---
title: Using AWS Certificate Manager | Kubernetes Ingress
menu:
  product_voyager_8.0.1:
    identifier: aws-cm-tls
    name: AWS Cert Manager
    parent: tls-ingress
    weight: 15
product_name: voyager
menu_name: product_voyager_8.0.1
section_menu_id: guides
---

New to Voyager? Please start here.

# Using AWS Certificate Manager

Voyager can use AWS Certificate Manager (ACM) to terminate SSL connections for a LoadBalancer type Ingress on the AWS provider. To use this feature, add the following annotation to the Ingress:

```yaml
  ingress.appscode.com/annotations-service: |
    {
      "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn:aws:acm:...",
      "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "http",
      "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "443"
    }
```

The Voyager operator applies these annotations to the LoadBalancer Service used to expose HAProxy to the internet. This Service will (logically) listen on port 443, terminate SSL at the ELB and forward to port 80 on the HAProxy pods. The ELB will also listen on port 80 and forward cleartext traffic to port 80.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: <ingress>
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 'arn:aws:acm:...'
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
spec:
  type: LoadBalancer
  ports:
  - port: 443
    targetPort: 80
  - port: 80
    targetPort: 80
   ...
```

Elastic Load Balancing stores the protocol used between the client and the load balancer in the `X-Forwarded-Proto` request header and passes the header along to HAProxy. This header lets HAProxy identify the protocol (HTTP or HTTPS) the client used to connect to the load balancer. To redirect cleartext client traffic on port 80 to port 443, add backend rules that issue a redirect unless the `X-Forwarded-Proto` header value is `https`. See the following Ingress example and its rules.

```yaml
apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
  name: test-aws-ingress
  namespace: default
spec:
  rules:
  - host: appscode.example.com
    http:
      paths:
      - backend:
          serviceName: test-service
          servicePort: '80'
          backendRules:
            - 'acl is_proxy_https hdr(X-Forwarded-Proto) https'
            - 'redirect scheme https code 301 if ! is_proxy_https'
```
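The two configuration steps above (the `annotations-service` JSON on the Ingress and the `X-Forwarded-Proto` redirect rules on each backend) are easy to get subtly wrong: a malformed JSON value, a placeholder ARN left in place, a backend protocol of `https` when the ELB has already stripped TLS, or a backend with no redirect so port 80 quietly keeps serving cleartext. The following pre-deploy check is an added example, not code from the Voyager project. It assumes the Ingress has already been parsed from YAML into a Python dict (the `build_ingress` helper and its placeholder ACM ARN are constructed here), validates the pieces the page describes, and models the HAProxy redirect decision so the redirect rules can be reasoned about without a cluster.

```python
"""Pre-deploy checks for a Voyager Ingress that terminates TLS at an AWS ELB
with an ACM certificate, plus a model of the page's HAProxy redirect rules.

Added example, not part of the Voyager project. The manifest is constructed
(assumed to be the dict a YAML parser would produce); the ARN is a placeholder.
"""
import json
import re

# Annotation the Voyager operator copies onto the LoadBalancer Service.
SERVICE_ANNOTATIONS_KEY = "ingress.appscode.com/annotations-service"
SSL_CERT = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
BACKEND_PROTOCOL = "service.beta.kubernetes.io/aws-load-balancer-backend-protocol"
SSL_PORTS = "service.beta.kubernetes.io/aws-load-balancer-ssl-ports"

# ACM certificate ARN shape: arn:aws:acm:<region>:<12-digit account>:certificate/<uuid>
ACM_ARN_RE = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}$")

# Constructed placeholder ARN (not a real certificate).
PLACEHOLDER_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"

# The two backendRules from the page: match ELB-terminated TLS, redirect everything else.
REDIRECT_RULES = [
    "acl is_proxy_https hdr(X-Forwarded-Proto) https",
    "redirect scheme https code 301 if ! is_proxy_https",
]


def build_ingress(arn=PLACEHOLDER_ARN, backend_protocol="http", ssl_ports="443",
                  backend_rules=None, raw_annotation=None):
    """Construct a sample Voyager Ingress dict; raw_annotation overrides the JSON verbatim."""
    annotation = raw_annotation if raw_annotation is not None else json.dumps(
        {SSL_CERT: arn, BACKEND_PROTOCOL: backend_protocol, SSL_PORTS: ssl_ports})
    rules = REDIRECT_RULES if backend_rules is None else backend_rules
    return {
        "apiVersion": "voyager.appscode.com/v1beta1",
        "kind": "Ingress",
        "metadata": {"name": "test-aws-ingress", "namespace": "default",
                     "annotations": {SERVICE_ANNOTATIONS_KEY: annotation}},
        "spec": {"rules": [{"host": "appscode.example.com", "http": {"paths": [
            {"backend": {"serviceName": "test-service", "servicePort": "80",
                         "backendRules": rules}}]}}]},
    }


SAMPLE_INGRESS = build_ingress()


def check_ingress(ingress):
    """Return a list of findings; an empty list means the manifest passes."""
    findings = []
    raw = ingress.get("metadata", {}).get("annotations", {}).get(SERVICE_ANNOTATIONS_KEY)
    if raw is None:
        return [f"missing annotation {SERVICE_ANNOTATIONS_KEY}"]
    try:
        ann = json.loads(raw)  # the annotation value must be a JSON object
    except json.JSONDecodeError as exc:
        return [f"{SERVICE_ANNOTATIONS_KEY} is not valid JSON: {exc}"]

    arn = ann.get(SSL_CERT, "")
    if not ACM_ARN_RE.match(arn):
        findings.append(f"{SSL_CERT} is not a well-formed ACM certificate ARN: {arn!r}")
    # ELB terminates TLS, so HAProxy must be spoken to in plain HTTP.
    if ann.get(BACKEND_PROTOCOL) != "http":
        findings.append(f"{BACKEND_PROTOCOL} should be 'http' (ELB terminates TLS)")
    ssl_ports = {p.strip() for p in ann.get(SSL_PORTS, "").split(",") if p.strip()}
    if "443" not in ssl_ports:
        findings.append(f"{SSL_PORTS} does not include 443; clients on 443 get no TLS termination")

    # Without both rules on a backend, port 80 keeps serving cleartext.
    for rule in ingress.get("spec", {}).get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            backend = path["backend"]
            rules = backend.get("backendRules", [])
            has_acl = any(re.search(r"acl \S+ hdr\(X-Forwarded-Proto\) https", r) for r in rules)
            has_redirect = any(r.startswith("redirect scheme https") for r in rules)
            if not (has_acl and has_redirect):
                findings.append(f"backend {backend.get('serviceName')} lacks the X-Forwarded-Proto redirect rules")
    return findings


def haproxy_decision(headers):
    """Model the two backendRules: the hdr() string match is exact, so only a header
    of exactly 'https' (what the ELB sets) is forwarded; absent or other values redirect."""
    if headers.get("X-Forwarded-Proto") == "https":
        return "forward"
    return "redirect 301 https"


if __name__ == "__main__":
    print("findings:", check_ingress(SAMPLE_INGRESS))
    for hdrs in ({"X-Forwarded-Proto": "https"}, {"X-Forwarded-Proto": "http"}, {}):
        print(hdrs, "->", haproxy_decision(hdrs))
```

The `haproxy_decision` model makes one property of the page's rules visible: a request that reaches HAProxy without an `X-Forwarded-Proto` header at all is redirected too, which is the conservative behaviour you want for anything that did not arrive through the ELB's TLS listener.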