Ingress configuration for supporting multiple ACM issued certificates in Amazon EKS – Part 2

In Part 1, we covered the ingress resource configuration for hosting multiple sites on a single Amazon EKS cluster. In this post, we extend that discussion to support Amazon Certificate Manager (ACM) issued certificates for those domains, so that all sites can be accessed over HTTPS. We also look at an SSL redirect rule that redirects traffic from HTTP to HTTPS. So, let's get going.

Prerequisite: ACM certificates have been created and verified for each domain.

Amazon Certificate Manager (ACM) Setup:

To support multiple ACM certs, we need to extend the listen-ports annotation to include port 443, i.e.

alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'

As per the official documentation, support for multiple SSL certificates can be added using this annotation:

alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/cert1,arn:aws:acm:us-west-2:xxxxx:certificate/cert2,arn:aws:acm:us-west-2:xxxxx:certificate/cert3

It also lists the following tip:

If the alb.ingress.kubernetes.io/certificate-arn annotation is not specified, the controller will attempt to add certificates to listeners that require it by matching available certs from ACM with the host field in each listener’s ingress rule.

NOTE: Both the above approaches didn't work for us. We had to manually add the second certificate through the Amazon UI, i.e. EC2 -> Load Balancers -> Select ALB -> Listeners -> View/Edit certificates for port 443 -> click '+' and select certificate to add.

Redirect traffic from HTTP to HTTPS:

To redirect traffic, we followed the official guide and added the following annotation to the manifest:

alb.ingress.kubernetes.io/actions.ssl-redirect

We also followed the instructions in this note:

the ssl-redirect action must be the first rule (which will be evaluated first by ALB)

Ingress Manifest:

So, here's the full Ingress manifest that will allow you to host multiple domains over HTTPS and also ensure HTTP requests are automatically redirected to HTTPS.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig":
      { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    kubernetes.io/ingress.class: alb
  labels:
    app: coderise-io
  name: ingress
spec:
  rules:
  - host: api.domain1.com
    http:
      paths:
      - backend:
          serviceName: ssl-redirect
          servicePort: use-annotation
        path: /*
      - backend:
          serviceName: domain1-wordpress
          servicePort: 80
        path: /*
  - host: domain2.io
    http:
      paths:
      - backend:
          serviceName: ssl-redirect
          servicePort: use-annotation
        path: /*
      - backend:
          serviceName: domain2-wordpress
          servicePort: 80
        path: /*
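A pre-deploy check for the manifest above, added here as an illustration and not part of the original post or of the AWS controller: it verifies that the HTTPS listener is declared, that the redirect action targets HTTPS on 443, and that ssl-redirect is the first path for every host. The names lint_ingress and sample_ingress are hypothetical, and the manifest is assumed to be already parsed into a dict.

```python
import json

PREFIX = "alb.ingress.kubernetes.io/"
# Constructed sample value, copied from the redirect annotation in the manifest above.
REDIRECT = ('{"Type": "redirect", "RedirectConfig": '
            '{"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}')

def lint_ingress(ingress):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ann = ingress.get("metadata", {}).get("annotations", {})
    # The listen-ports annotation must declare an HTTPS listener on 443.
    ports = json.loads(ann.get(PREFIX + "listen-ports", "[]"))
    if {"HTTPS": 443} not in ports:
        findings.append("listen-ports has no HTTPS:443 listener")
    # The action referenced by the ssl-redirect backend must point at HTTPS:443.
    raw = ann.get(PREFIX + "actions.ssl-redirect")
    if raw is None:
        findings.append("actions.ssl-redirect annotation is missing")
    else:
        cfg = json.loads(raw).get("RedirectConfig", {})
        if cfg.get("Protocol") != "HTTPS" or cfg.get("Port") != "443":
            findings.append("ssl-redirect does not target HTTPS:443")
    # For each host, ssl-redirect must come before the site backend.
    for rule in ingress.get("spec", {}).get("rules", []):
        paths = rule.get("http", {}).get("paths", [])
        first = paths[0]["backend"] if paths else {}
        if (first.get("serviceName") != "ssl-redirect"
                or first.get("servicePort") != "use-annotation"):
            host = rule.get("host", "*")
            findings.append(f"{host}: ssl-redirect is not the first rule")
    return findings

def sample_ingress(redirect_first=True):
    """Constructed sample mirroring the manifest above as a parsed dict."""
    def paths(svc):
        redirect = {"backend": {"serviceName": "ssl-redirect",
                                "servicePort": "use-annotation"}, "path": "/*"}
        site = {"backend": {"serviceName": svc, "servicePort": 80}, "path": "/*"}
        return [redirect, site] if redirect_first else [site, redirect]
    return {
        "metadata": {"annotations": {
            PREFIX + "actions.ssl-redirect": REDIRECT,
            PREFIX + "listen-ports": '[{"HTTP": 80}, {"HTTPS":443}]'}},
        "spec": {"rules": [
            {"host": "api.domain1.com", "http": {"paths": paths("domain1-wordpress")}},
            {"host": "domain2.io", "http": {"paths": paths("domain2-wordpress")}}]},
    }

if __name__ == "__main__":
    print(lint_ingress(sample_ingress()), lint_ingress(sample_ingress(False)))
```

With the site backend listed before ssl-redirect, the check reports both hosts, which is the misordering the note above warns about.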

Full instructions for installing WordPress on EKS are available here: LINK