Adding TLS termination

You can add TLS termination on the AWS Load Balancer.

Adding TLS termination on the AWS Load Balancer

You can route the traffic for the domain to pods of a service and add TLS termination on the AWS Load Balancer.

Prerequisites

  • You have access to the OpenShift CLI (oc).

Procedure

  1. Install the Operator and create an instance of the aws-load-balancer-controller resource:

    apiVersion: networking.olm.openshift.io/v1alpha1 # (1)
    kind: AWSLoadBalancerController
    metadata:
      name: cluster # (2)
    spec:
      subnetTagging: auto
      ingressClass: tls-termination # (3)

    (1) Defines the API group of the aws-load-balancer-controller resource.
    (2) Defines the aws-load-balancer-controller instance.
    (3) Defines the name of an ingressClass resource reconciled by the AWS Load Balancer Controller. This ingressClass resource gets created if it is not present. You can add additional ingressClass values. The controller reconciles the ingressClass values if the spec.controller is set to ingress.k8s.aws/alb.

  2. Create an Ingress resource:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: <example> # (1)
      annotations:
        alb.ingress.kubernetes.io/scheme: internet-facing # (2)
        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx # (3)
    spec:
      ingressClassName: tls-termination # (4)
      rules:
        - host: <example.com> # (5)
          http:
            paths:
              - path: /
                pathType: Exact
                backend:
                  service:
                    name: <example-service> # (6)
                    port:
                      number: 80

    (1) Specifies the name of an ingress.
    (2) The controller provisions the load balancer for this Ingress resource in a public subnet so that the load balancer is reachable over the internet.
    (3) The Amazon Resource Name of the certificate that you attach to the load balancer.
    (4) Defines the ingress class name.
    (5) Defines the domain for traffic routing.
    (6) Defines the service for traffic routing.
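
A pre-apply check for the two resources in this procedure, as an added example that is not part of the original documentation or of the Operator: it confirms that the Ingress names a class the controller reconciles and that the certificate-arn annotation holds a complete certificate ARN. Assumptions: the objects are passed as dictionaries shaped like `oc get <resource> -o json` output, the certificate is issued by ACM, and the function name, sample objects and sample ARN are constructed for illustration.

```python
import re

ALB_CONTROLLER = "ingress.k8s.aws/alb"  # spec.controller value named in this procedure
CERT_KEY = "alb.ingress.kubernetes.io/certificate-arn"
# Assumption: certificates come from ACM; this is the standard ACM certificate ARN shape.
ACM_ARN = re.compile(r"^arn:aws[a-z-]*:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}$")


def check_tls_ingress(controller, ingress_classes, ingress):
    """Return a list of deviations from the TLS termination procedure (empty if none)."""
    problems = []
    spec = ingress.get("spec", {})
    annotations = ingress.get("metadata", {}).get("annotations", {})

    # Classes the controller reconciles: the one named in the AWSLoadBalancerController
    # spec, plus any IngressClass whose spec.controller points at the ALB controller.
    reconciled = {controller.get("spec", {}).get("ingressClass")}
    reconciled |= {c["metadata"]["name"] for c in ingress_classes
                   if c.get("spec", {}).get("controller") == ALB_CONTROLLER}
    reconciled.discard(None)

    name = spec.get("ingressClassName")
    if name not in reconciled:
        problems.append(f"ingressClassName {name!r} is not reconciled by the ALB controller")

    # The annotation may carry several comma-separated ARNs; check each one.
    arns = [a.strip() for a in annotations.get(CERT_KEY, "").split(",") if a.strip()]
    if not arns:
        problems.append(f"missing {CERT_KEY} annotation used to attach the certificate")
    for arn in arns:
        if not ACM_ARN.match(arn):
            problems.append(f"certificate ARN {arn!r} is not a complete ACM certificate ARN")
    return problems


# Constructed sample objects (not real cluster output).
CONTROLLER = {"spec": {"subnetTagging": "auto", "ingressClass": "tls-termination"}}
CLASSES = [{"metadata": {"name": "tls-termination"}, "spec": {"controller": ALB_CONTROLLER}}]
GOOD = {
    "metadata": {"annotations": {
        "alb.ingress.kubernetes.io/scheme": "internet-facing",
        CERT_KEY: "arn:aws:acm:us-west-2:111122223333:certificate/"
                  "12345678-1234-1234-1234-123456789012"}},  # constructed ARN
    "spec": {"ingressClassName": "tls-termination"},
}
# Same Ingress with the placeholder ARN left in place and a mistyped class name.
BAD = {"metadata": {"annotations": {CERT_KEY: "arn:aws:acm:us-west-2:xxxxx"}},
       "spec": {"ingressClassName": "tls-terminaton"}}

if __name__ == "__main__":
    for label, ing in (("good", GOOD), ("bad", BAD)):
        print(label, check_tls_ingress(CONTROLLER, CLASSES, ing))
```

The placeholder ARN shown in the Ingress manifest above is reported by this check until it is replaced with the full ARN of your certificate.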