HTTP -> HTTPS redirect with ALB on EKS
<!-- NOTICE: This Issue tracker is for the GitLab Helm chart, not the GitLab Rails application. Support: Please do not raise support issues for GitLab.com on this tracker. See https://about.gitlab.com/support/ -->

## Summary

It's not clear (or possible?) on how to enable a HTTP->HTTPS redirect using an ALB on EKS.

Using [`examples/aws/elb-layer7-loadbalancer.yaml`](https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/examples/aws/elb-layer7-loadbalancer.yaml) as a base example with ALB, and the [AWS LB controller SSL redirect docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/tasks/ssl_redirect/), the redirect does not seem to happen.

The ALB Controller v2.2 docs above mention that it also needs an ingress rule, manually editing the ingress rules on the webservice ingress to add this as a first rule:

```
- backend:
    serviceName: ssl-redirect
    servicePort: use-annotation
  path: /*
```

doesn't help (and we don't have a way to specify custom ingress rules using our values in the first place, but just to test this), because other pages will 404:

```
╰─>$ curl http://domain.tld/ -iL
HTTP/1.1 301 Moved Permanently
Server: awselb/2.0
Location: https://domain.tld:443/
[..]

HTTP/2 302
location: https://domain.tld/users/sign_in
[..]

HTTP/2 404
server: awselb/2.0
[..]
```

## Steps to reproduce

1. Install a cluster on EKS
1. Use the below values to set up

## Configuration used

```yaml
certmanager-issuer:
  install: false
global:
  hosts:
    domain: domain.tld
  ingress:
    type: NodePort
    configureCertmanager: false
    tls:
      enabled: false
    annotations:
      kubernetes.io/ingress.class: alb
      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:ACCOUNT-ID:certificate/CERT-ARN
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
      alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
      alb.ingress.kubernetes.io/scheme: "internet-facing"
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/success-codes: 200,302
      alb.ingress.kubernetes.io/group.name: gitlab
nginx-ingress:
  controller:
    setAsDefaultIngress: true
    config:
      use-forwarded-headers: "true"
    service:
      type: NodePort
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:ACCOUNT-ID:certificate/CERT-ARN
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
        kubernetes.io/ingress.class: alb
        alb.ingress.kubernetes.io/group.name: gitlab
        alb.ingress.kubernetes.io/scheme: "internet-facing"
        alb.ingress.kubernetes.io/target-type: ip
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
        alb.ingress.kubernetes.io/success-codes: 200,302
      targetPorts:
        https: http
```

## Current behavior

No SSL redirect happening

## Expected behavior

Potentially a way to get SSL redirect working with an ALB in EKS, or a warning that it's not working (if not possible)

## Versions

- Chart: `4.9.4`
- Platform: Cloud: EKS
- Kubernetes: (`kubectl version`)
  - Client: `v1.18.6`
  - Server: `v1.18.16-eks-7737de`
- Helm: (`helm version`)
  - Client: `v3.3.3`

```json
╰─>$ kubectl get -n kube-system deployment.apps/aws-load-balancer-controller -ojson | jq '.metadata.labels'
{
  "app.kubernetes.io/instance": "aws-load-balancer-controller",
  "app.kubernetes.io/managed-by": "Helm",
  "app.kubernetes.io/name": "aws-load-balancer-controller",
  "app.kubernetes.io/version": "v2.2.0",
  "helm.sh/chart": "aws-load-balancer-controller-1.2.0"
}
```

## Relevant logs
issue
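The redirect described in the issue depends on three pieces lining up on the Ingress object: both listeners in `listen-ports`, the `actions.ssl-redirect` annotation, and a first path rule that references that action. The following is an added example, not part of the original issue or the GitLab chart: a small checker for an Ingress (as a dict, for instance loaded from `kubectl get ingress -o json`) that reports which piece is missing. It assumes the v1beta1 backend shape (`serviceName`/`servicePort`) quoted in the issue; the host `gitlab.domain.tld`, the `webservice` backend and its port are constructed sample values.

```python
import json

PREFIX = "alb.ingress.kubernetes.io/"

def check_ssl_redirect(ingress, action="ssl-redirect"):
    """Return the problems that would stop the ALB redirecting HTTP to HTTPS."""
    problems = []
    ann = ingress.get("metadata", {}).get("annotations", {})
    # 1. Both listeners must be declared: HTTP to redirect from, HTTPS to land on.
    try:
        ports = json.loads(ann.get(PREFIX + "listen-ports", "[]"))
    except json.JSONDecodeError:
        ports = []
    ports = ports if isinstance(ports, list) else []
    protocols = {p for entry in ports if isinstance(entry, dict) for p in entry}
    for proto in ("HTTP", "HTTPS"):
        if proto not in protocols:
            problems.append(f"listen-ports does not declare an {proto} listener")
    # 2. The action annotation must parse and describe a redirect to HTTPS.
    try:
        cfg = json.loads(ann.get(PREFIX + "actions." + action, "{}"))
    except json.JSONDecodeError:
        cfg = {}
    cfg = cfg if isinstance(cfg, dict) else {}
    if cfg.get("Type") != "redirect" or cfg.get("RedirectConfig", {}).get("Protocol") != "HTTPS":
        problems.append(f"actions.{action} is missing or not a redirect to HTTPS")
    # 3. Each host's first path must name the action and use servicePort use-annotation.
    for rule in ingress.get("spec", {}).get("rules", []):
        paths = rule.get("http", {}).get("paths", [])
        backend = paths[0].get("backend", {}) if paths else {}
        if (backend.get("serviceName"), backend.get("servicePort")) != (action, "use-annotation"):
            problems.append(f"host {rule.get('host', '*')}: first path does not reference {action}")
    return problems

# Constructed sample: annotations copied from the issue, rule layout assumed.
SAMPLE = {
    "metadata": {"annotations": {
        PREFIX + "listen-ports": '[{"HTTP": 80}, {"HTTPS":443}]',
        PREFIX + "actions.ssl-redirect": '{"Type": "redirect", "RedirectConfig": '
            '{"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}',
    }},
    "spec": {"rules": [{"host": "gitlab.domain.tld", "http": {"paths": [
        {"path": "/*", "backend": {"serviceName": "ssl-redirect", "servicePort": "use-annotation"}},
        {"path": "/*", "backend": {"serviceName": "webservice", "servicePort": 8181}},
    ]}}]},
}

if __name__ == "__main__":
    print(check_ssl_redirect(SAMPLE) or "redirect wiring looks complete")
```

An empty result only confirms the manifest wiring; the plain-HTTP hop still has to be confirmed against the live load balancer, as the `curl -iL` run in the issue does.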