How to Deploy An Nginx Ingress Controller in AWS EKS along with SSL termination in EKS.

Use case using the STAR (Situation, Task, Action, Result) method to switch SSL termination from an AWS Application Load Balancer (ALB) to an SSL termination within an EKS cluster using an Nginx Ingress Controller.

Situation

You are currently using an AWS Application Load Balancer (ALB) to terminate SSL/TLS traffic for your applications running on AWS Elastic Kubernetes Service (EKS). This setup works well, but you want to switch to using SSL termination in your EKS cluster with the Nginx Ingress Controller for better control, flexibility, and potentially reduced costs.

Task

The task is to configure SSL termination within the EKS cluster using the Nginx Ingress Controller instead of the ALB. This involves:

1. Setting up Nginx Ingress Controller in the EKS cluster.
2. Converting a .pfx file to generate cert.pem and key.pem files.
3. Configuring a Kubernetes Secret to store the SSL certificate.
4. Modifying the Ingress resource to use the Kubernetes Secret for SSL termination.
5. Updating Flux to deploy these changes via GitOps.
6. Configuring the AWS Application Load Balancer to pass traffic to the Nginx Ingress Controller.

Actions

1. Setting up Nginx Ingress Controller in EKS

Assuming you have Flux and Terraform set up, let's start with deploying the Nginx Ingress Controller.

Terraform Configuration:

Create a Terraform file nginx-ingress.tf

provider "kubernetes" {

config_path = "~/.kube/config"

}

resource "helm_release" "nginx_ingress" {

name = "nginx-ingress"

repository = "https://kubernetes.github.io/ingress-nginx"

chart = "ingress-nginx"

version = "4.0.1"

set {

name = "controller.service.type"

value = "LoadBalancer"

}

set {

name = "controller.service.externalTrafficPolicy"

value = "Local"

}

}

Apply the Terraform configuration:

terraform init

terraform apply -auto-approve

2. Converting a .pfx File to Generate cert.pem and key.pem Files

Use OpenSSL to convert the .pfx file to cert.pem and key.pem.

openssl pkcs12 -in your-cert.pfx -out cert.pem -clcerts -nokeys

openssl pkcs12 -in your-cert.pfx -out key.pem -nocerts -nodes

3. Creating a Kubernetes Secret for SSL Certificate

Create a Kubernetes Secret to store the SSL certificate and key

kubectl create secret tls my-tls-secret --cert=cert.pem --key=key.pem -n your-namespace

4. Modifying the Ingress Resource

Create the Kubernetes Ingress resource with secret to connect to ingress controller using terraform script , Also create Service Type Cluster IP for service to communicate to application pods.

Create a file named ingress.yaml:

apiVersion: networking.k8s.io/v1

kind: Ingress

metadata:

name: my-app-ingress

namespace: your-namespace

annotations:

nginx.ingress.kubernetes.io/ssl-redirect: "true"

nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

nginx.ingress.kubernetes.io/rewrite-target: /

spec:

ingressClassName: nginx

tls:

- hosts:

- my-app.example.com

secretName: my-tls-secret

rules:

- host: my-app.example.com

http:

paths:

- path: /

pathType: Prefix

backend:

service:

name: my-app-service

port:

number: 80

---

apiVersion: v1

kind: Service

metadata:

name: my-app-service

namespace: your-namespace

spec:

type: ClusterIP

selector:

app: my-app

ports:

- port: 80

targetPort: 7007

protocol: TCP

name: http

5. Updating Flux

Prerequisite: Flux is already configured for your EKS cluster.

Ensure your GitOps setup is properly configured to handle these changes. Commit and push the ingress.yaml file to your Git repository to trigger the Flux deployment.

Apply manifest

kubectl apply -f ingress.yaml

6. Configuring the AWS Application Load Balancer

Ingress Managed Application Load Balancer is by default deployed as part of nginx-ingress controller deployment .Earlier Application pods were directly communicating to Service Type Load balancer to route traffic from application load balancer to pod. Now in place of Application load balancer application will pointing to Service Type Cluster IP.

Cluster IP service will be routing traffic to Ingress controller using Ingress Resource rules. SSL certificate rules are defined in ingress resources. So Ingress Managed Application Load Balancer will pass the traffic to ingress controller to process with SSL termination in EKS cluster.

Result

With these steps completed, SSL termination is now handled by the Nginx Ingress Controller within your EKS cluster. The ALB passes traffic to the Nginx Ingress Controller, which terminates the SSL connection. This offers better control over SSL/TLS configurations, potentially lowers costs by reducing reliance on AWS ALB for SSL termination, and provides more flexibility in managing SSL certificates.

Benefits of Moving SSL Termination to Ingress Controller

1. Cost Efficiency: Reduced Load Balancer Costs: AWS Application Load Balancers (ALBs) charge based on the number of new connections and data processed. By moving SSL termination to the Nginx Ingress Controller within your EKS cluster, you reduce the reliance on ALBs for handling SSL connections, which can significantly reduce costs. Lower Certificate Management Costs: Managing SSL certificates within Kubernetes using Secrets can be more cost-effective than using AWS Certificate Manager (ACM) for ALB.
2. Enhanced Control: Customizable SSL/TLS Settings: Nginx Ingress Controller allows you to fine-tune SSL/TLS settings. You can configure cipher suites, protocols, and other SSL/TLS parameters to meet your security requirements. Custom Annotations: Nginx Ingress provides a wide range of annotations that allow you to customize the behavior of your ingress resources, such as enabling HTTP/2, setting custom timeouts, and handling redirects.
3. Simplified Certificate Management: Automated Certificate Renewal: Tools like cert-manager can be integrated with Nginx Ingress Controller to automate the issuance and renewal of SSL certificates from providers like Let's Encrypt. This reduces the administrative burden of manually renewing certificates. Centralized Management: All SSL certificates can be managed as Kubernetes Secrets, providing a centralized and consistent way to manage certificates across all your applications.
4. Unified Management: Single Point of Configuration: By handling SSL termination within the Kubernetes cluster, you can manage all your SSL configurations in one place. This simplifies the deployment and configuration process, as you don’t need to manage separate configurations for ALB and Nginx Ingress. Version Control: Kubernetes manifests, including those for Ingress resources and Secrets, can be stored in a version-controlled Git repository. Using GitOps tools like Flux, you can automate the deployment and ensure that all changes are tracked and auditable.
5. Improved Performance: Local Termination: Terminating SSL/TLS at the ingress controller can reduce latency compared to forwarding encrypted traffic through the ALB. This is because the SSL handshake and decryption happen closer to the application. Resource Efficiency: By terminating SSL/TLS in the EKS cluster, you can better utilize the resources of your worker nodes for SSL processing, potentially leading to better performance compared to relying on ALBs.
6. Enhanced Security: Advanced Security Configurations: Nginx Ingress Controller supports various security features like Web Application Firewall (WAF) and rate limiting. These features can be configured to protect your applications from common web vulnerabilities and attacks. Isolation and Multi-tenancy: In a multi-tenant Kubernetes environment, you can configure different ingress controllers for different namespaces or teams, providing isolation and better control over SSL/TLS configurations.
7. Flexibility: Multi-cloud and Hybrid Cloud Support: If you operate in a multi-cloud or hybrid cloud environment, managing SSL termination within Kubernetes makes it easier to have a consistent setup across different environments. You’re not tied to the specific features and limitations of AWS ALB. Custom Logic and Plugins: Nginx allows the use of custom modules and plugins, enabling you to implement specific logic required by your applications, such as custom authentication mechanisms or logging.

Conclusion

Moving SSL termination to the Nginx Ingress Controller within your EKS cluster provides several significant benefits, including cost savings, enhanced control and security, simplified certificate management, and improved performance. By leveraging the flexibility and powerful features of Nginx Ingress, you can achieve a more efficient, secure, and manageable setup for handling SSL/TLS traffic in your Kubernetes environment.

Resources :

• https://www.youtube.com/watch?v=gvKi7wZHbLU
• https://kubernetes.github.io/ingress-nginx/

?? Explore my Digital Product AWS DevSecOps industry wide use cases: https://lnkd.in/dzUGDBwY

?? Join the AWS DevSecOps Community: https://lnkd.in/dDsf4rCv

?? Subscribe to the Newsletter: https://lnkd.in/gqgkFZCp

?? Follow on LinkedIn: https://lnkd.in/gy8xy2Gb

?? Subscribe to the YouTube Channel: https://lnkd.in/g6mSHukf

Remember to like, share, and comment to help spread valuable knowledge further. Let's keep learning and growing together.