Secure Your Kubernetes Application: A Guide to Adding SSL and a Custom Domain

In the world of cloud-native applications, Kubernetes (K8s) has become a cornerstone for orchestrating containerized workloads. However, ensuring secure and professional access to your applications is equally crucial. This guide will walk you through the process of adding an SSL certificate and a custom domain to your Kubernetes application, leveraging the power of AWS services.

Why SSL and a Custom Domain Matter

  • Security: SSL certificates encrypt communication between your application and users, protecting sensitive data from prying eyes.
  • Trust: A valid SSL certificate displays the reassuring padlock icon in browsers, instilling trust in your users.
  • Professionalism: A custom domain name (e.g., yourapp.com) replaces the generic load balancer URL, enhancing your brand identity.

Prerequisites

Before you begin, make sure you have the following:

  • A. A registered domain name (e.g., yourapplication.com).
  • B. Access to AWS Certificate Manager (ACM).
  • C. (Optional, but recommended) Access to Amazon Route53 for DNS management.
  • D. An existing Ingress resource configured for your Kubernetes application.


Step-by-Step Guide

1. Obtain an SSL Certificate (AWS Certificate Manager):


1. Log into the AWS Management Console.

2. Navigate to AWS Certificate Manager (ACM).

3. Click "Request a certificate" and select "Request a public certificate."

4. Enter your domain name (e.g., yourapplication.com) and any additional desired names (e.g., www.yourapplication.com).

5. Choose DNS validation as the validation method. ACM will provide instructions on how to add CNAME records to your domain's DNS settings to prove domain ownership.

2. Update Your Kubernetes Ingress Resource:

  1. Open the YAML file defining your Ingress resource.
  2. Add the following annotations, replacing placeholders:

alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]' 

alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}' 

alb.ingress.kubernetes.io/certificate-arn: <your-certificate-arn>   # Get this from ACM once issued        

These annotations instruct the AWS Load Balancer Controller (LBC) to:

  • Listen on both port 80 (HTTP) and 443 (HTTPS).
  • Automatically redirect HTTP traffic to HTTPS.
  • Use the specified SSL certificate from ACM.

3. If your Ingress resource doesn't already specify a host, add it:

spec:
  rules:
  - host: yourapplication.com
    http:
      # ... (your existing path configuration)        

4. Save your modified YAML file.
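
The annotations and host rule from step 2, assembled into one Ingress manifest (an added example, not the author's own file). The actions.ssl-redirect annotation only defines the redirect action, so the example also includes the path rule that references it; the names my-app and my-app-svc, the service port 80 and ingressClassName alb are assumptions.

```yaml
# Added example. my-app, my-app-svc, port 80 and ingressClassName "alb" are
# hypothetical; substitute the values from your existing Ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    # Create listeners on both ports so plain-HTTP clients can be redirected.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    # Defines an action named "ssl-redirect"; it does nothing until a rule uses it.
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    # ARN of the issued ACM certificate (placeholder, as in the guide).
    alb.ingress.kubernetes.io/certificate-arn: <your-certificate-arn>
spec:
  ingressClassName: alb
  rules:
  - host: yourapplication.com
    http:
      paths:
      # Rule that wires in the action: the service name must equal the action
      # name and the port name must be "use-annotation". It is listed first so
      # the ALB evaluates it before the application rule.
      # (AWS Load Balancer Controller v2.2+ also accepts the single annotation
      # alb.ingress.kubernetes.io/ssl-redirect: '443' in place of this rule.)
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ssl-redirect
            port:
              name: use-annotation
      # Your existing application backend.
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-svc
            port:
              number: 80
```

Once the Ingress is applied and DNS resolves, curl -sI http://yourapplication.com should return a 301 whose Location header starts with https://.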

3. (Optional) Configure DNS in Route53:

  1. If you're using Route53, create an A record in your domain's hosted zone.
  2. Point this A record to the DNS name of your Application Load Balancer (ALB). You can find the ALB's DNS name by running kubectl get ingress <your-ingress-name> in your terminal.

4. Apply the Updated Ingress:

  1. Apply the changes to your Kubernetes cluster:

kubectl apply -f your-ingress-file.yaml        

2. Monitor the status of your Ingress and ALB:

kubectl describe ingress <your-ingress-name>        

5. Test Your Secured Application:

After some time for DNS propagation and certificate validation, access your application using https://yourapplication.com. You should see a padlock icon in the browser's address bar, indicating a secure connection.

Troubleshooting Tips

  • Permissions: Double-check that your Kubernetes service account has the necessary IAM permissions to work with ALB and ACM.
  • Firewall: Ensure your security groups allow inbound traffic on port 443 (HTTPS).
  • Logs: Review the logs of the LBC and ALB in CloudWatch if you encounter any issues.

Conclusion

By following these steps, you can add a layer of security and professionalism to your Kubernetes applications. With SSL/TLS encryption and a custom domain, you build trust with your users and enhance your brand's online presence.



This guide is a fantastic resource for enhancing Kubernetes security and branding! SSL encryption and custom domains are crucial for both security and professionalism. Whether you're new to Kubernetes or an expert, these steps will be invaluable. Looking forward to implementing these!
