Follow Amazon's instructions to provision your cluster.
AWS's Elastic Kubernetes Service (EKS) does not support standard Kubernetes
ingress. Instead, it relies on provisioning Elastic Load
Balancers (ELBs) outside of the EKS cluster to direct traffic to
exposed services running in the cluster. Because the wsk cli
expects to be able to use TLS to communicate securely with the OpenWhisk
server, you will first need to ensure that you have a certificate
available for your ELB instance to use in AWS's IAM service. For
development and testing purposes, you can use a self-signed
certificate (for example the openwhisk-server-cert.pem and
openwhisk-server-key.pem that are generated when you build OpenWhisk
from source and can be found in the
$OPENWHISK_HOME/ansible/roles/nginx/files directory. Upload these to
IAM using the aws cli:
aws iam upload-server-certificate --server-certificate-name ow-self-signed --certificate-body file://openwhisk-server-cert.pem --private-key file://openwhisk-server-key.pemVerify that the upload was successful by using the command:
aws iam list-server-certificatesA typical output would be as shown below
{
"ServerCertificateMetadataList": [
{
"ServerCertificateId": "ASCAJ4HPCCVA65ZHD5TFQ",
"ServerCertificateName": "ow-self-signed",
"Expiration": "2019-10-01T20:50:02Z",
"Path": "/",
"Arn": "arn:aws:iam::12345678901:server-certificate/ow-self-signed",
"UploadDate": "2018-10-01T21:27:47Z"
}
]
}
Add the following to your mycluster.yaml, using your certificate's Arn
instead of the example one:
whisk:
ingress:
type: LoadBalancer
annotations:
service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:iam::12345678901:server-certificate/ow-self-signedShortly after you deploy your helm chart, an ELB should be
automatically created. You can determine its hostname by issuing
the command kubectl get services -o wide. Use the value in the
the EXTERNAL-IP column for the nginx service and port 443 to define
your wsk apihost.
NOTE: It may take several minutes after the ELB is reported as being
available before the hostname is actually properly registered in DNS.
Be patient and keep trying until you stop getting no such host
errors from wsk when attempting to access it.
Due to the way AWS supports TLS termination on ELBs there are a couple of configuration options required to put a signed certificate in place when deploying openwhisk.
First ensure you have a signed certificate in your AWS Certificate Manager.
Then ensure you enable the following:
whisk:
ingress:
awsSSL: "true"
type: LoadBalancer
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https-api
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <your certificate ARN>This will setup a loadbalanced service that allows your users to connect via HTTPS to the cluster. Internally we switch from SSL to plain HTTP communication as we're forwarding ports internally. Please read this doc for more information.
If you used a self-signed certificate, you will need to invoke wsk
with the -i command line argument to bypass certificate checking.