Nauman Munir
Case Study | E-commerce | Managed Kubernetes | Cloud Networking & DNS Management

AWS Load Balancer Controller - Ingress SSL Discovery Host for TrendWave Retail

AMJ Cloud Technologies deployed SSL certificate discovery with the AWS Load Balancer Controller on EKS for TrendWave Retail, automating ACM certificate association and Route 53 DNS for secure e-commerce microservices.


Technologies

  • AWS EKS
  • AWS Load Balancer Controller
  • Kubernetes Ingress
  • External DNS
  • Application Load Balancer
  • AWS Route 53
  • AWS Certificate Manager

Challenges

  • Manual SSL Configuration
  • Complex Certificate Management
  • Multi-Service Routing Complexity

Solutions

  • Automated ACM Certificate Discovery
  • SSL-Enabled Ingress
  • Context Path-Based Routing

Key Results

  • Scalability achievement: Secured high traffic for e-commerce microservices
  • Automation level: Fully automated SSL discovery and Ingress setup
  • Security improvement: Enforced HTTPS with auto-detected ACM certificates

Deploying Ingress SSL Discovery Host for TrendWave Retail

AMJ Cloud Technologies collaborated with TrendWave Retail, an e-commerce company, to enhance their AWS Elastic Kubernetes Service (EKS) cluster by implementing SSL certificate discovery with the AWS Load Balancer Controller. This project automated the association of AWS Certificate Manager (ACM) certificates using Ingress spec.tls.hosts for TrendWave’s microservices (frontend, backend, and default interfaces), eliminating manual certificate ARN configuration. Integrated with External DNS and Route 53, the solution ensured secure, scalable access with context path-based routing and HTTPS redirection, replacing manual SSL management.

Situation

TrendWave Retail needed to secure their e-commerce platform’s microservices with HTTPS while simplifying SSL certificate management. Their existing setup, built in a prior engagement with AMJ Cloud Technologies, used an ALB with manual certificate configurations, which was cumbersome for multiple services. AMJ was tasked with leveraging the AWS Load Balancer Controller’s SSL discovery feature to automatically associate ACM certificates for *.trendwaveretail.com and create a Route 53 DNS record (certdiscovery-tls.trendwaveretail.com) for seamless, secure access.

Task

The objectives were to:

  • Configure an Ingress manifest with spec.tls.hosts for automatic ACM certificate discovery.
  • Deploy and verify Kubernetes manifests for microservices and Ingress.
  • Automate Route 53 DNS record creation using External DNS.
  • Enforce HTTPS redirection and verify health checks.
  • Test application access via the registered DNS name (certdiscovery-tls.trendwaveretail.com).
  • Complete the project within one month.

Action

Our team executed the following steps, adhering to AWS and Kubernetes best practices:

Prerequisites

  • Used TrendWave’s existing EKS cluster (ecommerce-cluster, version 1.31) with the AWS Load Balancer Controller (v2.8.0) installed:
    helm install load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName=ecommerce-cluster --set image.tag=v2.8.0
  • Installed External DNS on the EKS cluster:
    helm install external-dns external-dns/external-dns -n kube-system --set provider=aws --set aws.region=us-east-1

Configure IngressClass

  • Used the existing default IngressClass:
    apiVersion: networking.k8s.io/v1
    kind: IngressClass
    metadata:
      name: alb-ingress-class
      annotations:
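        ingressclass.kubernetes.io/is-default-class: "true"
    spec:
      # Hands Ingresses of this class to the AWS Load Balancer Controller
      controller: ingress.k8s.aws/alb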

Deploy Microservices

  • Deployed TrendWave’s microservices (frontend, backend, default) with NodePort Services:
    apiVersion: v1
    kind: Service
    metadata:
      name: frontend-service
      annotations:
        alb.ingress.kubernetes.io/healthcheck-path: /frontend/index.html
    spec:
      type: NodePort
      # Assumed label; it must match the pod labels in frontend-deployment.yaml
      selector:
        app: frontend
      ports:
        - port: 80
  • Applied similar configurations for backend-service (/backend/index.html) and default-service (/index.html) using files frontend-deployment.yaml, backend-deployment.yaml, and default-deployment.yaml.

Configure Ingress with SSL Discovery

  • Configured the Ingress with spec.tls.hosts for SSL discovery and External DNS:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: cert-discovery-ingress
      annotations:
        alb.ingress.kubernetes.io/load-balancer-name: ecommerce-ingress
        alb.ingress.kubernetes.io/scheme: internet-facing
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
        alb.ingress.kubernetes.io/ssl-redirect: "443"
        alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
        alb.ingress.kubernetes.io/healthcheck-interval-seconds: "15"
        alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
        alb.ingress.kubernetes.io/success-codes: "200"
        alb.ingress.kubernetes.io/healthy-threshold-count: "2"
        alb.ingress.kubernetes.io/unhealthy-threshold-count: "2"
        external-dns.alpha.kubernetes.io/hostname: certdiscovery-tls.trendwaveretail.com
    spec:
      ingressClassName: alb-ingress-class
      tls:
        - hosts:
            - "*.trendwaveretail.com"
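      rules:
        - http:
            paths:
              # Each path needs a backend; Service names and port 80 come from the Services above
              - path: /frontend
                pathType: Prefix
                backend:
                  service:
                    name: frontend-service
                    port:
                      number: 80
              - path: /backend
                pathType: Prefix
                backend:
                  service:
                    name: backend-service
                    port:
                      number: 80
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: default-service
                    port:
                      number: 80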
  • Applied manifests:
    kubectl apply -f manifests/
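
A pre-deploy check for the Ingress above, added here as an example (it is not part of the original case study, nor the controller's own discovery logic): it confirms that an HTTPS listener is declared, that the HTTP listener redirects to it, and that the name published through External DNS is covered by a spec.tls.hosts entry, since a wildcard covers exactly one DNS label. The function names and the trimmed sample JSON are constructed for illustration; real input would be the output of `kubectl get ingress cert-discovery-ingress -o json`.

```python
import json

# Constructed sample: the Ingress from this page in JSON form, trimmed to the
# fields the checks read.
SAMPLE = json.dumps({
    "metadata": {"name": "cert-discovery-ingress", "annotations": {
        "alb.ingress.kubernetes.io/listen-ports": '[{"HTTPS":443}, {"HTTP":80}]',
        "alb.ingress.kubernetes.io/ssl-redirect": "443",
        "external-dns.alpha.kubernetes.io/hostname": "certdiscovery-tls.trendwaveretail.com",
    }},
    "spec": {"tls": [{"hosts": ["*.trendwaveretail.com"]}]},
})

ALB = "alb.ingress.kubernetes.io/"


def covers(pattern: str, host: str) -> bool:
    """TLS wildcard rule: '*' stands for exactly one left-most DNS label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # apex and deeper subdomains are not covered
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def lint_ingress(raw: str) -> list[str]:
    """Return findings for an ALB Ingress; an empty list means all checks pass."""
    ing = json.loads(raw)
    ann = ing["metadata"].get("annotations", {})
    findings = []
    # Only listeners declared explicitly are counted; no defaults are assumed.
    ports = json.loads(ann.get(ALB + "listen-ports", "[]"))
    https = [p["HTTPS"] for p in ports if "HTTPS" in p]
    plain = [p["HTTP"] for p in ports if "HTTP" in p]
    if not https:
        findings.append("no HTTPS listener declared")
    redirect = ann.get(ALB + "ssl-redirect")
    if plain and (redirect is None or int(redirect) not in https):
        findings.append("HTTP listener without ssl-redirect to an HTTPS port")
    tls_hosts = [h for t in ing["spec"].get("tls", []) for h in t.get("hosts", [])]
    dns = ann.get("external-dns.alpha.kubernetes.io/hostname", "")
    for name in filter(None, (n.strip() for n in dns.split(","))):
        if not any(covers(p, name) for p in tls_hosts):
            findings.append(f"{name} not covered by spec.tls.hosts")
    return findings
```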

Deploy and Verify

  • Verified Kubernetes resources:
    kubectl get ingress
    kubectl get deploy,pods,svc
  • Checked External DNS logs for Route 53 record creation:
    kubectl logs -f -n kube-system $(kubectl get po -n kube-system | grep -Eo 'external-dns[A-Za-z0-9-]+')
  • Confirmed Route 53 record set for certdiscovery-tls.trendwaveretail.com in the AWS Console.
  • Verified ALB settings and associated ACM certificate in the AWS Console (EC2 > Load Balancers).

Test Application Access

  • Performed DNS resolution test:
    nslookup certdiscovery-tls.trendwaveretail.com
  • Verified HTTPS access (HTTP redirects to HTTPS):
    https://certdiscovery-tls.trendwaveretail.com/frontend/index.html
    https://certdiscovery-tls.trendwaveretail.com/backend/index.html
    https://certdiscovery-tls.trendwaveretail.com/

Result

The project delivered a secure, automated solution for TrendWave Retail:

  • Scalability Achievement: Secured high traffic for TrendWave’s e-commerce microservices with dynamic ALB scaling.
  • Automation Level: Fully automated SSL discovery and Ingress setup via ACM and Kubernetes manifests.
  • Security Improvement: Enforced HTTPS with auto-detected ACM certificates, health checks, and restricted IAM permissions.

Technologies Used

  • AWS EKS
  • AWS Load Balancer Controller
  • Kubernetes Ingress
  • External DNS
  • Application Load Balancer
  • AWS Route 53
  • AWS Certificate Manager

Key Takeaways

This case study showcases AMJ Cloud Technologies’ expertise in automating SSL certificate management for TrendWave Retail’s e-commerce platform. The Ingress SSL discovery feature simplified ACM certificate association, while External DNS and Route 53 integration ensured secure, scalable access, offering a model for similar industries.
