I am trying to leverage AWS ACM termination at a load balancer, using an ingress controller and an ingress object to forward all my traffic into my service mesh. I have a few requirements that are complicating things for me. These include:
- I must use Amazon Certificate Manager for SSL termination at the load balancer. Internal secrets can be managed with SDS.
- I must be able to force SSL for all requests through the load balancer
- I must be able to use a service like External DNS to automatically provision the endpoints once an ingress is created
I am looking for general advice about how to approach this.
Here’s my current somewhat working setup:
- An Nginx Ingress Controller using an NLB
- An Nginx Ingress which forwards traffic to an Istio ingress gateway
- A Gateway and VirtualService for my app (in this case, it’s Jenkins)
- External DNS that watches for Nginx Ingress objects
This works about 80% of the way, except that I can’t add multiple certs to an NLB and forcing SSL redirect results in a redirect loop. I’ve tried using the ALB Ingress controller, but I haven’t so far been able to get External DNS to work correctly when using this controller.
Is the approach I’m taking a sensible one? I’d prefer using as much native Istio as possible, but my understanding is that ACM integration has to be done at a controller level and not through an Istio gateway.
Any advice would be appreciated. Thanks!
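As an added example (not from the original post, and not configuration shipped by the ingress-nginx or Istio projects), here is one way to write down the layout the post describes: an NLB that terminates TLS with an ACM certificate, ingress-nginx behind it, and an Ingress that hands the host over to the Istio ingress gateway that the existing Gateway and VirtualService already serve. The redirect to HTTPS is decided by which NLB listener the connection arrived on rather than by an X-Forwarded-Proto header (an NLB is layer 4 and adds none), which is the usual way to avoid a redirect loop behind an L4 balancer. All names and values are assumptions: the ACM ARN and hostname are placeholders, the port 2443 is an arbitrary internal port, and the Service and ConfigMap names are assumed to match whatever the ingress-nginx deployment uses.

```yaml
# Added example; not the original poster's manifests. Placeholders: the ACM ARN,
# jenkins.example.com, the namespace/object names, and internal port 2443.
#
# 1) ingress-nginx controller Service. The NLB terminates TLS with the ACM cert
#    and forwards plaintext TCP: NLB 443 -> controller port 80 (normal http),
#    NLB 80 -> controller port 2443 (an nginx server that only returns a 308).
#    Because the redirect depends on the arrival port, nginx never needs
#    X-Forwarded-Proto, so no force-ssl-redirect annotation is involved and
#    nothing can loop.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    # placeholder: replace with the real ACM certificate ARN (one cert per NLB annotation)
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID"
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local   # keeps the client source IP visible to nginx
  selector:
    app.kubernetes.io/name: ingress-nginx
  ports:
    - name: http
      port: 80
      targetPort: 2443   # plain HTTP lands on the redirect-only server
      protocol: TCP
    - name: https
      port: 443
      targetPort: 80     # TLS already stripped by the NLB; nginx serves it as http
      protocol: TCP
---
# 2) ingress-nginx ConfigMap: turn off nginx's own ssl-redirect (nginx sees every
#    request as plain http, so that redirect would loop) and add the 308 server.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  ssl-redirect: "false"
  # The NLB sets no X-Forwarded-* headers, so leave this off: enabling it would
  # make nginx trust X-Forwarded-Proto/For values supplied by the client itself.
  use-forwarded-headers: "false"
  http-snippet: |
    server {
      listen 2443;
      return 308 https://$host$request_uri;
    }
---
# 3) Ingress that forwards the whole host to the Istio ingress gateway. It sits
#    in istio-system because an Ingress backend must be a Service in the same
#    namespace. External DNS picks up spec.rules[].host (and the hostname
#    annotation) and points the record at the NLB.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
    external-dns.alpha.kubernetes.io/hostname: jenkins.example.com   # placeholder host
spec:
  ingressClassName: nginx
  rules:
    - host: jenkins.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: istio-ingressgateway
                port:
                  number: 80
```

Two things worth checking when applying a layout like this: the hop from the NLB to the ingress-nginx pods is plaintext inside the VPC, so the mesh-side mTLS (the SDS-managed certificates mentioned in the post) is what protects traffic from nginx onward, and a quick `curl -I http://jenkins.example.com/` should return a single 308 to the https URL while `curl -I https://jenkins.example.com/` should return the application's response, with no further 3xx from nginx.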