Ingress Controller in AWS

TODO - these pages need to be revisited and updated after TLS and Organizations updates.

Note: If you plan to use ExternalDNS with the Helm-deployed NGINX Ingress Controller, make sure you set the value controller.publishService.enabled=true when installing the ingress-nginx Helm chart. Otherwise the LoadBalancer address will NOT be propagated and ExternalDNS will not work.

To deliver the ACM-provided certificate to the ELB, we need to add an annotation to the Ingress controller's Service. We also want to terminate SSL on the ELB, so the backend will receive plain HTTP. This is done by adding the annotation service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'http'. The common configuration is shown here:

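# helm-charts/helmfile-values/values-ingress.yaml
controller:
  service:
    targetPorts:
      http: http
      https: http
    annotations:
      # SSL is terminated on ELB, so HTTP will be used downstream to our services
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'http'
      # only the 'https' port will use the SSL protocol
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 'https'
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'  # keep connections open up to 1 hour
      # Disable TLS 1.1 and lower protocols on TLS handshake
      service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: 'ELBSecurityPolicy-TLS-1-2-2017-01'
  publishService:
    enabled: true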

Add the ingress-nginx Helm repository to your local configuration, if you haven't already:

$ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

Then we can install the chart with the specific certificate ARN value:

$ helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx \
    --values helm-charts/helmfile-values/values-ingress.yaml --wait --timeout 3m \
    --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert"=arn:aws:acm:eu-west-3:441851189095:certificate/5e44b0ab-fbc6-4cd2-9c45-1252ce1f9b71
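After the install, the controller's Service should carry the settings described above. The following check is an added example, not part of the original page or the ingress-nginx project: it audits a Service object shaped like `kubectl get svc -o json` output. The function name, finding texts and sample objects are assumptions made for the example.

```python
import re

PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"
ACM_ARN = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}$")
PINNED_POLICY = "ELBSecurityPolicy-TLS-1-2-2017-01"  # policy named on this page

def audit_service(svc, policy=PINNED_POLICY):
    """Return findings for a Service dict shaped like `kubectl get svc -o json`."""
    ann = svc.get("metadata", {}).get("annotations") or {}
    ports = {p.get("name"): p for p in svc.get("spec", {}).get("ports", [])}
    findings = []
    if not ACM_ARN.match(ann.get(PREFIX + "ssl-cert", "")):
        findings.append("ssl-cert: missing or not an ACM certificate ARN")
    if ann.get(PREFIX + "ssl-ports") not in ("https", "443"):
        # Unset defaults to "*": every listener, port 80 included, speaks SSL.
        findings.append("ssl-ports: TLS is not limited to the https port")
    if ann.get(PREFIX + "ssl-negotiation-policy") != policy:
        findings.append("ssl-negotiation-policy: not pinned to " + policy)
    if ann.get(PREFIX + "backend-protocol") != "http":
        findings.append("backend-protocol: expected 'http' behind the ELB")
    # With an HTTP backend, 443 must target nginx's plain-HTTP port; pointing
    # it at nginx's TLS port delivers cleartext to a TLS listener.
    http, https = ports.get("http"), ports.get("https")
    if http and https and https.get("targetPort") != http.get("targetPort"):
        findings.append("targetPorts: https does not map to the http port")
    return findings

# Constructed samples; the account id and certificate id are placeholders.
CERT = "arn:aws:acm:eu-west-3:111122223333:certificate/00000000-0000-0000-0000-000000000000"
GOOD = {
    "metadata": {"annotations": {
        PREFIX + "ssl-cert": CERT,
        PREFIX + "ssl-ports": "https",
        PREFIX + "ssl-negotiation-policy": PINNED_POLICY,
        PREFIX + "backend-protocol": "http",
    }},
    "spec": {"ports": [{"name": "http", "port": 80, "targetPort": "http"},
                       {"name": "https", "port": 443, "targetPort": "http"}]},
}
# Only the certificate set, chart-default port mapping left in place.
BAD = {
    "metadata": {"annotations": {PREFIX + "ssl-cert": CERT}},
    "spec": {"ports": [{"name": "http", "port": 80, "targetPort": "http"},
                       {"name": "https", "port": 443, "targetPort": "https"}]},
}

if __name__ == "__main__":
    for name, svc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_service(svc) or "OK")
```

To run it against a live cluster, load the JSON for the controller's Service with `json.load` and pass the resulting dict to `audit_service`.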