We have a Kubernetes cluster on AWS EKS, using the AWS Load Balancer Controller to manage ALBs using k8s Ingress: https://github.com/kubernetes-sigs/aws-load-balancer-controller

When using the annotation `alb.ingress.kubernetes.io/backend-protocol: HTTPS`, the AWS ALB is not able to communicate with our Kubernetes service.

```
curl -i https://example-api-2.acme-test.com/ping
HTTP/2 502
server: awselb/2.0
date: Tue, 18 Apr 2023 08:47:21 GMT
content-type: text/html
content-length: 122

<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
</body>
</html>
```

However, changing `alb.ingress.kubernetes.io/backend-protocol: HTTPS` from `HTTPS` to `HTTP` resolves this issue, and we are able to communicate with the service using the same curl command.

Ingress

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
  namespace: example
  annotations:
    alb.ingress.kubernetes.io/group.name: "acme-test"
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/tags: Environment=dev,Team=test
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80,"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: <redacted>
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '300'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-Ext-2018-06
spec:
  ingressClassName: alb
  rules:
    - host: example-api.<redacted>.om
      http:
        paths:
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: example-api-2
                port:
                  number: 80
```

Environment
- AWS Load Balancer controller version: 2.5
- Kubernetes version: 1.2.6
- Using EKS (yes/no), if so version? yes

We have this same configuration working (`HTTPS`) on an older version K8s EKS (1.2.2) AWS Controller version 2.4.1.

```
kubectl get all -n example
NAME                                READY   STATUS    RESTARTS   AGE
pod/example-api-2-cd6cdd88f-5df5n   1/1     Running   0          15h

NAME                    TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
service/example-api-2   NodePort   172.20.37.178   <none>        80:30451/TCP   20h

NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/example-api-2   1/1     1            1           20h

NAME                                      DESIRED   CURRENT   READY   AGE
replicaset.apps/example-api-2-cd6cdd88f   1         1         1       15h
```

```
kubectl describe service example-api-2 -n example
Name:                     example-api-2
Namespace:                example
Labels:                   <none>
Annotations:              <none>
Selector:                 app=example-api-2
Type:                     NodePort
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       172.20.37.178
IPs:                      172.20.37.178
Port:                     <unset>  80/TCP
TargetPort:               8080/TCP
NodePort:                 <unset>  30451/TCP
Endpoints:                10.0.6.119:8080
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>
```

```
kubectl describe deployment example-api-2 -n example
Name:                   example-api-2
Namespace:              example
CreationTimestamp:      Mon, 17 Apr 2023 12:40:06 +0100
Labels:                 app=example-api-2
Annotations:            deployment.kubernetes.io/revision: 5
Selector:               app=example-api-2
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:  app=example-api-2
           log-label=true
           log-namespace=acme
  Containers:
   example-api-2:
    Image:      <redacted>.dkr.ecr.us-east-2.amazonaws.com/example-api:v0.4.7-2api
    Port:       80/TCP
    Host Port:  0/TCP
    Environment:
      false
      ENVIRONMENT:  production
    Mounts:         <none>
  Volumes:          <none>
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Available      True    MinimumReplicasAvailable
  Progressing    True    NewReplicaSetAvailable
OldReplicaSets:  <none>
NewReplicaSet:   example-api-2-cd6cdd88f (1/1 replicas created)
Events:          <none>
```
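
With `backend-protocol: HTTPS` the ALB opens a TLS connection to each target, so a target port that only answers plain HTTP fails the handshake and the ALB returns 502. The probe below is an added example, not part of the original post: it reports which protocol a target port actually speaks, and is meant to be run from inside the VPC against the address the target group registers (the pod endpoint `10.0.6.119:8080` or the node port `30451` from the output above). The names `probe_backend` and `start_plain_http_stub` are hypothetical, and the stub server is a constructed stand-in for a pod without TLS.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def probe_backend(host, port, timeout=3.0):
    """Classify host:port as 'tls', 'plaintext-http', 'other' or 'unreachable'."""
    # The ALB does not validate target certificates, so neither does the probe:
    # it only asks whether a TLS handshake completes on this port.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with raw, ctx.wrap_socket(raw):
            return "tls"
    except OSError:  # ssl.SSLError and handshake timeouts are OSError subclasses
        pass
    # No TLS here: check whether the same port answers plain HTTP instead.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"GET /health HTTP/1.1\r\nHost: probe\r\nConnection: close\r\n\r\n")
            return "plaintext-http" if raw.recv(16).startswith(b"HTTP/") else "other"
    except OSError:
        return "other"


class _PlainHealth(BaseHTTPRequestHandler):
    def do_GET(self):  # answers /health over plain HTTP, no TLS
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")


def start_plain_http_stub():
    """Constructed stand-in for a pod that serves plain HTTP; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _PlainHealth)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_plain_http_stub()
    print(probe_backend("127.0.0.1", port, timeout=1.0))
```

A result of `plaintext-http` means the target cannot serve `backend-protocol: HTTPS` until the application or a sidecar terminates TLS on that port; `tls` means the 502 has another cause.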