Ingress Controller in AWS

Note: If you plan to use ExternalDNS with a Helm-deployed NGINX Ingress Controller, make sure to set publishService.enabled=true during the ingress-nginx Helm chart installation. Otherwise, the LoadBalancer address will NOT be propagated and ExternalDNS will not work.

To deliver the ACM-provided certificate to the ELB, we need to add an annotation to the Ingress controller. We also want to terminate SSL on the ELB, so the backend receives plain HTTP.

This is done by setting the annotation service.beta.kubernetes.io/aws-load-balancer-backend-protocol to 'http'. The common configuration is shown here:

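# helm-charts/helmfile-values/values-ingress.yaml
controller:
  config:
    # This resolves possible issue with big headers
    proxy-buffer-size: '16k'
    # Improve performance of requests with large body
    client-body-buffer-size: '1m'
    # use X-Forwarded-* received from ELB - important for proper propagation
    # of LoadBalancer host, port, and schema
    use-forwarded-headers: 'true'
  service:
    targetPorts:
      http: http
      https: http
    annotations:
      # SSL is terminated on ELB, so HTTP will be used downstream to our services
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'http'
      # only 'https' port will use SSL protocol
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 'https'
      # keep connections open up to 1 hour
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
      # Disable TLS1.1 and lower protocols on TLS handshake
      service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: 'ELBSecurityPolicy-TLS-1-2-2017-01'
  publishService:
    enabled: true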

Add the ingress-nginx Helm repository to your local configuration if you have not already done so.

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

Then we can install the chart with the ARN of our ACM certificate (update the value according to your setup):

helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx \
    --values helm-charts/helmfile-values/values-ingress.yaml --wait --timeout 3m \
    --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-ssl-cert"=arn:aws:acm:eu-west-3:YOURACCOUNT:certificate/YOUR-CERTIFICATE-ID
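
After the install, it is worth confirming that the controller Service really carries the TLS-termination settings described above. The following is an added example, not part of the original page or the chart: audit_service is a hypothetical helper, the annotation names are the standard Kubernetes AWS load balancer annotations, and the sample Service JSON is constructed.

```python
import json

PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"
# Expected values are the ones this page sets in values-ingress.yaml.
EXPECTED = {
    "backend-protocol": "http",
    "ssl-ports": "https",
    "ssl-negotiation-policy": "ELBSecurityPolicy-TLS-1-2-2017-01",
}

def audit_service(svc):
    """Return a list of findings for a Service object (parsed kubectl JSON)."""
    findings = []
    ann = svc.get("metadata", {}).get("annotations") or {}
    cert = ann.get(PREFIX + "ssl-cert", "")
    if not cert.startswith("arn:aws:acm:"):
        findings.append("ssl-cert: no ACM certificate ARN, ELB cannot terminate TLS")
    for key, want in EXPECTED.items():
        got = ann.get(PREFIX + key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    # TLS ends at the ELB, so both Service ports must reach NGINX's plain-HTTP port.
    for port in svc.get("spec", {}).get("ports", []):
        if port.get("name") in ("http", "https") and port.get("targetPort") != "http":
            findings.append(
                f"port {port['name']}: targetPort {port.get('targetPort')!r} is not 'http'")
    return findings

# Constructed sample: the negotiation policy annotation is missing and the
# https port still points at NGINX's own TLS port.
SAMPLE = json.loads("""
{
  "metadata": {"name": "ingress-nginx-controller", "annotations": {
    "service.beta.kubernetes.io/aws-load-balancer-ssl-cert":
      "arn:aws:acm:eu-west-3:YOURACCOUNT:certificate/YOUR-CERTIFICATE-ID",
    "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "http",
    "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "https"}},
  "spec": {"ports": [
    {"name": "http", "port": 80, "targetPort": "http"},
    {"name": "https", "port": 443, "targetPort": "https"}]}
}
""")

if __name__ == "__main__":
    for finding in audit_service(SAMPLE):
        print("FINDING:", finding)
```

To run it against a live cluster, load the output of kubectl get svc ingress-nginx-controller -n ingress-nginx -o json instead of SAMPLE; the Service name assumes the chart's default naming for a release called ingress-nginx.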