aws-load-balancer-controller: alb provisioned with incorrect redirect rules?

Describe the bug

I am using the loadbalancer controller to configure an internal ALB for a service. I am using the following documentation to configure the automatic HTTP to HTTPS redirection on the loadbalancer listeners. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.1/guide/tasks/ssl_redirect/

This does provision the loadbalancer; however, the rules on the loadbalancer for the port 80 listener and the port 443 listener are both set to static response:404.

Steps to reproduce

Create a service and an ingress with the following annotations:

apiVersion: v1
kind: Service
metadata:
  name: company-service
  namespace: dar
spec:
  ports:
    - port: 80
      targetPort: 8000
      protocol: TCP
  type: LoadBalancer
  selector:
    app: company-service
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: conpany-service
  namespace: dar
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/certificate-arn:  arn:aws:acm:eu-west-1:540369091157:certificate/6a51c08d-<REDACTED>
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    external-dns.alpha.kubernetes.io/hostname: company-service.internal.staging.company.com.
    external-dns.alpha.kubernetes.io/ttl: "300"
spec:
  rules:
    - host: "company-service.internal.staging.company.com"
    - http:
        paths:
        - path: /
          backend:
            serviceName: ssl-redirect
            servicePort: use-annotation

Expected outcome

An ALB provisioned with a listener on port 80 which has a rule to redirect to the listener on port 443. And a listener on port 443, with the assigned certificate which forwards traffic to the kubernetes pods behind.

Environment

EKS version 1.21.2

  • AWS Load Balancer controller version: amazon/aws-alb-ingress-controller:v2.2.4
  • Kubernetes version: 1.21.1
  • Using EKS (yes/no), if so version?: yes version 1.21

Additional Context:

Upon checking the loadbalancer directly in the AWS console, you can see the rules created.

Also, when attempting to manually correct the 443 listener rule, so that it forwards to the pods behind, they are all grey and not selectable…

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 15 (1 by maintainers)

Most upvoted comments

@m477r1x, couple of things

  • With the v2.2.4 controller, you can configure ssl-redirect via the annotation alb.ingress.kubernetes.io/ssl-redirect. For further details, you can refer to the live docs - https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/#ssl-redirect
  • I don’t see any ingress rule to forward traffic to your k8s service. Either the manifest you put in the issue is not complete, or you don’t have the rules. Could you ensure the configuration is complete?
  • The changes you make from the AWS console will be overwritten by the controller during the next reconcile
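
An added example, not taken from the issue thread or from the project: the reporter's Ingress reshaped along the lines of the comment above, using the ssl-redirect annotation instead of the actions.ssl-redirect action and adding a rule that forwards to the Service from the report. The `/*` path and the backend port 80 are assumptions based on the posted Service; all other values are copied from the manifest in the issue.

```yaml
# Added example (not the reporter's or the project's manifest).
apiVersion: extensions/v1beta1        # same API version as the manifest in the issue
kind: Ingress
metadata:
  name: conpany-service               # name exactly as posted in the issue
  namespace: dar
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-west-1:540369091157:certificate/6a51c08d-<REDACTED>
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    # Replaces both the actions.ssl-redirect annotation and the
    # "ssl-redirect / use-annotation" backend from the original manifest.
    # The value must be one of the HTTPS ports declared in listen-ports.
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    external-dns.alpha.kubernetes.io/hostname: company-service.internal.staging.company.com.
    external-dns.alpha.kubernetes.io/ttl: "300"
spec:
  rules:
    # host and http are keys of the SAME list item here. In the posted
    # manifest they were two separate items ("- host:" and "- http:"),
    # which yields one rule with a host but no paths and another rule
    # with paths but no host.
    - host: "company-service.internal.staging.company.com"
      http:
        paths:
          # Assumption: "/*" so the ALB path pattern matches every path;
          # the issue used "/".
          - path: /*
            backend:
              # Forward to the Service from the report (port 80 -> targetPort 8000).
              serviceName: company-service
              servicePort: 80
```

With a forwarding rule present, the listener's default action remains the fixed 404 response, which then applies only to requests that match no rule.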