AWS EKS setup SSL Service
Introduction
This post is about exposing a web application to a public domain from an AWS EKS cluster.
Prerequisite
- An AWS EKS cluster is set up
- A web application is running in the cluster with at least two replicas (check with `kubectl get pods`)
- A domain name
- Helm is set up
SSL Certificate
It is easier to just get the certificate from AWS since everything else is running there anyway. Request a public certificate from AWS ACM (Certificate Manager) for your domain. Once the certificate is issued and DNS validation is complete, note down its ARN from the AWS console; the load balancer annotation below needs it.
LoadBalancer
Example taken from https://aws.amazon.com/premiumsupport/knowledge-center/terminate-https-traffic-eks-acm
```yaml
apiVersion: v1
kind: Service
metadata:
  # Placeholder: replace with a valid Service name (lowercase letters, digits and hyphens only).
  name: lbsvc_name
  annotations:
    # TLS terminates at the load balancer; the backend hop (ELB to pod) talks plain HTTP.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    # TODO: Fill in with the ARN of your ACM certificate.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: certificate-arn
    # Only run SSL on the port named "https" below.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
spec:
  selector:
    app: application_name_from_pod_deployment_definition
  ports:
    - name: http
      port: 80
      targetPort: 8080
    - name: https
      port: 443
      targetPort: 8080
  type: LoadBalancer
```
Once you deploy this new configuration via `helm upgrade`, you should see the `lbsvc_name` Service in the `kubectl get svc` output.
Set up Domain DNS
Note down the EXTERNAL-IP shown by `kubectl get svc` for `lbsvc_name`; for an AWS load balancer this is a DNS hostname rather than an IP address. Create a CNAME record in your domain's DNS that points to this AWS address (a CNAME cannot sit at the zone apex, so for a bare domain use a subdomain or a Route 53 alias record). With this setup both the http and https sites will work. To restrict http, delete the port 80 listener from the load balancer by removing the port 80 entry from the Service's ports; a listener deleted only in the AWS console is recreated when Kubernetes reconciles the Service. Note that this refuses plain-HTTP connections rather than redirecting them to https.
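A pre-deploy check for the LoadBalancer manifest above and for the port 80 decision in this section, as an added example that is not part of the original post or of the AWS article it cites. It lints a parsed Service manifest for the mistakes the placeholders would cause if applied unchanged (an invalid Service name, a non-ARN in the `ssl-cert` annotation, an `ssl-ports` entry that names no port) and warns about every listener left without TLS and about the cleartext hop from the ELB to the pods. The page's manifest is embedded as a constructed dict so the script runs offline; in practice you would load the file with `yaml.safe_load` (PyYAML, assumed installed). The ARN in `fixed_manifest` is a constructed placeholder, not a real certificate.

```python
"""Pre-deploy lint for a Service that terminates TLS on an AWS classic ELB.

Example code, not from the page or from AWS. It checks a parsed Service
manifest for the mistakes that would make the ACM-backed HTTPS listener
fail or silently leave a plaintext path open.
"""
import copy
import re
from typing import Any

ANN = "service.beta.kubernetes.io/aws-load-balancer-"
# Kubernetes Service names must be DNS-1035 labels.
DNS_LABEL = re.compile(r"^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")
# Shape of an ACM certificate ARN: arn:aws:acm:<region>:<account-id>:certificate/<uuid>
ACM_ARN = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}$")


def lint_lb_service(svc: dict[str, Any]) -> dict[str, list[str]]:
    """Return {'errors': [...], 'warnings': [...]}; errors should block a deploy."""
    errors: list[str] = []
    warnings: list[str] = []
    meta = svc.get("metadata") or {}
    spec = svc.get("spec") or {}
    ann = meta.get("annotations") or {}
    ports = spec.get("ports") or []

    name = str(meta.get("name", ""))
    if not DNS_LABEL.match(name):
        errors.append(f"metadata.name {name!r} is not a valid DNS-1035 label "
                      "(lowercase letters, digits and hyphens only)")

    if spec.get("type") != "LoadBalancer":
        errors.append("spec.type must be LoadBalancer; the ELB annotations are ignored otherwise")

    cert = str(ann.get(ANN + "ssl-cert", ""))
    if not ACM_ARN.match(cert):
        errors.append(f"{ANN}ssl-cert {cert!r} is not an ACM certificate ARN")

    # ssl-ports lists the port names or numbers that get the certificate; each
    # entry must match spec.ports, otherwise that listener is left without TLS.
    known = {str(p.get("name", "")) for p in ports} | {str(p.get("port", "")) for p in ports}
    ssl_ports = [s.strip() for s in str(ann.get(ANN + "ssl-ports", "")).split(",") if s.strip()]
    for entry in ssl_ports:
        if entry not in known:
            errors.append(f"ssl-ports entry {entry!r} matches no port in spec.ports")

    # Every listener not covered by ssl-ports answers in plaintext. When the
    # annotation is omitted the cloud provider applies the certificate to all ports.
    for p in ports:
        pname, pnum = str(p.get("name", "")), str(p.get("port", ""))
        if ssl_ports and pname not in ssl_ports and pnum not in ssl_ports:
            warnings.append(f"port {pnum} ({pname or 'unnamed'}) is served without TLS; "
                            "remove it from spec.ports to refuse plain HTTP")

    if ann.get(ANN + "backend-protocol") == "http":
        warnings.append("backend-protocol is http: TLS ends at the ELB and the hop "
                        "to the pods is cleartext inside the VPC")

    return {"errors": errors, "warnings": warnings}


# Constructed sample: the page's manifest with its placeholders left in place.
PAGE_MANIFEST: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "lbsvc_name",
        "annotations": {
            ANN + "backend-protocol": "http",
            ANN + "ssl-cert": "certificate-arn",
            ANN + "ssl-ports": "https",
        },
    },
    "spec": {
        "selector": {"app": "application_name_from_pod_deployment_definition"},
        "ports": [
            {"name": "http", "port": 80, "targetPort": 8080},
            {"name": "https", "port": 443, "targetPort": 8080},
        ],
        "type": "LoadBalancer",
    },
}


def fixed_manifest(drop_http: bool = True) -> dict[str, Any]:
    """The same manifest with a valid name, a placeholder ARN of the right shape,
    and (optionally) the plaintext port 80 listener removed."""
    svc = copy.deepcopy(PAGE_MANIFEST)
    svc["metadata"]["name"] = "lbsvc-name"
    # Constructed placeholder ARN, not a real certificate.
    svc["metadata"]["annotations"][ANN + "ssl-cert"] = (
        "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012")
    if drop_http:
        svc["spec"]["ports"] = [p for p in svc["spec"]["ports"] if p["port"] != 80]
    return svc


if __name__ == "__main__":
    for label, svc in (("page", PAGE_MANIFEST), ("fixed", fixed_manifest())):
        result = lint_lb_service(svc)
        print(f"[{label}] errors={len(result['errors'])} warnings={len(result['warnings'])}")
        for line in result["errors"] + result["warnings"]:
            print("  -", line)
```

Run it against the rendered chart output (for example `helm template ... | yq ...` or `yaml.safe_load_all`) before `helm upgrade`; the page's manifest produces two errors (name and ARN placeholders) and two warnings, and the corrected manifest with port 80 removed produces only the reminder that the ELB-to-pod hop is cleartext.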