How do I use TLS certificates to activate HTTPS connections for my Amazon EKS applications?

Last updated: 2023-02-17

I want to use Transport Layer Security (TLS) certificates to activate HTTPS connections for my Amazon Elastic Kubernetes Service (Amazon EKS) applications.

Short description

To activate HTTPS connections for your Amazon EKS applications, you must:

  • Get a valid TLS certificate for your custom domain.
  • Expose your Kubernetes service using the load balancer service type, or expose your Kubernetes ingress object using the AWS Load Balancer Controller.
  • Associate your custom domain with the DNS of the load balancer.

Resolution

Get a valid TLS certificate for your custom domain:

1.    Request a public AWS Certificate Manager (ACM) certificate for your custom domain, or upload your own TLS certificate to ACM.

2.    Identify the Amazon Resource Name (ARN) of the certificate that you want to use with the load balancer's HTTPS listener.

3.    To create a sample NGINX deployment, run the following command:

$ kubectl create deploy web --image=nginx --port 80 --replicas=3

4.    To verify that Kubernetes pods are deployed on your Amazon EKS cluster, run the following command:

$ kubectl get pods -l app=web

Note: The pods are labeled app=web. Use this label as a selector for the service object to identify a set of pods.

Expose your Kubernetes service using the load balancer service type

Note: To use the ingress object to expose your application, skip to the Expose your Kubernetes service using the ingress object section.

1.    To create a loadbalancer.yaml manifest file that uses the service type LoadBalancer, run the following command. For example:

cat <<EOF > loadbalancer.yaml
apiVersion: v1
kind: Service
metadata:
  name: lb-service
  annotations:
    # Note that the backend talks over HTTP.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    # TODO: Fill in with the ARN of your certificate.
    service.beta.kubernetes.io/aws-load-balancer-tls-cert: arn:aws:acm:{region}:{account id}:certificate/{id}
    # Only run TLS on the port named "https" below.
    service.beta.kubernetes.io/aws-load-balancer-tls-ports: "https"
    # By default, the in-tree controller creates a Classic Load Balancer. If you require an NLB, uncomment the annotation below.
    # service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec:
  selector:
    app: web
  ports:
  - name: http
    port: 80
    targetPort: 80
  - name: https
    port: 443
    targetPort: 80
  type: LoadBalancer
EOF

2.    Edit the annotation service.beta.kubernetes.io/aws-load-balancer-tls-cert to include the ARN of your ACM certificate.

3.    To apply the loadbalancer.yaml file, run the following command:

$ kubectl create -f loadbalancer.yaml

4.    Skip ahead to the Associate your custom domain with the DNS of the load balancer section.

Expose your Kubernetes service using the ingress object

Note: The following resolution assumes that you've installed the AWS Load Balancer Controller in your Amazon EKS cluster.

1.    Create a Kubernetes service of type NodePort based on the following example:

cat <<EOF > ingressservice.yaml
apiVersion: v1
kind: Service
metadata:
  name: web-nginx
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: NodePort
  selector:
    app: web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "web-nginx-ingress"
  annotations:
    # The annotation below specifies whether the load balancer is "internal" or "internet-facing".
    alb.ingress.kubernetes.io/scheme: internet-facing
    # TODO: Fill in with the ARN of your certificate.
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxx:certificate/xxxxxx
    # TODO: Fill in the listening ports.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    # Set HTTP to HTTPS redirects. Every HTTP listener configured will be redirected to below mentioned port over HTTPS.
    alb.ingress.kubernetes.io/tls-redirect: '443'
  labels:
    app: web
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: "web-nginx"
                port:
                  number: 80
EOF

Note: The preceding ingress manifest listens on HTTP and HTTPS, terminates TLS on the ALB, and redirects HTTP to HTTPS.

2.    To apply the ingressservice.yaml file, run the following command:

$ kubectl create -f ingressservice.yaml

Associate your custom domain with the DNS of the load balancer

1.    To return the DNS name of the service of type LoadBalancer, run the following command:

$ kubectl get service

2.    To return the DNS name of the ingress, run the following command:

$ kubectl get ingress/web-nginx-ingress

3.    Associate your custom domain name with the load balancer's DNS name.

4.    In a web browser, test your custom domain over HTTPS:

https://yourdomain.com
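The browser test only shows a padlock. The following script, added here as an example and not part of the original article or of any AWS tool, checks the same endpoint from the command line: it validates the certificate chain the load balancer presents, lists the DNS SANs so you can confirm the ACM certificate actually covers the custom domain (wildcards included), and reports whether plain HTTP on port 80 redirects to HTTPS. It assumes the custom domain already resolves to the load balancer and that the system trust store can validate the ACM chain; the function names are my own.

```python
import http.client
import socket
import ssl
import sys
from urllib.parse import urlsplit

def hostname_matches(hostname, san_names):
    """True if a DNS SAN covers hostname. A wildcard matches exactly one label,
    leftmost only, which is also how ACM wildcard certificates behave."""
    host = hostname.lower().rstrip(".")
    for san in (s.lower().rstrip(".") for s in san_names):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def is_https_redirect(status, location, hostname):
    """True if a plain-HTTP response redirects to the same host over HTTPS
    (the ALB tls-redirect annotation answers 301 with https://host:443/...)."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    url = urlsplit(location)
    return url.scheme == "https" and url.hostname == hostname.lower() and url.port in (None, 443)

def fetch_san_names(hostname, port=443):
    """Return the DNS SANs of the certificate the load balancer presents. The chain
    is still validated against the system trust store; only the hostname check is
    left to hostname_matches() so the report can list what the certificate covers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def check_http_redirect(hostname):
    """Request / over port 80 and report whether it redirects to HTTPS."""
    conn = http.client.HTTPConnection(hostname, 80, timeout=10)
    conn.request("GET", "/", headers={"Host": hostname})
    resp = conn.getresponse()
    return is_https_redirect(resp.status, resp.getheader("Location"), hostname)

if __name__ == "__main__":
    host = sys.argv[1]  # your custom domain, e.g. yourdomain.com
    sans = fetch_san_names(host)
    print("certificate SANs:", sans, "| covers host:", hostname_matches(host, sans))
    # Only the ingress path (tls-redirect) redirects; the LoadBalancer service above leaves port 80 as plain HTTP.
    print("HTTP -> HTTPS redirect:", check_http_redirect(host))
```

For the LoadBalancer service path, expect the redirect check to report False, because that manifest forwards port 80 to the backend unchanged; only the ingress manifest with alb.ingress.kubernetes.io/tls-redirect redirects.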
