Ambassador: AWS Load Balancer creates port 80 and 443 both with protocol SSL

Created on 15 Nov 2018 · 7 Comments · Source: datawire/ambassador

Need to create AWS load balancer with SSL(443) and TCP(80) but creates SSL(443) and SSL(80)

YAML file used to reproduce

apiVersion: v1
kind: Service
metadata:
  labels:
    service: ambassador
  name: ambassador
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:ap-southeast-1:123123123:certificate/443abcde-cfgh-klmn-6789-b9876ab01c67"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "*"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v0
      kind:  Module
      name:  tls
      config:
        server:
          enabled: True
          redirect_cleartext_from: 80
      ---
      apiVersion: ambassador/v0
      kind:  Mapping
      name:  frontend-web_mapping
      prefix: /
      service: frontend-web:3000
spec:
  type: LoadBalancer
  ports:
  - name: ambassador-http
    port: 80
    targetPort: 80
  - name: ambassador-https
    port: 443
    targetPort: 443
  selector:
    service: ambassador

Expected behavior
Need to either have a way to specify protocols for AWS Load Balancer listeners, or it should specify the protocols correctly.

How do I make sure that the global redirection works from 80 to 443 and also listeners are created on load balancers with correct protocols and ports?

All 7 comments

@krish512 Did you try service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"?
My guess is if you try the above, it will work for you.

Haven't seen it; an explanation of all the annotations is listed here.

@dpankros I can confirm that service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443" solves the problem exposed by @krish512

Thanks!
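The annotation behaviour confirmed in the comments above, as an added example that is not part of the original thread or of the Ambassador or Kubernetes code: a small pre-deploy check that models which listener protocol each Service port gets on a Classic ELB and flags any port whose protocol differs from what was intended. The protocol mapping is an assumption modelled on the in-tree AWS cloud provider's behaviour, and the function names, sample data and placeholder certificate ARN are constructed for illustration.

```python
# Added example: models how a Classic ELB listener protocol is chosen per Service port.
# Assumption: the mapping follows the in-tree AWS cloud provider; verify against your cluster.
PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"
# backend-protocol value -> listener protocol when the port terminates TLS
TLS_FRONTEND = {"https": "HTTPS", "http": "HTTPS", "ssl": "SSL", "tcp": "SSL"}


def listener_protocols(annotations, ports):
    """Return {port number: listener protocol} for a type=LoadBalancer Service."""
    cert = annotations.get(PREFIX + "ssl-cert", "")
    backend = annotations.get(PREFIX + "backend-protocol", "").lower()
    ssl_ports = annotations.get(PREFIX + "ssl-ports", "*").strip()
    # "*" or a missing annotation means every port is treated as a TLS port
    wanted = None if ssl_ports in ("", "*") else {p.strip().lower() for p in ssl_ports.split(",")}
    result = {}
    for port in ports:
        number, name = port["port"], port.get("name", "").lower()
        is_tls = bool(cert) and (wanted is None or str(number) in wanted or name in wanted)
        if is_tls:
            if backend and backend not in TLS_FRONTEND:
                raise ValueError(f"unsupported backend protocol: {backend}")
            result[number] = TLS_FRONTEND.get(backend, "SSL")
        else:
            # Without TLS termination the listener is plain HTTP or TCP
            result[number] = "HTTP" if backend == "http" else "TCP"
    return result


def unexpected_listeners(annotations, ports, expected):
    """List (port, actual, expected) for every listener that differs from intent."""
    actual = listener_protocols(annotations, ports)
    return [(p, actual.get(p), want) for p, want in sorted(expected.items()) if actual.get(p) != want]


# Constructed sample mirroring the Service in the issue (certificate ARN is a placeholder)
PORTS = [{"name": "ambassador-http", "port": 80}, {"name": "ambassador-https", "port": 443}]
BROKEN = {PREFIX + "ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER",
          PREFIX + "ssl-ports": "*", PREFIX + "backend-protocol": "tcp"}
FIXED = dict(BROKEN, **{PREFIX + "ssl-ports": "443"})
INTENT = {80: "TCP", 443: "SSL"}  # what the issue author wanted

if __name__ == "__main__":
    print("ssl-ports '*':  ", listener_protocols(BROKEN, PORTS), unexpected_listeners(BROKEN, PORTS, INTENT))
    print("ssl-ports '443':", listener_protocols(FIXED, PORTS), unexpected_listeners(FIXED, PORTS, INTENT))
```

With `ssl-ports: "*"` port 80 is reported as an SSL listener, so cleartext HTTP never reaches Ambassador's `redirect_cleartext_from: 80` handling; with `"443"` only the HTTPS port terminates TLS.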

Thanks, this worked, but how do I create an AWS Application load balancer with this, which supports HTTP2, rather than just a Classic load balancer supporting HTTP and HTTPS?

@krish512 To my knowledge, you can only create ELBs (classic) or NLBs through Kubernetes annotations. Specifically, the value of service.beta.kubernetes.io/aws-load-balancer-type controls the type of load balancer.
1) If you don't specify a value, an ELB (classic LB) is created.
2) If you specify a value of nlb, an NLB is created.
3) Any other value will not be accepted.
Thus, for now, ALBs are not supported. Maybe sometime in the future.

Of course, you could create one manually, but if ports or hosts ever change, you'd be left to manually update them which, IMHO, is just asking for trouble.

Using the same issue for more queries along similar lines:

I was able to create HTTP and HTTPS listeners, now I need a third listener which is TCP on port 3306 for Database. How do I achieve this?

Did you try adding another port to your service? I believe the ELB listeners get generated from that. If you need it to be an ssl/tls listener, you'll also need to add that to the annotation (e.g. "443,3306").

This isn't really an Ambassador question, however. I recommend you consult the Kubernetes Documentation on this topic for more information.

Well, that's when I'm creating a different load balancer, I want to use existing ambassador load balancer for this

Closing this issue
