4

I'm trying to set up my EKS cluster in AWS with Nginx ingress controller.

Nginx ingress controller creates a service of type LoadBalancer which in turn creates an ELB instance that's mapped to the node ports of the service.

I'd like to have the SSL certificate managed by AWS, not the Kubernetes cluster, so I imported it into the AWS Certificate Manager and added an annotation to the nginx service:

service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <certificate_arn> 

So far it's standard stuff. The load balancer is now doing the SSL termination and the subsequent communication between it and the cluster is unencrypted, which is what I wanted. The only problem is that instead of this:

[Client] -> HTTPS (443) -> [ELB (SSL termination)] -> HTTP (80) -> [Service] 

I get this

[Client] -> HTTPS (443) -> [ELB (SSL termination)] -> HTTP (443) -> [Service] 

As you can see, the ELB doesn't change the port from 443 to 80 and the communication gets rejected by the Nginx pod because it receives unencrypted traffic on port 443.

I tried a similar thing with SSL/TCP ELB but the same problem occurs.

I searched but couldn't find any way to tell the ELB to send the unencrypted traffic to port 80. Any ideas?

Thanks!

1
  • Please, in addition to describing your issue, it would be good if you added your Kubernetes YAMLs. Commented Mar 15, 2019 at 16:05

1 Answer

4

You need to configure your Ingress service to use targetPort: http even when using the 443 port.

Here is an example of using Nginx Ingress and Amazon ELB with Layer 7 (HTTP/HTTPS) listeners:

kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: http  # <--- PAY ATTENTION HERE
1
  • My request works on http, but the same times out when I invoke using https. I changed the target port to http as mentioned by you, still no luck. How can I debug where exactly the issue is in Kubernetes? Commented Dec 26, 2019 at 4:54
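
An added example, not part of the original answer or its comments: a small check that reads a Service object (as parsed from `kubectl get svc ingress-nginx -n ingress-nginx -o json`) and reports listeners where the ELB terminates TLS but forwards plaintext to a pod port that expects TLS, which is the mismatch the answer's `targetPort: http` fixes. The sample Service, the function names and the assumption that the controller's TLS container port is named `https` (443) are constructed for illustration.

```python
PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"

def plaintext_to_tls_port(service, tls_pod_ports=("https", 443)):
    """Return (name, port, targetPort) for Service ports where the ELB
    terminates TLS but sends plaintext to a pod port that expects TLS.

    tls_pod_ports is an assumption: the names/numbers of the controller's
    TLS container port (https/443 here)."""
    ann = service.get("metadata", {}).get("annotations", {})
    if PREFIX + "ssl-cert" not in ann:
        return []  # the ELB is not terminating TLS at all
    if ann.get(PREFIX + "backend-protocol", "").lower() in ("https", "ssl"):
        return []  # the ELB re-encrypts towards the pods
    # Without ssl-ports, every listener uses the certificate ("*").
    ssl_ports = {p.strip() for p in ann.get(PREFIX + "ssl-ports", "*").split(",")}
    tls_targets = {str(p) for p in tls_pod_ports}
    findings = []
    for port in service.get("spec", {}).get("ports", []):
        keys = {str(port["port"])}
        if port.get("name"):
            keys.add(port["name"])
        terminates_tls = "*" in ssl_ports or bool(keys & ssl_ports)
        # targetPort defaults to the Service port when omitted.
        target = str(port.get("targetPort", port["port"]))
        if terminates_tls and target in tls_targets:
            findings.append((port.get("name"), port["port"], target))
    return findings

def make_service(https_target):
    """Constructed sample Service; only the 443 targetPort varies."""
    return {
        "metadata": {"annotations": {
            PREFIX + "ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER",
            PREFIX + "backend-protocol": "http",
            PREFIX + "ssl-ports": "https",
        }},
        "spec": {"type": "LoadBalancer", "ports": [
            {"name": "http", "port": 80, "targetPort": "http"},
            {"name": "https", "port": 443, "targetPort": https_target},
        ]},
    }

if __name__ == "__main__":
    for target in ("https", "http"):
        hits = plaintext_to_tls_port(make_service(target))
        print(f"443 -> targetPort {target}: {hits or 'ok'}")
```

An empty result for the `targetPort: http` variant confirms the Service matches the layout in the answer; a non-empty result names the listener that will deliver unencrypted traffic to the TLS port.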
