ALB Ingress - SSL & SSL Redirect - #Section 13

 ALB Ingress SSL

 

 ALB Ingress SSL" refers to the use of an Application Load Balancer (ALB) as an ingress controller in a Kubernetes environment to manage SSL/TLS termination for incoming traffic. This setup allows you to secure your Kubernetes services by terminating SSL/TLS encryption at the ALB level before forwarding the traffic to your backend services.

Here's a more detailed explanation of the components and concepts involved:

1. Ingress Controller: An ingress controller is a Kubernetes resource that manages external access to services within a cluster. It acts as a reverse proxy and routes incoming traffic to the appropriate services based on rules defined in Ingress resources.

2. Application Load Balancer (ALB): An ALB is a load balancer provided by Amazon Web Services (AWS) that is used to distribute incoming application traffic across multiple targets. ALBs are capable of handling layer 7 (application layer) traffic and can route requests based on content, URL, or other characteristics.

3. SSL/TLS Termination: SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that provide secure communication over a network. SSL/TLS termination involves decrypting incoming encrypted traffic (HTTPS) at the load balancer and forwarding it to the backend services in plain HTTP.

    

   When you implement ALB Ingress SSL, you are setting up an ALB to handle SSL/TLS encryption and termination for the incoming HTTPS traffic.
   

 

 

  

 

Step-01: Introduction

• We are going to register a new DNS in AWS Route53
• We are going to create a SSL certificate
• Add Annotations related to SSL Certificate in Ingress manifest
• Deploy the manifests and test
• Clean-Up

Step-02: Pre-requisite - Register a Domain in Route53 (if not exists)

• Goto Services -> Route53 -> Registered Domains
• Click on Register Domain
• Provide desired domain: somedomain.com and click on check (In my case its going to be stacksimplify.com)
• Click on Add to cart and click on Continue
• Provide your Contact Details and click on Continue
• Enable Automatic Renewal
• Accept Terms and Conditions
• Click on Complete Order

Step-03: Create a SSL Certificate in Certificate Manager

• Pre-requisite: You should have a registered domain in Route53
• Go to Services -> Certificate Manager -> Create a Certificate
• Click on Request a Certificate
  • Choose the type of certificate for ACM to provide: Request a public certificate
  • Add domain names: *.yourdomain.com (in my case it is going to be *.stacksimplify.com)
  • Select a Validation Method: DNS Validation
  • Click on Confirm & Request
• Validation
  • Click on Create record in Route 53
• Wait for 5 to 10 minutes and check the Validation Status

Step-04: Add annotations related to SSL

• 04-ALB-Ingress-SSL.yml

    ## SSL Settings
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/632a3ff6-3f6d-464c-9121-b9d97481a76b
    #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 #Optional (Picks default if not used)    

Step-05: Deploy all manifests and test

Deploy and Verify

# Deploy kube-manifests
kubectl apply -f kube-manifests/

# Verify Ingress Resource
kubectl get ingress

# Verify Apps
kubectl get deploy
kubectl get pods

# Verify NodePort Services
kubectl get svc

Verify Load Balancer & Target Groups

• Load Balancer - Listeneres (Verify both 80 & 443)
• Load Balancer - Rules (Verify both 80 & 443 listeners)
• Target Groups - Group Details (Verify Health check path)
• Target Groups - Targets (Verify all 3 targets are healthy)

Step-06: Add DNS in Route53

• Go to Services -> Route 53
• Go to Hosted Zones
  • Click on yourdomain.com (in my case stacksimplify.com)
• Create a Record Set
  • Name: ssldemo101.stacksimplify.com
  • Alias: yes
  • Alias Target: Copy our ALB DNS Name here (Sample: ssl-ingress-551932098.us-east-1.elb.amazonaws.com)
  • Click on Create

Step-07: Access Application using newly registered DNS Name

• Access Application
• Important Note: Instead of stacksimplify.com you need to replace with your registered Route53 domain (Refer pre-requisite Step-02)

# HTTP URLs
http://ssldemo101.stacksimplify.com/app1/index.html
http://ssldemo101.stacksimplify.com/app2/index.html
http://ssldemo101.stacksimplify.com/

# HTTPS URLs
https://ssldemo101.stacksimplify.com/app1/index.html
https://ssldemo101.stacksimplify.com/app2/index.html
https://ssldemo101.stacksimplify.com/

 

ALB-Ingress-SSL-Redirect

Step-01: Add annotations related to SSL Redirect

• File Name: 04-ALB-Ingress-SSL-Redirect.yml
• Redirect from HTTP to HTTPS

    # SSL Redirect Setting
    alb.ingress.kubernetes.io/ssl-redirect: '443'   

Step-02: Deploy all manifests and test

Deploy and Verify

# Deploy kube-manifests
kubectl apply -f kube-manifests/

# Verify Ingress Resource
kubectl get ingress

# Verify Apps
kubectl get deploy
kubectl get pods

# Verify NodePort Services
kubectl get svc

Verify Load Balancer & Target Groups

• Load Balancer - Listeneres (Verify both 80 & 443)
• Load Balancer - Rules (Verify both 80 & 443 listeners)
• Target Groups - Group Details (Verify Health check path)
• Target Groups - Targets (Verify all 3 targets are healthy)

Step-03: Access Application using newly registered DNS Name

• Access Application

# HTTP URLs (Should Redirect to HTTPS)
http://ssldemo101.stacksimplify.com/app1/index.html
http://ssldemo101.stacksimplify.com/app2/index.html
http://ssldemo101.stacksimplify.com/

# HTTPS URLs
https://ssldemo101.stacksimplify.com/app1/index.html
https://ssldemo101.stacksimplify.com/app2/index.html
https://ssldemo101.stacksimplify.com/

Step-04: Clean Up

# Delete Manifests
kubectl delete -f kube-manifests/

## Delete Route53 Record Set
- Delete Route53 Record we created (ssldemo101.stacksimplify.com)