- You can use certificates that already live in ACM or IAM, so no certificate private key is ever present at the Kubernetes or worker-node level where a compromised pod or node could read it.
- The NLB does the heavy lifting of TLS termination, which takes that CPU cost off the worker nodes.
- HTTP to HTTPS redirection still happens at the nginx ingress controller, because the controller stays in the data-plane path. Note that an NLB forwards raw TCP and adds no X-Forwarded-Proto header, so nginx cannot tell the two apart from the request itself; the ingress-nginx TLS-termination manifest for AWS handles this by sending the port 80 listener to a separate nginx listener whose only job is to issue the redirect.

One trade-off to keep in mind: with the backend protocol set to http, the hop from the NLB to the worker nodes is plaintext inside the VPC, so the VPC and the node security groups are the trust boundary for that leg.
-
- Download the latest nginx ingress controller deployment manifest. At the time of writing, the controller version used here is v0.44.0, and the section names below refer to that manifest.
-
- Under the section marked `# Source: ingress-nginx/templates/controller-service.yaml`, replace all existing entries under `metadata.annotations` of the controller Service with the following four annotations:

```yaml
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "xxxxxxxARN__HERExxxxxx"
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
```

`type: "nlb"` makes the cloud provider create a Network Load Balancer instead of a classic ELB; `ssl-cert` is the ACM or IAM certificate the NLB presents to clients; `ssl-ports: "443"` puts a TLS listener only on port 443, so port 80 stays a plain TCP listener for the redirect; `backend-protocol: "http"` tells the provider that the nodes expect plain, decrypted traffic behind the TLS listener.
- Put the ARN of your certificate in the `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` annotation. ACM certificates are regional, so the certificate must be in the same region as the NLB; an ACM ARN looks like `arn:aws:acm:<region>:<account-id>:certificate/<certificate-id>`.
- Under the `# Source: ingress-nginx/templates/controller-deployment.yaml` section of the downloaded manifest, change `kind: Deployment` to `kind: DaemonSet` so that one controller pod runs on every node and there is no single point of failure. If the Deployment spec carries Deployment-only fields such as `replicas` or `strategy`, remove them as well; a DaemonSet does not accept them and `kubectl apply` will reject the manifest.
- Search the manifest for `proxy-real-ip-cidr` and remove that line, or set it to the correct value if you need it. It sets which peer addresses nginx trusts to supply the real client IP via X-Forwarded-For. An NLB adds no such header, so the line is unnecessary here, and a CIDR wider than your real proxies lets any peer inside it spoof the client address that ends up in your logs and allow-lists.
- The manifest is now ready; spin up the nginx ingress controller with `kubectl apply -f modified-file-name.yaml`.
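The whole procedure above, as an added example that is not part of the original post or of the ingress-nginx project: a Python script that applies the edits to the downloaded manifest (swaps the controller Service annotations, turns the controller Deployment into a DaemonSet, drops `proxy-real-ip-cidr`) and refuses to emit the result if it is not what the NLB needs. The script name `patch_nlb_tls.py`, the embedded sample manifest and the certificate ARN used in it are assumptions; the object name `ingress-nginx-controller` and the `ingress-nginx` namespace are the ones in the v0.44.0 manifest.

```python
"""Patch a downloaded ingress-nginx manifest for TLS termination at an AWS NLB and
check the result before kubectl apply. Added example, not the page's or the
ingress-nginx project's own tooling; line-based so it needs no YAML library."""
import re
import sys

CONTROLLER = "ingress-nginx-controller"  # Service/Deployment name in the v0.44.0 manifest
ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)?:(?:acm|iam):")  # ACM or IAM server-certificate ARN
PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"

# Constructed sample standing in for the downloaded manifest: only the three
# documents the procedure touches, trimmed to the fields that matter here.
SAMPLE_MANIFEST = """\
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
data:
  proxy-real-ip-cidr: 192.168.0.0/16
  use-forwarded-headers: "true"
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
  name: ingress-nginx-controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller
spec:
  replicas: 1
"""

def _first(doc, pattern):
    m = re.search(pattern, doc, re.M)
    return m.group(1) if m else None

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def patch_service(doc, cert_arn):
    """Replace the whole metadata.annotations block with the four NLB TLS annotations."""
    wanted = {"backend-protocol": "http", "ssl-cert": cert_arn, "type": "nlb", "ssl-ports": "443"}
    out, lines, i = [], doc.split("\n"), 0
    while i < len(lines):
        out.append(lines[i])
        i += 1
        if lines[i - 1].strip() == "annotations:":
            base = _indent(lines[i - 1])
            while i < len(lines) and lines[i].strip() and _indent(lines[i]) > base:
                i += 1  # drop every existing annotation under the key
            out.extend(f'{" " * (base + 2)}{PREFIX}{k}: "{v}"' for k, v in wanted.items())
    return "\n".join(out)

def patch_deployment(doc):
    """Deployment -> DaemonSet; `replicas` is a Deployment-only field, so it has to go."""
    doc = re.sub(r"^kind: Deployment$", "kind: DaemonSet", doc, flags=re.M)
    return "\n".join(l for l in doc.split("\n") if not re.match(r"\s*replicas:", l))

def patch_manifest(text, cert_arn):
    """Apply the page's edits to every document that needs them."""
    docs = []
    for doc in text.split("\n---\n"):
        if _first(doc, r"^  name:\s*(\S+)") == CONTROLLER:  # metadata.name sits at indent 2
            kind = _first(doc, r"^kind:\s*(\S+)")
            doc = patch_service(doc, cert_arn) if kind == "Service" else doc
            doc = patch_deployment(doc) if kind == "Deployment" else doc
        # proxy-real-ip-cidr widens which peers nginx trusts for X-Forwarded-For; not needed behind an NLB
        docs.append("\n".join(l for l in doc.split("\n") if "proxy-real-ip-cidr:" not in l))
    return "\n---\n".join(docs)

def verify(text):
    """Return the list of problems found; empty means the manifest is ready to apply."""
    ann = dict(re.findall(r'^\s+(%s[^\s:]+):\s*"?([^"\n]*)"?$' % re.escape(PREFIX), text, re.M))
    problems = [f"{k} must be {v!r}" for k, v in
                {"type": "nlb", "backend-protocol": "http", "ssl-ports": "443"}.items()
                if ann.get(PREFIX + k) != v]
    if not ARN_RE.match(ann.get(PREFIX + "ssl-cert", "")):
        problems.append("ssl-cert is not an ACM/IAM certificate ARN (placeholder left in?)")
    if re.search(r"^kind: Deployment$", text, re.M):
        problems.append("controller is still a Deployment, not a DaemonSet")
    if "proxy-real-ip-cidr" in text:
        problems.append("proxy-real-ip-cidr is still set")
    return problems

if __name__ == "__main__":  # usage: python patch_nlb_tls.py deploy.yaml <cert-arn> > modified.yaml
    with open(sys.argv[1]) as f:
        patched = patch_manifest(f.read(), sys.argv[2])
    for p in verify(patched):
        sys.exit("refusing to emit manifest: " + p)
    sys.stdout.write(patched)
```

Run it as `python patch_nlb_tls.py deploy.yaml <cert-arn> > modified-file-name.yaml` and then `kubectl apply -f modified-file-name.yaml`. After the apply, `kubectl -n ingress-nginx get svc ingress-nginx-controller` shows the NLB hostname under EXTERNAL-IP once AWS has provisioned it, and `openssl s_client -connect <that-hostname>:443` should present the ACM certificate you referenced, which confirms that termination is happening at the NLB and not inside the cluster.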
In addition to the steps above, the complete modified manifest used in my environment is attached. The certificate ARN has been omitted from it intentionally; fill in your own ARN before using the file.
A diff screenshot showing what was changed relative to the downloaded manifest is also attached for future reference.

Once the modified manifest has been applied, you can proceed with creating Ingress objects in the respective namespaces to expose your services.
- Network Load Balancer with nginx ingress controller - https://aws.amazon.com/blogs/opensource/network-load-balancer-nginx-ingress-controller-eks/
- Discussion on enabling TLS offloading at NLB with type LoadBalancer - kubernetes/kubernetes#73297
- ingress-nginx AWS deployment docs - https://kubernetes.github.io/ingress-nginx/deploy/#aws