How to configure AWS ELB with HTTPS to Kong on K8S?

I am prototyping with Kong Ingress controller on AWS EKS. I was able to follow the EKS deployment guide and get the Kong Ingress Controller working with default configuration as specified in: [https://bit.ly/k4k8s](https://bit.ly/k4k8s). (kong:2.0 & kong-ingress-controller:0.8.1)

I wanted to test a setup with ELB instead of default NLB so that I can have following connection path between my clients and services.

Client(Browser) ---*HTTPS*---> AWS ELB ---*HTTPS*---> KONG on K8S ---*HTTPS*---> my-service

I am creating another K8S LoadBalancer service for ELB (in addition to one created by https://bit.ly/k4k8s) as follows:

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <my-cert-arn>
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "env=qa,purpose=kong-prototype"
    service.beta.kubernetes.io/aws-load-balancer-security-groups: "<my-sg-id>"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
  name: kong-proxy-elb
  namespace: kong
spec:
  ports:
  - name: proxy-ssl
    port: 443
    protocol: TCP
    targetPort: 8443
    nodePort: 32015
  selector:
    app: ingress-kong
  type: LoadBalancer

I have configured KongIngress to only accept HTTPS traffic on Kong

apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
    name: force-https
    namespace: my-namespace
route:
  protocols:
  - https
  https_redirect_status_code: 302
  strip_path: true

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  namespace: my-namespace
  annotations:
    konghq.com/override: "force-https"
spec:
  tls:
  - hosts:
    - mydomain.com
    secretName: mydomain-com-tls
  rules:
  - host: mydomain.com
    http:
      paths:
      - path: /svc-prefix
        backend:
          serviceName: backend-service
          servicePort: 8443

This creates the ELB as expected but the SSL health check to the Kong Pods fail so ELB cannot route traffic to Kong. Apparently connections from ELB to Kong hangs.

If I change the aws-load-balancer-backend-protocol to either tcp or http, then health check works and ELB routes the requests to Kong. However they are routed as HTTP and not **HTTPS**. So Kong rejects these requests.

Annotation service.beta.kubernetes.io/aws-load-balancer-ssl-ports seem to have no effect here.

What am I missing?


© 2019 Kong Inc.    Terms  •  Privacy  •  FAQ