Follow Amazon's instructions to provision your cluster.
AWS‘s Elastic Kubernetes Service (EKS) does not support standard Kubernetes ingress. Instead, it relies on provisioning Elastic Load Balancers (ELBs) outside of the EKS cluster to direct traffic to exposed services running in the cluster. Because the wsk
cli expects to be able to use TLS to communicate securely with the OpenWhisk server, you will first need to ensure that you have a certificate available for your ELB instance to use in AWS’s IAM service. For development and testing purposes, you can use a self-signed certificate (for example the openwhisk-server-cert.pem
and openwhisk-server-key.pem
that are generated when you build OpenWhisk from source and can be found in the $OPENWHISK_HOME/ansible/roles/nginx/files
directory. Upload these to IAM using the aws cli:
aws iam upload-server-certificate --server-certificate-name ow-self-signed --certificate-body file://openwhisk-server-cert.pem --private-key file://openwhisk-server-key.pem
Verify that the upload was successful by using the command:
aws iam list-server-certificates
A typical output would be as shown below
{ "ServerCertificateMetadataList": [ { "ServerCertificateId": "ASCAJ4HPCCVA65ZHD5TFQ", "ServerCertificateName": "ow-self-signed", "Expiration": "2019-10-01T20:50:02Z", "Path": "/", "Arn": "arn:aws:iam::12345678901:server-certificate/ow-self-signed", "UploadDate": "2018-10-01T21:27:47Z" } ] }
Add the following to your mycluster.yaml
, using your certificate's Arn instead of the example one:
whisk: ingress: type: LoadBalancer annotations: service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:iam::12345678901:server-certificate/ow-self-signed
Shortly after you deploy your helm chart, an ELB should be automatically created. You can determine its hostname by issuing the command kubectl get services -o wide
. Use the value in the the EXTERNAL-IP column for the nginx service and port 443 to define your wsk apihost.
NOTE: It may take several minutes after the ELB is reported as being available before the hostname is actually properly registered in DNS. Be patient and keep trying until you stop getting no such host
errors from wsk
when attempting to access it.
Due to the way AWS supports TLS termination on ELBs there are a couple of configuration options required to put a signed certificate in place when deploying openwhisk.
First ensure you have a signed certificate in your AWS Certificate Manager.
Then ensure you enable the following:
whisk: ingress: awsSSL: "true" type: LoadBalancer annotations: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https-api service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <your certificate ARN>
This will setup a loadbalanced service that allows your users to connect via HTTPS to the cluster. Internally we switch from SSL to plain HTTP communication as we're forwarding ports internally. Please read this doc for more information.
If you used a self-signed certificate, you will need to invoke wsk
with the -i
command line argument to bypass certificate checking.