AWS EKS setup SSL Service

Introduction

This post is about exposing a web application to a public domain from a AWS EKS cluster.

Prerequisite

• AWS EKS cluster is setup
• A web application is running in the cluster with at lease two replicas

kubectl get pods

• A domain name
• Helm setup

SSL Certificate

It is easier to just get the certificate from AWS since everything else is running here anyways. Request a public certificate from AWS ACN for your domain. Remember to note down the arn from the aws console once the certificate is created and DNS validation is done.

LoadBalancer

Example taken from https://aws.amazon.com/premiumsupport/knowledge-center/terminate-https-traffic-eks-acm

apiVersion: v1
kind: Service
metadata:
  name: lbsvc_name
  annotations:
    # Note that the backend talks over HTTP.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    # TODO: Fill in with the ARN of your certificate.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: certificate-arn
    # Only run SSL on the port named "https" below.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
spec:
  selector:
    app: application_name_from_pod_deployment_definition
  ports:
    - name: http
      port: 80
      targetPort: 8080
    - name: https
      port: 443
      targetPort: 8080
  type: LoadBalancer

Once you deploy this new configuration via helm upgrade you should see the lbsvc_name name in kubectl get svc output.

Setup Domain DNS

Note down the External-IP from kubectl get svc output for lbsvc_name. Create a CNAME record for your domain’s DNS that points to this aws address. With this setup both http and https sites will work. To restrict http delete the port 80 listener from load balancer.