Setting up a TLS certificate with Nginx Ingress Controller with Amazon EKS

5 min read · Dec 22, 2024

Setting up a TLS Certificate with Nginx Ingress Controller

Setting up a TLS certificate is an implicit requirement for any workload running in EKS. This post focuses on how to set up a TLS certificate with the Nginx Ingress Controller on EKS.

High Level Steps

  • Setup EKS Cluster
  • Install Nginx Ingress Controller
  • Setup demo application
  • Create TLS Certificate
  • Configure Kubernetes Secrets with TLS certificate
  • Configure TLS with Ingress resources
  • Verify the TLS setup

Step — Create EKS Cluster

You can use your own cluster or create a new one as outlined in the following post.

In my case I am running an EKS cluster named test-cluster.

Step — Setup Nginx Ingress Controller

This step creates an ingress controller pod and also creates the load balancer in AWS.

Refer to https://amod-kadam.medium.com/setting-up-nginx-ingress-controller-with-eks-f27390bcf804

The load balancer created in AWS is identified by the DNS name a7bxxx-33.ap-south-1.elb.amazonaws.com

Step — Setup Test Application

Create the Deployment in the demo namespace (the namespace must already exist).

# demo-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      containers:
        - image: httpd
          name: httpd
          ports:
            - containerPort: 80
              protocol: TCP

kubectl apply -f demo-deployment.yaml

Step — Create Service

# demo-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: demo-service
  namespace: demo
  labels:
    app: demo
spec:
  type: ClusterIP
  selector:
    app: demo
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP

kubectl apply -f demo-service.yaml

This creates the Service object that the Ingress will route to.

Step — Create Ingress

# demo-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-app-ingress
  namespace: demo
spec:
  ingressClassName: nginx
  rules:
    - host: "www.demo.io"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: demo-service
                port:
                  number: 80

kubectl apply -f demo-ingress.yaml

This should create an ingress object as shown below.

The load balancer created by default is a Classic Load Balancer, which is addressed by a DNS name rather than a fixed IP address. To find an IP address that the DNS name currently resolves to, use curl with -v, which prints the address it connected to:

curl -v a7b87ef01582a46ecbac231ea304065d-1267695333.ap-south-1.elb.amazonaws.com

The IP address shown by the command above is 65.0.227.230.

Verify that www.demo.io is accessible with curl, using --resolve to map the host name to that IP without touching DNS:

curl --resolve www.demo.io:80:65.0.227.230 http://www.demo.io

We now have a site set up at http://www.demo.io.

Step — Create Certificate

This step creates a self-signed certificate. This is useful when you are developing applications and want a quick way to set up TLS without obtaining a certificate from a CA.

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt

Fill in the appropriate values for the certificate subject when prompted.

This should create two files: server.crt and server.key.

server.crt is the certificate and server.key is its private key; together they configure the server side, i.e. the Ingress resource.

Step — Create Kubernetes Secret

The certificate and private key are stored in a Kubernetes Secret of type tls, which the Ingress resource then references.

kubectl create secret tls demo-app-tls --namespace demo --key server.key --cert server.crt

Step — Amend the Ingress Resource to use the TLS Certificate

Note the tls section added here, with secretName: demo-app-tls pointing at the Secret created in the previous step.

# demo-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-app-ingress
  namespace: demo
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - www.demo.io
      secretName: demo-app-tls
  rules:
    - host: "www.demo.io"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: demo-service
                port:
                  number: 80

This configures the Ingress resource to route www.demo.io and to serve it with the certificate held in the demo-app-tls Secret.

Step — Verify the TLS setup

Using curl

curl -kv --resolve www.demo.io:443:65.0.227.230 https://www.demo.io

This shows that your Ingress resource is configured with the TLS certificate correctly, as it returns the ‘It works’ response (-k skips certificate verification, which is needed here because the certificate is self-signed).
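The two shortcuts in the certificate and verification steps above are worth closing. First, the interactive openssl command sets only a Common Name, and browsers and current curl match the host name against the Subject Alternative Name, not the CN. Second, -k turns certificate verification off, so the check passes even if the controller serves the wrong certificate. The following script is an added example (not from the original post) that covers both steps: it generates the self-signed certificate for www.demo.io non-interactively with a SAN, inspects the file offline, and verifies the Ingress with --cacert pinned to that file while comparing the fingerprints of the local file, the tls Secret and the certificate actually presented. It assumes OpenSSL 1.1.1 or newer (for -addext and -ext), curl, and, for the Secret check only, kubectl access to the cluster; the load balancer IP is an argument you supply (the post saw 65.0.227.230, yours will differ).

```shell
#!/bin/sh
# Added example, not part of the original post. Generates the post's
# self-signed certificate with a SAN, inspects it offline, and verifies the
# Ingress without disabling certificate verification.
# Assumptions: OpenSSL >= 1.1.1 (-addext/-ext), curl, optionally kubectl.
set -eu

HOST="${HOST:-www.demo.io}"
KEY="${KEY:-server.key}"
CRT="${CRT:-server.crt}"
NAMESPACE="${NAMESPACE:-demo}"
SECRET="${SECRET:-demo-app-tls}"

# Non-interactive form of the post's `openssl req ... -x509` command, plus a
# SAN so that curl --cacert and browsers can match www.demo.io.
make_self_signed_cert() {
  host="$1"; key="$2"; crt="$3"
  openssl req -x509 -newkey rsa:2048 -days 365 -nodes \
    -keyout "$key" -out "$crt" \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# DNS names listed in the certificate's SAN extension, one per line.
cert_san_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# SHA-256 fingerprint (AA:BB:...) of a PEM certificate; the same value the
# browser's certificate viewer shows, so it can be compared by eye.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 if the certificate is still valid N days from now, 1 otherwise.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Fingerprint of the certificate stored in the tls Secret the Ingress uses.
# A mismatch with cert_fingerprint means the Secret holds a stale or wrong file.
secret_cert_fingerprint() {
  kubectl get secret "$1" -n "$2" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate the Ingress Controller actually presents for
# HOST (via SNI). If the Secret is not picked up, ingress-nginx serves its own
# "Kubernetes Ingress Controller Fake Certificate" and this will not match.
served_cert_fingerprint() {
  host="$1"; ip="$2"
  openssl s_client -connect "$ip:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# The post's `curl -kv --resolve ...` check with verification left on:
# --cacert trusts exactly this self-signed certificate and --resolve stands in
# for the /etc/hosts entry. A SAN/host mismatch fails here instead of being
# hidden by -k.
verify_ingress_tls() {
  host="$1"; ip="$2"; crt="$3"
  curl -sS --cacert "$crt" --resolve "$host:443:$ip" "https://$host/"
}

# Usage: sh tls-check.sh gen            (before creating the Secret)
#        sh tls-check.sh verify <LB_IP> (after applying the Ingress)
case "${1:-}" in
  gen)
    make_self_signed_cert "$HOST" "$KEY" "$CRT"
    echo "SAN:         $(cert_san_dns_names "$CRT")"
    echo "Fingerprint: $(cert_fingerprint "$CRT")"
    ;;
  verify)
    ip="$2"
    echo "Local file:  $(cert_fingerprint "$CRT")"
    echo "In Secret:   $(secret_cert_fingerprint "$SECRET" "$NAMESPACE")"
    echo "Served:      $(served_cert_fingerprint "$HOST" "$ip")"
    verify_ingress_tls "$HOST" "$ip" "$CRT"
    ;;
esac
```

Run `sh tls-check.sh gen` in place of the interactive openssl command, create the Secret from the resulting server.key and server.crt as described above, and after applying the Ingress run `sh tls-check.sh verify <LB_IP>`. All three fingerprints should be identical and curl should print the ‘It works’ page; if the served fingerprint differs, the controller is not using the Secret, which -k would have masked.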

Verification from the browser

I have edited the /etc/hosts file to add an entry for the domain www.demo.io.

Verify that you can access the www.demo.io from the browser.

As it is a self-signed certificate (not signed by a trusted CA), you should see a warning about the certificate's validity; you can still proceed and should see the ‘It works’ response.

You should also see the certificate details in the browser.

This certificate is the one which was created earlier.

If you use a certificate issued by a trusted CA, this warning goes away.

Thus we now have https://www.demo.io (with TLS) set up.

Please note that TLS is terminated at the Ingress level by the Ingress Controller; traffic from the controller to the service is forwarded as plain HTTP inside the cluster. It is also possible to set up TLS at each service level, but that is for another post.

If you want to create a private CA and use certificates issued by it, check out the following post.

Happy Holidays !

Written by Aamod Kadam

AWS Community Builder | upGrad Course Author | 7 x AWS | Terraform Associate | Cloud Consulting | AWS | Azure | Docker | Kubernetes | Software Architecture

No responses yet