Nginx-Ingress in EKS — EKS + nginx-ingress + NLB + TLS

Sauravmoy Sarkar
Sep 19, 2021

This page explains how to set up nginx and a mergeable ingress gateway in an EKS cluster so that it can route HTTP calls to the appropriate microservice living in the appropriate namespace. I’ll also cover how to secure the Nginx ingress with TLS and how to enable an NLB.

First, let us understand what we are going to set up in this writeup. Please take a look at the diagram below.

In the above diagram we have a namespace called “Nginx-ingress namespace” within the K8S cluster. We’ll deploy Nginx and the related resources, such as the IngressClass, Service, Deployment, ConfigMap, ServiceAccount and ClusterRole, in this namespace. We also add a master ingress entry in this namespace.

Then, let's say we have multiple other namespaces where instances of our application (in a microservices fashion, for example) live. In the diagram, “Application environment namespace 1, Application environment namespace 2, Application environment namespace 3” depict these different namespaces.

Now we want Nginx to route the HTTP request placed by the user to the appropriate microservice in the appropriate namespace. To do so, we need to add an ingress minion in each of the namespaces, i.e. “Application environment namespace 1, Application environment namespace 2, Application environment namespace 3”. This connects the ingress minion with the master in “Nginx-ingress namespace”, so Nginx knows where to route the request.

Let's now deploy nginx

Here is the git source code for this writeup! I’ll explain how it should be read and executed, and I’ll mention which lines of code you need to change and pay attention to.

Clone or download the repo and run the commands below.

cd nginx-ingress-controller-deploy
kubectl apply -f ns-and-sa.yaml
kubectl apply -f rbac.yaml
kubectl apply -f nginx-config.yaml
kubectl apply -f ingress-class.yaml
kubectl apply -f loadbalancer-aws-elb.yaml

Now you need to edit default-server-secret.yaml at lines 8 and 9. Add your certificate and public key at these placeholders and run the commands below.

kubectl apply -f default-server-secret.yaml
kubectl apply -f nginx-ingress.yaml

Up to this point we have deployed nginx and the related resources in “Nginx-ingress namespace”. Now we need to add the master ingress in “Nginx-ingress namespace”.

Adding master and minion ingresses

Please go to the ingress-rules-deploy folder in the git repo, change lines 12 and 14 of ingress-rules-master.yaml by adding your hostname entry, and run the commands below.

cd ingress-rules-deploy
kubectl apply -f ingress-rules-master.yaml

Similarly, let's edit ingress-rules-minion.yaml. Here too you need to change the host entry at line 11, the same way you did in the earlier step. You may edit the route entries according to your specs; then look at the namespace entry and change it accordingly.

Now here is the catch: for Nginx to route the call correctly to the service in a particular namespace, the “wildcard” entry must be the same in the master and minion ingresses. You may add multiple masters, each with a different name and wildcard entry. In that case you will have multiple master ingresses in your “Nginx-ingress namespace”, and each “Application environment namespace” will have exactly one minion ingress entry.
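
To make the master/minion relationship concrete, here is an added example (not the manifests from the repo) of a matching pair using the NGINX Ingress Controller's mergeable-ingress annotation. The hostname, namespaces, IngressClass name, Secret name and Service name are placeholders assumed for illustration.

```yaml
# Master: lives in the controller namespace, owns the host and its TLS settings.
# A master carries no paths; routing rules come from the minions.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-master                 # hypothetical name
  namespace: nginx-ingress             # assumed name of the "Nginx-ingress namespace"
  annotations:
    nginx.org/mergeable-ingress-type: "master"
spec:
  ingressClassName: nginx              # assumed; must match your IngressClass
  tls:
  - hosts:
    - app.example.com                  # placeholder host
    secretName: app-tls-secret         # hypothetical TLS Secret in this namespace
  rules:
  - host: app.example.com              # must be identical in every minion
---
# Minion: lives next to the application, contributes paths for the same host.
# A minion must not define a tls section; TLS is terminated per the master.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-minion                 # hypothetical name
  namespace: app-env-1                 # assumed "Application environment namespace 1"
  annotations:
    nginx.org/mergeable-ingress-type: "minion"
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com              # same string as in the master
    http:
      paths:
      - path: /orders                  # placeholder route
        pathType: Prefix
        backend:
          service:
            name: orders-svc           # hypothetical Service in app-env-1
            port:
              number: 80
```

If the host strings differ, the minion is not merged into the master and its paths are not served under that host, so compare the two values whenever a route is unreachable.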

Important things to note

We have enabled TLS in this nginx setup with the manifests below. You may take a peek at how it was done.

default-server-secret.yaml
nginx-config.yaml

In the AWS setup we have used a Network Load Balancer (NLB) to expose nginx to the outside world. The reason we are using an NLB here is that it gives us a static IP address (with failover, of course), which DNS can easily be pointed at. It is specified in loadbalancer-aws-elb.yaml.

Hope this helps someone! Feel free to comment on anything that can be improved. Enjoy!
