I'm trying to figure out which ingress controller works best with ACM (AWS Certificate Manager) while also allowing me to access JWT claims. I previously considered the NGINX ingress controller because it lets me manage routes based on token claims, but I've found out that it only supports classic and NLB, which seems to prevent me from using cert-manager. On the other hand, I've looked into the AWS Load Balancer (ALB) controller, but I'm unclear if it allows for inspecting the actual JWT token issued by the OAuth provider; it seems like it only offers the token from the ALB itself. I'm aiming to protect my routes with RBAC using the claims in the token. Can anyone clarify if this is feasible with the ALB controller?
2 Answers
One option is to shift your JWT processing to a different layer. Have you considered using Kong? It might support JWT integration nicely.
If you're set on using ACM with EKS without cert-manager for TLS, you should know that you can't export the private key from ACM. You'll need to delegate TLS handling to either an NLB or an ALB in front of your ingress resources. The traffic will then reach your ingress controller, where you can manage the JWT or forward it to your workloads. If you choose cert-manager, you can handle TLS on the ingress controller and deal with JWT processing there. Just remember, JWT claims generally get processed after the TLS termination, so it’s best to handle them at your application level.
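As an added example (not part of the answer above) of the "NLB in front of the ingress controller" option it describes: a Service for the NGINX ingress controller annotated so the AWS cloud provider provisions an NLB that terminates TLS with an ACM certificate and forwards decrypted traffic to the controller, which then handles the JWT. The namespace, selector labels and certificate ARN are placeholders; the annotations assume the in-tree AWS cloud provider (or the AWS Load Balancer Controller honouring the same legacy annotations) reconciles the Service.

```yaml
# Added example: expose ingress-nginx behind an NLB that terminates TLS with an ACM certificate.
# Assumptions (placeholders): namespace ingress-nginx, the standard ingress-nginx labels,
# and a certificate ARN of the form arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    # Certificate the NLB presents to clients; the private key never leaves ACM.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID"
    # Only the 443 listener terminates TLS; port 80 stays plain so the controller can redirect it.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    # After termination the NLB forwards plain TCP to the controller's HTTP port.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
spec:
  type: LoadBalancer
  # Avoid kube-proxy SNAT so the controller logs and rate-limits on the real client IP.
  externalTrafficPolicy: Local
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: http   # TLS is already terminated at the NLB, so 443 also lands on the HTTP port
```

The hop from the NLB to the nodes is plain HTTP inside the VPC, so restrict the node security group to the NLB's traffic and treat any claim-based authorization done in the controller or the application as operating on already-decrypted requests. The controller cannot inspect client certificates or SNI in this setup, since TLS never reaches it.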
Would it be crazy to set up a CloudFront distribution in front of the ELB just for TLS termination? I could use ACM there without caching, and it should work with my current NGINX ingress controller.