Kubernetes has lots of Ingress Controller implementations,I've been using ingress-nginx for a long time, this ingress controller works great. In AWS EKS environment, it create a classic ELB to work in layer 4 , all the incomming request will be forward to nginx and do layer 7 dispatch. such that if you want to provide https support, you have manage the SSL/TSL certificate by your own.

aws-alb-ingress-controller

We are fully operated on AWS infrastructure and AWS Certificate Manager could help us to manage the SSL/TSL certificate in an efficient way. but the problem is that the public certificate would never go out of AWS infrastructure, and you could never download the certificated and load it for ingress-nginx, luckly, aws has it's own ingress controller implementation AWS ALB Ingress Controller. it will create an Application Load Balancer(ALB) and work on layer 7 to forward request to the kubernetes service directly, the ALB could also work with AWS Certificate Manager out of box to support HTTPS. there are already article to describe how to deploy ALB ingress controller into EKS, you could read the details if you are interested in, I will not repeat them. I want to point out some tips when I'm actually working on it

  • in the alb-ingress-controller.yaml there are 3 parameter must be proviced
    • --cluster-name=my-eks-cluster-name : ALB will use this to identify which EKS this ALB should connect to
    • --aws-vpc-id=vpc-my-vpc-id: used to detect which VPC the ALB should be deployed to
    • --aws-region=xxx: used to determine where the ALB should be created to
  • after the 2048 games application get deployed, I want to serve the application in my own domain name over https, I could use use AWS Certificate Manager to help me to manage SSL certificate
    • in my ACM, I have a domain named vipmind.me registered, ACM will provide me an ARN e.g: arn:aws:acm:us-east-1:myaccount:certificate/xxxxxxxxxxxxxxxxxxx
    • in my ingress.yaml file, I could use annotation alb.ingress.kubernetes.io/certificate-arn to declare my ACM ARN so that ALB could use the SSL/TSL provided by ACM
    • annotation kubernetes.io/ingress.class:alb is important when you have multiple ingress controllers in one EKS, this will indicate that ALB ingress controller would react on this ingress config
    • annotation alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' will force ALB to create listen on https port
    • annotatiton alb.ingress.kubernetes.io/scheme: internet-facing will make sure this ALB is exposed to internet, it will also need the EKS public subnet is tagged with kubernetes.io/role/elb=1
    • The full yaml config file could looks like below
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "2048-ingress"
  namespace: "2048-game"
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    # ACM certificate ARN for your SSL domain
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:myaccount:certificate/xxxxxxxxxxxxxxxxxxx
  labels:
    app: 2048-ingress
spec:
  rules:
    - host: 2048.vipmind.me
      http:
        paths:
          - path: /*
            backend:
              serviceName: "service-2048"
              servicePort: 80

After the ingress is deployed, an ALB will be createtd in AWS, it may take about 5 mins to provision the ALB. then we could grab the dns name for this ALB, let's assume it's ffggsss-2048game-2048ingr-6fa0-xxxxxxx.us-east-1.elb.amazonaws.com, open Route53's domain config, add a new entry 2048.vipmind.me set the CNAME value to ffggsss-2048game-2048ingr-6fa0-xxxxxxx.us-east-1.elb.amazonaws.com.

I could access the 2048 games via url https://2024.vipmind.me over https and aws will take care of all the SSL complexity for me

aws-acm-certificate

There are still some limitation in ALB

  • the ingress could not reference service across namespaces, so the ingress have to stay same namespace with the service
  • echo ingress yaml file will create a new ALB, this some times is confusing and not expected , because AWS also have limitaiton on ALB number per account per region. if you have lots of service to expose, you will have problem on ALB number limitation under your account
  • keep eye on this github issue to track this limitation https://github.com/kubernetes-sigs/aws-alb-ingress-controller/issues/298