Ingress Controller in AWS
Release Notice
GoodData.CN ready for Kubernetes will be published during May 2021. Stay tuned and watch the GoodData Developers website.
TODO - these pages need to be revisited and updated after TLS and Organizations updates.
Note: If you plan to use ExternalDNS with a Helm-deployed NGINX Ingress Controller, make sure you set publishService.enabled=true during the ingress-nginx Helm chart installation. Otherwise the LoadBalancer address will NOT get propagated and ExternalDNS will not work.
To deliver the ACM-provided certificate to the ELB, we need to add the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation to the Ingress controller. We also want to terminate SSL on the ELB, so the backend will get plain HTTP, unencrypted between the ELB and the controller. This is done by adding the annotation service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'http'.
The common configuration is shown here:
# helm-charts/helmfile-values/values-ingress.yaml
controller:
  service:
    targetPorts:
      http: http
      https: http
    annotations:
      # SSL is terminated on ELB, so HTTP will be used downstream to our services
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'http'
      # only 'https' port will use SSL protocol
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 'https'
      # keep connections open up to 1 hour
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
      # Disable TLS1.1 and lower protocols on TLS handshake
      service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: 'ELBSecurityPolicy-TLS-1-2-2017-01'
  publishService:
    enabled: true
Add the ingress-nginx Helm repository to your local configuration if you have not done so already:
$ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
Then install the chart, passing the ARN of your ACM certificate:
$ helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx \
    --values helm-charts/helmfile-values/values-ingress.yaml --wait --timeout 3m \
    --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert"=arn:aws:acm:eu-west-3:441851189095:certificate/5e44b0ab-fbc6-4cd2-9c45-1252ce1f9b71
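After installation, the annotations described above can be checked on the rendered Service. The following Python check is an added example, not part of the GoodData documentation: the function names, the sample manifests and the placeholder ARN are constructed, and matching 'TLS-1-2' in the policy name is a heuristic assumption.

```python
import re

P = "service.beta.kubernetes.io/aws-load-balancer-"
ACM_ARN = re.compile(r"^arn:aws[a-z-]*:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}$")

def audit_service(svc):
    """Return findings for a Service manifest dict (kubectl get svc -o json)."""
    ann = svc.get("metadata", {}).get("annotations") or {}
    ports = {p.get("name"): p for p in svc.get("spec", {}).get("ports", [])}
    findings = []
    if not ACM_ARN.match(ann.get(P + "ssl-cert", "")):
        findings.append("ssl-cert: missing or not an ACM certificate ARN")
    # When ssl-ports is unset the provider treats every listener as SSL ('*').
    ssl_ports = {s.strip() for s in ann.get(P + "ssl-ports", "*").split(",")}
    if ssl_ports != {"https"}:
        findings.append("ssl-ports: expected only 'https', got %s" % sorted(ssl_ports))
    backend = ann.get(P + "backend-protocol", "")
    if backend != "http":
        findings.append("backend-protocol: expected 'http', got %r" % backend)
    # With an http backend, the https listener must target nginx's plain-HTTP port.
    elif str(ports.get("https", {}).get("targetPort")) != "http":
        findings.append("ports.https.targetPort: must be 'http' when the ELB terminates TLS")
    # Heuristic (assumption): a TLS 1.2 policy carries 'TLS-1-2' in its name.
    if "TLS-1-2" not in ann.get(P + "ssl-negotiation-policy", ""):
        findings.append("ssl-negotiation-policy: not pinned to a TLS 1.2 policy")
    return findings

def sample(annotations, https_target="http"):
    """Build a constructed Service manifest shaped like the chart's output."""
    return {"metadata": {"annotations": annotations},
            "spec": {"ports": [
                {"name": "http", "port": 80, "targetPort": "http"},
                {"name": "https", "port": 443, "targetPort": https_target}]}}

# Constructed placeholder ARN, not a real certificate.
ARN = "arn:aws:acm:eu-west-3:123456789012:certificate/00000000-0000-0000-0000-000000000000"
GOOD = sample({P + "ssl-cert": ARN, P + "backend-protocol": "http",
               P + "ssl-ports": "https",
               P + "ssl-negotiation-policy": "ELBSecurityPolicy-TLS-1-2-2017-01"})
# Missing ssl-ports and policy, and https still targets nginx's TLS port.
BAD = sample({P + "ssl-cert": ARN, P + "backend-protocol": "http"}, https_target="https")

if __name__ == "__main__":
    for name, svc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_service(svc) or "ok")
```

To audit a live cluster, pass the parsed JSON output of `kubectl get svc` for the controller Service in the ingress-nginx namespace to `audit_service`.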