Ingress nginx with TLS on NLB for children

David Fernández
2 min read · Jan 16, 2021


Ingress nginx is the most used controller on Kubernetes. In this post, I explain how to configure ingress nginx behind an NLB, using TLS with AWS Certificate Manager.

It is true that there are other solutions for TLS with ingress nginx, such as cert-manager with Let's Encrypt, but let's not dwell on them. First, we need to create a certificate with AWS Certificate Manager, in this case a wildcard certificate. In the console, the certificate is identified by an ARN of the form "arn:numberofaccount:name-of-cert"; we write this ARN in the annotations of the service, for example:

    metadata:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:xxxxxx:certificate/xxxx-xxx-xxxx-xxxx-xxxxxx
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
        service.beta.kubernetes.io/aws-load-balancer-type: nlb

OK, but is that all? Is everything configured now? The answer is no: we have to configure the load balancer to work with the HTTP protocol instead of TCP, which is the default. We configure that in the following way:

    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"

Because of a limitation of AWS's load balancer products, ELB, like NLB, does not support HTTPS communication between the LB and the controller. So we configure the target port as http:

    spec:
      ports:
        - name: https
          port: 443
          protocol: TCP
          targetPort: http

Then, inside ingress nginx's ConfigMap, set the variable use-proxy-protocol to "false" and ssl-redirect to "true".

Without use-proxy-protocol: "false", ingress nginx will return code 301 (https → https, not found). ssl-redirect forces the redirect from http to https, because the individual annotations on the Ingress are not found when traffic comes through a load balancer that holds the certificate.
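The steps above assembled into one manifest, as an added example that is not from the original post. The resource names, the ingress-nginx namespace, the selector labels, the port 80 listener and the container port named http are assumptions; the ARN is the post's placeholder.

```yaml
# Added example: Service and ConfigMap combining the settings from this post.
# Assumed (not from the post): names, namespace, selector labels, the port 80
# entry, and a controller container port named "http".
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  annotations:
    # Placeholder ARN as written in the post; use your own ACM certificate ARN.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:xxxxxx:certificate/xxxx-xxx-xxxx-xxxx-xxxxxx
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: http            # assumed plain-HTTP listener, not shown in the post
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: http      # TLS ends at the NLB; the controller receives HTTP
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  use-proxy-protocol: "false"
  ssl-redirect: "true"
```

Because the certificate lives on the NLB, traffic between the load balancer and the controller pods is unencrypted HTTP inside the VPC.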

By following this how-to, you can configure your ingress with TLS on the LB.

For more information: https://github.com/kubernetes/ingress-nginx/issues/1624
