Solved

How to properly Terminate SSL using AWS ALB with ACM

  • 23 August 2021
  • 4 replies
  • 56 views


GD.cn APIs and all endpoints return an empty response when AWS ACM is enabled with the ingress.

helm -n ingress-nginx install ingress-nginx ingress-nginx/ingress-nginx \
  --set controller.replicaCount=2 \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert"=arn:aws:acm:us-east-1:092X09X3X992:certificate/2acb570a-2627-4b66-ac3e-ae2a9cc82a91

Please help me with how to properly terminate SSL on the ALB with AWS ACM.


Best answer by Robert Moucha 24 August 2021, 14:28

Hello Ashok,

the NGINX Ingress Controller works well with the classic AWS ELB (Elastic Load Balancer). AWS ALB (Application Load Balancer) should be controlled by https://github.com/kubernetes-sigs/aws-load-balancer-controller

While it is possible to have an ALB in front of the NGINX ingress controller deployment (see this issue or a more detailed blog post), we recommend using ELB instead, because it is far easier to configure.

Using ALB directly is not supported, as it lacks some functionality (notably regex processing of paths).


4 replies


Hi @Robert Moucha, thanks for the response.
I have made the changes, but the ingress by default throws 404 across gd.cn services. Can you please help me?


helm upgrade --install -n ingress-nginx ingress-nginx ingress-nginx/ingress-nginx \
  --set controller.replicaCount=2 \
  --values values-ingress.yaml --wait --timeout 3m \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert"=arn:aws:acm:us-east-1:01119999222:certificate/2acb570a-2627-4b66-ac3e-ae2a9cc82a41


--- values-ingress.yaml ---

# helm-charts/helmfile-values/values-ingress.yaml
controller:
  service:
    targetPorts:
      http: http
      https: http
    annotations:
      # SSL is terminated on the ELB, so plain HTTP is used downstream to our services
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'http'
      # only 'https' port will use SSL protocol
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 'https'
      # keep connections open for up to 1 hour
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
      # Disable TLS1.1 and lower protocols on TLS handshake
      service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: 'ELBSecurityPolicy-TLS-1-2-2017-01'
  publishService:
    enabled: true


--- your-org-definition.yaml ---

apiVersion: controllers.gooddata.com/v1
kind: Organization
metadata:
  # The namespace-unique name of the custom resource
  name: fctstage-org
spec:
  # The Organization ID
  id: fctstage
  # The UI-friendly Organization name
  name: "FCTDEV, Corp."
  # The DNS name where the Organization will be accessible
  hostname: gdk8sstage.factoreal.info
  # The name of the user group for the Organization administrator
  adminGroup: adminGroup
  # The name of the Organization administrator account
  adminUser: admin
  # The salted hash of the administrator password that you generated earlier at Step 1
  adminUserToken: "$5$6iRG6Yc/Ih51I2MN$/IYHZCzihzyOP3uaHs7FaHBnsLv8.dtsKjiMdAJjxc4"
  # An optional `tls` object that describes how the TLS certificate will be handled
  # For more information, see "TLS Configuration of an Organization" further in this article.
  # tls:
  #   # (Required) The name of the Secret where the certificate and the key are stored
  #   secretName: alpha-org-tls
  #   # (Optional) The name of cert-manager's Issuer or ClusterIssuer, if certificates are
  #   # automatically provisioned by cert-manager
  #   issuerName: letsencrypt-prod
  #   # (Optional) The resource that `issuerName` refers to; can be Issuer (default)
  #   # or ClusterIssuer
  #   issuerType: ClusterIssuer

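Added example, not part of the thread or of the GoodData or ingress-nginx projects: a small Python check over the controller.service block of values-ingress.yaml above, confirming that the ELB terminates TLS with an ACM certificate, that only the https port speaks TLS, that the negotiation policy floors the protocol at TLS 1.2, and that the https target port is the plain http port so the controller is not handed cleartext on its TLS port. The ACM ARN is a constructed placeholder, the policy-name parsing is a heuristic, and a deliberately weakened copy of the config shows what the findings look like.

```python
import copy
import re

# Mirrors the controller.service block of values-ingress.yaml above; the ACM ARN
# is a constructed placeholder, not the poster's real certificate.
ANN = "service.beta.kubernetes.io/aws-load-balancer-"
SERVICE = {
    "targetPorts": {"http": "http", "https": "http"},
    "annotations": {
        ANN + "ssl-cert": "arn:aws:acm:us-east-1:111111111111:certificate/00000000-0000-4000-8000-000000000000",
        ANN + "backend-protocol": "http",
        ANN + "ssl-ports": "https",
        ANN + "connection-idle-timeout": "3600",
        ANN + "ssl-negotiation-policy": "ELBSecurityPolicy-TLS-1-2-2017-01",
    },
}
ACM_ARN = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}$")

def min_tls_minor(policy):
    """Heuristic: 'ELBSecurityPolicy-TLS-1-x-...' names pin the floor to TLS 1.x;
    unversioned policies such as ELBSecurityPolicy-2016-08 still allow TLS 1.0."""
    m = re.search(r"TLS-1-(\d)", policy)
    return int(m.group(1)) if m else 0

def check_elb_tls(service):
    """Return a list of findings; an empty list means the termination setup is consistent."""
    ann = service["annotations"]
    findings = []
    if not ACM_ARN.match(ann.get(ANN + "ssl-cert", "")):
        findings.append("ssl-cert is not an ACM certificate ARN")
    if ann.get(ANN + "ssl-ports") != "https":
        findings.append("ssl-ports should list only 'https'")
    if ann.get(ANN + "backend-protocol") == "http" and service["targetPorts"].get("https") != "http":
        findings.append("backend-protocol http needs targetPorts.https: http (the ELB sends plaintext)")
    if min_tls_minor(ann.get(ANN + "ssl-negotiation-policy", "")) < 2:
        findings.append("ssl-negotiation-policy still permits TLS 1.1 or lower")
    if not ann.get(ANN + "connection-idle-timeout", "60").isdigit():
        findings.append("connection-idle-timeout must be an integer number of seconds")
    return findings

def weakened():
    """A deliberately misconfigured copy of SERVICE used to exercise the checks."""
    s = copy.deepcopy(SERVICE)
    s["targetPorts"]["https"] = "https"                      # ELB would send cleartext to the TLS port
    s["annotations"][ANN + "ssl-ports"] = "http,https"       # TLS on the http listener as well
    s["annotations"][ANN + "ssl-negotiation-policy"] = "ELBSecurityPolicy-2016-08"  # TLS 1.0 allowed
    return s

if __name__ == "__main__":
    for name, svc in (("page config", SERVICE), ("weakened", weakened())):
        print(name, check_elb_tls(svc) or "OK")
```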


Please add the following annotations in the respective places of the customized-values-gooddata-cn.yaml used for deploying the gooddata-cn Helm chart:

Keep in mind that you need to "merge" these two settings into the existing keys.

dex:
  ingress:
    annotations:
      kubernetes.io/ingress.class: nginx

ingress:
  annotations:
    kubernetes.io/ingress.class: nginx

This change is necessary for proper operation with recent versions of ingress-nginx. We will update the documentation for version 1.3 and address this issue in the upcoming release.

 

Thank you @Robert Moucha, it resolved the issue.
