Related

Product Managed Kubernetes on DigitalOcean Product
How can I customize healthcheck to make LB available Question Question
Can't get load balancer in a healthy state Question Question

Question

Kubernetes LoadBalncer http->https redirection does not work

Posted January 1, 2020 2.7k views
Load BalancingKubernetes

Hi there!

I’m setting up Nginx ingress controller on my Kubernetes Cluster, and I can’t make http->https redirect to work.

apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-controller
  labels:
    component: "controller"
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-protocol: "https"
    service.beta.kubernetes.io/do-loadbalancer-certificate-id: "d6312b2d-c313-4b03-9030-ccc40f1afed5"
    service.beta.kubernetes.io/do-loadbalancer-tls-passthrough: "false"
    service.beta.kubernetes.io/do-loadbalancer-redirect-http-to-https: "true"
spec:
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: http
  selector:
    app: nginx-ingress
    component: "controller"
  type: "LoadBalancer"

As you can see in nginx ingress controller Service definition, I’m using correct annotation, however, when I visit http://mydomain.com, I get ERRCONNECTIONREFUSED, instead of getting redirection to https.

When I use https://mydomain.com, it works as expected, i.e. response from ingress resource is rendered.

Did I configure nginx ingress correctly? What am I missing?
Thank you.

Add a comment
patrycjusz
By:
patrycjusz
Add a comment
2 comments
  • jkwiatkoski January 2, 2020
    Reply Report

    Is your ingress controller listening on port 80 as well as 443? I see you have both service ports set to:

    targetPort: http

    Is this intentional?

    Note that targetPort is the port on the pod that the request hits. Your ingress controller needs to be listening on this port for the service to work.

    Are you specifying 80 as an exposed port on your deployment?

    Regards,

    John Kwiatkoski
    Senior Developer Support Engineer - Kubernete

  • patrycjusz January 2, 2020
    Reply Report

    Yes, it is very much intentional.
    Since Load Balancer is performing SSL termination/offloading, only unencrypted traffic lands in Ingress controller (both on port 443 and 80). After SSL termination, requests cannot go to targetPort 443 because of plaintext/SSL transport type mismatch, therefore, they are routed to port 80.

    There is no issue with exposed ports on nginx ingress controller deployment, because it works just fine for SSL.

    I presume that issue is with Load Balancer itself, because it does not perform http->https redirection, i.e. when I visit load balancer url at port 80 I don’t get redirected to port 443, but when I visit url at port 443 it works as expected.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer
kibs February 16, 2020

I had the same issue, using the same YAML as you. I solved it by adding the following annotation

service.beta.kubernetes.io/do-loadbalancer-protocol: “http”

This sets the correct forwarding rules protocol in the load balancer and the http to https now works

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help