Ingress nginx with TLS on NLB for childrens

Ingress nginx, most used controller on Kubernetes. In this post, I tell you how to configure ingress nginx with NLB using TLS with AWS Certificate Manager.

Is true,there are other solutions for TLS with Ingress nginx, such as certmanager with letsencrypt, lets not stop on this. First, we need to create a certificate with AWS certificate manager, in this is case of a wildcard type. In the console, you search the certificate as “arn:numberofaccout:name-of-cert”, this “arn” you will we write this arn as annotations in the service, for example:

metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:xxxxxx:certificate/xxxx-xxx-xxxx-xxxx-xxxxxx
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: “443”
service.beta.kubernetes.io/aws-load-balancer-type: nlb

Ok, but is that all?, now do I have all configured? . The answer is not, we have to configure the load balancer to work with the http protocol and not TCP as by default. We configure that the following way:

service.beta.kubernetes.io/aws-load-balancer-backend-protocol: “http”

For a limitation of the load balancer product of AWS, ELB, like NLB, does not support https-type communication between LB and controller. Then we configure the target port as http:

spec:
 ports:
 — name: https
 port: 443
 protocol: TCP
 targetPort: http

And inside of ingress nginx’s configmaps, set the variable use-proxy-protocol as “false” and ssl-redirect as”true”.

Without use-proxy-protocol:”false” , ingress nginx will return code 301 https → https not found. With ssl-redirect, force redirect http to https, because the single annotations for ingress are not found via Load Balancer with certificate.

Following this How To, you can configure your ingress with TLS on LB.

For more information : https://github.com/kubernetes/ingress-nginx/issues/1624