External HTTP/HTTPS Server on Kubernetes in AWS

Jesse Kinkead
Sep 7, 2017


Getting an HTTP server running on Kubernetes is very easy. Even exposing it with an ELB on AWS is straightforward — but getting that ELB to handle both HTTP and HTTPS traffic is tricky, and relies on one undocumented annotation.

Prerequisites:

A Kubernetes cluster on AWS with an associated public subnet. This is a subnet with a tag of the form kubernetes.io/cluster/${CLUSTER_NAME}. If you used kops to set up your cluster’s subnets, this should already exist. When you create a Kubernetes Service of the type LoadBalancer, Kubernetes will create an ELB in a public subnet associated with the cluster. If one doesn’t exist, the ELB can’t be created.

A security certificate in AWS that you can use for your HTTP server. Note the ARN in Certificate Manager; this will go into our template.

Writing the Deployment

First, you need an HTTP server, running as a Deployment, which listens on a single port for plain HTTP traffic. This server can be anything you like; my example below uses a simple request-echo server.

The only interesting thing to note is that I’ve used a named port, called backend-http, for clarity. This isn’t required, but it makes the Service a bit easier to maintain. You should also note your Deployment’s selector label, since the Service uses it to find the pods.

Writing the Service

This is the interesting part! We’re going to create a service of type LoadBalancer, which tells Kubernetes that we want to externalize it as an ELB.

We also want three annotations:

Here’s what this service looks like:

All you have to do is kubectl apply -f that file, and Kubernetes will create an ELB configured correctly for you! It takes a minute or two. If it doesn’t show up, check the status of the Service in the dashboard or with a kubectl describe.
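A Service of the shape described above, as an added example that is not the author's original manifest. It assumes the three annotations are the AWS cloud provider's ssl-cert, backend-protocol and ssl-ports annotations; the Service name, the selector label and the certificate ARN are placeholders.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: echo-server                      # hypothetical name
  annotations:
    # ARN of the certificate noted in Certificate Manager (placeholder value).
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERTIFICATE_ID"
    # The ELB speaks plain HTTP to the pods; TLS ends at the ELB.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    # Only this port gets a TLS listener. Without it, setting ssl-cert
    # turns every port on the Service into a TLS listener, port 80 included.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
spec:
  type: LoadBalancer
  selector:
    app: echo-server                     # hypothetical; must match the Deployment's selector label
  ports:
    - name: http
      port: 80
      targetPort: backend-http           # the named container port from the Deployment
    - name: https
      port: 443
      targetPort: backend-http           # same plain-HTTP backend port for both listeners
```

Both listeners forward to the same plain-HTTP container port, so traffic between the ELB and the pods is unencrypted in either case. The server can tell which scheme the client used from the X-Forwarded-Proto header the ELB sets, for example to redirect HTTP requests to HTTPS.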

Complete Example
