Advice on How to Achieve SSL Termination At Load Balancer?

Hey all,

I am trying to leverage AWS ACM termination at a load balancer, using an ingress controller and an ingress object to forward all my traffic into my service mesh. I have a few requirements that are complicating things for me. These include:

  • I must use Amazon Certificate Manager for SSL termination at the load balancer. Internal secrets can be managed with SDS.
  • I must be able to force SSL for all requests through the load balancer.
  • I must be able to use a service like External DNS to automatically provision the endpoints once an ingress is created.

I am looking for general advice about how to approach this.
Here’s my current somewhat working setup:

  • An Nginx Ingress Controller using an NLB
  • An Nginx Ingress which forwards traffic to an Istio ingress gateway
  • A Gateway and VirtualService for my app (in this case, it’s Jenkins)
  • External DNS that watches for Nginx Ingress objects

This works about 80% of the way, except that I can’t add multiple certs to an NLB, and forcing SSL redirect results in a redirect loop. I’ve tried using the ALB Ingress controller, but I haven’t so far been able to get External DNS to work correctly when using this controller.

Is the approach I’m taking a sensible one? I’d prefer using as much native Istio as possible, but my understanding is that ACM integration has to be done at a controller level and not through an Istio gateway.

Any advice would be appreciated. Thanks!
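One way to remove the redirect loop described in the post, as an added example that is not part of the original question and not a manifest shipped by Istio, ingress-nginx or AWS: the NLB decrypts with the ACM certificate and hands plain TCP to nginx, so nginx's own ssl-redirect cannot tell "already HTTPS at the NLB" apart from "plain HTTP from the client" and bounces both, which is the loop. The fix is to turn that redirect off and give the NLB's port-80 listener its own nginx listener whose only job is to redirect. The ACM ARN is a placeholder; the namespace, the pod labels, the port names `http`/`https` and the free port 2443 named `tohttps` are assumptions about how the controller Deployment is laid out.

```yaml
# Added example, not from the original post: ingress-nginx behind an NLB that
# terminates TLS with an ACM certificate, without the ssl-redirect loop.
# Assumptions: controller in namespace ingress-nginx, container ports named
# http (80) and https (443), and port 2443 free in the controller pod.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    # PLACEHOLDER: replace with the ACM certificate ARN for your hostname(s)
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID"
    # Only the listener named "https" below carries the ACM certificate
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    # After decrypting, the NLB speaks plain TCP to the pods
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
spec:
  type: LoadBalancer
  # Keep the client source IP visible to nginx (NLB adds no X-Forwarded-* headers)
  externalTrafficPolicy: Local
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    # NLB port 80 lands on a dedicated nginx listener that only redirects
    - name: http
      port: 80
      protocol: TCP
      targetPort: tohttps
    # NLB port 443 is decrypted by ACM and forwarded, in clear text, to
    # nginx's normal HTTP port; nginx must not redirect this traffic again
    - name: https
      port: 443
      protocol: TCP
      targetPort: http
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  # Disable the controller's own redirect: the plaintext arriving on
  # targetPort "http" was already HTTPS at the NLB, so redirecting it is
  # exactly the loop seen in the question.
  ssl-redirect: "false"
  # A separate listener on 2443 (the "tohttps" port) answers only the NLB's
  # port-80 listener and sends a permanent redirect to https.
  http-snippet: |
    server {
      listen 2443;
      return 308 https://$host$request_uri;
    }
```

For `targetPort: tohttps` to resolve, the controller Deployment must also declare `containerPort: 2443` with `name: tohttps`. Two caveats follow from this layout: a per-Ingress `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` annotation would reintroduce the loop, since nginx still cannot see the original scheme, so "force SSL" has to live at the NLB/port-80 listener rather than on individual Ingress objects; and both the NLB-to-nginx and nginx-to-Istio-gateway hops are plaintext inside the VPC, so the mesh mTLS (the SDS-managed secrets mentioned in the requirements) is what protects traffic after termination.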