Posted to commits@openwhisk.apache.org by dg...@apache.org on 2020/04/02 19:32:55 UTC

[openwhisk-deploy-kube] 03/04: update docs for aws ssl

This is an automated email from the ASF dual-hosted git repository.

dgrove pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/openwhisk-deploy-kube.git

commit 71db26075b960bbbefc96370fd4acd42d35b1642
Author: Tom Barber <to...@spicule.co.uk>
AuthorDate: Tue Mar 17 21:48:14 2020 +0000

    update docs for aws ssl
---
 docs/k8s-aws.md | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/docs/k8s-aws.md b/docs/k8s-aws.md
index 5fa956a..1c8c8ba 100644
--- a/docs/k8s-aws.md
+++ b/docs/k8s-aws.md
@@ -27,7 +27,7 @@
 
 Follow Amazon's instructions to provision your cluster.
 
-### Configuring OpenWhisk
+### Configuring OpenWhisk using SSL and IAM
 
 AWS's Elastic Kubernetes Service (EKS) does not support standard Kubernetes
 ingress.  Instead, it relies on provisioning Elastic Load
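Review bot: the renamed heading says "using SSL and IAM", but the paragraph directly under it still only introduces Elastic Load Balancers and never says what role IAM plays. The second hunk then adds a sibling section titled "Configuring Openwhisk using SSL and Elastic Loadbalancers", so the two titles alone do not tell a reader which section applies to them. Consider adding one sentence under this heading that states what IAM is used for in this path and when to follow the other section instead.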
@@ -86,6 +86,29 @@ available before the hostname is actually properly registered in DNS.
 Be patient and keep trying until you stop getting `no such host`
 errors from `wsk` when attempting to access it.
 
+### Configuring Openwhisk using SSL and Elastic Loadbalancers
+
+Due to the way AWS supports TLS termination on ELBs there are a couple of configuration options required to put a
+signed certificate in place when deploying openwhisk.
+
+First ensure you have a signed certificate in your AWS Certificate Manager. 
+
+Then ensure you enable the following:
+```yaml
+whisk:
+  ingress:
+    awsSSL: "true"
+    type: LoadBalancer
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
+      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https-api
+      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <your certificate ARN>
+```
+
+This will setup a loadbalanced service that allows your users to connect via HTTPS to the cluster. Internally we switch 
+from SSL to plain HTTP communication as we're forwarding ports internally. 
+Please read [this doc](https://kubernetes-on-aws.readthedocs.io/en/latest/user-guide/tls-termination.html#common-pitfalls) for more information.
+
 ## Hints and Tips
 
 ## Limitations
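Review bot: the annotation `service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http`, together with the sentence "Internally we switch from SSL to plain HTTP communication", means TLS ends at the ELB and the hop from the load balancer to the cluster is unencrypted, yet the text presents this as an implementation detail rather than a trade-off. Suggest stating explicitly that traffic behind the ELB is plaintext, so operators can decide whether that is acceptable on their network. Smaller points: `awsSSL: "true"` is a quoted string, so say whether the chart expects a string or a boolean; `https-api` in the ssl-ports annotation is not explained; the new heading and body write "Openwhisk" and "openwhisk" where the heading in the first hunk uses "OpenWhisk"; "setup" as a verb should be "set up"; and three of the added lines end with trailing whitespace.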