HTTPS for ALB ingress gateway and Istio ingress gateway

wreeder · July 8, 2019, 10:24pm

I can successfully setup an AWS ALB ingress gateway with HTTPS inbound terminating at the ALB, and use HTTP from the ALB to the Istio ingress gateway. However, it fails when I setup HTTPS from the ALB to the Istio ingress gateway with a 502 bad gateway.

I installed Istio with the AWS ALB ingress gateway, following the instructions here to install Istio with the sds profile, modifying the values-istio-sds-auth.yaml file based on these instructions to override the sds profile with the following settings:

set global.k8sIngressSelector=ingressgateway
set ingress.enable=false
set gateways.enabled=true, gateways.istio-ingressgateway.type=NodePort

Next, I followed these instructions to setup the ALB ingress controller:

Next, I followed instructions here to create and apply the following Ingress manifest

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: istio-ingress
  namespace: istio-system
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:699727076305:certificate/7ec44e83-467d-4c21-b154-a1b04775483f
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: istio-ingressgateway
              servicePort: 443

After setup, I ran through these instructions to test ingress to the httpbin example successfully. I was able to get to it through the browser and with curl.

Finally, I followed these instructions to setup the Istio ingress gateway with HTTPS using the SDS to manage the cert. This is where the testing fails. It failed to connect to the server when I used the following to get the INGRESS_HOST for NodePort:

export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath=‘{.items[0].status.hostIP}’)

So I shelled into a container in the namespace and got the following error running curl:

curl: (35) Unknown SSL protocol error in connection

When I test through the browser, I get a 502 Bad Gateway error.

Thanks for your help,
Bill

DaleBetts · October 30, 2019, 10:28am

Did you ever get to the bottom of this? I have the same issue

ahilmathew · June 24, 2020, 10:08pm

I’m also having this same issue. Did anyone figure out what is wrong here?

veetow · July 2, 2020, 8:45pm

For anyone that stumbles upon this like I did, I solved what is likely the same issue as the OP.

Make sure you add this annotation to your alb Ingress resource: alb.ingress.kubernetes.io/backend-protocol: HTTPS

The default is to speak HTTP to the backends.

github.com

kubernetes-sigs/aws-alb-ingress-controller/blob/ec387ad137e594647b67eb781fbc42010fe7b460/docs/guide/ingress/annotation.md#backend-protocol

# Ingress annotations
You can add kubernetes annotations to ingress and service objects to customize their behavior.

!!!note
    - Annotations applied to service have higher priority over annotations applied to ingress. `Location` column below indicates where that annotation can be applied to.
    - Annotation keys and values can only be strings. Advanced format are encoded as below:
        - boolean: 'true'
        - integer: '42'
        - stringMap: k1=v1,k2=v2
        - stringList: s1,s2,s3
        - json: 'jsonContent'
!!!tip
    The annotation prefix can be changed using the `--annotations-prefix` command line argument, by default it's `alb.ingress.kubernetes.io`, as described in the table below.

## Annotations
|Name                       | Type |Default|Location|
|---------------------------|------|------|------|
|[alb.ingress.kubernetes.io/actions.${action-name}](#actions)|json|N/A|ingress|
|[alb.ingress.kubernetes.io/auth-idp-cognito](#auth-idp-cognito)|json|N/A|ingress,service|
|[alb.ingress.kubernetes.io/auth-idp-oidc](#auth-idp-oidc)|json|N/A|ingress,service|

This file has been truncated. show original

rjmp1991 · March 12, 2021, 5:09am

Hi, i resolved this issued manually.

you need modify ingress spec

spec:
rules:

http:
paths:
- path: /headers
  backend:
  serviceName: istio-ingressgateway
  servicePort: 443
- path: /ip
  backend:
  serviceName: istio-ingressgateway
  servicePort: 443
  tls:
hosts:
- ingresslocal.sandboxsecuritybc.com
  secretName: ingress-certificate

The target group is predetermined created wrong.
you can create a new target to forward the traffic to secure istio-ingress-gateway svc in the instances (worker nodes).
The protocol must be HTTPS and health check in the same port.
Then modify the routes in ALB an change the forward to new target group

apryiomka · March 16, 2021, 8:43pm

This still doesn’t work for me, i have exactly the same problem:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
    alb.ingress.kubernetes.io/healthcheck-port: "31562"
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/tags: Environment=stage
    kubernetes.io/ingress.class: alb
  labels:
    app: tls
  name: tls
  namespace: istio-system
spec:
  rules:
  - host: '*.example.com'
    http:
      paths:
      - backend:
          serviceName: istio-ingressgateway
          servicePort: 443
        path: /*

I get 502

dred · April 21, 2022, 6:36am

Disabling SNI matching by setting

  hosts:
  - "*"

in the ingress gateway solved it for us. Apparently AWS ALB doesn’t forward the SNI.

Topic		Replies	Views
ISTIO fails to initiate HTTPS request to backend-service (via destination-rule) Networking	1	3324	September 28, 2021
HTTPS port protocol returns bad gateway	1	720	September 2, 2021
Unable to secure ingress with SDS	1	1854	March 21, 2019
Access a HTTPS service through istio ingress gateway	4	867	April 28, 2020
Istio with AWS ALB and TLS to istio-ingressgateway Networking	6	4593	March 16, 2021

HTTPS for ALB ingress gateway and Istio ingress gateway

Related topics