Setting up TLS with Nginx Ingress
This guide provides a step-by-step tutorial on setting up TLS with Nginx Ingress on AWS EKS clusters.
![Setting up TLS with Nginx Ingress](/content/images/size/w2000/2024/03/aws-eks-nginx-ingress-tls.jpg)
Expose a Kubernetes service with TLS using NGINX Ingress on AWS EKS
Step 1: Create an AWS EKS Cluster
AWS EKS Kubernetes Cluster using eksctl Command
Step 1.1: Install AWS CLI (Mac OS)
Step 1.1.1: Download AWS CLI binary
```bash
curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
```
![](https://blog.kubelancer.com/content/images/2024/03/Screenshot-2024-03-20-at-6.14.53-PM.png)
Step 1.1.2: Install
```bash
sudo installer -pkg ./AWSCLIV2.pkg -target /
```
![](https://blog.kubelancer.com/content/images/2024/03/Screenshot-2024-03-20-at-6.16.51-PM.png)
Step 1.1.3: Verify the installation
```bash
which aws
aws --version
```
![](https://blog.kubelancer.com/content/images/2024/03/Screenshot-2024-03-20-at-6.18.54-PM.png)
Step 1.2: Configure AWS CLI
Step 1.2.1: Log in to the AWS console as root user
Create an IAM user:
- username: kubedeveloper
- No AWS console access, only programmatic access
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjzyYnF1dz2wS5vlHyJgx%2Fuploads%2FPqHMeqwEbvvnagIrU6R0%2Fimage.png?alt=media&token=a26ff775-2a05-4464-9e17-8867ebfd75db)
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjzyYnF1dz2wS5vlHyJgx%2Fuploads%2FqBvBQM5Gg6Mj1iJHG4dr%2Fimage.png?alt=media&token=939df324-46c7-4c35-aa88-fd4b615d2ad0)
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjzyYnF1dz2wS5vlHyJgx%2Fuploads%2F20OeRkHRfASqmrBOVRGx%2Fimage.png?alt=media&token=d308e472-e088-4ec8-9386-2fd32e0f6b0d)
Step 1.2.2: Create an access key and secret access key
Select the IAM user "kubedeveloper"
Navigate to Security Credentials
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjzyYnF1dz2wS5vlHyJgx%2Fuploads%2Fll5brYBnjX1YacsoSyBZ%2Fimage.png?alt=media&token=578a4ad1-1b61-4aba-8a34-c3d9d1205a86)
Click Create access key
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjzyYnF1dz2wS5vlHyJgx%2Fuploads%2FsvI4AX25o2ADcgQ1QxRk%2Fimage.png?alt=media&token=fcd6f1ab-bfe4-4db9-971d-523c899f3a55)
Select the use case "Command Line Interface (CLI)" and check the confirmation
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjzyYnF1dz2wS5vlHyJgx%2Fuploads%2F8vlg3x9lBqgQW6taHVLB%2Fimage.png?alt=media&token=d130a183-f0ee-46a6-9037-9f90656057cd)
Set a description tag (optional) and click Create
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjzyYnF1dz2wS5vlHyJgx%2Fuploads%2FqPpnqqmYaTlRoO4NI6pF%2Fimage.png?alt=media&token=fa415c45-ae0d-4100-8703-0252dea0500f)
Step 1.2.3: Configure AWS CLI on Mac OS command-line
```bash
aws configure
```
![](https://blog.kubelancer.com/content/images/2024/03/Screenshot-2024-03-20-at-6.44.04-PM-1.png)
Step 1.3: Install eksctl on Mac OS
Step 1.3.1: To download the latest release, run on Mac OS (arm64 architecture):
```bash
curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_Darwin_arm64.tar.gz"
tar -xzvf eksctl_Darwin_arm64.tar.gz
sudo mv ./eksctl /usr/local/bin
```
![](https://blog.kubelancer.com/content/images/2024/03/Screenshot-2024-03-20-at-6.56.56-PM.png)
Ref: https://www.weave.works/oss/eksctl/
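The download in Step 1.3.1 is moved into /usr/local/bin without any integrity check. The following is an added example (not part of the original guide or of eksctl) that compares the archive against a SHA-256 checksum file before installing; it assumes the `eksctl_checksums.txt` file published alongside the eksctl release archives, and the function names are hypothetical. Because the checksum file comes from the same release host, this catches corrupted, truncated or mismatched downloads rather than a compromised release.

```bash
# sha256_of FILE: print the hex SHA-256 (GNU sha256sum, or shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_download ARCHIVE CHECKSUMS_FILE
# Returns 0 on match, 1 on mismatch, 2 when the archive is not listed
# (fail closed: an unlisted file is never treated as verified).
verify_download() {
  archive=$1; sums=$2
  name=$(basename "$archive")
  # Checksum files list "<digest>  <name>" (or "<digest> *<name>" in binary mode).
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1; exit}' "$sums")
  if [ -z "$expected" ]; then
    echo "FAIL: $name is not listed in $sums"; return 2
  fi
  actual=$(sha256_of "$archive")
  if [ "$actual" != "$expected" ]; then
    echo "FAIL: $name has digest $actual, expected $expected"; return 1
  fi
  echo "OK: $name matches $sums"
}

# Offline demo on constructed input (not a real eksctl archive).
demo=$(mktemp -d)
printf 'constructed archive bytes\n' > "$demo/eksctl_Darwin_arm64.tar.gz"
printf '%s  %s\n' "$(sha256_of "$demo/eksctl_Darwin_arm64.tar.gz")" \
  eksctl_Darwin_arm64.tar.gz > "$demo/eksctl_checksums.txt"
verify_download "$demo/eksctl_Darwin_arm64.tar.gz" "$demo/eksctl_checksums.txt"

# With the real download from Step 1.3.1:
#   curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt"
#   verify_download eksctl_Darwin_arm64.tar.gz eksctl_checksums.txt \
#     && tar -xzvf eksctl_Darwin_arm64.tar.gz && sudo mv ./eksctl /usr/local/bin
```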
Step 1.3.2: Creating an AWS EKS Kubernetes Cluster using eksctl
Create the cluster configuration YAML file:
```bash
vi cluster-config.yaml
```
```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: kubelancer-cluster-2
  region: us-east-1

nodeGroups:
  - name: ng-1
    instanceType: t4g.small
    desiredCapacity: 2   # number of worker nodes
    volumeSize: 10       # root volume size in GiB
    ssh:
      allow: false       # no SSH access to the worker nodes
```
Create the EKS cluster on AWS using the eksctl command:
```bash
eksctl create cluster -f cluster-config.yaml
```
![](https://blog.kubelancer.com/content/images/2024/03/Screenshot-2024-03-20-at-7.01.28-PM.png)
Step 1.3.3: Use the following command to get kube-config
```bash
aws eks update-kubeconfig --name=kubelancer-cluster-2 --region=us-east-1
kubectl get node
```
![](https://blog.kubelancer.com/content/images/2024/03/Screenshot-2024-03-20-at-7.03.34-PM.png)
Step 2: Deploy the NGINX Ingress Controller
```bash
kubectl create namespace ingress-nginx
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml
```
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtIAC1lPEGKYMOMihDaPg%2Fuploads%2FVBh6nhAcJNG7teP272de%2FScreenshot%202024-03-20%20at%204.55.45%E2%80%AFPM.png?alt=media&token=6fe6bcb5-6f38-4d3d-8c3e-8669bc19243e)
Pre-flight check
```bash
kubectl get pods -n ingress-nginx
```
Output
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtIAC1lPEGKYMOMihDaPg%2Fuploads%2FDD6sfjKtcyJkGktLpuCv%2Fimage.png?alt=media&token=49a65b77-42f5-4a82-9067-761e1cd15558)
List Service
```bash
kubectl get svc --namespace=ingress-nginx
```
Output
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtIAC1lPEGKYMOMihDaPg%2Fuploads%2FGLRrgUBXcuRyro83y5nR%2Fimage.png?alt=media&token=fdeb9af4-0831-4939-ad75-154561f23803)
Step 3: Deploy a sample application
```bash
kubectl create ns dev
vi kubewebserver.yaml
```
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubewebserver
  namespace: dev
  labels:
    app: kubewebserver
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubewebserver
  template:
    metadata:
      labels:
        app: kubewebserver
    spec:
      containers:
        - name: kubewebserver
          image: kubelancer/hello-kubelancer:v1
          ports:
            - containerPort: 80
---
# ClusterIP service: reachable only inside the cluster, exposed via the Ingress
apiVersion: v1
kind: Service
metadata:
  name: kubewebserver-service
  namespace: dev
  labels:
    app: kubewebserver-service
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    app: kubewebserver
```
```bash
kubectl apply -f kubewebserver.yaml
```
Output
```bash
kubectl get deploy,svc -n dev
```
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtIAC1lPEGKYMOMihDaPg%2Fuploads%2FeTk07j4AlfoaJIXxHrM0%2FScreenshot%202024-03-20%20at%205.05.19%E2%80%AFPM.png?alt=media&token=651be820-e1b8-4708-be3a-eeb237477fce)
Step 4: Create ingress without TLS
```bash
vi ingress-with-host.yaml
```
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-with-host-02
  namespace: dev
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  # No tls section yet: the host is served over plain HTTP only
  rules:
    - host: webtest.kubelancer.in
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubewebserver-service
                port:
                  number: 80
```
```bash
kubectl apply -f ingress-with-host.yaml
```
Output
```bash
kubectl get ingress -n dev
```
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtIAC1lPEGKYMOMihDaPg%2Fuploads%2F97L9U3aHwsZnlKpGegNY%2Fimage.png?alt=media&token=a516a462-414d-4dbf-b3f1-ca969e4770bc)
Output
```bash
curl http://webtest.kubelancer.in
```
```
Hello Kubelancer
```
Next, perform the steps below to access the same website over https://.
To configure SSL, we are going to use cert-manager and Let's Encrypt in this lab.
In simple terms:
Cert Manager
cert-manager creates TLS certificates for workloads in your Kubernetes cluster and also helps to renew the certificates.
cert-manager obtains certificates from Let's Encrypt.
Let's Encrypt
To enable HTTPS for a website, we need to purchase an SSL certificate from a Certificate Authority, which costs money. For a demo or development environment, we have the choice of using a free Certificate Authority (CA): Let's Encrypt.
Step 5: Deploy cert-manager
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.yaml
```
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtIAC1lPEGKYMOMihDaPg%2Fuploads%2FIsrT2vcrzntmh1n0WR9T%2FScreenshot%202024-03-20%20at%205.16.43%E2%80%AFPM.png?alt=media&token=6211691e-2d79-4b45-b818-3eab3486c89f)
Output
```bash
kubectl get pods --namespace cert-manager
```
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtIAC1lPEGKYMOMihDaPg%2Fuploads%2FfW985jE6K3Y1SwsGolWl%2FScreenshot%202024-03-20%20at%205.18.25%E2%80%AFPM.png?alt=media&token=021f2afc-f111-4365-8f63-0b8067382618)
Step 6: Configure a Let's Encrypt Issuer
```yaml
# issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: dev          # an Issuer is namespaced: it only serves the dev namespace
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: noreply@gmail.com
    privateKeySecretRef:
      name: letsencrypt-prod   # Secret that stores the ACME account private key
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx
```
```bash
kubectl create -f issuer.yaml
kubectl get issuer -n dev
```
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtIAC1lPEGKYMOMihDaPg%2Fuploads%2FpASQoTkG0GYkOn07QeBf%2FScreenshot%202024-03-20%20at%205.24.04%E2%80%AFPM.png?alt=media&token=62650b32-cd15-40d6-8d64-f8e019ca2e94)
Step 7: Deploy a TLS Ingress Resource
```bash
vi ingress-with-host.yaml
```
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-with-host-02
  namespace: dev
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    cert-manager.io/issuer: "letsencrypt-prod"   # must match the Issuer name in the same namespace
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - webtest.kubelancer.in
      secretName: kubewebserver-tls   # cert-manager stores the issued certificate and key here
  rules:
    - host: webtest.kubelancer.in
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubewebserver-service
                port:
                  number: 80
```
```bash
kubectl apply -f ingress-with-host.yaml
kubectl get secret -n dev
```
![](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtIAC1lPEGKYMOMihDaPg%2Fuploads%2FMlA2bfOoYaLfpeXRNc8k%2FScreenshot%202024-03-20%20at%205.28.05%E2%80%AFPM.png?alt=media&token=f8b51b85-1c32-4185-bb95-a9da22da0702)
Step 8: Output
![](https://blog.kubelancer.com/content/images/2024/03/spaces-2FtIAC1lPEGKYMOMihDaPg-2Fuploads-2F4Zjo6fjkr2hyQLfQ65vj-2FScreenshot-202024-03-20-20at-205.30.13-E2-80-AFPM.png)
Now the website has a secure connection.
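The presence of the `kubewebserver-tls` secret does not by itself show what nginx is serving: until issuance completes, the ingress controller answers with its own default certificate, which does not cover the site's hostname. The following added example (not part of the original guide) checks that a certificate covers the host and is not close to expiry; it assumes OpenSSL 1.1.1 or newer, the function names are hypothetical, and the demo certificates are constructed self-signed ones.

```bash
# check_cert PEM_FILE HOSTNAME MIN_DAYS
# Returns 0 only if the certificate covers HOSTNAME and stays valid for at
# least MIN_DAYS more days; returns 1 (wrong name) or 2 (expiring) otherwise.
check_cert() {
  pem=$1; host=$2; min_days=$3
  if ! openssl x509 -in "$pem" -noout -checkhost "$host" 2>&1 \
       | grep -q "does match certificate"; then
    echo "FAIL: certificate does not cover $host"
    openssl x509 -in "$pem" -noout -subject -issuer
    return 1
  fi
  if ! openssl x509 -in "$pem" -noout \
       -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: certificate expires within $min_days days"
    return 2
  fi
  echo "OK: $host, $(openssl x509 -in "$pem" -noout -enddate)"
}

# make_sample_cert OUT_PEM HOSTNAME DAYS
# Constructed test input: a throwaway self-signed certificate for HOSTNAME.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1" -days "$3" -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Offline demo: one certificate for the site, one for an unrelated name
# (a stand-in for what a client sees when nginx serves a fallback certificate).
tmp=$(mktemp -d)
make_sample_cert "$tmp/site.pem" webtest.kubelancer.in 90
make_sample_cert "$tmp/fallback.pem" ingress.local 90
check_cert "$tmp/site.pem" webtest.kubelancer.in 30
check_cert "$tmp/fallback.pem" webtest.kubelancer.in 30

# Against the live endpoint from this guide:
#   openssl s_client -connect webtest.kubelancer.in:443 \
#     -servername webtest.kubelancer.in </dev/null 2>/dev/null \
#     | openssl x509 > served.pem
#   check_cert served.pem webtest.kubelancer.in 30
```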