Decide on Kubernetes Ingress Controller(s)

Considerations

Kubernetes supports any number of ingress controllers, and each can be deployed multiple times. The choice of ingress controller determines which AWS features we can natively support (e.g. WAF requires an ALB).

Our recommendation is to use the aws-load-balancer-controller (aka aws-alb-ingress-controller v2) with ACM certificates provisioned by Terraform.

TLS terminates at the ALB. Traffic is then optionally re-encrypted if the downstream services support it, such as with self-signed certificates and a TLS sidecar like Envoy or Nginx. Without this, traffic is in clear text between the ALB and the downstream service or pod.
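The manifest below is an added example, not configuration from this page or from the controller project. It shows an Ingress for the AWS load balancer controller that terminates TLS at the ALB and re-encrypts to a TLS sidecar, with the weak backend setting noted beside the corrected one. The service name, namespace, port 8443 and the certificate ARN are placeholders.

```yaml
# Added example: names, ports and ARNs are placeholders, not values from this page.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app                      # hypothetical service name
  namespace: default
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip   # ALB targets pod IPs directly
    # Edge TLS: the ALB terminates client TLS with the ACM certificate.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER
    # Backend hop. Weak setting (the default when the annotation is omitted):
    #   alb.ingress.kubernetes.io/backend-protocol: HTTP   -> clear text from ALB to pod
    # Corrected setting: re-encrypt to the TLS sidecar running in the pod.
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTPS
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app
                port:
                  number: 8443   # assumed port where the Envoy/Nginx sidecar serves TLS
```

The ALB does not validate the certificate presented by its targets, which is why a self-signed certificate on the sidecar works. The re-encrypted hop therefore protects against passive eavesdropping inside the VPC but does not authenticate the pod to the load balancer.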

Historically, we’ve recommended ingress-nginx (formerly nginx-ingress), but we now prefer the AWS load balancer controller due to its native support by AWS.