In Part 1, we covered the ingress resource configuration for hosting multiple sites on a single Amazon EKS cluster. In this blog, we will extend that discussion to support Amazon Certificate Manager (ACM) issued certificates for those domains. This will ensure that all sites can be accessed over ‘https’. We will also look into a SSL redirect rule to redirect traffic from http to https. So, let’s get going –
Pre-requisite: ACM certificates have been created and verified for each domain
Amazon Certificate Manager (ACM) Setup
In order to support multiple ACM certs, we will need to extend the lister-ports annotation to include 443 port i.e.
alb.ingress.kubernetes.io/listen-ports: ‘[{“HTTP”: 80}, {“HTTPS”:443}]’
As per the official documentation, multiple SSL support can be added using this annotation:
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/cert1,arn:aws:acm:us-west-2:xxxxx:certificate/cert2,arn:aws:acm:us-west-2:xxxxx:certificate/cert3
It also lists the following tip –
If the
alb.ingress.kubernetes.io/certificate-arnannotation is not specified, the controller will attempt to add certificates to listeners that require it by matching available certs from ACM with thehostfield in each listener’s ingress rule.
NOTE: Both the above approaches didn’t work for us for ingress amazon eks. We had to manually add the second certificate through the Amazon UI i.e. EC2->Load Balancers -> Select ALB -> Listeners -> View/Edit certificates for port 443 -> click ‘+’ and select certificate to add.
Redirect traffic from HTTP to HTTPS
To redirect traffic for ingress amazon eks, we followed the official guide and added the following annotation to the manifest:
alb.ingress.kubernetes.io/actions.ssl-redirect
We also followed the instructions in this note:
the
ssl-redirectaction must be be first rule(which will be evaluated first by ALB)
Ingress Amazon EKS | Ingress Manifest
So, here’s the full Ingress manifest that will allow you to host multiple domains with https and also ensure http requests are automatically redirect to https.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/actions.ssl-redirect: ‘{“Type”: “redirect”, “RedirectConfig”:
{ “Protocol”: “HTTPS”, “Port”: “443”, “StatusCode”: “HTTP_301”}}’
alb.ingress.kubernetes.io/listen-ports: ‘[{“HTTP”: 80}, {“HTTPS”:443}]’
alb.ingress.kubernetes.io/scheme: internet-facing
kubernetes.io/ingress.class: alb
labels:
app: coderise-io
name: ingress
spec:
rules:
– host: api.domain1.com
http:
paths:
– backend:
serviceName: ssl-redirect
servicePort: use-annotation
path: /*
– backend:
serviceName: domain1-wordpress
servicePort: 80
path: /*
– host: domain2.io
http:
paths:
– backend:
serviceName: ssl-redirect
servicePort: use-annotation
path: /*
– backend:
serviceName: domain2-wordpress
servicePort: 80
path: /*
In this blog, we covered Ingress on Amazon EKS configuration with ACM issued certificates.
Full details on installing WordPress on EKS are detailed here
