Bahmni EKS clusters come out of the box with the Kubernetes Ingress Controller Fake Certificate. End-to-end TLS encryption is required to ensure that the channel / data transmission is encrypted, and it is equally important for regulatory requirements such as PCI and HIPAA.
This document describes:
Setting up end-to-end TLS encryption for EKS using AWS Certificate Manager (ACM) and CloudFront
Redirecting HTTP to HTTPS
Note: An alternate way to set up end-to-end encryption is to use aws-pca-issuer.
1️⃣ Issue a new certificate in AWS Certificate Manager
Navigate to AWS Certificate Manager in us-east-1 and request a new certificate for your domain. Two things to remember:
The certificate must be issued in us-east-1 (N. Virginia) in order to be used by CloudFront.
Use a wildcard so that the same certificate covers your subdomains, or list all your domains together with their subdomains, e.g. *.mybahmni.in
(note that a single * covers only one level of subdomain; if you have multiple levels such as sub1.sub2.example.com, you would need to add multiple wildcards: *.*.example.com)
Once the certificate is issued, open the certificate and use "Create records in Route 53" under Domains to create the CNAME record(s) for the domain(s) in Route 53.
2️⃣ Create CloudFront distribution
We will create a new CloudFront distribution to serve the application (accessible at the ingress DNS name) with the certificate issued by ACM, and it will also perform the HTTP to HTTPS redirect.
Create a new CloudFront distribution
Origin domain: the ingress host where the application is available, e.g. lite.eks.mybahmni.in
Select "HTTP only" under Protocol (CloudFront connects to the ingress over plain HTTP; TLS is terminated at CloudFront)
Select "Redirect HTTP to HTTPS" under Viewer protocol policy
Select "GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE" under Allowed HTTP methods
Under Alternate domain name (CNAME), add the domain alias for this CloudFront distribution, e.g. lite.mybahmni.in
(it is important to add the Alternate domain name with the matching alias name; otherwise the CloudFront distribution will not show up when creating the record in Route 53)
Under Custom SSL certificate, choose the certificate created in step #1
3️⃣ Create Alias for CloudFront Distribution
Finally, we will create a Route 53 Alias record (record type AAAA) for the CloudFront distribution.
Record name: e.g. lite or demo, or BLANK for www (this must match the Alternate domain name we set up in the CloudFront distribution, i.e. lite.mybahmni.in)
Record type: AAAA
Route traffic to: select "Alias to CloudFront distribution", and then select the distribution we created in step #2
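Once the three steps are done, the following script (an added example, not part of the Bahmni documentation) checks the result from the outside: that the host no longer presents the ingress controller's fake certificate, that the served certificate actually covers the hostname with the one-label-per-wildcard rule from step 1, and that plain HTTP is redirected to HTTPS as configured in step 2. The hostname lite.mybahmni.in is taken from the examples above; the certificate dicts in the test are constructed.

```python
import http.client
import socket
import ssl

# Subject CN of the default certificate served by the EKS ingress controller
FAKE_CN = "Kubernetes Ingress Controller Fake Certificate"


def san_matches(pattern: str, hostname: str) -> bool:
    """Each '*' covers exactly one DNS label: '*.mybahmni.in' matches
    lite.mybahmni.in but not sub1.sub2.mybahmni.in (see step 1)."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    return len(p) == len(h) and all(pl == hl or pl == "*" for pl, hl in zip(p, h))


def cert_covers(cert: dict, hostname: str) -> bool:
    """cert is the dict returned by ssl.SSLSocket.getpeercert()."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(san_matches(n, hostname) for n in dns_names)


def is_fake_ingress_cert(cert: dict) -> bool:
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return subject.get("commonName") == FAKE_CN


def redirect_ok(status: int, location: str, hostname: str) -> bool:
    """'Redirect HTTP to HTTPS' must answer with a redirect to https://<same host>."""
    prefix, loc = f"https://{hostname.lower()}", location.lower()
    return status in (301, 302, 308) and loc.startswith(prefix) and loc[len(prefix):len(prefix) + 1] in ("", "/")


def check_host(hostname: str, timeout: float = 5.0) -> dict:
    """Live check against a deployed host (needs network); returns booleans."""
    result = {"trusted": False, "covers_host": False, "fake_cert": False, "redirects": False}
    ctx = ssl.create_default_context()  # verifies the chain against the system CA store
    try:
        with socket.create_connection((hostname, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                result.update(trusted=True, covers_host=cert_covers(cert, hostname),
                              fake_cert=is_fake_ingress_cert(cert))
    except ssl.SSLCertVerificationError:
        pass  # self-signed fake ingress cert or name mismatch: stays untrusted
    conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": hostname})
    resp = conn.getresponse()
    result["redirects"] = redirect_ok(resp.status, resp.getheader("Location", ""), hostname)
    conn.close()
    return result


if __name__ == "__main__":
    import sys
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "lite.mybahmni.in"))
```

Every value in the returned dict should be True except fake_cert; an untrusted result with a verification error is the symptom of the fake ingress certificate still being served.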