I have a frontend web server I’m hosting using DigitalOcean Kubernetes, and created a load balancer to serve traffic through. I created the load balancer using kubectl expose and then set it to redirect https traffic to http through the DigitalOcean website. I’ve noticed that every time I upgrade the Kubernetes cluster version it resets the load balancer’s settings, preventing any secure https traffic coming through. Is this intended behavior? How can I permanently set up https redirect? I’m assuming one of two things is happening:

  1. I’m not supposed to be able to edit load balancers that were created through Kubernetes, but this behavior was accidentally allowed through the UI

  2. The Kubernetes upgrade process inadvertently wipes all load balancer settings for balancers associated with the cluster that’s being upgraded

Any help is much appreciated, thanks!

1 answer

Not sure if anyone else has experienced this same problem, but I was able to fix it! Option #1 seems closest to reality. From my understanding, Kubernetes-owned load balancers should be configured completely using Kubernetes annotations, not through the UI. These resources helped me determine what was going on:

And in case anyone else is also trying to set up a load balancer with SSL redirect and a DigitalOcean-managed SSL certificate, here’s my final service definition:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: frontend-service
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-certificate-id: "your-certificate-id-here"
    service.beta.kubernetes.io/do-loadbalancer-hostname: "crusty.cards"
    service.beta.kubernetes.io/do-loadbalancer-protocol: "http"
    service.beta.kubernetes.io/do-loadbalancer-redirect-http-to-https: "true"
    service.beta.kubernetes.io/do-loadbalancer-tls-ports: "443"
spec:
  type: LoadBalancer
  ports:
    - name: http
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 80
  selector:
    app: frontend
```

If anyone from the DigitalOcean team is reading this… I think it would make a lot of sense to disallow modification of load balancer settings through the UI for Kubernetes-managed load balancers, and instead state that all settings must be changed through the use of annotations, and provide links to some of the resources listed above. That would have saved me hours of work and frustration.
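
Added example, not part of the original answer: a small check that a Service carries its HTTPS settings as annotations rather than only in the control panel, so they are not lost when the load balancer is reset. It assumes the input is the output of `kubectl get service frontend-service -o json`; the function name `audit_service` and both sample objects are constructed for illustration.

```python
import json

PREFIX = "service.beta.kubernetes.io/do-loadbalancer-"

def audit_service(svc):
    """Return a list of findings; an empty list means the HTTPS
    settings are declared on the Service itself."""
    ann = svc.get("metadata", {}).get("annotations") or {}
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return ["service is not of type LoadBalancer"]
    findings = []
    if ann.get(PREFIX + "redirect-http-to-https") != "true":
        findings.append('redirect-http-to-https is not "true"')
    cert = ann.get(PREFIX + "certificate-id", "")
    if not cert or cert == "your-certificate-id-here":
        findings.append("certificate-id is missing or still the placeholder")
    # Every port named in tls-ports must also be exposed in spec.ports.
    exposed = {str(p.get("port")) for p in spec.get("ports", [])}
    raw = ann.get(PREFIX + "tls-ports", "")
    tls = [p.strip() for p in raw.split(",") if p.strip()]
    if not tls:
        findings.append("tls-ports is not set")
    for port in tls:
        if port not in exposed:
            findings.append(f"tls-ports lists {port} but spec.ports lacks it")
    return findings

# Constructed sample: a Service made with `kubectl expose`, HTTPS set only in the UI.
UI_ONLY = json.loads("""{
  "metadata": {"name": "frontend-service"},
  "spec": {"type": "LoadBalancer",
           "ports": [{"name": "http", "port": 80, "targetPort": 80}]}
}""")

# Constructed sample: the annotated Service from the answer, with a made-up certificate id.
ANNOTATED = json.loads("""{
  "metadata": {"name": "frontend-service", "annotations": {
    "service.beta.kubernetes.io/do-loadbalancer-certificate-id": "CONSTRUCTED-CERT-ID",
    "service.beta.kubernetes.io/do-loadbalancer-redirect-http-to-https": "true",
    "service.beta.kubernetes.io/do-loadbalancer-tls-ports": "443"}},
  "spec": {"type": "LoadBalancer",
           "ports": [{"name": "http", "port": 80, "targetPort": 80},
                     {"name": "https", "port": 443, "targetPort": 80}]}
}""")

if __name__ == "__main__":
    for name, svc in (("ui-only", UI_ONLY), ("annotated", ANNOTATED)):
        print(name, audit_service(svc) or "OK")
```

Run against a live cluster by piping the `kubectl` JSON into `json.load(sys.stdin)` and failing a CI job when the list is non-empty.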