How do I terminate HTTPS traffic on Amazon EKS workloads with ACM?

Last updated: 2019-04-22

How do I terminate HTTPS traffic on Amazon Elastic Container Service for Kubernetes (Amazon EKS) workloads with AWS Certificate Manager (ACM)?

Short Description

To terminate HTTPS traffic at the Elastic Load Balancer level for a Kubernetes Service object, you must:

Note: The solution below assumes that you have an active Amazon EKS cluster with associated worker nodes.

Resolution

1.    Identify the ARN of the certificate that you want to use with the load balancer's HTTPS listener.

2.    To identify the nodes registered to your Amazon EKS cluster, run the following command in the environment where kubectl is configured:

$ kubectl get nodes

3.    In your text editor, create a deployment.yaml manifest file with the following code:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: echo-pod
  template:
    metadata:
      labels:
        app: echo-pod
    spec:
      containers:
      - name: echoheaders
        image: k8s.gcr.io/echoserver:1.10
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8080

4.    To create a Kubernetes Deployment object, run the following command:

$ kubectl create -f deployment.yaml

5.    To verify that Kubernetes pods are deployed on your Amazon EKS cluster, run the following command:

$ kubectl get pods

Note: The pods are labeled app=echo-pod. You can use this label as a selector for the Service object to identify a set of pods.

6.    In your text editor, create a service.yaml manifest file with the following code:

apiVersion: v1
kind: Service
metadata:
  name: echo-service
  annotations:
    # Note that the backend talks over HTTP.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    # TODO: Fill in with the ARN of your ACM certificate (the ARN contains the AWS account ID, not a user ID).
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:{region}:{account id}:certificate/{certificate id}
    # Only run SSL on the port named "https" below.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
spec:
  selector:
    app: echo-pod
  ports:
  - name: http
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    targetPort: 8080
  type: LoadBalancer

7.    To create a Service object, run the following command:

$ kubectl create -f service.yaml

8.    To return the DNS URL of the service of type LoadBalancer, run the following command:

$ kubectl get service

Note: If you have a lot of active services running in your cluster, be sure to get the URL of the right service of type LoadBalancer from the command output.

9.    Open the Amazon EC2 console, and then choose Load Balancers.

10.    Select your load balancer, and then choose Listeners.

11.    For Listener ID, confirm that your load balancer port is set to 443.

12.    For SSL Certificate, confirm that the SSL certificate that you defined in the YAML file is attached to your load balancer.

13.    In a web browser, test the LoadBalancer URL over HTTPS, for example:

https://randomString1-randomString2.{region}.elb.amazonaws.com

A successful response returns a webpage with details about the client, including the hostname, pod information, server values, request information, and request headers.
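Steps 8 through 13 can also be verified from the command line. The following script is an added example and not part of the AWS article; it assumes kubectl, the aws CLI (with permission to call elasticloadbalancing:DescribeLoadBalancers) and openssl are installed, and that the Service is the echo-service from step 6.

```shell
#!/bin/sh
# Added example, not from the AWS article: check the HTTPS listener of the
# classic ELB that Kubernetes created for echo-service from the command
# line instead of the EC2 console. Assumes kubectl, the aws CLI and openssl.

# The hostname printed by "kubectl get service" looks like
#   <lb-name>-<digits>.<region>.elb.amazonaws.com
# For a classic ELB, the load balancer name is the part before "-<digits>".
lb_name_from_hostname() {
  first=${1%%.*}                 # drop ".<region>.elb.amazonaws.com"
  printf '%s\n' "${first%-*}"    # drop the trailing "-<digits>"
}

region_from_hostname() {
  rest=${1#*.}                   # "<region>.elb.amazonaws.com"
  printf '%s\n' "${rest%%.*}"
}

# Print "<Protocol> <InstanceProtocol> <InstancePort> <SSLCertificateId>"
# for the listener on load balancer port 443.
describe_https_listener() {
  aws elb describe-load-balancers --region "$2" --load-balancer-names "$1" \
    --output text --query \
    'LoadBalancerDescriptions[0].ListenerDescriptions[?Listener.LoadBalancerPort==`443`].Listener.[Protocol,InstanceProtocol,InstancePort,SSLCertificateId]'
}

# TLS must terminate at the ELB: HTTPS from clients, plain HTTP to the node
# port (matching the backend-protocol annotation), with the intended ACM cert.
# Arguments: expected ARN, then the four fields printed above ($4 is the port).
check_listener() {
  expected_arn=$1; proto=$2; inst_proto=$3; cert=$5
  [ "$proto" = HTTPS ] && [ "$inst_proto" = HTTP ] && [ "$cert" = "$expected_arn" ]
}

# Show which certificate is actually served on 443, independent of the console.
served_certificate() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
}

# Usage: sh check-elb-tls.sh <acm-certificate-arn>
if [ $# -eq 1 ]; then
  host=$(kubectl get service echo-service \
    -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
  name=$(lb_name_from_hostname "$host")
  region=$(region_from_hostname "$host")
  if check_listener "$1" $(describe_https_listener "$name" "$region"); then
    echo "OK: 443 listener on $name terminates TLS with the expected certificate"
  else
    echo "MISMATCH: 443 listener on $name does not match" >&2; exit 1
  fi
  served_certificate "$host"
fi
```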
