user5047085

Is there a way to configure an EKS service to use HTTPS?

Here is the config for our current EKS service:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: main-api
  name: main-api-svc
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  externalTrafficPolicy: Cluster
  ports:
    - name: http-port
      port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: main-api
  sessionAffinity: None
  type: LoadBalancer

Is there a way to configure it to use HTTPS instead of HTTP?

Upvotes: 10

Views: 7810

Answers (3)

王子1986

Reputation: 3609

Although it is HTTP, isn't it secure by default, since it is protected within your own VPC and private security subnet?

Upvotes: 0

0xMH

Reputation: 2142

To terminate HTTPS traffic on Amazon Elastic Kubernetes Service and pass it to a backend:

1.    Request a public ACM certificate for your custom domain.

2.    Identify the ARN of the certificate that you want to use with the load balancer's HTTPS listener.

3.    In your text editor, create a service.yaml manifest file based on the following example. Then, edit the annotations to provide the ACM ARN from step 2.

apiVersion: v1
kind: Service
metadata:
  name: echo-service
  annotations:
    # Note that the backend talks over HTTP.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    # TODO: Fill in with the ARN of your ACM certificate (region, 12-digit AWS account ID, certificate ID).
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:{region}:{account-id}:certificate/{id}
    # Only run SSL on the port named "https" below.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"

spec:
  type: LoadBalancer
  selector:
    app: echo-pod
  ports:
  - name: http
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    targetPort: 8080

4.    To create a Service object, run the following command:

$ kubectl create -f service.yaml

5.    To return the DNS URL of the service of type LoadBalancer, run the following command:

$ kubectl get service

Note: If you have many active services running in your cluster, be sure to get the URL of the right service of type LoadBalancer from the command output.

6.    Open the Amazon EC2 console, and then choose Load Balancers.

7.    Select your load balancer, and then choose Listeners.

8.    For Listener ID, confirm that your load balancer port is set to 443.

9.    For SSL Certificate, confirm that the SSL certificate that you defined in the YAML file is attached to your load balancer.

10.    Associate your custom domain name with your load balancer name.

11.    Finally, in a web browser, test your custom domain using HTTPS:

https://yourdomain.com

Upvotes: 12
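The steps above applied to the Service from the question, as an added example in Python (not code from this answer or from the asker): `harden_for_tls` adds the same three annotations and a port-443 listener to the asker's NLB Service, and `lint_tls` checks the result the way steps 8 and 9 do in the console, before anything is applied. The function names, the in-memory copy of the manifest and the ACM ARN are assumptions made here; the ARN is a made-up placeholder with the shape ACM produces. It goes one step beyond the answer's manifest by dropping the plaintext port-80 listener unless `keep_plaintext=True`, so clients cannot silently fall back to HTTP.

```python
"""Apply TLS-termination annotations to the asker's Service and lint the result.

Added example, not code from the original answer. Function names, the
placeholder ACM ARN and the in-memory manifest are assumptions made here; the
annotation keys are the in-tree AWS cloud-provider ones used in the answer.
"""
import copy
import json
import re

ANN = "service.beta.kubernetes.io/aws-load-balancer-"
ACM_ARN_RE = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]+$")

# Placeholder ARN (made up) with the shape ACM produces: region, 12-digit account ID, cert ID.
EXAMPLE_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"

# The Service from the question, constructed here as a dict (YAML is a superset of JSON).
ASKER_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "main-api-svc",
        "labels": {"app": "main-api"},
        "annotations": {ANN + "type": "nlb"},
    },
    "spec": {
        "type": "LoadBalancer",
        "externalTrafficPolicy": "Cluster",
        "selector": {"app": "main-api"},
        "sessionAffinity": "None",
        "ports": [{"name": "http-port", "port": 80, "protocol": "TCP", "targetPort": 80}],
    },
}


def harden_for_tls(svc, cert_arn, keep_plaintext=False):
    """Return a copy of svc that terminates TLS on the AWS load balancer.

    Adds a port-443 listener with the ACM certificate attached, keeps the
    backend on plain HTTP (the pods are unchanged) and, unless keep_plaintext
    is set, drops the existing plaintext listener(s).
    """
    out = copy.deepcopy(svc)
    ann = out["metadata"].setdefault("annotations", {})
    ann[ANN + "backend-protocol"] = "http"  # load balancer -> pod stays HTTP
    ann[ANN + "ssl-cert"] = cert_arn         # certificate for the TLS listener
    ann[ANN + "ssl-ports"] = "https"         # only the port named "https" gets TLS
    target = out["spec"]["ports"][0]["targetPort"]  # reuse the pods' existing port
    https_port = {"name": "https", "port": 443, "protocol": "TCP", "targetPort": target}
    old = [p for p in out["spec"]["ports"] if p.get("port") != 443]
    out["spec"]["ports"] = (old if keep_plaintext else []) + [https_port]
    return out


def _is_tls_listener(port, cert, ssl_ports):
    """Annotation semantics: no ssl-cert means no TLS anywhere; no ssl-ports
    (or "*") means every port; otherwise match by port name or number."""
    if not cert:
        return False
    if not ssl_ports or "*" in ssl_ports:
        return True
    return port.get("name") in ssl_ports or str(port.get("port")) in ssl_ports


def lint_tls(svc):
    """Return a list of findings; an empty list means every listener is TLS."""
    findings = []
    spec = svc.get("spec", {})
    ann = svc.get("metadata", {}).get("annotations", {})
    ports = spec.get("ports", [])
    if spec.get("type") != "LoadBalancer":
        findings.append("spec.type is not LoadBalancer; no AWS load balancer is created")
    cert = ann.get(ANN + "ssl-cert")
    if not cert:
        findings.append("no ssl-cert annotation: every listener is plaintext")
    elif not ACM_ARN_RE.match(cert):
        findings.append("ssl-cert is not a well-formed ACM certificate ARN: " + cert)
    ssl_ports = {s.strip() for s in ann.get(ANN + "ssl-ports", "").split(",") if s.strip()}
    known = {p.get("name") for p in ports} | {str(p.get("port")) for p in ports}
    for name in sorted(ssl_ports - known - {"*"}):
        findings.append("ssl-ports names '%s', which matches no declared port" % name)
    for p in ports:
        if not _is_tls_listener(p, cert, ssl_ports):
            findings.append("listener on port %s accepts plaintext" % p.get("port"))
    return findings


if __name__ == "__main__":
    print("before:", lint_tls(ASKER_SERVICE))
    hardened = harden_for_tls(ASKER_SERVICE, EXAMPLE_ARN)
    print("after: ", lint_tls(hardened))
    print(json.dumps(hardened, indent=2))  # valid YAML; pipe into `kubectl apply -f -`
```

The linter only reads the manifest, so it cannot tell whether the controller in the cluster honours these annotations: TLS termination on an NLB through `aws-load-balancer-ssl-cert` needs either a recent in-tree AWS cloud provider or the AWS Load Balancer Controller, so steps 8 and 9 in the console are still worth doing once.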

Eran Chetzroni

Reputation: 1116

You should use an Ingress (and not a Service) to expose HTTP/S outside of the cluster. I suggest using the ALB Ingress Controller.

There is a complete walkthrough here

You can see how to set up TLS/SSL here.

Upvotes: 0
