
    targetPort: 80
  selector:
    k8s-app: traefik-ingress-lb
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - hostname: e386a77d-26d9-4608-826b-b2b3a5d1ec47.eu-north-1.elb.amazonaws.com

Kind Regards and looking forward to your answers.

-- Alexander Magnus Partsch
amazon-web-services
aws-load-balancer
kubernetes
ssl

1 Answer

3/26/2020

I had a similar issue since I'm using EKS v1.14 (and nginx-ingress-controller) and a Network Load Balancer, and according to Kubernetes, it's possible since Kubernetes v1.15 - GitHub Issue. And since 10-March-2020 - Amazon EKS now supports Kubernetes version 1.15.

So if it's still relevant, read more about it here - How do I terminate HTTPS traffic on Amazon EKS workloads with ACM?

-- Meir Gabay
Source: StackOverflow
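
Added example (not part of the original question or answer, and not Kubernetes project code): a Python model of how the `ssl-cert`, `ssl-ports` and `backend-protocol` annotations on the question's Service select Classic ELB listeners, so the result can be compared with the listeners the load balancer actually shows. The protocol mapping is an assumption modeled on the legacy in-tree AWS cloud provider, and `expected_listeners`, `plaintext_ports` and `QUESTION_SERVICE` are hypothetical names.

```python
# Added example; the protocol mapping is an assumption modeled on the legacy
# in-tree AWS cloud provider (Classic ELB), not code from the page.
ANN = "service.beta.kubernetes.io/aws-load-balancer-"
# backend (instance) protocol -> frontend protocol once a certificate applies
SECURE_FRONTEND = {"http": "https", "https": "https", "tcp": "ssl", "ssl": "ssl"}


def expected_listeners(service):
    """Return [(lb_port, frontend_proto, backend_proto, has_cert)] per Service port."""
    ann = service.get("metadata", {}).get("annotations") or {}
    cert = ann.get(ANN + "ssl-cert", "")
    backend = ann.get(ANN + "backend-protocol", "").lower()
    raw = ann.get(ANN + "ssl-ports", "")
    # Unset or "*" means the certificate applies to every port.
    ssl_ports = None if raw in ("", "*") else {p.strip() for p in raw.split(",")}
    plan = []
    for port in service["spec"]["ports"]:
        selected = (ssl_ports is None or str(port["port"]) in ssl_ports
                    or port.get("name") in ssl_ports)
        if cert and selected:
            back = backend or "tcp"
            if back not in SECURE_FRONTEND:
                raise ValueError(f"invalid backend protocol {back!r}")
            plan.append((port["port"], SECURE_FRONTEND[back], back, True))
        else:
            proto = "http" if backend == "http" else "tcp"
            plan.append((port["port"], proto, proto, False))
    return plan


def plaintext_ports(service):
    """Ports the load balancer would expose without TLS."""
    return [p for p, _, _, has_cert in expected_listeners(service) if not has_cert]


# Constructed input: the Service from the question, reduced to the fields used here.
QUESTION_SERVICE = {
    "metadata": {"annotations": {
        ANN + "backend-protocol": "http",
        ANN + "ssl-cert": "arn:aws:acm:eu-north-1:000000000:certificate/e386a77d-26d9-4608-826b-b2b3a5d1ec47",
        ANN + "ssl-ports": "443",
    }},
    "spec": {"ports": [
        {"name": "web", "port": 80, "targetPort": 80},
        {"name": "admin", "port": 8080, "targetPort": 8080},
        {"name": "secure", "port": 443, "targetPort": 80},
    ]},
}
```

Under this model the question's Service gets an HTTPS listener with the certificate on 443 only, while 80 and the admin port 8080 stay on plain HTTP.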