Bitnami provides a nice Helm chart for EJBCA, a FOSS public key infrastructure certificate authority application with a REST API. However, the Service and Ingress setup doesn't work very well if you're deploying to Amazon EKS.
Our EKS clusters use the AWS Load Balancer Controller to automatically create ALBs from Kubernetes Ingresses which are properly annotated. This allows us to attach certificates stored in AWS Certificate Manager, set TLS policies, and establish health checks right in our manifests. Fantastic stuff.
While trying to get EJBCA to play nicely on one of the above-described clusters, I ended up needing to make the following changes to the values.yaml file I was using in order to get things running properly.
```yaml
service:
  type: NodePort
  # The default here is LoadBalancer, which won't work with our setup.
ingress:
  enabled: true
  pathType: Prefix
  hostname: <YOUR_HOSTNAME_HERE>
  ingressClassName: "alb"
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/success-codes: 200-399
    alb.ingress.kubernetes.io/healthcheck-path: /ejbca/doc # Same as livenessProbe
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
    alb.ingress.kubernetes.io/certificate-arn: <YOUR_ACM_CERT_ARN_HERE>
```
Hopefully, you find this helpful if you're trying to put EJBCA on EKS.
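As an added example (not part of the original post or the Bitnami chart), here is a small Python lint over the ALB annotations above that flags settings which would expose the CA or weaken TLS before the values file is applied. The function names, the one-entry policy allowlist, and the sample ARN are assumptions made for illustration.

```python
PREFIX = "alb.ingress.kubernetes.io/"
# Assumption: the team allowlists only the listener policy used in the post.
ALLOWED_SSL_POLICIES = {"ELBSecurityPolicy-TLS13-1-2-2021-06"}

# Constructed sample: the post's annotations with a made-up ACM ARN filled in.
POST_STYLE = """\
alb.ingress.kubernetes.io/scheme: internal
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/backend-protocol: HTTPS
alb.ingress.kubernetes.io/healthcheck-path: /ejbca/doc # Same as livenessProbe
alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE
"""
# Constructed sample: a weak variant to show what the lint reports.
WEAK = """\
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-2016-08
"""

def parse_annotations(text):
    """Parse flat 'key: value  # comment' lines from an annotations block."""
    out = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()  # drop trailing comment
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        out[key.strip()] = value.strip().strip('"')
    return out

def audit(ann):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    # When absent, the controller defaults to scheme=internal, backend-protocol=HTTP.
    if ann.get(PREFIX + "scheme", "internal") != "internal":
        findings.append("scheme: ALB is internet-facing, CA endpoints are publicly reachable")
    if ann.get(PREFIX + "backend-protocol", "HTTP") != "HTTPS":
        findings.append("backend-protocol: ALB-to-pod traffic is not TLS")
    policy = ann.get(PREFIX + "ssl-policy")
    if policy not in ALLOWED_SSL_POLICIES:
        findings.append(f"ssl-policy: {policy or 'controller default'} is not on the allowlist")
    if not ann.get(PREFIX + "certificate-arn", "").startswith("arn:aws:acm:"):
        findings.append("certificate-arn: no ACM certificate pinned for the HTTPS listener")
    return findings

if __name__ == "__main__":
    for name, sample in (("post-style", POST_STYLE), ("weak", WEAK)):
        print(name, audit(parse_annotations(sample)) or "OK")
```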