Create Ingress With SSL Discovery Via Host¶
TLS certificates for ALB Listeners can be automatically discovered with hostnames from Ingress resources if the alb.ingress.kubernetes.io/certificate-arn
annotation is not specified.
The controller will attempt to discover TLS certificates from the tls
field in Ingress and host
field in Ingress rules.
Note
You need to explicitly specify to use HTTPS
listener with alb.ingress.kubernetes.io/listen-ports
annotation.
The Certificate Discovery can be either via Ingress rule host
or Ingress tls
. In this tutorial, we'll explore certificate discovery using the host
field in Ingress rules.
Prerequisite¶
To follow this tutorial, you'll require a domain and, additionally, an SSL certificate for the domain and its subdomains.
-
Register a Route 53 Domain
Go to AWS Console and register a Route 53 domain. You can opt for a cheaper TLD (top level domain) such as
.link
Note
It usually takes about 10 minutes but it might take about an hour for the registered domain to become available.
-
Request a Public Certificate
Visit AWS Certificate Manager in AWS Console and request a public certificate for your domain and all the subdomains. For example, if you registered for a domain
example.com
then request certificate forexample.com
and*.example.com
Note
Make sure you request the certificate in the region where your EKS cluster is in.
-
Validate the Certificate
Validate the requested certificate by adding
CNAME
records in Route 53. It is a very simple process. Go to the certificate you created and click onCreate records in Route 53
. TheCNAMEs
will be automatically added to Route 53.Note
It usually takes about 5 minutes but it might take about an hour for the certificate to be ready for use.
Now that you have everything you need, let's move on to the demonstration.
Docker Images¶
Here is the Docker Image used in this tutorial: reyanshkharga/nodeapp:v1
Note
reyanshkharga/nodeapp:v1 runs on port 5000
and has the following routes:
GET /
Returns host info and app versionGET /health
Returns health status of the appGET /random
Returns a randomly generated number between 1 and 10
Step 1: Create a Deployment¶
First, let's create a deployment as follows:
Apply the manifest to create the deployment:
Verify deployment and pods:
Step 2: Create a Service¶
Next, let's create a service as follows:
Apply the manifest to create the service:
Verify service:
Step 3: Create Ingress¶
Now that we have the service ready, let's create an Ingress object with SSL discovery via host
field in Ingress rules:
Observe that we have added the host
field to the Ingress rule. SSL certificate discovery will be based on this field. The AWS Load Balancer Controller will examine the host
and search for an available certificate that can be used.
Apply the manifest to create ingress:
Verify ingress:
Step 4: Verify AWS Resources in AWS Console¶
Visit the AWS console and verify the resources created by AWS Load Balancer Controller.
You'll notice that the certificate is attached to the load balancer created by the ingress. We didn't specify the certificate ARN
in the ingress manifest, yet it was attached to the load balancer due to SSL discovery via the host
field in the ingress rules.
Also, verify that the ALB was created by AWS Load Balancer Controller
. You can check the events in the logs as follows:
kubectl logs -f deploy/aws-load-balancer-controller -n aws-load-balancer-controller --all-containers=true
Step 5: Add Record in Route 53¶
Go to AWS Route 53 and add an A
record (e.g api.example.com
) for your domain that points to the Load Balancer. You can use alias to point the subdomain to the load balancer that was created.
Step 6: Access App Using Route 53 DNS¶
Once the load balancer is in Active
state, you can hit the subdomain you created in Route 53 and verify if everything is working properly.
Try accessing the following paths:
# Root path
https://api.example.com/
# Health path
https://api.example.com/health
# Random generator path
https://api.example.com/random
Also, verify that HTTP
is redirected to HTTPS
.
Clean Up¶
Assuming your folder structure looks like the one below:
Let's delete all the resources we created:
Also, go to Route 53 and delete the A
record that you created.
References: