Terminating SSL with AWS Elastic Load Balancer #1624

Closed
mooperd opened this issue Oct 30, 2017 · 9 comments

@mooperd

mooperd commented Oct 30, 2017

Hi,

I'm trying to work out how SSL can be terminated at the ELB using the AWS certificates.

The "LoadBalancer" service is able to create the ELB but I'm struggling to understand where I should be "plugging in" the other end. I think it's confusing as the Load balancer service seems to bridge Cloud and Kubernetes.

This is perhaps more complicated because I am trying to use Kubernetes as an SSL termination proxy for an external AWS Elasticsearch instance which is available on HTTPS. I intend that there is an SSL termination at the ELB,

The load balancer port configuration looks correct:

Port Configuration:
443 (HTTPS, ACM Certificate: f37da686-8a24-47a1-b9e7-9480df912fb7) forwarding to 32329 (HTTP)

My LoadBalancer service looks like this. I've been playing with the ports config.

---
# controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "Name=prodding-hydra-nginx-ingress-controller"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-1:476771282763:certificate/f37da686-8a24-47a1-b9e7-9480df912fb7"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
  labels:
    app: nginx-ingress
    chart: nginx-ingress-0.8.9
    component: "controller"
    heritage: Tiller
    release: prodding-hydra
  name: prodding-hydra-nginx-ingress-controller
spec:
#  clusterIP: ""
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 443
#    - name: https
#      port: 443
#      protocol: TCP
#      targetPort: 443
  selector:
    app: nginx-ingress
    component: "controller"
    release: prodding-hydra
  type: "LoadBalancer"

This is the service that I want to expose:

---
apiVersion: v1
kind: Service
metadata:
  name: prodding-hydra-external-elasticsearch-service
spec:
  externalName: search-es-REDACTED.eu-west-1.es.amazonaws.com
  type: ExternalName

With this Ingress:

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/secure-backends: "true"
    kubernetes.io/ingress.class: nginx
  name: prodding-hydra-ingress
spec:
  rules:
  - host: dev-andrew.foobar.io
    http:
      paths:
      - backend:
          serviceName: prodding-hydra-external-elasticsearch-service
          servicePort: 443
        path: /

@aledbf
Member

aledbf commented Oct 30, 2017

@mooperd
Author

mooperd commented Oct 30, 2017

That's great! It worked. Is it possible to 301 http:// to https:// ?

Here is the config that is working.

---
# Source: nginx-ingress/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "Name=prodding-hydra-nginx-ingress-controller"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-1:476771282763:certificate/f37da686-8a24-47a1-b9e7-9480df912fb7" 
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
  labels:
    app: nginx-ingress
    chart: nginx-ingress-0.8.9
    component: "controller"
    heritage: Tiller
    release: prodding-hydra
  name: prodding-hydra-nginx-ingress-controller
spec:
  ports:
#  - name: http
#    port: 80
#    targetPort: http
  - name: https
    port: 443
    targetPort: http
  selector:
    app: nginx-ingress
    component: "controller"
    release: prodding-hydra
  type: "LoadBalancer"
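
The difference between the first Service manifest in this thread and the working one can be checked mechanically. The following Python lint is an added example, not code from the thread or from the ingress-nginx project; the function names are hypothetical, the certificate ARN is a placeholder, and it assumes the controller pod serves TLS on 443/"https" and plain HTTP on 80/"http".

```python
# Added example (not from the thread): lint a Service for ELB TLS termination.
PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"
# Assumption: the nginx controller pod serves TLS on 443/"https", plain HTTP on 80/"http".
NGINX_TLS_TARGETS = {443, "443", "https"}

def lint_elb_tls(service):
    """Return a list of findings for a Service manifest given as a dict."""
    ann = service.get("metadata", {}).get("annotations", {})
    ports = service.get("spec", {}).get("ports", [])
    if not ann.get(PREFIX + "ssl-cert"):
        return ["no ssl-cert annotation: the ELB will not terminate TLS"]
    findings = []
    backend = ann.get(PREFIX + "backend-protocol", "").lower()
    ssl_ports = ann.get(PREFIX + "ssl-ports", "*")
    if ssl_ports.strip() == "*":
        findings.append("ssl-ports unset or '*': every listener uses the certificate")
        tls_ports = list(ports)
    else:
        wanted = {p.strip() for p in ssl_ports.split(",")}
        known = {str(p.get("name")) for p in ports} | {str(p.get("port")) for p in ports}
        for entry in sorted(wanted - known):
            findings.append(f"ssl-ports entry {entry!r} matches no port in spec.ports")
        tls_ports = [p for p in ports
                     if p.get("name") in wanted or str(p.get("port")) in wanted]
    for p in tls_ports:
        # The ELB decrypts, so the backend target must be the plain-HTTP listener.
        if backend in ("http", "tcp") and p.get("targetPort") in NGINX_TLS_TARGETS:
            findings.append(f"port {p.get('port')}: ELB decrypts and forwards plaintext, "
                            f"but targetPort {p.get('targetPort')} is the TLS listener")
    return findings

def make_service(annotations, ports):
    """Build a minimal Service dict with the annotations both manifests share."""
    base = {PREFIX + "ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER",
            PREFIX + "backend-protocol": "http"}
    return {"metadata": {"annotations": {**base, **annotations}}, "spec": {"ports": ports}}

# Constructed from the two manifests in the thread, with a placeholder certificate ARN.
FIRST_ATTEMPT = make_service({}, [{"name": "http", "port": 80, "targetPort": 443}])
WORKING = make_service({PREFIX + "ssl-ports": "https"},
                       [{"name": "https", "port": 443, "targetPort": "http"}])

if __name__ == "__main__":
    for label, manifest in (("first attempt", FIRST_ATTEMPT), ("working", WORKING)):
        print(label, lint_elb_tls(manifest) or "ok")
```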

@erickt
Contributor

erickt commented Oct 30, 2017

@mooperd yes you can. Here are the docs on forcing ssl redirection. You can read up more on the AWS setup here. One thing to note though is that due to a change in Kubernetes 1.8, you can't currently terminate TLS in the ELB without customizing the nginx config template. I filed #1622 to fix this.

@mooperd
Author

mooperd commented Oct 30, 2017

@erickt Thanks for the heads up. I'll track those tickets.

The 301 works now that tls is enabled in the ingress. Thanks!

@aledbf
Member

aledbf commented Oct 30, 2017

@mooperd can we close this issue?

mooperd closed this as completed Oct 30, 2017

@iamrandys

iamrandys commented Nov 8, 2017

If anyone is using the helm chart nginx-ingress, here are the values that finally worked for me. I'm using the workaround and using "80" instead of "http" until #1622 is fixed. The information in this issue helped a lot. Thanks guys!

nginx-ingress:
  controller:
    config:
      force-ssl-redirect: "true"
    service:
      targetPorts:
        https: 80
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <your AWS cert arn here>
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"

@prageethw

prageethw commented Dec 27, 2018

Note:
At the moment, SSL force redirection by ELB only works for the HTTP protocol out of the box.

Read below for the workaround and reasoning:

#2724

@BouchaaraAdil

I have the same issue. I tried the annotations below:

Service:
"annotations": { "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "http", "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn:aws:acm:eu-west-1:5102549432404:certificate/349bdc18-d66e-46ad-aa9b-3eae90fb68d4", "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "https", "service.beta.kubernetes.io/aws-load-balancer-type": "nlb" }

on Ingress:
"annotations": { "nginx.ingress.kubernetes.io/force-ssl-redirect": "true" }

That ended up with "redirected you too many times".

FYI, I'm using an NLB here.

@kgriffiths

@BouchaaraAdil AWS recently added K8s v1.15 to EKS, which does support NLB SSL termination. Those annotations should work now.
