Ingress Controller in AWS

Note: If you plan to use ExternalDNS with a Helm-deployed NGINX Ingress Controller, set publishService.enabled=true when installing the ingress-nginx Helm chart. Otherwise the LoadBalancer address is not written into the status of the Ingress objects, and ExternalDNS, which reads the address from there, has nothing to publish.

To have the ELB present the ACM-issued certificate, add the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation to the ingress controller's Service (the Service of type LoadBalancer; the AWS cloud provider reads these annotations when it creates the classic ELB for it). We also want to terminate TLS on the ELB, so the backend, here the ingress controller, receives plain HTTP.

This is selected with the service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'http' annotation. Keep in mind what this trade-off implies: the hop from the ELB to the nodes is unencrypted inside the VPC, and the ingress controller only learns the original scheme, host and port from the X-Forwarded-* headers the ELB adds. The common configuration is shown here:

# helm-charts/helmfile-values/values-ingress.yaml
controller:
  config:
    # Avoids "upstream sent too big header" failures on responses with large headers (big cookies, JWTs)
    proxy-buffer-size: '16k'
    # Improve performance of requests with a large body
    client-body-buffer-size: '1m'
    # Honour the X-Forwarded-* headers set by the ELB; required for proper propagation
    # of the LoadBalancer host, port and scheme, since nginx itself only sees plain HTTP.
    # nginx then trusts these headers from any peer, so the controller must be reachable
    # only through the ELB (and consider narrowing proxy-real-ip-cidr from its 0.0.0.0/0 default)
    use-forwarded-headers: 'true'
  service:
    targetPorts:
      # TLS is terminated on the ELB, so both ELB listeners forward to the pod's plain-HTTP port
      http: http
      https: http
    annotations:
      # TLS is terminated on the ELB, so HTTP is used downstream to our services
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'http'
      # only the 'https' port is served with TLS on the ELB; 'http' stays plain
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 'https'
      # keep idle connections open up to 1 hour (the ELB default is 60 seconds)
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
      # Negotiate TLS 1.2 only: this predefined policy disables TLS 1.1 and lower
      service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: 'ELBSecurityPolicy-TLS-1-2-2017-01'
  publishService:
    # write the ELB hostname into the status of every Ingress (needed by ExternalDNS)
    enabled: true
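The use-forwarded-headers setting makes nginx believe the X-Forwarded-For and X-Forwarded-Proto headers it receives. That is exactly right behind the ELB and exactly wrong for any peer that can reach the controller directly. The following is an added example, not code from the page or from ingress-nginx: a simplified Python model of that trust decision (not the controller's real nginx template), run with the trusted network set to the VPC CIDR and then to 0.0.0.0/0, which is the default of ingress-nginx's proxy-real-ip-cidr. VPC_CIDR and every address in it are constructed placeholders.

```python
# Added example (not from the page or from ingress-nginx): a model of the trust
# decision a reverse proxy makes when it honours X-Forwarded-* headers, as
# ingress-nginx does with use-forwarded-headers: 'true'. Simplified model, not
# the controller's nginx template. VPC_CIDR and all addresses are constructed.
import ipaddress

VPC_CIDR = "10.0.0.0/16"          # constructed: the network the ELB nodes live in
TRUST_EVERYTHING = ["0.0.0.0/0"]  # ingress-nginx's proxy-real-ip-cidr default


def resolve_client(remote_addr, headers, trusted_cidrs, conn_scheme="http"):
    """Return (client_ip, scheme) as the backend will see them.

    headers: dict with lower-case header names.
    Forwarded headers are honoured only if the TCP peer is inside one of
    trusted_cidrs. The client IP is the rightmost X-Forwarded-For entry that
    is not itself a trusted proxy (the ELB appends the real client at the end,
    so anything the client pre-filled sits further left and is skipped).
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def trusted(ip):
        try:
            return any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:
            return False

    if not trusted(remote_addr):
        # Direct connection from an untrusted peer: ignore whatever it sent.
        return remote_addr, conn_scheme
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    client = remote_addr
    for hop in reversed(hops):
        if not trusted(hop):
            client = hop
            break
    else:
        if hops:  # every hop trusted: the leftmost entry is used, exactly the spoofable case
            client = hops[0]
    scheme = headers.get("x-forwarded-proto", conn_scheme).lower()
    return client, scheme


# Constructed requests. 10.0.1.5 plays the ELB, 203.0.113.7 a real client,
# 198.51.100.20 an attacker who reached the controller's NodePort directly.
VIA_ELB = ("10.0.1.5", {"x-forwarded-for": "203.0.113.7", "x-forwarded-proto": "https"})
VIA_ELB_SPOOF = ("10.0.1.5", {"x-forwarded-for": "127.0.0.1, 203.0.113.7", "x-forwarded-proto": "https"})
DIRECT_SPOOF = ("198.51.100.20", {"x-forwarded-for": "127.0.0.1", "x-forwarded-proto": "https"})


if __name__ == "__main__":
    for name, (peer, hdrs) in [("via ELB", VIA_ELB), ("via ELB, pre-filled XFF", VIA_ELB_SPOOF),
                               ("direct to NodePort", DIRECT_SPOOF)]:
        print(f"{name:26} trust VPC only -> {resolve_client(peer, hdrs, [VPC_CIDR])}"
              f"   trust 0.0.0.0/0 -> {resolve_client(peer, hdrs, TRUST_EVERYTHING)}")
```

Two things to take from it: with the default 0.0.0.0/0 even a request that did come through the ELB can carry a client-chosen X-Forwarded-For, so IP allowlists on Ingress objects become spoofable; and a peer that bypasses the ELB can claim https, which matters when a backend decides on secure cookies or redirects from the forwarded scheme. Narrow proxy-real-ip-cidr to the VPC range and restrict the node security groups so that only the ELB reaches the controller's NodePorts.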

Add the ingress-nginx Helm repository to your local configuration if you have not already done so.

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

Then install the chart, passing the ARN of your ACM certificate (replace the region, account and certificate ID with your own):

helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx --create-namespace \
    --values helm-charts/helmfile-values/values-ingress.yaml --wait --timeout 3m \
    --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert"=arn:aws:acm:eu-west-3:YOURACCOUNT:certificate/YOUR-CERTIFICATE-ID

The chart is referenced as ingress-nginx/ingress-nginx, i.e. from the repository added above; the old stable repository is deprecated and does not serve this chart. --create-namespace needs Helm 3.2 or later and can be dropped if the namespace already exists. The dots inside the annotation key are escaped with backslashes so that --set treats the whole annotation name as one key instead of a nested path.
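After the install, the three things the page relies on (the ELB address propagated into every Ingress, TLS terminated on the ELB with plain HTTP behind it, TLS 1.2 only) can be verified from what kubectl and the aws CLI return. The following is an added example, not from the page or the ingress-nginx project. Feed it the parsed output of `kubectl -n ingress-nginx get svc ingress-nginx-controller -o json` (the Service name the chart uses for a release named ingress-nginx, assumed here), `kubectl get ingress -A -o json`, and one element of LoadBalancerDescriptions from `aws elb describe-load-balancers` plus `aws elb describe-load-balancer-policies` for that ELB. Field names follow those commands' JSON; the sample data embedded below is constructed.

```python
# Added example (not from the page or from the ingress-nginx project): checks to run
# after the helm install above, fed with the JSON from `kubectl get svc/ingress -o json`,
# `aws elb describe-load-balancers` and `aws elb describe-load-balancer-policies`.
# The JSON shapes assumed here are those of those commands; the sample data is constructed.

CERT_ARN = "arn:aws:acm:eu-west-3:123456789012:certificate/EXAMPLE-ID"  # constructed
ELB_HOST = "a0123456789abcdef0123456789abcdef-1234567890.eu-west-3.elb.amazonaws.com"  # constructed
LEGACY_PROTOCOLS = ("Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.1")


def lb_hostname(svc):
    """ELB DNS name that the AWS cloud provider wrote into the Service status."""
    entries = svc.get("status", {}).get("loadBalancer", {}).get("ingress", [])
    return entries[0].get("hostname") if entries else None


def ingresses_missing_lb(ingress_list, hostname):
    """Ingress objects whose status lacks the ELB hostname (publishService not effective,
    so ExternalDNS has no address to publish for them)."""
    missing = []
    for item in ingress_list.get("items", []):
        lb = item.get("status", {}).get("loadBalancer", {}).get("ingress", [])
        if not any(e.get("hostname") == hostname for e in lb):
            missing.append(item["metadata"]["namespace"] + "/" + item["metadata"]["name"])
    return missing


def listener_problems(elb_desc, cert_arn):
    """Compare the classic ELB listeners with the Service annotations on the page: 443 is
    HTTPS with cert_arn and forwards plain HTTP, 80 is plain HTTP, both hit the same NodePort."""
    problems = []
    by_port = {d["Listener"]["LoadBalancerPort"]: d["Listener"] for d in elb_desc["ListenerDescriptions"]}
    https, http = by_port.get(443), by_port.get(80)
    if https is None:
        problems.append("no listener on 443")
    else:
        if https["Protocol"] != "HTTPS":
            problems.append("443 is not HTTPS")
        if https.get("SSLCertificateId") != cert_arn:
            problems.append("443 does not serve the expected ACM certificate")
        if https["InstanceProtocol"] != "HTTP":
            problems.append("443 backend protocol is not HTTP")
    if http is None or http["Protocol"] != "HTTP":
        problems.append("80 is missing or not plain HTTP")
    elif https and https["InstancePort"] != http["InstancePort"]:
        problems.append("80 and 443 forward to different instance ports")
    return problems


def legacy_tls_enabled(policies, elb_desc):
    """True if a policy attached to the 443 listener still enables SSLv3, TLS 1.0 or TLS 1.1.
    Inspects the protocol attributes, not the policy name, so a custom policy is judged too."""
    attached = {n for d in elb_desc["ListenerDescriptions"]
                if d["Listener"]["LoadBalancerPort"] == 443 for n in d.get("PolicyNames", [])}
    for pd in policies["PolicyDescriptions"]:
        if pd["PolicyName"] in attached:
            attrs = {a["AttributeName"]: a["AttributeValue"] for a in pd["PolicyAttributeDescriptions"]}
            if any(attrs.get(p) == "true" for p in LEGACY_PROTOCOLS):
                return True
    return False


def run_checks(svc, ingresses, elb_desc, policies, cert_arn):
    """All findings for one deployment; an empty list means it matches the page."""
    host = lb_hostname(svc)
    if host is None:
        return ["Service has no LoadBalancer hostname yet"]
    findings = ["no LB hostname on " + n for n in ingresses_missing_lb(ingresses, host)]
    findings += listener_problems(elb_desc, cert_arn)
    if legacy_tls_enabled(policies, elb_desc):
        findings.append("443 negotiation policy still allows TLS 1.1 or lower")
    return findings


# Constructed sample data; app/api deliberately lacks the propagated hostname.
SAMPLE_SVC = {"status": {"loadBalancer": {"ingress": [{"hostname": ELB_HOST}]}}}
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "app", "name": "web"},
     "status": {"loadBalancer": {"ingress": [{"hostname": ELB_HOST}]}}},
    {"metadata": {"namespace": "app", "name": "api"}, "status": {"loadBalancer": {}}}]}
SAMPLE_ELB = {"ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstanceProtocol": "HTTP",
                  "InstancePort": 31080}, "PolicyNames": []},
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTP",
                  "InstancePort": 31080, "SSLCertificateId": CERT_ARN},
     "PolicyNames": ["k8s-SSLNegotiationPolicy-example"]}]}
SAMPLE_POLICIES = {"PolicyDescriptions": [{"PolicyName": "k8s-SSLNegotiationPolicy-example",
    "PolicyAttributeDescriptions": [
        {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-TLS-1-2-2017-01"},
        {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
        {"AttributeName": "Protocol-TLSv1.1", "AttributeValue": "false"},
        {"AttributeName": "Protocol-TLSv1", "AttributeValue": "false"}]}]}

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_SVC, SAMPLE_INGRESSES, SAMPLE_ELB, SAMPLE_POLICIES, CERT_ARN):
        print("FINDING:", finding)
```

On the constructed sample the only finding is the Ingress app/api without an ELB hostname, which is what a forgotten publishService.enabled=true looks like in practice. The TLS check deliberately reads the Protocol-* attributes of the attached policy rather than trusting a policy name, and the listener check confirms that both ELB listeners land on the same NodePort, which is the observable effect of targetPorts.https: http together with backend-protocol: 'http'.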