I am prototyping with Kong Ingress controller on AWS EKS. I was able to follow the EKS deployment guide and get the Kong Ingress Controller working with default configuration as specified in:
[https://bit.ly/k4k8s](https://bit.ly/k4k8s). (kong:2.0 & kong-ingress-controller:0.8.1)
I wanted to test a setup with an ELB instead of the default NLB so that I can have the following connection path between my clients and services:

Client(Browser) ---*HTTPS*---> AWS ELB ---*HTTPS*---> KONG on K8S ---*HTTPS*---> my-service
I am creating another K8S LoadBalancer service for the ELB (in addition to the one created by https://bit.ly/k4k8s) as follows:

```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <my-cert-arn>
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "env=qa,purpose=kong-prototype"
    service.beta.kubernetes.io/aws-load-balancer-security-groups: "<my-sg-id>"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
  name: kong-proxy-elb
  namespace: kong
spec:
  ports:
  - name: proxy-ssl
    port: 443
    protocol: TCP
    targetPort: 8443
    nodePort: 32015
  selector:
    app: ingress-kong
  type: LoadBalancer
```
I have configured a KongIngress so that Kong only accepts HTTPS traffic:

```yaml
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: force-https
  namespace: my-namespace
route:
  protocols:
  - https
  https_redirect_status_code: 302
  strip_path: true
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  namespace: my-namespace
  annotations:
    konghq.com/override: "force-https"
spec:
  tls:
  - hosts:
    - mydomain.com
    secretName: mydomain-com-tls
  rules:
  - host: mydomain.com
    http:
      paths:
      - path: /svc-prefix
        backend:
          serviceName: backend-service
          servicePort: 8443
```
This creates the ELB as expected, but the SSL health check to the Kong pods fails, so the ELB cannot route traffic to Kong. Apparently connections from the ELB to Kong hang.
If I change `aws-load-balancer-backend-protocol` to either `tcp` or `http`, then the health check works and the ELB routes the requests to Kong. However, they are routed as HTTP and not **HTTPS**, so Kong rejects these requests.

`service.beta.kubernetes.io/aws-load-balancer-ssl-ports` seems to have no effect here.
What am I missing?
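A classic ELB SSL health check does nothing more than open TCP to the instance port and start a TLS handshake: no HTTP request and no SNI. Before trusting the `backend-protocol: https` setting, it is worth reproducing exactly that from a node and seeing at which stage the connection stalls. The probe below is an added example written for this post; it is not code from the question, from Kong, or from AWS. It uses only the Python standard library, and the `fake_backend` helper is a constructed local stand-in (a listener that accepts TCP but never answers, and one that answers a ClientHello with plain HTTP) so the probe can be exercised offline. The target `127.0.0.1:8443` in the `__main__` block is an assumption; against a real cluster you would point it at a node IP and the `32015` node port from the Service above.

```python
# Added diagnostic (not code from the question, Kong, or AWS): probe a TLS port the way
# a classic ELB SSL health check does: bare TCP connect, TLS ClientHello, no SNI, no HTTP.
import socket
import ssl
import threading


def probe_tls(host, port, server_name=None, timeout=3.0):
    """Open TCP to host:port and attempt a TLS handshake.

    server_name=None sends no SNI, which is what an ELB health check does; pass the
    ingress host to compare with a browser-style handshake. Returns a dict with the
    stage reached ('tcp' or 'tls'), whether it succeeded, and a short detail string.
    Certificate trust is deliberately not checked here: the question being answered is
    whether the backend completes a handshake at all, not whether its cert chains to a CA.
    """
    result = {"host": host, "port": port, "sni": server_name,
              "stage": "tcp", "ok": False, "detail": ""}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        result["detail"] = "connection refused (nothing listening, or the security group rejects)"
        return result
    except OSError as exc:  # includes a connect timeout
        result["detail"] = f"tcp connect failed: {exc}"
        return result

    result["stage"] = "tls"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE     # diagnostic only, see docstring
    try:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            result["ok"] = True
            result["detail"] = f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as exc:
        # e.g. WRONG_VERSION_NUMBER when a plain-HTTP port answers the ClientHello
        result["detail"] = f"tls error: {getattr(exc, 'reason', None) or exc}"
    except (socket.timeout, TimeoutError):
        result["detail"] = ("handshake timed out: backend accepted TCP but never answered "
                            "the ClientHello, which is what a hanging health check looks like")
    except OSError as exc:
        result["detail"] = f"connection dropped during handshake: {exc}"
    return result


def fake_backend(behaviour):
    """Constructed local stand-in for a misbehaving backend, used to exercise probe_tls
    offline. 'silent' accepts TCP and never replies; 'plaintext' answers the TLS
    ClientHello with an HTTP error, as a plain-HTTP listener would.
    Returns (port, stop) where stop() tears the listener down."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stopped = threading.Event()
    accepted = []

    def serve():
        while not stopped.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            accepted.append(conn)
            if behaviour == "plaintext":
                conn.settimeout(2.0)
                try:
                    conn.recv(4096)  # swallow the ClientHello
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass
                conn.close()
        srv.close()
        for conn in accepted:
            conn.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def stop():
        stopped.set()
        worker.join()

    return srv.getsockname()[1], stop


if __name__ == "__main__":
    # Assumed target: a Kong proxy reachable locally on 8443. Compare what the ELB
    # health check sees (no SNI) with a browser-style handshake that carries SNI.
    for sni in (None, "mydomain.com"):
        print(probe_tls("127.0.0.1", 8443, server_name=sni))
```

Run it from a worker node against `<node-ip>:32015` and against the pod's `8443` directly: a `tcp` stage failure points at the security group or node port, a handshake timeout at the `tls` stage reproduces the hang the ELB reports, and a `tls error` such as `WRONG_VERSION_NUMBER` means the port behind that number is speaking plain HTTP rather than TLS. If the no-SNI probe fails while the SNI probe succeeds, the listener is SNI-dependent, which an ELB health check can never satisfy.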