AWS ALB Ingress Controller doesn't resolve over TLS

Question

I've installed and configured AWS ALB Ingress Controller(https://github.com/kubernetes-sigs/aws-alb-ingress-controller) and it's working properly over HTTP. However, it doesn't resolve over HTTPS.

The Ingress resource is the following:

$ kubectl describe ingress api-gateway-ingress
Name:             api-gateway-ingress
Namespace:        orbix-mvp
Address:          4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com
Default backend:  default-http-backend:80 (<none>)
TLS:
  api-gateway.orbixpay.com terminates api-gateway.orbixpay.com,4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com
Rules:
  Host  Path  Backends
  ----  ----  --------
  *     
        /*   api-gateway:3000 (<none>)
Annotations:
  kubernetes.io/ingress.class:                       alb
  alb.ingress.kubernetes.io/scheme:                  internet-facing
  alb.ingress.kubernetes.io/ssl-policy:              ELBSecurityPolicy-2016-08
  alb.ingress.kubernetes.io/subnets:                 subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9
  alb.ingress.kubernetes.io/success-codes:           302
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"alb.ingress.kubernetes.io/scheme":"internet-facing","alb.ingress.kubernetes.io/ssl-policy":"ELBSecurityPolicy-2016-08","alb.ingress.kubernetes.io/subnets":"subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9","alb.ingress.kubernetes.io/success-codes":"302","kubernetes.io/ingress.class":"alb"},"labels":{"app":"api-gateway"},"name":"api-gateway-ingress","namespace":"orbix-mvp"},"spec":{"rules":[{"host":"api-gateway.orbixpay.com","http":{"paths":[{"backend":{"serviceName":"api-gateway","servicePort":3000},"path":"/*"}]}}]}}

Events:  <none>

I've also added a self-signed SSL certificate as per the instructions over here:

https://kubernetes.github.io/ingress-nginx/user-guide/tls/

On edit the Ingress looks like the following:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-2016-08
    alb.ingress.kubernetes.io/subnets: subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9
    alb.ingress.kubernetes.io/success-codes: "302"
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"alb.ingress.kubernetes.io/scheme":"internet-facing","alb.ingress.kubernetes.io/ssl-policy":"ELBSecurityPolicy-2016-08","alb.ingress.kubernetes.io/subnets":"subnet-0c4cb5452b630939e, subnet-0e5d3c389bfbefee9","alb.ingress.kubernetes.io/success-codes":"302","kubernetes.io/ingress.class":"alb"},"labels":{"app":"api-gateway"},"name":"api-gateway-ingress","namespace":"orbix-mvp"},"spec":{"rules":[{"host":"api-gateway.orbixpay.com","http":{"paths":[{"backend":{"serviceName":"api-gateway","servicePort":3000},"path":"/*"}]}}]}}
    kubernetes.io/ingress.class: alb
  creationTimestamp: "2019-03-07T14:57:22Z"
  generation: 8
  labels:
    app: api-gateway
  name: api-gateway-ingress
  namespace: orbix-mvp
  resourceVersion: "2230952"
  selfLink: /apis/extensions/v1beta1/namespaces/orbix-mvp/ingresses/api-gateway-ingress
  uid: 4fd70b63-40e9-11e9-bfe7-024a064218ac
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: api-gateway
          servicePort: 3000
        path: /*
  tls:
  - hosts:
    - api-gateway.orbixpay.com
    - 4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com
    secretName: api-gateway.orbixpay.com
status:
  loadBalancer:
    ingress:
    - hostname: 4ae1e4ba-orbixmvp-apigatew-c613-1873743362.eu-central-1.elb.amazonaws.com

Thing is, the Ingress doesn't resolve over TLS - it just times out. As far as I'm aware this is the correct way to set it up, so I'm rather clueless as to why it's not working. Any help is appreciated.

Pampy Pampy · Accepted Answer · 2019-03-12T13:28:24

I think you are mixing up 2 different things here: You want to use ALB Ingress Controller, but you're showing that you're using the configuration for the Nginx Controller. Those are actually 2 pretty different projects. They serve a common purpose but are actually completely different ways to solve it. Nginx is running on your cluster, while ALB Ingress Controller is actually just configuring an ALB which runs on it's own machine(s).

The catch is, that ALB cannot use custom certificates. At least not directly from Kubernetes. They need to be put in ACM first.

If you have a certificate in ACM already, ALB Ingress Controller should match it, according to the documentation.

You can also specify which certificate to use for your load balancer like this

alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:1231234564:certificate/4564abc12-d3c2-4455-8c39-45354cddaf03

(replace with the ARN you get from ACM)

Some more general tips for debugging this:

Search for the load balancer in the AWS Management Console and check if your listeners have been applied as you expect it. If it looks like you would have configured it, something must be wrong with the logic here already.
If they are not applied, probably ALB Ingress Controller got a problem parsing your ingress. Check the logs of the alb-ingress-controller pod in the kube-system namespace to get more details about that.

AWS ALB Ingress Controller doesn't resolve over TLS

1 Answers