HTTPS for ALB ingress gateway and Istio ingress gateway

I can successfully setup an AWS ALB ingress gateway with HTTPS inbound terminating at the ALB, and use HTTP from the ALB to the Istio ingress gateway. However, it fails when I setup HTTPS from the ALB to the Istio ingress gateway with a 502 bad gateway.

I installed Istio with the AWS ALB ingress gateway, following the instructions here to install Istio with the sds profile, modifying the values-istio-sds-auth.yaml file based on these instructions to override the sds profile with the following settings:

  • set global.k8sIngressSelector=ingressgateway
  • set ingress.enable=false
  • set gateways.enabled=true, gateways.istio-ingressgateway.type=NodePort

Next, I followed these instructions to setup the ALB ingress controller:

Next, I followed instructions here to create and apply the following Ingress manifest

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: istio-ingress
  namespace: istio-system
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:699727076305:certificate/7ec44e83-467d-4c21-b154-a1b04775483f
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: istio-ingressgateway
              servicePort: 443

After setup, I ran through these instructions to test ingress to the httpbin example successfully. I was able to get to it through the browser and with curl.

Finally, I followed these instructions to setup the Istio ingress gateway with HTTPS using the SDS to manage the cert. This is where the testing fails. It failed to connect to the server when I used the following to get the INGRESS_HOST for NodePort:

export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath=‘{.items[0].status.hostIP}’)

So I shelled into a container in the namespace and got the following error running curl:

curl: (35) Unknown SSL protocol error in connection

When I test through the browser, I get a 502 Bad Gateway error.

Thanks for your help,
Bill

1 Like

Did you ever get to the bottom of this? I have the same issue

2 Likes

I’m also having this same issue. Did anyone figure out what is wrong here?

For anyone that stumbles upon this like I did, I solved what is likely the same issue as the OP.

Make sure you add this annotation to your alb Ingress resource: alb.ingress.kubernetes.io/backend-protocol: HTTPS

The default is to speak HTTP to the backends.

1 Like

Hi, i resolved this issued manually.

you need modify ingress spec

spec:
rules:

  • http:
    paths:
    • path: /headers
      backend:
      serviceName: istio-ingressgateway
      servicePort: 443
    • path: /ip
      backend:
      serviceName: istio-ingressgateway
      servicePort: 443
      tls:
  • hosts:

The target group is predetermined created wrong.
you can create a new target to forward the traffic to secure istio-ingress-gateway svc in the instances (worker nodes).
The protocol must be HTTPS and health check in the same port.
Then modify the routes in ALB an change the forward to new target group

This still doesn’t work for me, i have exactly the same problem:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
    alb.ingress.kubernetes.io/healthcheck-port: "31562"
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/tags: Environment=stage
    kubernetes.io/ingress.class: alb
  labels:
    app: tls
  name: tls
  namespace: istio-system
spec:
  rules:
  - host: '*.example.com'
    http:
      paths:
      - backend:
          serviceName: istio-ingressgateway
          servicePort: 443
        path: /*

I get 502

Disabling SNI matching by setting

  hosts:
  - "*"

in the ingress gateway solved it for us. Apparently AWS ALB doesn’t forward the SNI.