Setting up TLS with Nginx Ingress
This guide provides a step-by-step tutorial on setting up TLS with NGINX Ingress on AWS EKS clusters using Let's Encrypt.
Expose a Kubernetes service with TLS using NGINX Ingress on AWS EKS
Step 1: Create an AWS EKS Cluster
AWS EKS Kubernetes Cluster using “eksctl” Command
1: Install AWS CLI (Mac OS)
Download the AWS CLI binary
curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
2: Install
sudo installer -pkg ./AWSCLIV2.pkg -target /
3: Verify the installation
which aws
aws --version
4: Configure AWS CLI
Login to AWS console as root / Admin privileged IAM user
Create IAM user
username: kubedeveloper
No AWS console access, only programmatic access
5: Create Access and Secret Access Key
Select the IAM user kubedeveloper
Navigate to Security Credentials
Click Create Access Key
Select Use case: Command Line Interface (CLI) & check the Confirmation
Set a description tag (optional) and click Create
6: Configure AWS CLI on Mac OS command line
aws configure
7: Install eksctl on Mac OS
To download the latest release, run on Mac OS (arm64 architecture):
curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_Darwin_arm64.tar.gz"
tar -xzvf eksctl_Darwin_arm64.tar.gz
sudo mv ./eksctl /usr/local/bin
Ref: https://www.weave.works/oss/eksctl/
8: Creating an AWS EKS Kubernetes Cluster using eksctl
Create the cluster configuration YAML file
vi cluster-config.yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: kubelancer-cluster-2
  region: us-east-1
nodeGroups:
  - name: ng-1
    instanceType: t4g.small
    desiredCapacity: 2
    volumeSize: 10
    ssh:
      allow: false
Let's create an EKS cluster on AWS using the eksctl command
eksctl create cluster -f cluster-config.yaml
Use the following command to add the cluster context to your kubeconfig
aws eks update-kubeconfig --name=kubelancer-cluster-2 --region=us-east-1
kubectl get node
Step 2: Deploy the NGINX Ingress Controller
- Create the namespace and deploy the controller
kubectl create namespace ingress-nginx
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml
Pre-flight check
kubectl get pods -n ingress-nginx
List Service
kubectl get svc --namespace=ingress-nginx
Step 3: Deploy a sample application
- Deploy the sample app in the dev namespace
kubectl create ns dev
vi kubewebserver.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubewebserver
  namespace: dev
  labels:
    app: kubewebserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubewebserver
  template:
    metadata:
      labels:
        app: kubewebserver
    spec:
      containers:
        - name: kubewebserver
          image: kubelancer/hello-kubelancer:v1
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: kubewebserver-service
  namespace: dev
  labels:
    app: kubewebserver-service
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    app: kubewebserver
kubectl apply -f kubewebserver.yaml
kubectl get deploy,svc -n dev
Step 4: Create ingress without TLS
vi ingress-with-host.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-with-host-02
  namespace: dev
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
    - host: webtest.kubelancer.in
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubewebserver-service
                port:
                  number: 80
kubectl apply -f ingress-with-host.yaml
kubectl get ingress -n dev
Note: Create a CNAME record in your DNS for webtest.kubelancer.in that points to the ingress controller's load balancer hostname (shown by kubectl get svc above) so the name resolves.
curl http://webtest.kubelancer.in
Hello Kubelancer
Let's perform the steps below to access the same website over https://
To configure TLS, we are going to use cert-manager and Let's Encrypt in this lab.
In short:
cert-manager
cert-manager creates TLS certificates for workloads in your Kubernetes cluster and also renews them before they expire.
cert-manager obtains the certificates from Let's Encrypt.
Let's Encrypt
To enable HTTPS for a website, we normally need to purchase a TLS certificate from a Certificate Authority, which costs money. For demo or development environments, we can use a free Certificate Authority (CA) instead: Let's Encrypt.
Step 5: Deploy cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.yaml
kubectl get pods --namespace cert-manager
Step 6: Configure a Let’s Encrypt Issuer
vi issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: dev
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: noreply@gmail.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx
kubectl create -f issuer.yaml
kubectl get issuer -n dev
Note: Ensure the issuer is in the Ready state before continuing
Step 7: Add the TLS section to the YAML and deploy the Ingress resource
vi ingress-with-host.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-with-host-02
  namespace: dev
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    cert-manager.io/issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - webtest.kubelancer.in
      secretName: kubewebserver-tls
  rules:
    - host: webtest.kubelancer.in
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubewebserver-service
                port:
                  number: 80
kubectl apply -f ingress-with-host.yaml
kubectl get secret -n dev
Step 8: Verify the result
Open https://webtest.kubelancer.in in a browser; the padlock should show a certificate issued by Let's Encrypt.
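A post-deployment check for the TLS setup from steps 6 and 7, added here as an example (it is not part of the original guide): it connects to the host with full chain and hostname verification, confirms the leaf certificate's SAN covers the host, checks that the issuer is Let's Encrypt rather than ingress-nginx's default self-signed fake certificate (served when the TLS secret is missing), and flags an overdue renewal. The host name and the day threshold are assumptions.

```python
"""Check the certificate actually served for the Ingress host (added example)."""
import socket
import ssl
import sys
import time

DEFAULT_HOST = "webtest.kubelancer.in"  # host used in this guide (assumption)
MIN_DAYS_LEFT = 20  # assumed alert threshold; cert-manager renews ~30 days out


def san_matches(san_entries, host):
    """True if host is covered by a DNS SAN entry; supports one leftmost wildcard label."""
    host = host.lower().rstrip(".")
    for kind, value in san_entries:
        if kind != "DNS":
            continue
        value = value.lower().rstrip(".")
        if value == host:
            return True
        if value.startswith("*.") and "." in host and host.split(".", 1)[1] == value[2:]:
            return True
    return False


def days_remaining(not_after, now=None):
    """Days until notAfter, given in OpenSSL's 'Jan  5 09:34:43 2018 GMT' form."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def is_lets_encrypt(issuer):
    """issuer is the tuple-of-RDNs form returned by getpeercert()['issuer']."""
    return any(k == "organizationName" and v == "Let's Encrypt"
               for rdn in issuer for k, v in rdn)


def check_endpoint(host, port=443):
    """Connect with chain and hostname verification, then inspect the leaf cert."""
    ctx = ssl.create_default_context()  # rejects the fake cert and wrong chains
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    problems = []
    if not san_matches(cert.get("subjectAltName", ()), host):
        problems.append("host not covered by certificate SAN")
    if not is_lets_encrypt(cert["issuer"]):
        problems.append("issuer is not Let's Encrypt (staging or default cert?)")
    left = days_remaining(cert["notAfter"])
    if left < MIN_DAYS_LEFT:
        problems.append(f"certificate expires in {left:.1f} days; renewal overdue")
    return problems


if __name__ == "__main__":
    issues = check_endpoint(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST)
    print("OK" if not issues else "\n".join(issues))
```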