Jx: Make TLS work in AWS EKS cluster

Created on 13 Feb 2019 · 3 Comments · Source: jenkins-x/jx

Summary

ATM, there is only one listener created on the AWS NLB, controlled by the --http=true|false option of the jx install --provider eks command.

So, I basically installed Jx in EKS with TCP 80 listener on NLB and then tried to do jx upgrade ingress --cluster to upgrade to TLS. It failed, of course, because there was no TCP 443 listener on NLB.

Then, I decided to hack the jxing-nginx-ingress-controller service by adding an https port with its own node port next to the http port.

  ports:
  - name: http
    nodePort: 31682
    port: 80
    protocol: TCP
    targetPort: http
  - name: https
    nodePort: 31683
    port: 443
    protocol: TCP
    targetPort: https

So, this actually worked, and AWS automatically created a TCP 443 listener, created a target group and opened the nodeport to forward encrypted traffic into the Nginx https port.

I also had to fix the security group for the target group EC2 instances to allow traffic from the AWS NLB to the Nginx controller exposed on the NodePort for https traffic, because AWS does not add security rules automatically.

After that, I was able to upgrade ingresses with TLS termination on Nginx.

I found this comment // we can only enable one port for NLBs right now in https://github.com/jenkins-x/jx/blob/4645bf3537b740472013f0a515c191967655b65d/pkg/jx/cmd/init.go#L586 left some time ago.

My question is whether there is still a good reason not to enable both listeners for TCP 80 and 443 ports OOB?

Hope this helps folks to enable TLS in EKS.

Steps to reproduce the behavior

Expected behavior

Actual behavior

Jx version

The output of jx version is:

$ jx version
NAME               VERSION
jx                 1.3.862
jenkins x platform 0.0.3321
Kubernetes cluster v1.11.5-eks-6bad6d
kubectl            v1.13.3
helm client        v2.12.2+g7d2b0c7
helm server        v2.12.2+g7d2b0c7
git                git version 2.18.0.windows.1
Operating System   Windows 10 Pro 1803 build 17134

Jenkins type

  • [x] Classic Jenkins
  • [ ] Serverless Jenkins

Kubernetes cluster

jx create cluster eks --skip-installation

jx install --provider=eks --no-default-environments

Operating system / Environment


Windows 10 Gitbash

area/eks area/ingress area/jenkins kind/bug priority/important-longterm
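
A check for the security-group step described in the issue above, as an added example that is not part of the original post or of jx: it compares the Service's nodePorts with the node security group's ingress rules and reports listeners whose nodePort no rule admits. The JSON samples are constructed in the shape of `kubectl get svc ... -o json` and `aws ec2 describe-security-groups` output; the group id and CIDR are placeholders.

```python
import json

# Constructed sample shaped like `kubectl get svc jxing-nginx-ingress-controller -o json`,
# carrying the two ports from the issue.
SERVICE_JSON = """{"spec": {"type": "LoadBalancer", "ports": [
  {"name": "http",  "nodePort": 31682, "port": 80,  "protocol": "TCP", "targetPort": "http"},
  {"name": "https", "nodePort": 31683, "port": 443, "protocol": "TCP", "targetPort": "https"}]}}"""

# Constructed sample shaped like `aws ec2 describe-security-groups` for the worker nodes;
# group id and CIDR are placeholders. Only the http nodePort has a rule.
SECURITY_GROUPS_JSON = """{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 31682, "ToPort": 31682,
   "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]}]}"""

def rule_sources(rule):
    """CIDRs, prefix lists and security groups a rule admits traffic from."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            + [r["PrefixListId"] for r in rule.get("PrefixListIds", [])]
            + [r["GroupId"] for r in rule.get("UserIdGroupPairs", [])])

def rule_covers(rule, node_port):
    """True if an ingress rule admits TCP traffic to node_port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", -1) <= node_port <= rule.get("ToPort", -1)

def audit_node_ports(service, security_groups):
    """Map each TCP listener name to the sources allowed to reach its nodePort."""
    rules = [r for sg in security_groups["SecurityGroups"]
             for r in sg.get("IpPermissions", [])]
    report = {}
    for port in service["spec"]["ports"]:
        if port.get("protocol", "TCP") != "TCP" or "nodePort" not in port:
            continue
        sources = set()
        for rule in rules:
            if rule_covers(rule, port["nodePort"]):
                sources.update(rule_sources(rule))
        report[port["name"]] = sorted(sources)
    return report

def blocked_listeners(report):
    """Listener names whose nodePort no ingress rule admits."""
    return [name for name, sources in report.items() if not sources]

if __name__ == "__main__":
    report = audit_node_ports(json.loads(SERVICE_JSON), json.loads(SECURITY_GROUPS_JSON))
    print(report, "blocked:", blocked_listeners(report))
```

The listed sources are also worth reviewing once the rule exists, since they show how widely each nodePort is reachable.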

All 3 comments

Specifically, what steps did you take to apply those changes to the jxing-nginx-ingress-controller service?

The workaround explained by @igdianov worked for

Jenkins X Version:
NAME               VERSION
jx                 2.0.271
jenkins x platform 2.0.330
Kubernetes cluster v1.11.6
kubectl            v1.14.3
helm client        Client: v2.14.1+g5270352
git                git version 2.22.0
Operating System   Mac OS X 10.14.4 build 18E226

but it seems like a regression in jx: I have downloaded the source code for your version 2.0.271 and it actually contains this fix. So, it is expected to work without applying any workaround.

Note: Specifically provisioning Kops on AWS based clusters, not EKS clusters.

/area jenkins
