In this article, we are going to learn how to install the Nginx Ingress Controller in EKS with SSL enabled. AWS recommends using the ALB Controller for EKS clusters, but the ALB Controller has some limitations, so we are going to use the Nginx Ingress Controller for our EKS cluster. Let's get started.

Prerequisite

  • EKS Cluster
  • Add Helm Repository

    Here we are going to use Helm to install the Nginx Ingress Controller. So first we need to add the Helm repository to our local machine. To do that, run the commands below.

    helm repo add nginx-stable https://helm.nginx.com/stable
    helm repo update

    Now we can see the added repository by running the command below.

    helm repo list

    Install Nginx Ingress Controller

    Now we can install the Nginx Ingress Controller by running the command below.

    helm upgrade --install nginx-ingress ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace nginx-ingress --create-namespace

    We can also see the installed Nginx Ingress Controller pods by running the command below.

    kubectl get pods -n nginx-ingress

    The output will look like this.

    NAME                                       READY   STATUS    RESTARTS   AGE
    nginx-ingress-controller-95fc5f944-qj6sg   1/1     Running   0          5d6h

    Verify whether the LoadBalancer has been created by running the command below.

    kubectl get services -n nginx-ingress

    The output will look like this.

    NAME                                     TYPE           CLUSTER-IP     EXTERNAL-IP                                                              PORT(S)                      AGE
    nginx-ingress-ingress-nginx-controller   LoadBalancer   10.100.20.84   af5836566fac145d9a649bb18c6376f0-XXXXXXXXX.us-east-2.elb.amazonaws.com   80:31105/TCP,443:31746/TCP   5d6h

    Make sure to copy the EXTERNAL-IP. We need to use this EXTERNAL-IP to map our domain name.

    Map the Domain 2048.<domain>.com

    Now we need to map the domain 2048.your-domain-name.com (the sub-domain where we are going to serve our demo application) to the LoadBalancer EXTERNAL-IP. To do that we need to create a CNAME record in our DNS provider. Here I am using AWS Route53 as my DNS provider. If you need to learn how to add a domain with Amazon Route 53, please refer to the article. So I am going to create a CNAME record in Route53. If you are using another DNS provider, you can follow the same steps to create a CNAME record there.

    Go to your Route53 hosted zone and click on Create Record Set. Then add the details below to create a CNAME record.

    Name: 2048
    Type: CNAME
    Value: af5836566fac145d9a649bb18c6376f0-XXXXXXXXX.us-east-2.elb.amazonaws.com

    Deploy Demo Application

    Now we can deploy a demo application to test our Nginx Ingress Controller. Here I am going to deploy the 2048 game as a demo app. Create a file called `2048.yaml` and add the content below to that file.

    ---
    apiVersion: v1
    kind: Namespace
    metadata:
      name: 2048-game
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: deployment-2048
      namespace: 2048-game
    spec:
      selector:
        matchLabels:
          app.kubernetes.io/name: app-2048
      replicas: 5
      template:
        metadata:
          labels:
            app.kubernetes.io/name: app-2048
        spec:
          containers:
            - image: alexwhen/docker-2048
              imagePullPolicy: Always
              name: app-2048
              ports:
                - containerPort: 80
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: service-2048
      namespace: 2048-game
    spec:
      ports:
        - port: 80
          targetPort: 80
          protocol: TCP
      type: NodePort
      selector:
        app.kubernetes.io/name: app-2048
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: nginx-2048-ingress
      namespace: 2048-game
      annotations:
        kubernetes.io/ingress.class: nginx
    spec:
      rules:
        - host: 2048.domain.com
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: service-2048
                    port:
                      number: 80

    Now we can deploy this application by running the command below.

    kubectl apply -f 2048.yaml -n 2048-game

    It’ll take some time to propagate the DNS changes. After that, you can access the 2048 Games application by using the URL http://2048.domain.com. You can now see the 2048 Games application is working fine but the URL is not secure. So we need to add SSL to our application. To do that we need to install Cert-Manager.

    Install Cert-Manager

    Here we are going to use `Cert-Manager` to add SSL to our application. So first we need to install Cert-Manager. The `jetstack/cert-manager` chart reference needs the Jetstack Helm repository, so add it and then run the install command.

    helm repo add jetstack https://charts.jetstack.io
    helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.11.0 --set installCRDs=true

    This will install Cert-Manager in our EKS cluster. Now we can see the installed Cert-Manager pods by running the command below.

    kubectl get pods -n cert-manager

    Install Cluster Issuer

    Now we need to install Cluster Issuer. To do that create a file called `cluster-issuer.yaml` and add below content to that file.

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: admin@<domain>.com
        privateKeySecretRef:
          name: letsencrypt-prod
        solvers:
          - http01:
              ingress:
                class: nginx

    Now we can install the Cluster Issuer by running the command below.

    kubectl apply -f cluster-issuer.yaml

    Update the ingress to use SSL

    Now we need to update the ingress we have created for our 2048-game application like this.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: nginx-2048-ingress
      namespace: 2048-game
      annotations:
        kubernetes.io/ingress.class: nginx
        cert-manager.io/cluster-issuer: letsencrypt-prod ### Add this annotation rule
    spec:
      rules:
        - host: 2048.<domain>.com
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: service-2048
                    port:
                      number: 80
      tls: ### Add this section
        - hosts:
            - 2048.<domain>.com
          secretName: 2048-game-tls

    Now you can apply this ingress by running the command below.

    kubectl apply -f 2048.yaml -n 2048-game

    Now you can see the SSL certificate is added to the 2048.domain.com. You can check that by going to the browser and accessing the 2048 Games application by using the URL https://2048.domain.com.
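
A scripted version of the browser check above, as an added example that is not part of the original article: it connects with full certificate verification and reports whether the served certificate was issued by Let's Encrypt, covers the host and is not close to expiry. The hostname `2048.example.com`, the `SAMPLE_CERT` values and the function names are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# 2048.example.com stands in for the tutorial's 2048.<domain>.com.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "2048.example.com"),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

def evaluate_cert(cert, hostname, now=None, min_days=14):
    """Return a list of problems found in a getpeercert()-style dict."""
    now = now or datetime.now(timezone.utc)
    problems = []
    # issuer is a tuple of RDNs, each a tuple of (field, value) pairs
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("organizationName") != "Let's Encrypt":
        problems.append(f"unexpected issuer: {issuer.get('organizationName')!r}")
    # HTTP-01 cannot issue wildcards, so an exact SAN match is expected
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if hostname.lower() not in sans:
        problems.append(f"{hostname} not in SANs {sans}")
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < min_days:
        problems.append(f"expires in {days_left} days")
    return problems

def check_host(hostname, port=443, timeout=5):
    """Connect with full chain and hostname verification, then evaluate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return evaluate_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        # Typical while the Certificate is not Ready: ingress-nginx falls
        # back to its self-signed default certificate.
        return [f"certificate not trusted: {exc.verify_message}"]

if __name__ == "__main__":
    print(evaluate_cert(SAMPLE_CERT, "2048.example.com",
                        now=datetime(2030, 5, 1, tzinfo=timezone.utc)))
```

Call `check_host()` with your own host name once DNS has propagated; an empty list means the certificate passed every check.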

    Conclusion

    In this article, we learned how to install the Nginx Ingress Controller in EKS with SSL enabled. I hope you enjoyed this article. If you have any issue regarding this tutorial, mention your issue in the comment section or reach me through my e-mail.

    Happy Coding