Ingress Controller in AWS

Note: If you plan to use ExternalDNS with a Helm-deployed NGINX Ingress Controller, make sure to set publishService.enabled=true when installing the ingress-nginx Helm chart. Otherwise, the LoadBalancer address will NOT be propagated and ExternalDNS will not work.

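To deliver the ACM-provided certificate to the ELB, we need to add annotations to the Ingress controller's Service. We also want to terminate SSL on the ELB, so the backend will receive plain HTTP; traffic between the ELB and the controller pods is therefore unencrypted.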

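This is done by setting the service.beta.kubernetes.io/aws-load-balancer-backend-protocol annotation to 'http'. The common configuration is shown here:

# helm-charts/helmfile-values/values-ingress.yaml
controller:
  service:
    targetPorts:
      http: http
      https: http
    annotations:
      # SSL is terminated on ELB, so HTTP will be used downstream to our services
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'http'
      # only 'https' port will use SSL protocol
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 'https'
      # keep connections open up to 1 hour
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
      # Disable TLS1.1 and lower protocols on TLS handshake
      service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: 'ELBSecurityPolicy-TLS-1-2-2017-01'
  publishService:
    enabled: true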

Add the ingress-nginx Helm repository to your local configuration if you have not already done so.

$ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

Then we can install the chart, passing the ARN of the ACM certificate (update the value according to your setup):

$ helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx \
    --values helm-charts/helmfile-values/values-ingress.yaml --wait --timeout 3m \
    --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert"=arn:aws:acm:eu-west-3:YOURACCOUNT:certificate/YOUR-CERTIFICATE-ID
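
Once the release is installed, the annotations that actually landed on the controller Service can be linted against the settings described above. This is an added example, not part of the original page: the function name and the sample data are constructed, and the Service name ingress-nginx-controller is assumed to be the chart default for a release called ingress-nginx.

```shell
#!/bin/sh
# Added example: lint the ELB annotations on the ingress controller Service.
# Feed it one key=value line per annotation, for example from (Service name
# assumed to be the chart default for a release called ingress-nginx):
#   kubectl -n ingress-nginx get svc ingress-nginx-controller \
#     -o go-template='{{range $k,$v := .metadata.annotations}}{{$k}}={{$v}}{{"\n"}}{{end}}'
PREFIX='service.beta.kubernetes.io/aws-load-balancer-'

check_elb_annotations() {
  input=$(cat)
  rc=0
  # get <suffix>: value of the annotation PREFIX<suffix>, empty when absent
  get() { printf '%s\n' "$input" | sed -n "s|^${PREFIX}$1=||p" | head -n 1; }
  fail() { echo "FAIL $1"; rc=1; }

  case "$(get ssl-cert)" in
    arn:aws*:acm:*:*:certificate/?*) ;;
    *) fail "ssl-cert: missing or not an ACM certificate ARN" ;;
  esac
  # TLS ends at the ELB, so the backend protocol must be plain http
  [ "$(get backend-protocol)" = "http" ] || fail "backend-protocol: expected http"
  # Without ssl-ports the certificate is applied to every listener port
  [ "$(get ssl-ports)" = "https" ] || fail "ssl-ports: expected https"
  case "$(get ssl-negotiation-policy)" in
    ELBSecurityPolicy-TLS-1-2-*) ;;
    *) fail "ssl-negotiation-policy: not a TLS 1.2 policy" ;;
  esac
  case "$(get connection-idle-timeout)" in
    ''|*[!0-9]*) fail "connection-idle-timeout: expected seconds as an integer" ;;
  esac
  return "$rc"
}

# Constructed sample inputs (not taken from a real cluster)
GOOD_SAMPLE="${PREFIX}ssl-cert=arn:aws:acm:eu-west-3:111122223333:certificate/EXAMPLE-ID
${PREFIX}backend-protocol=http
${PREFIX}ssl-ports=https
${PREFIX}connection-idle-timeout=3600
${PREFIX}ssl-negotiation-policy=ELBSecurityPolicy-TLS-1-2-2017-01"
# Same Service with ssl-ports missing and an older negotiation policy
BAD_SAMPLE=$(printf '%s\n' "$GOOD_SAMPLE" | grep -v 'ssl-ports=' |
  sed 's|ELBSecurityPolicy-TLS-1-2-2017-01|ELBSecurityPolicy-2016-08|')

printf '%s\n' "$BAD_SAMPLE" | check_elb_annotations || echo "annotations need fixing"
```

The function returns non-zero when any check fails, so it can gate a deployment pipeline step.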