Ingress Controller in AWS
Note: If you plan to use ExternalDNS with a Helm-deployed NGINX Ingress Controller, make sure to set `publishService.enabled=true` during the ingress-nginx Helm chart installation. Otherwise the LoadBalancer address will NOT get propagated and ExternalDNS will not work.
To deliver the ACM-provided certificate to the ELB, we need to add the `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` annotation to the Ingress controller's Service. We also want to terminate SSL on the ELB, so the backend will receive plain HTTP. This is done by adding the following annotation: `service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'http'`.
The common configuration is shown here:
```yaml
# helm-charts/helmfile-values/values-ingress.yaml
controller:
  service:
    targetPorts:
      http: http
      https: http
    annotations:
      # SSL is terminated on ELB, so HTTP will be used downstream to our services
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'http'
      # only the 'https' port will use the SSL protocol
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 'https'
      # keep connections open up to 1 hour
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
      # Disable TLS 1.1 and lower protocols on the TLS handshake
      service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: 'ELBSecurityPolicy-TLS-1-2-2017-01'
  publishService:
    enabled: true
```
Add the ingress-nginx Helm repository to your local configuration if you have not already done so.
```shell
$ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
```
Then we can install the chart from that repository with your specific certificate ARN value (update the region, account and certificate ID according to your setup):
```shell
$ helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx \
    --values helm-charts/helmfile-values/values-ingress.yaml --wait --timeout 3m \
    --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert"=arn:aws:acm:eu-west-3:YOURACCOUNT:certificate/YOUR-CERTIFICATE-ID
```
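After the install, a quick way to confirm that the Service actually carries the settings above is to inspect the manifest `kubectl get svc -n ingress-nginx ingress-nginx-controller -o json` returns. The checker below is an added example, not part of the chart or this page; the Service name, the "TLS 1.2 policy" rule (accepting only `ELBSecurityPolicy-TLS-1-2*` names) and the sample manifests with their placeholder ARN are assumptions and constructed data.

```python
"""Post-install check for the ingress-nginx Service on AWS (added example).
Reads the Service JSON from `kubectl get svc ... -o json` and reports which of
the settings described on this page are missing or weaker than intended."""
import re

ANN = "service.beta.kubernetes.io/aws-load-balancer-"
# The ssl-cert annotation must carry an ACM certificate ARN (assumed format).
ACM_ARN = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}$")


def check_ingress_service(svc: dict) -> list:
    """Return a list of findings; empty means the Service matches the
    page's configuration (assumption: only TLS-1-2 ELB policies are acceptable)."""
    findings = []
    ann = svc.get("metadata", {}).get("annotations", {})
    if not ACM_ARN.match(ann.get(ANN + "ssl-cert", "")):
        findings.append("ssl-cert annotation missing or not an ACM certificate ARN")
    if ann.get(ANN + "backend-protocol") != "http":
        findings.append("backend-protocol is not 'http' (TLS not terminated on ELB)")
    if ann.get(ANN + "ssl-ports") != "https":
        findings.append("ssl-ports is not 'https'")
    policy = ann.get(ANN + "ssl-negotiation-policy", "")
    if not policy.startswith("ELBSecurityPolicy-TLS-1-2"):
        findings.append(f"negotiation policy {policy or '<unset>'} is not a TLS-1-2 policy")
    # publishService only helps ExternalDNS once the cloud controller has
    # written the ELB hostname into the Service status.
    lb = svc.get("status", {}).get("loadBalancer", {}).get("ingress", [])
    if not any(entry.get("hostname") for entry in lb):
        findings.append("no load balancer hostname in status (ELB not ready or publishService off)")
    return findings


# Constructed sample manifests (placeholder account and certificate ID).
GOOD_SVC = {
    "metadata": {"annotations": {
        ANN + "ssl-cert": "arn:aws:acm:eu-west-3:123456789012:certificate/12345678-1234-1234-1234-123456789abc",
        ANN + "backend-protocol": "http",
        ANN + "ssl-ports": "https",
        ANN + "ssl-negotiation-policy": "ELBSecurityPolicy-TLS-1-2-2017-01"}},
    "status": {"loadBalancer": {"ingress": [{"hostname": "example-elb.eu-west-3.elb.amazonaws.com"}]}},
}
BAD_SVC = {
    "metadata": {"annotations": {
        ANN + "ssl-cert": "arn:aws:iam::123456789012:server-certificate/legacy",
        ANN + "backend-protocol": "http",
        ANN + "ssl-ports": "https",
        ANN + "ssl-negotiation-policy": "ELBSecurityPolicy-2016-08"}},
}

if __name__ == "__main__":
    for name, svc in (("good", GOOD_SVC), ("bad", BAD_SVC)):
        print(name, check_ingress_service(svc) or "OK")
```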