How do I terminate HTTPS traffic on Amazon EKS workloads with ACM?

Last updated: 2019-12-10

How do I terminate HTTPS traffic on Amazon Elastic Kubernetes Service (Amazon EKS) workloads with AWS Certificate Manager (ACM)?

Short Description

To terminate HTTPS traffic at the Elastic Load Balancing level for a Kubernetes Service object, you must:

  • Request a public ACM certificate for your custom domain.
  • Publish your Kubernetes service with the type field set to LoadBalancer.
  • Specify the Amazon Resource Name (ARN) of your ACM certificate on your Kubernetes service so that the Classic Load Balancer is created with that certificate attached to its HTTPS listener.
  • Associate your custom domain with the Classic Load Balancer.

Note: The following resolution assumes that you have an active Amazon EKS cluster with associated worker nodes.

Resolution

1.    Request a public ACM certificate for your custom domain.

2.    Identify the ARN of the certificate that you want to use with the load balancer's HTTPS listener.

3.    To identify the nodes registered to your Amazon EKS cluster, run the following command in the environment where kubectl is configured:

$ kubectl get nodes

4.    In your text editor, create a deployment.yaml manifest file with the following code:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: echo-pod
  template:
    metadata:
      labels:
        app: echo-pod
    spec:
      containers:
      - name: echoheaders
        image: k8s.gcr.io/echoserver:1.10
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8080

5.    To create a Kubernetes Deployment object, run the following command:

$ kubectl create -f deployment.yaml

6.    To verify that Kubernetes pods are deployed on your Amazon EKS cluster, run the following command:

$ kubectl get pods

Note: The pods are labeled app=echo-pod. You can use this label as a selector for the Service object to identify a set of pods.

7.    In your text editor, create a service.yaml manifest file based on the following example. Then, edit the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert to provide the ACM ARN from step 2.

apiVersion: v1
kind: Service
metadata:
  name: echo-service
  annotations:
    # Note that the backend talks over HTTP.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    # TODO: Fill in with the ARN of your certificate.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:{region}:{user id}:certificate/{id}
    # Only run SSL on the port named "https" below.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
spec:
  selector:
    app: echo-pod
  ports:
  - name: http
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    targetPort: 8080
  type: LoadBalancer

8.    To create a Service object, run the following command:

$ kubectl create -f service.yaml

9.    To get the DNS name of the load balancer that was created for the service of type LoadBalancer, run the following command:

$ kubectl get service

Note: If you have many active services running in your cluster, be sure to get the URL of the right service of type LoadBalancer from the command output.

10.    Open the Amazon EC2 console, and then choose Load Balancers.

11.    Select your load balancer, and then choose Listeners.

12.    For Listener ID, confirm that your load balancer port is set to 443.

13.    For SSL Certificate, confirm that the SSL certificate that you defined in the YAML file is attached to your load balancer.

14.    Associate your custom domain name with the DNS name of your load balancer.

15.    In a web browser, test your custom domain over HTTPS at the following URL:

https://yourdomain.com

A successful response returns a webpage with details about the client, including the hostname, pod information, server values, request information, and request headers.
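Steps 7 through 13 amount to two checks that are easy to get wrong silently: the service manifest must carry a real ACM ARN (not the TODO placeholder) in the aws-load-balancer-ssl-cert annotation, the aws-load-balancer-ssl-ports annotation must name a port that exists in spec.ports, and the Classic Load Balancer that results must end up with an HTTPS listener on port 443 that carries that certificate and forwards to the pods over HTTP. The following Python script is an added example, not code from the article or from AWS; it performs both checks offline against constructed sample data in the shape of `kubectl get service echo-service -o json` and `aws elb describe-load-balancers` output. The certificate ARN, load balancer name, DNS name and node ports in it are made-up placeholders.

```python
import copy
import re

SSL_CERT = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
SSL_PORTS = "service.beta.kubernetes.io/aws-load-balancer-ssl-ports"
BACKEND_PROTO = "service.beta.kubernetes.io/aws-load-balancer-backend-protocol"

# Shape of an ACM certificate ARN: arn:aws:acm:<region>:<12-digit account id>:certificate/<uuid>
ACM_ARN_RE = re.compile(
    r"^arn:aws(-[a-z]+)?:acm:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:certificate/"
    r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$"
)

# Constructed placeholder ARN; it does not refer to a real certificate.
CERT_ARN = "arn:aws:acm:us-west-2:123456789012:certificate/12345678-1234-1234-1234-123456789012"

# Constructed sample: the parsed output of `kubectl get service echo-service -o json`
# for the article's manifest once the ARN has been filled in.
SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "echo-service",
        "annotations": {BACKEND_PROTO: "http", SSL_CERT: CERT_ARN, SSL_PORTS: "https"},
    },
    "spec": {
        "type": "LoadBalancer",
        "selector": {"app": "echo-pod"},
        "ports": [
            {"name": "http", "port": 80, "targetPort": 8080, "nodePort": 31234},
            {"name": "https", "port": 443, "targetPort": 8080, "nodePort": 31235},
        ],
    },
}

# Constructed sample: one entry of LoadBalancerDescriptions from
# `aws elb describe-load-balancers`, with the listeners the service above should produce.
ELB = {
    "LoadBalancerName": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
    "DNSName": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6-1234567890.us-west-2.elb.amazonaws.com",
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                      "InstanceProtocol": "HTTP", "InstancePort": 31234}},
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTP", "InstancePort": 31235,
                      "SSLCertificateId": CERT_ARN}},
    ],
}


def check_service(svc):
    """Return a list of problems with a Service meant to terminate TLS at the Classic Load Balancer."""
    problems = []
    ann = (svc.get("metadata") or {}).get("annotations") or {}
    spec = svc.get("spec") or {}
    if spec.get("type") != "LoadBalancer":
        problems.append("spec.type must be LoadBalancer for a Classic Load Balancer to be created")
    arn = ann.get(SSL_CERT, "")
    if not ACM_ARN_RE.match(arn):
        problems.append(f"{SSL_CERT} is missing or is not a well-formed ACM ARN: {arn!r}")
    backend = ann.get(BACKEND_PROTO, "")
    if backend != "http":
        problems.append(f"{BACKEND_PROTO} is {backend!r}; the echoserver pod speaks plain HTTP")
    ports = spec.get("ports") or []
    # ssl-ports may list port names or port numbers, comma separated.
    known = {str(p.get("name")) for p in ports} | {str(p.get("port")) for p in ports}
    ssl_ports = [p.strip() for p in ann.get(SSL_PORTS, "").split(",") if p.strip()]
    if not ssl_ports:
        problems.append(f"{SSL_PORTS} is not set; name the listener that should carry TLS")
    for p in ssl_ports:
        if p not in known:
            problems.append(f"{SSL_PORTS} names {p!r}, which is not in spec.ports")
    return problems


def check_listener(elb, cert_arn):
    """Steps 12 and 13 as code: the port-443 listener must be HTTPS with the expected certificate."""
    listeners = [d["Listener"] for d in elb.get("ListenerDescriptions", [])]
    https = [l for l in listeners if l.get("LoadBalancerPort") == 443]
    if not https:
        return ["no listener on port 443"]
    lst = https[0]
    problems = []
    if lst.get("Protocol") != "HTTPS":
        problems.append(f"listener 443 protocol is {lst.get('Protocol')!r}, expected HTTPS")
    if lst.get("SSLCertificateId") != cert_arn:
        problems.append(f"listener 443 certificate is {lst.get('SSLCertificateId')!r}, expected {cert_arn!r}")
    if lst.get("InstanceProtocol") != "HTTP":
        problems.append(f"listener 443 forwards to nodes as {lst.get('InstanceProtocol')!r}, expected HTTP")
    return problems


def unfilled_service():
    """The article's manifest with the TODO placeholder ARN left in place, for demonstration."""
    svc = copy.deepcopy(SERVICE)
    svc["metadata"]["annotations"][SSL_CERT] = "arn:aws:acm:{region}:{user id}:certificate/{id}"
    return svc


if __name__ == "__main__":
    for label, svc in (("filled-in service", SERVICE), ("placeholder left in", unfilled_service())):
        print(label + ":", check_service(svc) or "OK")
    print("listener 443:", check_listener(ELB, CERT_ARN) or "OK")
```

To run the same checks against a real cluster, replace SERVICE with the parsed output of `kubectl get service echo-service -o json` and ELB with the matching entry of `aws elb describe-load-balancers --load-balancer-names <name>`; the load balancer name is the first label of the DNS name that `kubectl get service` prints in step 9.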

