How to build an ingress controller with central cert and auth management

Time:03-04

I want to expose a few webapps in EKS to the internet in a centrally managed secure way.

In AWS, using an ALB is nice, as it for example allows you to terminate TLS and add authentication using Cognito.

CodePudding user response:

I think I found a good solution.

I set up my environment using terraform. After I set up the alb ingress controller, I can create a suitable ingress object, wait until the ALB is up, use terraform to extract the address of the ALB and use publish-status-address to tell nginx to publish exactly that address to all its ingresses:

# One ALB in front of the whole cluster. It owns the public hostname, the ACM
# certificate and the HTTP->HTTPS redirect; everything it receives is handed
# to the in-cluster nginx controller over plain HTTP.
resource "kubernetes_ingress_v1" "alb" {
  # Block until AWS has assigned a hostname, so status.load_balancer below is
  # populated when the helm_release reads it.
  wait_for_load_balancer = true
  metadata {
    name = "alb"
    namespace = "kube-system"
    annotations = {
      "alb.ingress.kubernetes.io/scheme" = "internet-facing"
      # Port 80 exists only so the redirect below has something to answer on.
      "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTP\": 80}, {\"HTTPS\":443}]"
      # Plain-HTTP requests get a 301 to 443; TLS terminates at the ALB with
      # the ACM certificate referenced in local.cert.
      "alb.ingress.kubernetes.io/ssl-redirect" = "443"
      "alb.ingress.kubernetes.io/certificate-arn" = local.cert
      # Register pod IPs as targets directly, so the nginx Service needs no
      # NodePort and can stay ClusterIP.
      "alb.ingress.kubernetes.io/target-type" = "ip"
    }
  }
  spec {
    ingress_class_name = "alb"
    # No rules: every request, whatever the Host header, goes to nginx, which
    # does the per-application routing.
    default_backend {
      service {
        name = "ing-nginx-ingress-nginx-controller"
        port {
          name = "http"
        }
      }
    }
  }
}

resource "helm_release" "ing-nginx" {
  name       = "ing-nginx"

  repository = "https://kubernetes.github.io/ingress-nginx"
  chart      = "ingress-nginx"
  namespace  = "kube-system"

  # nginx is not exposed on its own; the only way in from outside is the ALB.
  set {
    name  = "controller.service.type"
    value = "ClusterIP"
  }
  # A ClusterIP Service has no externally usable address to publish.
  set {
    name  = "controller.publishService.enabled"
    value = "false"
  }
  # Instead, write the ALB hostname into the status of every Ingress nginx
  # manages, so tooling that reads Ingress status (e.g. external-dns) sees
  # the address clients actually use.
  set {
    name  = "controller.extraArgs.publish-status-address"
    value = kubernetes_ingress_v1.alb.status.0.load_balancer.0.ingress.0.hostname
  }
  # Trust X-Forwarded-For / X-Forwarded-Proto as set by the ALB, so backends
  # see the real client IP and that the original request was HTTPS. nginx
  # will honour these headers from any peer that can reach the ClusterIP
  # Service, so keep that Service unreachable from outside the cluster.
  set {
    name  = "controller.config.use-forwarded-headers"
    value = "true"
  }
  # Ingresses that set no class are handled by nginx.
  set {
    name  = "controller.ingressClassResource.default"
    value = "true"
  }
}

It is a bit weird, as it introduces something like a circular dependency, but the ingress simply waits until nginx is finally up and all is well.

This solution is not exactly the same as the --publish-ingress option, as it will not be able to adapt to any changes of the ALB address. Luckily I don't expect that address to change, so I'm fine with that solution.
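As an added example, not part of the answer above, here is a drift check for exactly the caveat just described: because the ALB hostname is baked into nginx via publish-status-address, a recreated ALB leaves every nginx-managed Ingress advertising the old name. The script parses the JSON that `kubectl get ingress -A -o json` prints, reads the current hostname from the ALB Ingress (name `alb` in `kube-system`, as in the answer), and lists every Ingress that nginx reconciles (explicit class `nginx`, the legacy `kubernetes.io/ingress.class` annotation, or no class at all, since the chart was installed with the default-class flag) whose published address differs. The ALB hostnames and Ingress objects in the sample are constructed, so it runs offline.

```python
"""Drift check: do all nginx-managed Ingresses still publish the current ALB hostname?

Feed it the output of `kubectl get ingress -A -o json`. The sample at the
bottom is constructed and stands in for that output; no cluster is contacted.
"""
import json
from typing import Dict, List, Tuple

ALB_NAME = "alb"            # name/namespace of the kubernetes_ingress_v1 in the answer
ALB_NAMESPACE = "kube-system"
NGINX_CLASS = "nginx"       # class name the ingress-nginx chart registers


def published_hostnames(ingress: Dict) -> List[str]:
    """Hostnames an Ingress currently advertises in status.loadBalancer.ingress."""
    entries = ingress.get("status", {}).get("loadBalancer", {}).get("ingress") or []
    return [e["hostname"] for e in entries if e.get("hostname")]


def is_nginx_managed(ingress: Dict) -> bool:
    """True for Ingresses nginx reconciles: explicit spec.ingressClassName,
    the legacy annotation, or no class at all (default class is nginx)."""
    spec_class = ingress.get("spec", {}).get("ingressClassName")
    ann_class = ingress.get("metadata", {}).get("annotations", {}).get("kubernetes.io/ingress.class")
    if spec_class is None and ann_class is None:
        return True
    return NGINX_CLASS in (spec_class, ann_class)


def current_alb_hostname(items: List[Dict]) -> str:
    """Hostname AWS assigned to the ALB Ingress; raises if it is not published yet."""
    for ing in items:
        md = ing["metadata"]
        if md.get("name") == ALB_NAME and md.get("namespace") == ALB_NAMESPACE:
            hosts = published_hostnames(ing)
            if not hosts:
                raise RuntimeError("ALB Ingress has no hostname yet; is the load balancer up?")
            return hosts[0]
    raise RuntimeError(f"Ingress {ALB_NAMESPACE}/{ALB_NAME} not found")


def find_drift(kubectl_json: str) -> Tuple[str, List[Tuple[str, str, List[str]]]]:
    """Return (alb_hostname, [(namespace, name, hostnames_actually_published), ...])
    for every nginx-managed Ingress that does not publish exactly the ALB hostname.
    An Ingress with nothing published is reported with an empty list."""
    items = json.loads(kubectl_json)["items"]
    alb = current_alb_hostname(items)
    drifted = []
    for ing in items:
        md = ing["metadata"]
        if md.get("name") == ALB_NAME and md.get("namespace") == ALB_NAMESPACE:
            continue  # the ALB Ingress is the reference, not a candidate
        if not is_nginx_managed(ing):
            continue
        published = published_hostnames(ing)
        if published != [alb]:
            drifted.append((md["namespace"], md["name"], published))
    return alb, drifted


# ---- constructed sample input (hostnames are made up) ----------------------
NEW_ALB = "k8s-kubesyst-alb-1111111111-222222222.eu-west-1.elb.amazonaws.com"
OLD_ALB = "k8s-kubesyst-alb-0000000000-999999999.eu-west-1.elb.amazonaws.com"


def make_ingress(ns: str, name: str, cls: str = None, hosts=(), annotations=None) -> Dict:
    """Minimal Ingress object in the shape kubectl prints (constructed test data)."""
    obj = {"metadata": {"namespace": ns, "name": name, "annotations": annotations or {}},
           "spec": {},
           "status": {"loadBalancer": {"ingress": [{"hostname": h} for h in hosts]}}}
    if cls:
        obj["spec"]["ingressClassName"] = cls
    return obj


# Scenario: the ALB was recreated. "web" and "grafana" were re-synced, "api"
# still carries the old name, "legacy" (no class -> nginx) was never published.
SAMPLE_KUBECTL_JSON = json.dumps({"items": [
    make_ingress("kube-system", "alb", cls="alb", hosts=[NEW_ALB]),
    make_ingress("apps", "web", cls="nginx", hosts=[NEW_ALB]),
    make_ingress("apps", "api", cls="nginx", hosts=[OLD_ALB]),
    make_ingress("apps", "legacy"),
    make_ingress("apps", "grafana", annotations={"kubernetes.io/ingress.class": "nginx"}, hosts=[NEW_ALB]),
]})

if __name__ == "__main__":
    alb, drifted = find_drift(SAMPLE_KUBECTL_JSON)
    print(f"ALB currently at {alb}")
    for ns, name, published in drifted:
        print(f"  DRIFT {ns}/{name}: publishes {published or 'nothing'}")
```

Run it against a live cluster with `kubectl get ingress -A -o json | python3 -c 'import sys, drift; print(drift.find_drift(sys.stdin.read()))'` (module name assumed). Anything it reports means clients following that Ingress status would be sent to an address the ALB no longer answers on; the fix in this setup is a `terraform apply` so the helm_release picks up the new hostname and nginx republishes it.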
