I am prototyping with Kong Ingress controller on AWS EKS. I was able to follow the EKS deployment guide and get the Kong Ingress Controller working with default configuration as specified in: [https://bit.ly/k4k8s](https://bit.ly/k4k8s). (kong:2.0 & kong-ingress-controller:0.8.1)
I wanted to test a setup with ELB instead of the default NLB so that I can have the following connection path between my clients and services.
Client(Browser) ---*HTTPS*---> AWS ELB ---*HTTPS*---> KONG on K8S ---*HTTPS*---> my-service
I am creating another K8S LoadBalancer service for ELB (in addition to one created by https://bit.ly/k4k8s) as follows:
```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <my-cert-arn>
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "env=qa,purpose=kong-prototype"
    service.beta.kubernetes.io/aws-load-balancer-security-groups: "<my-sg-id>"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
  name: kong-proxy-elb
  namespace: kong
spec:
  ports:
  - name: proxy-ssl
    port: 443
    protocol: TCP
    targetPort: 8443
    nodePort: 32015
  selector:
    app: ingress-kong
  type: LoadBalancer
```
I have configured a KongIngress to only accept HTTPS traffic on Kong:
```yaml
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: force-https
  namespace: my-namespace
route:
  protocols:
  - https
  https_redirect_status_code: 302
  strip_path: true
```

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  namespace: my-namespace
  annotations:
    konghq.com/override: "force-https"
spec:
  tls:
  - hosts:
    - mydomain.com
    secretName: mydomain-com-tls
  rules:
  - host: mydomain.com
    http:
      paths:
      - path: /svc-prefix
        backend:
          serviceName: backend-service
          servicePort: 8443
```
This creates the ELB as expected, but the SSL health check to the Kong pods fails, so the ELB cannot route traffic to Kong. Apparently connections from the ELB to Kong hang.
If I change `aws-load-balancer-backend-protocol` to either `tcp` or `http`, then the health check works and the ELB routes the requests to Kong. However, they are routed as HTTP and not **HTTPS**, so Kong rejects these requests.
The annotation `service.beta.kubernetes.io/aws-load-balancer-ssl-ports` seems to have no effect here.
What am I missing?
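The question hinges on what the ELB health check actually sees on the target port (Kong's 8443 here): a `tcp`/`http` backend check only needs a socket to open, while an `https` backend check needs the port to complete a TLS handshake. The Go program below is an added diagnostic, not code from the poster, from Kong or from the Kong Ingress Controller, that emulates those three modes against any `host:port`. It starts two constructed local listeners, one terminating TLS and one speaking plain HTTP, as stand-ins for a pod's TLS and plaintext proxy ports; the names `Probe`, `ProbeResult` and `NewTestBackends` are mine. Certificate verification is disabled on purpose: a load-balancer backend check does not validate the backend certificate, and this probe only classifies "speaks TLS" versus "does not"; it says nothing about trust.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// ProbeResult records what each kind of load-balancer health check would see
// when pointed at a backend port: a bare TCP connect, a TLS handshake, and a
// full HTTPS request that also confirms the application layer answers.
type ProbeResult struct {
	TCPConnect   bool // "tcp"/"http" style check: can a socket be opened?
	TLSHandshake bool // "https"/"ssl" style check: does the port finish a TLS handshake?
	HTTPSStatus  int  // HTTP status received over TLS; 0 if the request failed
}

// Probe emulates the three health-check modes against addr (host:port).
// InsecureSkipVerify is deliberate (diagnostic only): the point is to tell a
// TLS listener from a plaintext one, not to validate its certificate.
func Probe(addr string, timeout time.Duration) ProbeResult {
	var r ProbeResult
	dialer := &net.Dialer{Timeout: timeout}

	// 1. TCP connect: succeeds against any listening socket, TLS or not.
	if c, err := dialer.Dial("tcp", addr); err == nil {
		r.TCPConnect = true
		c.Close()
	}

	// 2. TLS handshake: fails fast or stalls until the dialer timeout if the
	//    port only speaks plain HTTP (the timeout covers the handshake too).
	tlsCfg := &tls.Config{InsecureSkipVerify: true} // diagnostic only, see above
	if c, err := tls.DialWithDialer(dialer, "tcp", addr, tlsCfg); err == nil {
		r.TLSHandshake = true
		c.Close()
	}

	// 3. HTTPS request: proves the listener terminates TLS and serves HTTP on top.
	client := &http.Client{
		Timeout:   timeout,
		Transport: &http.Transport{TLSClientConfig: tlsCfg},
	}
	if resp, err := client.Get("https://" + addr + "/"); err == nil {
		r.HTTPSStatus = resp.StatusCode
		resp.Body.Close()
	}
	return r
}

// NewTestBackends starts two throw-away listeners constructed for this demo
// (they are not Kong): one that terminates TLS, like a proxy's 8443 ssl
// listener, and one that speaks plain HTTP, like its 8000 listener.
func NewTestBackends() (tlsAddr, plainAddr string, stop func()) {
	h := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	tlsSrv := httptest.NewTLSServer(h)
	plainSrv := httptest.NewServer(h)
	return tlsSrv.Listener.Addr().String(), plainSrv.Listener.Addr().String(), func() {
		tlsSrv.Close()
		plainSrv.Close()
	}
}

func main() {
	tlsAddr, plainAddr, stop := NewTestBackends()
	defer stop()
	fmt.Printf("TLS backend   %s: %+v\n", tlsAddr, Probe(tlsAddr, 2*time.Second))
	fmt.Printf("plain backend %s: %+v\n", plainAddr, Probe(plainAddr, 2*time.Second))
}
```

Against a real pod port (for example through `kubectl port-forward` to 8443), a result with only `TCPConnect=true` is exactly the port that a `tcp` or `http` backend protocol reports healthy while an `https` backend check fails, which is the asymmetry described in the question. Note that the handshake against the plaintext listener may stall until the dialer timeout rather than failing immediately, so a hanging health check is consistent with the checked port not speaking TLS at all.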