i am trying to install my ca certificates with in ingress controller. I am following this guide. https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html
I could run cert-manager in Node group while running other pods in fargate. I want to know
I am getting the error that says x509 error
certificate is valid for *.corp not aws-load-balancer-webhook-service.kube-system.svc
Do i need to install cert manager though i have my own tls certs. how to route traffic with tls certs from aws-load-balancer-controller.
Thanks,
Surya.
You dont need cert manager to use certs with load balancers. Cert manager is a utility to dynamically generate & manage the lifecycle of the certificate.
If you have your own certificate you can import those into your alb or nlb created by load balancer controller for ingress or service objects respectively.
Related
I have followed the instructions from here to install an OKD cluster on AWS with my own domain. After installation succeed, I cannot access to the web console because of the self-signed SSL cert.
I have a wildcard SSL cert issued by AWS ACM, and I would like to apply it to the cluster. As the public ACM cert is not exportable, I have tried to attach the cert to the network load balancer, but still failed.
What should I do?
I cannot access to the web console because of the self-signed SSL cert
Are you sure? Most modern web browsers allow you to still bypass the TLS cert warning.
Anyway, so the web console is being exposed by the Ingress Controller, which means (unless you already customized the Ingress during installation) that this should be fronted by a CLB (classic load balancer) and not a NLB (network load balancer). The API is fronted by an NLB, and it's very likely that you'll still want a valid TLS certificate for the API.
But, since we're talking about the web console, we're talking about Ingress Controller configuration. Specifically, you should be looking at https://docs.okd.io/latest/networking/ingress-operator.html#nw-ingress-setting-a-custom-default-certificate_configuring-ingress
# Create the certificate secret
$ oc --namespace openshift-ingress create secret tls custom-certs-default \
--cert=tls.crt --key=tls.key
# Update the Ingress Controller to use the new certificate secret
$ oc patch --type=merge --namespace openshift-ingress-operator \
ingresscontrollers/default \
--patch '{"spec":{"defaultCertificate":{"name":"custom-certs-default"}}}'
The above instructions are for configuring the Ingress Controller post-install. This should also be doable pre-install, you would have to come up with some modified instructions similar to https://docs.okd.io/latest/installing/installing_aws/installing-aws-network-customizations.html#nw-aws-nlb-new-cluster_installing-aws-network-customizations
Basically something like this should work (I haven't actually tried this)
# Use the installer to create a manifests directory
$ ./openshift-install create manifests --dir <installation_directory>
# Create your certificate secret in the manifests directory
$ oc --namespace openshift-ingress create secret tls custom-certs-default \
--cert=tls.crt --key=tls.key --dryrun -o yaml > \
<installation_directory>/manifests/cluster-ingress-default-ingresscontroller-certificate.yaml
# Create the Ingress Controller manifest referencing the secret
$ touch <installation_directory>/manifests/cluster-ingress-default-ingresscontroller.yaml
# Populate the above YAML file with the Ingress Controller
# manifest referencing the correct certificate secret
We are using EKS and Nginx-ingress(NLB). I'm trying to configure multiple AWS ACM certificates in the AWS-load-balancer-SSL-cert annotation for NLB. But with no luck. Could someone help if it possible at all? Thanks
If that not possible, Please guide me any other way on how to use multiple ACM cert in the ingress object-level if possible.
My EXACT Scenario:-
I am using an NLB (FYI)
If we able to add multiple ACM certificate at controller level that also works for me (I am using a single certificate in my NLB currently see below annotations)
At the controller level, these flags help me to add a single certificate:-
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:ap-south-1:1234556677:certificate/3a1d5a-469b-dffe4bad3182
service.beta.kubernetes.io/aws-load-balancer-type: nlb
or
I am maintaining an ingress object as per NameSpace. if we are able to attach a Certificate at the ingress object level, which also solves my problem.
Good question.
There is no support for multiple ACM certificates on an ALB/NLB that points to an nginx ingress controller (or any other ingress controller AFAIK).
The dirty hack from Kubernetes is to create another Service that points to the same nginx ingress controller (same selectors) but in this case, it will just create another ALB/NLB and you may not want that.
The non-Kubernetes way which is the way might work better for you is just to do it from AWS itself and modify the ALB/NLB that sends traffic to your nginx ingress.
✌️
To add in Rico's answer.
It's not possible to attach multiple certificates to the Nginx ingress controller or any other ingress with annotation : service.beta.kubernetes.io/aws-load-balancer-ssl-cert.
Closed PR : https://github.com/kubernetes/kubernetes/pull/95208
Issue thread: https://github.com/kubernetes/cloud-provider-aws/issues/80#issuecomment-686722657
It's not working with NLB However if you are using the ALB you can use this annotation
Single cert with ALB
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx
Multiple certificates
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/cert1,arn:aws:acm:us-west-2:xxxxx:certificate/cert2,arn:aws:acm:us-west-2:xxxxx:certificate/cert3
alb.ingress.kubernetes.io/certificate-arn specifies the ARN of one or more certificates managed by ACM
Another Option For NLB
Create an ACM certificate with multiple Wild card domains and use this single Cert with ingress. this will work with NLB also
So your ACM certificate will be storing certs for multiple domains example
*.example.com
*.hello.io
*.so.in
single ACM certificate now you can use with NLB Ingress, and no need worry about attaching multiple certs.
Option : 2 using cert-manager and storing cert in secret
It would be better if you planning to use multiple domains use wild card certificates with Cert-manager store them into Secret of K8s and use it as pluggable solution with ingress.
I think both the other answers are old and not valid now as I got confused reading those as they mention that its not possible to add 2 certs for NLB. However, you can easily add certs on nginx ingress controller with the annotation in a comma separated string. I myself have deployed AWS LB Controller and using nginx ingress controller to deploy NLB. My annotations on nginx ingress controller service
service.beta.kubernetes.io/aws-load-balancer-ssl-cert=arn:aws:acm:eu-central-1:123456:certificate/123abc,arn:aws:acm:eu-central-1:123456:certificate/123xyz
and I have 2 ACM certs attached to my load balancer both with separate URLs
abc.com
xyz.com
I am trying to use an amazon SSL certificate for my app. Currently, I have dockerized application hosting on the AWS server with envoy front-proxy. I am using lets-encrypt SSL certificates for a trusted domain certificate. Now I want to switch it with amazon's SSL certificates.
I am exploring this but I didn't get any clear idea. This blog show how to enable traffic encryption between services in AWS App Mesh using AWS Certificate Manager. but they have not mentioned how to do it with enovy proxy.
For envoy, we have to provide cert and key files. But as per this question, we are not able to download these files from amazon. Is it possible to use the Amazon certificate with envoy front-proxy? If yes then can you please give me the idea/example of how to do it?
Thanks in advance..
Only AWS Services can use AWS SSL Certificates. If you want to use an AWS SSL Certificate for TLS/HTTP traffic you would use an Application Load Balancer to handle the certificate and send it to your Envoy proxy hosted on an EC2 box. Ideally you would keep the network traffic encrypted which would require you to use a LetsEncrypt certificate between the Application Load Balancer and EC2.
I got yaml file for specifying ssl certificate (provided by aws certificate manager)to load balancer for kubernetes deployment. But, we are running kubernetes cluster in aws china account where certification manager option is not available. Now if I have SSL certificate provided by Godaddy, how can I install it? Is any other alternative ways to install certificate rather than load balancer? Can I install it in my tomcat container itself and build new image with it?
As far as I know, you cannot setup an ELB deployed with a kubernetes Service to use a certificate which is NOT an ACM certificate. In fact, if you take a look at the possibile annotations here you'll see that the only annotation available to select a certificate is service.beta.kubernetes.io/aws-load-balancer-ssl-cert and the documentation for that annotation says the following:
ServiceAnnotationLoadBalancerCertificate is the annotation used on the
service to request a secure listener. Value is a valid certificate ARN.
For more, see http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-listener-config.html
CertARN is an IAM or CM certificate ARN, e.g. arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
As you ask, you can for sure terminate your ssl inside your kubernetes Pod and make the ELB a simple TCP proxy.
In order to do so, you need to add the following annotation to your Service manifest:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'tcp'
Also, you will need to forward both your http and https ports in order to handle http to https redirect correctly inside you pod.
If you need more specific help, please post you current manifest.
I'm try to enable SSL on my domain which points to my AWS instance I already create LB which connects to my instance. But when ever I try to access the domain using "https" I always get this error "refused to connect", what could be the reason for this?
If your domain has been acquired from AWS just request a SSL certificate on Amazon Certificate Manager.
aws acm request-certificate --domain-name example.com --subject-alternative-names www.example.com
(Go to step 4)
If your domain has been acquired outside AWS like GoDaddy or another service, first you need to adquired a SSL cert, for free SSL see Let’s Encrypt.
Import your certificate to Amazon Certificate Manager using cli
aws acm import-certificate --certificate file://cert.pem --certificate-chain file://chain.pem --private-key file://privkey.pem
Create your ELB and add this listeners:
See image
On ELB step 3 "Configure Security Settings", Choose an existing certificate from AWS Certificate Manager (ACM) and select your certificate (example.com) then continue your process.