To enable HTTPS on the ALB, you need to create an SSL/TLS certificate and associate it with the ALB listener. You can create an SSL/TLS certificate using Amazon Certificate Manager (ACM). https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
You can create the certificate using Terraform with aws_acm_certificate resource and associate it with the ALB listener using aws_lb_listener_certificate. Reference links with example below. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_certificate
With the certificate in place, your ALB ingress controller can route HTTPS traffic to your EKS/Fargate pods. Note that you will need to configure your pods to listen on the appropriate port and respond to HTTPS requests.
I have also done the same setup where I am using one certificate from ACM and adding all the necessary annotations in ingress and service for our deployment. Here are the snippets, ingress:

```hcl
annotations = {
  "alb.ingress.kubernetes.io/certificate-arn" = "arn:aws:acm:us-east-1:036937938941:certificate/499b9cca-8c07-4a73-9ee9-e5263d3ec7ec"
  # TODO: Fill in the listening ports.
  # Set HTTP to HTTPS redirects. Every HTTP listener configured will be redirected to below mentioned port over HTTPS.
  # Inner double quotes must be escaped inside an HCL string.
  "alb.ingress.kubernetes.io/listen-ports"         = "[{\"HTTPS\":443}]"
  "alb.ingress.kubernetes.io/actions.ssl-redirect" = "{\"Type\": \"redirect\", \"RedirectConfig\": { \"Protocol\": \"HTTPS\", \"Port\": \"443\", \"StatusCode\": \"HTTP_301\"}}"
  "alb.ingress.kubernetes.io/ssl-policy"           = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
  "alb.ingress.kubernetes.io/group.name"           = local.name
  "alb.ingress.kubernetes.io/group.priority"       = "99"
  "alb.ingress.kubernetes.io/scheme"               = "internal"
  "alb.ingress.kubernetes.io/target-type"          = "ip"
  "alb.ingress.kubernetes.io/healthcheck-port"     = "3000"
  "alb.ingress.kubernetes.io/healthcheck-path"     = "/api/health"
  "alb.ingress.kubernetes.io/subnets"              = data.aws_ssm_parameter.subnet_compute_ids.value
}
```
I don't have a listener for HTTP, but requests are still showing as "not secure". Hope we can spend some time to resolve this part.
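
A small check over the TLS-related annotations in the snippet above, as an added example that is not part of the original answer or of the AWS Load Balancer Controller: it reports which listeners the configuration actually produces and whether the redirect can ever fire. The function `lint_alb_tls`, its finding codes and the placeholder certificate ARN are constructed for illustration.

```python
import json
import re

PREFIX = "alb.ingress.kubernetes.io/"
ACM_ARN = re.compile(r"arn:aws[a-z-]*:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}")

def lint_alb_tls(annotations):
    """Return (code, message) findings for the TLS-related ALB ingress annotations."""
    a = {k[len(PREFIX):]: v for k, v in annotations.items() if k.startswith(PREFIX)}
    arns = [s.strip() for s in a.get("certificate-arn", "").split(",") if s.strip()]
    # Documented controller default: HTTPS:443 when a certificate ARN is set, else HTTP:80.
    default_ports = '[{"HTTPS": 443}]' if arns else '[{"HTTP": 80}]'
    try:
        listeners = json.loads(a.get("listen-ports", default_ports))
        protocols = {proto for entry in listeners for proto in entry}
    except (ValueError, TypeError):
        return [("BAD_LISTEN_PORTS", "listen-ports is not a JSON list of {protocol: port}")]
    findings = []
    for arn in arns:
        if not ACM_ARN.fullmatch(arn):
            findings.append(("NOT_ACM_ARN", f"not an ACM certificate ARN: {arn}"))
    if "HTTPS" not in protocols:
        findings.append(("NO_HTTPS_LISTENER", "the ALB will only serve clear-text HTTP"))
    elif "ssl-policy" not in a:
        findings.append(("NO_SSL_POLICY", "ssl-policy unset; the default policy applies"))
    # Simplification: only checks that a redirect is declared, not that a rule uses it.
    redirect = "ssl-redirect" in a or "actions.ssl-redirect" in a
    if "HTTP" in protocols and not redirect:
        findings.append(("HTTP_NOT_REDIRECTED", "HTTP listener has no redirect to HTTPS"))
    if redirect and "HTTP" not in protocols:
        findings.append(("REDIRECT_WITHOUT_HTTP", "redirect is defined but there is no HTTP "
                         "listener, so it never fires; the ALB is HTTPS-only"))
    return findings

# Constructed sample shaped like the ingress annotations above (placeholder ARN).
SAMPLE = {
    PREFIX + "certificate-arn": "arn:aws:acm:us-east-1:111122223333:certificate/"
                                "00000000-0000-0000-0000-000000000000",
    PREFIX + "listen-ports": '[{"HTTPS":443}]',
    PREFIX + "actions.ssl-redirect": '{"Type": "redirect", "RedirectConfig": '
        '{"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}',
    PREFIX + "ssl-policy": "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
}

if __name__ == "__main__":
    for code, message in lint_alb_tls(SAMPLE):
        print(f"{code}: {message}")
```

For the sample, the only finding is `REDIRECT_WITHOUT_HTTP`: the listener set is HTTPS on 443 only, so the `ssl-redirect` action has no HTTP listener to act on.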