HTTP -> HTTPS redirect with ALB on EKS
Summary
It's not clear (or possible?) on how to enable a HTTP->HTTPS redirect using an ALB on EKS.
Using examples/aws/elb-layer7-loadbalancer.yaml as a base example with ALB, and the AWS LB controller SSL redirect docs, the redirect does not seem to happen.
The ALB Controller v2.2 docs above mention that it also needs an ingress rule, manually editing the ingress rules on the webservice ingress to add this as a first rule:
- backend:
serviceName: ssl-redirect
servicePort: use-annotation
path: /*doesn't help (and we don't have a way to specify custom ingress rules using our values in the first place, but just to test this), because other pages will 404:
╰─>$ curl http://domain.tld/ -iL
HTTP/1.1 301 Moved Permanently
Server: awselb/2.0
Location: https://domain.tld:443/
[..]
HTTP/2 302
location: https://domain.tld/users/sign_in
[..]
HTTP/2 404
server: awselb/2.0
[..]Steps to reproduce
- Install a cluster on EKS
- Use the below values to set up
Configuration used
certmanager-issuer:
install: false
global:
hosts:
domain: domain.tld
ingress:
type: NodePort
configureCertmanager: false
tls:
enabled: false
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:ACCOUNT-ID:certificate/CERT-ARN
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/scheme: "internet-facing"
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/success-codes: 200,302
alb.ingress.kubernetes.io/group.name: gitlab
nginx-ingress:
controller:
setAsDefaultIngress: true
config:
use-forwarded-headers: "true"
service:
type: NodePort
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:ACCOUNT-ID:certificate/CERT-ARN
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/group.name: gitlab
alb.ingress.kubernetes.io/scheme: "internet-facing"
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
alb.ingress.kubernetes.io/success-codes: 200,302
targetPorts:
https: httpCurrent behavior
No SSL redirect happening
Expected behavior
Potentially a way to get SSL redirect working with an ALB in EKS, or a warning that it's not working (if not possible)
Versions
- Chart:
4.9.4 - Platform: Cloud: EKS
- Kubernetes: (
kubectl version)- Client:
v1.18.6 - Server:
v1.18.16-eks-7737de
- Client:
- Helm: (
helm version)- Client:
v3.3.3
- Client:
╰─>$ kubectl get -n kube-system deployment.apps/aws-load-balancer-controller -ojson | jq '.metadata.labels'
{
"app.kubernetes.io/instance": "aws-load-balancer-controller",
"app.kubernetes.io/managed-by": "Helm",
"app.kubernetes.io/name": "aws-load-balancer-controller",
"app.kubernetes.io/version": "v2.2.0",
"helm.sh/chart": "aws-load-balancer-controller-1.2.0"
}