Expose EKS tekton pipeline dashboard with ssl enabled

Md Asraful Haque (Sohel) - Aug 21 - Dev Community

In this tutorial we will expose the Tekton Pipelines dashboard using an application load balancer with SSL enabled on an AWS EKS cluster.

Image: River and boat of Bangladesh, Shaplabill, Jointapur, Sylhet, Bangladesh

Photo by ATM Arafath Ali on Unsplash

Pre-Requisite

  • EKS Cluster
  • kubectl is configured on your local machine
  • Tekton pipeline is installed

Context

Tekton Dashboard is a web-based UI for Tekton Pipelines and Tekton Triggers resources. It's quite easy to install with kubectl by following the official install guidelines. In a self-managed Kubernetes cluster you can easily expose it with an ingress controller, but on EKS you have to install an ingress controller, the AWS Load Balancer Controller, which seems a bit of a hassle to me if you want to achieve something quickly. Instead, I would use a Service to achieve this.

Install Tekton Dashboard

Install the Tekton Dashboard using the official documentation

Expose Tekton Dashboard with Service (without https)

Create a Service of type LoadBalancer (i.e. tekton-dashboard-svc.yaml) with the following manifest:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: tekton-dashboard    
  name: tekton-dashboard
  namespace: tekton-pipelines
spec:
  type: LoadBalancer
  ports:
    - name: http
      port: 9097
      protocol: TCP
      targetPort: 9097
  selector:
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/name: dashboard
    app.kubernetes.io/part-of: tekton-dashboard
  sessionAffinity: None

Create this service using kubectl:

$ kubectl apply -n tekton-pipelines -f tekton-dashboard-svc.yaml

This will create a load balancer in AWS. You can access the dashboard with the load balancer URL, or you can map the load balancer to your domain name, e.g. tekton-dashboard.myeks.com, using the Route53 service.

Expose Tekton Dashboard with Service and https enabled

Exposing the Tekton Dashboard with a LoadBalancer Service was quite easy. Now we want to enable HTTPS. To do that, follow these steps:

Step 1: Create Certificate

Create a certificate using AWS Certificate Manager for your domain tekton-dashboard.myeks.com. Make sure you also validate the certificate.

Step 2: Create the Service with the certificate

Add the following annotations with the certificate ARN:

service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn of the certificate created above"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"

So the Service will look like the following (i.e. tekton-dashboard-svc-ssl.yaml):

apiVersion: v1
kind: Service
metadata:
  annotations:
    # Note that the backend talks over HTTP.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    # TODO: Fill in with the ARN of your certificate.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn of the certificate created above"
    # Only run SSL on the port named "https" below.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
  labels:
    app: tekton-dashboard
  name: tekton-dashboard-ssl
  namespace: tekton-pipelines
spec:
  type: LoadBalancer
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 9097
    - name: https
      port: 443
      protocol: TCP
      targetPort: 9097
  selector:
    app.kubernetes.io/component: dashboard
    app.kubernetes.io/instance: default
    app.kubernetes.io/name: dashboard
    app.kubernetes.io/part-of: tekton-dashboard
  sessionAffinity: None

Create this service using kubectl:

$ kubectl apply -n tekton-pipelines -f tekton-dashboard-svc-ssl.yaml

If you created the Service from tekton-dashboard-svc.yaml earlier, you can delete that Service.
Wait for some time; the load balancer will be created, and you can now use HTTPS.

Step 3: Use the domain name

Now, find your load balancer from the Service:

$ kubectl get svc tekton-dashboard-ssl -n tekton-pipelines

You will get the load balancer URL in the EXTERNAL-IP field.

  • With the URL, locate that load balancer in the AWS Console and check that its listeners include port 443. For the SSL certificate, check that the certificate you defined in the Service has been attached to the load balancer.
  • From AWS Route53, associate your domain name (e.g. tekton-dashboard.myeks.com) with the load balancer. If you are doing it for the first time, you can follow the AWS "Routing traffic to an ELB load balancer" documentation.
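The listener check in the first item can also be run against the Service object itself. The following is an added example, not part of the original post: it reads the JSON returned by `kubectl get svc tekton-dashboard-ssl -n tekton-pipelines -o json` and reports which listeners terminate TLS. The sample JSON and the placeholder ARN are constructed, and the `ssl-ports` matching rule (port names or numbers, unset or `*` meaning all ports) is an assumption about the in-tree AWS provider.

```python
import json

PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"

# Constructed sample in the shape of `kubectl get svc ... -o json` for the
# manifest above; the certificate ARN is a placeholder, not a real value.
SAMPLE = json.dumps({
    "metadata": {"name": "tekton-dashboard-ssl", "annotations": {
        PREFIX + "backend-protocol": "http",
        PREFIX + "ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER",
        PREFIX + "ssl-ports": "https",
    }},
    "spec": {"type": "LoadBalancer", "ports": [
        {"name": "http", "port": 80, "targetPort": 9097},
        {"name": "https", "port": 443, "targetPort": 9097},
    ]},
})


def classify_listeners(service):
    """Return {port: "tls" | "plaintext"} for a LoadBalancer Service dict."""
    ann = service.get("metadata", {}).get("annotations") or {}
    cert = ann.get(PREFIX + "ssl-cert", "")
    ssl_ports = ann.get(PREFIX + "ssl-ports", "*").strip()
    # Assumption: unset or "*" applies the certificate to every port;
    # otherwise entries are matched against port names or port numbers.
    wanted = None if ssl_ports in ("", "*") else {
        p.strip() for p in ssl_ports.split(",")}
    result = {}
    for p in service["spec"]["ports"]:
        covered = (wanted is None or p.get("name") in wanted
                   or str(p["port"]) in wanted)
        result[p["port"]] = "tls" if cert and covered else "plaintext"
    return result


def audit(service):
    """List findings a reviewer would raise before exposing the dashboard."""
    findings = []
    for port, mode in sorted(classify_listeners(service).items()):
        if mode == "plaintext":
            findings.append(f"port {port}: listener is not TLS")
    if not service["spec"].get("loadBalancerSourceRanges"):
        findings.append("no loadBalancerSourceRanges: any source address accepted")
    return findings


if __name__ == "__main__":
    for finding in audit(json.loads(SAMPLE)):
        print(finding)
```

For the manifest above it reports port 80 as not TLS: the dashboard stays reachable over unencrypted HTTP unless the `http` port is removed from the Service.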

That's it! Now you can browse the Tekton Dashboard at https://tekton-dashboard.myeks.com 🎉

If you want to require user authentication for your Tekton Dashboard, look at my next post on authenticating the Tekton Dashboard using AWS Cognito.

NB. The picture attached to this post is not related to the content; it's just attached to soothe your eyes :)

References:
https://stackoverflow.com/questions/56534589/is-there-a-way-to-configure-an-eks-service-to-use-https
