Creating a valid SSL certificate for an AWS EKS ingress is pretty simple if you know what to do.
Notice that you can also check the post Setting Up a Publicly Accessible VM with Docker, Nginx, and SSL on GCP.
Before starting, make sure you own a DNS zone that you can update. Let's assume this DNS zone is my-demo.com, and that we want my-site.my-demo.com to serve a valid SSL certificate and route into an EKS ingress, which in turn routes to a specific service.

We start by requesting a certificate from ACM:
```bash
aws acm request-certificate \
  --domain-name "my-site.my-demo.com" \
  --validation-method DNS \
  --idempotency-token myappcert \
  --region us-east-1 \
  --subject-alternative-names "*.my-demo.com"
```
The output includes the certificate ARN, for example:

```json
"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-4f3e-a5d6-d067a159d981"
```

We need to add this ARN as an annotation to our ingress, together with an HTTPS listener:

```yaml
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-4f3e-a5d6-d067a159d981
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
```
Make sure the ingress also includes the following under "spec":

```yaml
ingressClassName: alb
tls:
  - hosts:
      - my-site.my-demo.com
```
Next we describe the certificate, using the ARN we just got in the output:

```bash
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-4f3e-a5d6-d067a159d981
```
In the describe output we find the DNS challenge:

```json
"ResourceRecord": {
    "Name": "_6a234567890345678934567e76822dee.my-site.my-demo.com.",
    "Type": "CNAME",
    "Value": "_9ce23456789345678934567894567657.xlfgrmvvlj.acm-validations.aws."
},
```
Now we need to fulfil this challenge by adding a CNAME record in our DNS zone whose name is the "Name" and whose target is the "Value". Once the record is added we need to wait ~15 minutes, after which https://my-site.my-demo.com serves a valid SSL connection. Leave the CNAME in place afterwards: ACM reuses it to renew the certificate automatically.
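The manual step above (read the ResourceRecord out of the describe output, publish it as a CNAME, wait for ISSUED) is the part that goes wrong in practice, especially with the wildcard SAN, which gets its own validation entry. The following Python is an added example, not code from the post, and it assumes the DNS zone is hosted in Route 53 (the post does not say which DNS provider is used). It parses a constructed copy of the `aws acm describe-certificate` JSON built from the values quoted above (the second validation entry, for `*.my-demo.com`, is constructed), checks that every validation record actually falls inside the zone we control, deduplicates records shared between a SAN and its parent, and emits the `--change-batch` document for `aws route53 change-resource-record-sets`. The polling helpers show what to test for before attaching the ARN to the ingress.

```python
import json

# Constructed sample of `aws acm describe-certificate --output json`, built from the
# values quoted in the post plus a second (constructed) validation entry for the
# wildcard SAN "*.my-demo.com" that the request-certificate call also asked for.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/"
                          "12345678-1234-4f3e-a5d6-d067a159d981",
        "DomainName": "my-site.my-demo.com",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {"DomainName": "my-site.my-demo.com",
             "ValidationStatus": "PENDING_VALIDATION",
             "ValidationMethod": "DNS",
             "ResourceRecord": {
                 "Name": "_6a234567890345678934567e76822dee.my-site.my-demo.com.",
                 "Type": "CNAME",
                 "Value": "_9ce23456789345678934567894567657.xlfgrmvvlj.acm-validations.aws."}},
            {"DomainName": "*.my-demo.com",
             "ValidationStatus": "PENDING_VALIDATION",
             "ValidationMethod": "DNS",
             "ResourceRecord": {  # constructed values, same shape as ACM emits
                 "Name": "_7b345678901456789045678f87933eff.my-demo.com.",
                 "Type": "CNAME",
                 "Value": "_0df34567890456789045678905678768.xlfgrmvvlj.acm-validations.aws."}},
        ],
    }
})


def validation_records(describe_json, zone):
    """Collect the unique DNS validation CNAMEs ACM wants, refusing any record
    that does not live inside the hosted zone we actually control."""
    cert = json.loads(describe_json)["Certificate"]
    zone_suffix = "." + zone.strip(".") + "."
    seen, records = set(), []
    for opt in cert.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if rr is None:
            # EMAIL validation, or ACM has not produced the record yet: nothing to publish
            continue
        if rr["Type"] != "CNAME":
            raise ValueError("unexpected validation record type %s" % rr["Type"])
        if not rr["Name"].endswith(zone_suffix):
            # A record outside our zone can never be published by us, so the
            # certificate would stay PENDING_VALIDATION forever; fail loudly.
            raise ValueError("%s is outside zone %s" % (rr["Name"], zone))
        key = (rr["Name"], rr["Value"])
        if key in seen:
            continue  # a SAN and its parent domain often share one record
        seen.add(key)
        records.append(rr)
    return records


def route53_change_batch(records, ttl=300):
    """Build the --change-batch document for aws route53 change-resource-record-sets.
    UPSERT is idempotent, so re-running after a partial failure is safe."""
    return {
        "Comment": "ACM DNS validation",
        "Changes": [
            {"Action": "UPSERT",
             "ResourceRecordSet": {
                 "Name": r["Name"], "Type": "CNAME", "TTL": ttl,
                 "ResourceRecords": [{"Value": r["Value"]}]}}
            for r in records
        ],
    }


def pending_domains(describe_json):
    """Domains whose validation has not reached SUCCESS; poll until this is empty."""
    cert = json.loads(describe_json)["Certificate"]
    return [o["DomainName"] for o in cert.get("DomainValidationOptions", [])
            if o.get("ValidationStatus") != "SUCCESS"]


def is_issued(describe_json):
    """True once the certificate Status is ISSUED and the ALB can attach it."""
    return json.loads(describe_json)["Certificate"].get("Status") == "ISSUED"


if __name__ == "__main__":
    recs = validation_records(SAMPLE_DESCRIBE_OUTPUT, "my-demo.com")
    # Save this to a file and pass it as --change-batch file://validation.json
    print(json.dumps(route53_change_batch(recs), indent=2))
    print("still pending:", pending_domains(SAMPLE_DESCRIBE_OUTPUT))
    print("issued:", is_issued(SAMPLE_DESCRIBE_OUTPUT))
```

The zone check is deliberate: if you requested the certificate for a name whose validation record lands outside the zone you can edit, the request will sit in PENDING_VALIDATION until it expires, and it is better to find that out before publishing anything. Rerun `describe-certificate` until `pending_domains` is empty and `is_issued` is true before the ALB listener is expected to come up.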