In the documentation of Nginx Ingress for AWS it says:
By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer.
Link: https://kubernetes.github.io/ingress-nginx/deploy/#tls-termination-in-aws-load-balancer-nlb
So, I follow the instructions: set the AWS ACM certificate, set the VPC CIDR and deploy.
Then check ingress nginx service:
```
kubectl get service --namespace ingress-nginx
NAME                                 TYPE           CLUSTER-IP      EXTERNAL-IP                                                                     PORT(S)                      AGE
ingress-nginx-controller             LoadBalancer   10.100.124.56   adba41948av49484z55137c374e1e17d-09af54e014df8676.elb.us-east-1.amazonaws.com   80:31985/TCP,443:32330/TCP   17h
ingress-nginx-controller-admission   ClusterIP      10.100.175.52   <none>                                                                          443/TCP                      17h
```
In the AWS console, the Load Balancer has necessary certificate and all seems fine.
Next, I create Ingress rules and a Service with type: ClusterIP
- Service:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: test-app-service
spec:
  selector:
    name: test-app-pod
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
  type: ClusterIP
```
- Ingress:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-app-ingress
spec:
  ingressClassName: nginx
  rules:
    - host: foobar.com # forwards to LB
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: test-app-service
                port:
                  number: 80
```
Check the Ingress:
```
kubectl get ingress
NAME               CLASS   HOSTS        ADDRESS                                                                         PORTS   AGE
test-app-ingress   nginx   foobar.com   adba41948av49484z55137c374e1e17d-09af54e014df8676.elb.us-east-1.amazonaws.com   80      29m
```
So I am just stuck here. When I go to http://foobar.com -- it works perfectly fine. But when I go to https://foobar.com - it says 'Could not resolve host: foobar.com'
And I would expect that when I go to https://foobar.com then it terminates TLS on LB and sends the traffic to the service.
I have also found an article where the same thing is described, and in the comments there are the same questions as mine, so I am not the only one :D : https://habeeb-umo.medium.com/using-nginx-ingress-in-eks-with-tls-termination-in-a-network-load-balancer-1783fc92935 (I followed these instructions too - no luck either)
UPDATE:
as per @mdaniel
When I do curl -v http://foobar.com and curl -v https://foobar.com, both say Could not resolve host: foobar.com:
http:
```
* Could not resolve host: foobar.com
* Closing connection 0
curl: (6) Could not resolve host: foobar.com
```
https:
```
* Could not resolve host: foobar.com
* Closing connection 0
curl: (6) Could not resolve host: foobar.com
```
And in the browser when I go to http://foobar.com - it opens the page OK, BUT when I refresh the page it shows 'This site can’t be reached'.
UPDATE2:
I think I have found an issue.
I used an httpd container inside the pod and opened port 8080
```yaml
spec:
  containers:
    - name: some-app
      image: httpd:2.4.54
      ports:
        - containerPort: 8080
```
So when I do port-forward
```
kubectl port-forward test-app-deployment-f59984d85-qckr9 8081:8080
```
The first GET request http://127.0.0.1:8081 is fine, but after another one - it fails
```
Forwarding from 127.0.0.1:8081 -> 8080
Forwarding from [::1]:8081 -> 8080
Handling connection for 8081
E1124 11:48:43.466682 94768 portforward.go:406] an error occurred forwarding 8081 -> 8080: error forwarding port 8080 to pod d79172ed802e00f93a834aab7b89a0da053dba00ad327d71fff85f582da9819e, uid : exit status 1: 2022/11/24 10:48:43 socat[15820] E connect(5, AF=2 127.0.0.1:8080, 16): Connection refused
```
So I changed containerPort to 80 and it helped:
```yaml
spec:
  containers:
    - name: some-app
      image: httpd:2.4.54
      ports:
        - containerPort: 80 # changed port to 80
```
Run port forwarding:
```
kubectl port-forward test-app-deployment-f59984d85-qckr9 8081:80
```
Make 3 GET requests to http://127.0.0.1:8081
```
Forwarding from 127.0.0.1:8081 -> 80
Forwarding from [::1]:8081 -> 80
Handling connection for 8081
Handling connection for 8081
Handling connection for 8081
```
Comment (from the asker): When I do curl -v http://foobar.com and curl -v https://foobar.com, both say Could not resolve host: foobar.com:
http:
```
* Could not resolve host: foobar.com
* Closing connection 0
curl: (6) Could not resolve host: foobar.com
```
https:
```
* Could not resolve host: foobar.com
* Closing connection 0
curl: (6) Could not resolve host: foobar.com
```
And in the browser when I go to foobar.com - it opens the page BUT, when I refresh the page multiple times it sometimes shows OK, sometimes 'This site can’t be reached'. It seems like this is an LB or worker node issue. Will update my question also
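An added check, not from the question, ingress-nginx or any answer, for the kind of drift UPDATE2 turned up: it verifies that each Service targetPort names a containerPort declared on the pods the selector picks, so that after containerPort is changed to 80 the Service's targetPort: 8080 gets flagged. The pod label name: test-app-pod is an assumption (the Deployment is not shown), and a declared containerPort is only a declaration, so the port-forward in UPDATE2 remains the runtime check that httpd actually listens on that port.

```python
# Added checker, not from the question, ingress-nginx or any answer.
# Manifests below are the question's Service and UPDATE2 pod specs as dicts;
# the pod label "name: test-app-pod" is an assumption (the Deployment is not shown).
SERVICE = {
    "metadata": {"name": "test-app-service"},
    "spec": {"selector": {"name": "test-app-pod"}, "type": "ClusterIP",
             "ports": [{"protocol": "TCP", "port": 80, "targetPort": 8080}]},
}
POD_BEFORE = {  # containerPort 8080, as first declared in UPDATE2
    "metadata": {"labels": {"name": "test-app-pod"}},
    "spec": {"containers": [{"name": "some-app", "image": "httpd:2.4.54",
                             "ports": [{"containerPort": 8080}]}]},
}
POD_AFTER = {  # containerPort changed to 80, as in the fix
    "metadata": {"labels": {"name": "test-app-pod"}},
    "spec": {"containers": [{"name": "some-app", "image": "httpd:2.4.54",
                             "ports": [{"containerPort": 80}]}]},
}

def selects(service, pod):
    """True when every selector key/value is present in the pod template labels."""
    labels = pod.get("metadata", {}).get("labels", {})
    return all(labels.get(k) == v for k, v in service["spec"]["selector"].items())

def declared_ports(pod):
    """Map both numeric and named container ports to their port numbers."""
    ports = {}
    for c in pod["spec"].get("containers", []):
        for p in c.get("ports", []):
            ports[p["containerPort"]] = p["containerPort"]
            if "name" in p:  # a Service targetPort may reference a named port
                ports[p["name"]] = p["containerPort"]
    return ports

def check_service(service, pod_templates):
    """Return findings as strings; an empty list means the manifests line up."""
    name = service["metadata"]["name"]
    matched = [p for p in pod_templates if selects(service, p)]
    if not matched:
        return [f"{name}: selector {service['spec']['selector']} matches no pod template"]
    findings = []
    for sp in service["spec"]["ports"]:
        target = sp.get("targetPort", sp["port"])  # targetPort defaults to port
        for pod in matched:
            declared = declared_ports(pod)
            if target not in declared:
                findings.append(f"{name}: targetPort {target!r} is not a declared "
                                f"containerPort {sorted(set(declared.values()))}")
    return findings
```

Running check_service(SERVICE, [POD_AFTER]) reports the targetPort 8080 / containerPort 80 mismatch, while POD_BEFORE passes the static check even though httpd was not listening on 8080.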