Hi,
I'm trying to work out how SSL can be terminated at the ELB using the AWS certificates.
The "LoadBalancer" service is able to create the ELB but I'm struggling to understand where I should be "plugging in" the other end. I think it's confusing as the Load balancer service seems to bridge Cloud and Kubernetes.
This is perhaps more complicated because I am trying to use kubernetes as an SSL termination proxy for an external AWS Elasticsearch instance which is available on HTTPS. I intend that there is an SSL termination at the ELB,
The load balancer port configuration looks correct:
Port Configuration:
443 (HTTPS, ACM Certificate: f37da686-8a24-47a1-b9e7-9480df912fb7) forwarding to 32329 (HTTP)
My LoadBalancer service looks like this. I've been playing with the ports config.
```yaml
# controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "Name=prodding-hydra-nginx-ingress-controller"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-1:476771282763:certificate/f37da686-8a24-47a1-b9e7-9480df912fb7"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
  labels:
    app: nginx-ingress
    chart: nginx-ingress-0.8.9
    component: "controller"
    heritage: Tiller
    release: prodding-hydra
  name: prodding-hydra-nginx-ingress-controller
spec:
  # clusterIP: ""
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 443
  # - name: https
  #   port: 443
  #   protocol: TCP
  #   targetPort: 443
  selector:
    app: nginx-ingress
    component: "controller"
    release: prodding-hydra
  type: "LoadBalancer"
```
This is the service that I want to expose:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: prodding-hydra-external-elasticsearch-service
spec:
  externalName: search-es-REDACTED.eu-west-1.es.amazonaws.com
  type: ExternalName
```
With this Ingress:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/secure-backends: "true"
    kubernetes.io/ingress.class: nginx
  name: prodding-hydra-ingress
spec:
  rules:
  - host: dev-andrew.foobar.io
    http:
      paths:
      - backend:
          serviceName: prodding-hydra-external-elasticsearch-service
          servicePort: 443
        path: /
```
@mooperd please check the required annotations here https://github.com/kubernetes/ingress-nginx/blob/master/deploy/provider/aws/service-l7.yaml
That's great! It worked. Is it possible to 301 http:// to https:// ?
Here is the config that is working.
```yaml
# Source: nginx-ingress/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "Name=prodding-hydra-nginx-ingress-controller"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-1:476771282763:certificate/f37da686-8a24-47a1-b9e7-9480df912fb7"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
  labels:
    app: nginx-ingress
    chart: nginx-ingress-0.8.9
    component: "controller"
    heritage: Tiller
    release: prodding-hydra
  name: prodding-hydra-nginx-ingress-controller
spec:
  ports:
  # - name: http
  #   port: 80
  #   targetPort: http
  - name: https
    port: 443
    targetPort: http
  selector:
    app: nginx-ingress
    component: "controller"
    release: prodding-hydra
  type: "LoadBalancer"
```
@mooperd yes you can. Here are the docs on forcing ssl redirection. You can read up more on the AWS setup here. One thing to note though is that due to a change in Kubernetes 1.8, you can't currently terminate TLS in the ELB without customizing the nginx config template. I filed https://github.com/kubernetes/ingress-nginx/issues/1622 to fix this.
@erickt Thanks for the heads up. I'll track those tickets.
The 301 works now that tls is enabled in the ingress. Thanks!
@mooperd can we close this issue?
If anyone is using the helm chart nginx-ingress, here are the values that finally worked for me. I'm using the workaround and using "80" instead of "http" until #1622 is fixed. The information in this issue helped a lot. Thanks guys!
```yaml
nginx-ingress:
  controller:
    config:
      force-ssl-redirect: "true"
    service:
      targetPorts:
        https: 80
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <your AWS cert arn here>
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
```
Note:
At the moment SSL force redirection by ELB only works for the HTTP protocol out of the box.
Read below for the workaround and reasoning:
I have the same issue. I tried the annotations below:
Service:
```json
"annotations": {
  "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "http",
  "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn:aws:acm:eu-west-1:5102549432404:certificate/349bdc18-d66e-46ad-aa9b-3eae90fb68d4",
  "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "https",
  "service.beta.kubernetes.io/aws-load-balancer-type": "nlb"
}
```
On Ingress:
```json
"annotations": {
  "nginx.ingress.kubernetes.io/force-ssl-redirect": "true"
}
```
That ended in "redirected you too many times".
FYI I'm using NLB here.
@BouchaaraAdil AWS recently added K8s v1.15 to EKS, which does support NLB SSL termination. Those annotations should work now.
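Added example, not from the ingress-nginx project or from anyone in this thread: a small Python model of the `force-ssl-redirect` decision behind the two load balancer types discussed here. It shows why the classic ELB setup above (HTTPS listener, `backend-protocol: http`) gives a single 301 and then a 200, and why the same annotations on an NLB produced "redirected you too many times". The header name `X-Forwarded-Proto` and the config key `use-forwarded-headers` are real; the load balancer behaviour is simplified to the one property that matters (a layer 7 ELB adds `X-Forwarded-Proto`, a layer 4 NLB adds no HTTP headers), the traffic is constructed, and the function names are my own.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple, Union

MAX_REDIRECTS = 5  # browsers give up after a few hops: "redirected you too many times"


@dataclass
class Request:
    scheme: str                 # scheme of the hop that reaches this component
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def pass_access_scheme(req: Request, use_forwarded_headers: bool = True) -> str:
    """Effective client scheme as ingress-nginx computes it: X-Forwarded-Proto
    when the controller is told to trust proxy headers (use-forwarded-headers),
    otherwise the scheme of the connection nginx itself accepted."""
    if use_forwarded_headers and req.headers.get("X-Forwarded-Proto"):
        return req.headers["X-Forwarded-Proto"]
    return req.scheme


def ingress_controller(req: Request, force_ssl_redirect: bool = True,
                       use_forwarded_headers: bool = True) -> Response:
    """force-ssl-redirect: "true" -> 301 to https unless the effective scheme is https."""
    if force_ssl_redirect and pass_access_scheme(req, use_forwarded_headers) != "https":
        return Response(301, f"https://{req.host}{req.path}")
    return Response(200)


def classic_elb_l7(req: Request) -> Response:
    """Classic ELB with an HTTPS listener (ACM cert) and an HTTP backend, as in the
    working Service in this thread: TLS ends at the ELB, the client's scheme is
    recorded in X-Forwarded-Proto, and nginx receives plaintext on its http port."""
    backend = Request("http", req.host, req.path, dict(req.headers))
    backend.headers["X-Forwarded-Proto"] = req.scheme
    return ingress_controller(backend)


def nlb_l4(req: Request) -> Response:
    """NLB is layer 4: it forwards TCP (terminating TLS or not) and adds no HTTP
    headers, so nginx only ever sees a plaintext connection with no X-Forwarded-Proto."""
    backend = Request("http", req.host, req.path, dict(req.headers))
    return ingress_controller(backend)


def follow(lb, url: str) -> Tuple[Union[int, str], int]:
    """Act like a browser: follow 301s from the given load balancer until a
    non-redirect response or the redirect limit. Returns (final status, hops)."""
    hops = 0
    while True:
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        resp = lb(Request(scheme, host, "/" + path))
        if resp.status != 301:
            return resp.status, hops
        hops += 1
        if hops > MAX_REDIRECTS:
            return "too_many_redirects", hops
        url = resp.location


if __name__ == "__main__":
    # Hostname taken from the Ingress in this thread; the requests are constructed.
    print(follow(classic_elb_l7, "http://dev-andrew.foobar.io/"))   # (200, 1)
    print(follow(classic_elb_l7, "https://dev-andrew.foobar.io/"))  # (200, 0)
    print(follow(nlb_l4, "https://dev-andrew.foobar.io/"))          # ('too_many_redirects', 6)
```

Two practical points follow from the model. First, the redirect only works because nginx trusts `X-Forwarded-Proto`; that trust is only safe while the controller's http port is reachable solely through the load balancer, since anyone who can reach the NodePort directly can set the header themselves. Second, an L4 balancer cannot supply that header at all, so with an NLB the scheme has to reach nginx by some other signal (for example separate controller ports for the balancer's plain and TLS listeners) rather than by the header-based check that `force-ssl-redirect` performs.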