SSL(ACM) on EKS load balancer

Question

I have my app running on EKS which is using istio-ingressgateway service for load balancer having ports 15020,15032,15031,15029,15030,15443. I want to terminate SSL on this ELB but whenever I apply my ingress.yaml file, it overwrites all the default ports and only configures 443. What change should be needed to add 443 SSL port in running ELB and keep other ports as they are.

apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
    service.kubernetes.io/tke-existed-lbid: "xxxxxxxxxxxxxxxxxxxxx"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:xx-xxxx-x:123456789:certificate/xxxxxx-xxxxx-xxx-xxxx-xxxxxxx"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
  labels:
    chart: gateways-1.0.1
    release: istio
    heritage: Tiller
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  type: LoadBalancer
  ports:
  - port: 443
    name: https
    protocol: TCP
  externalTrafficPolicy: Cluster
  selector:
    app: istio-ingressgateway
    istio: ingressgateway

score 0 · Answer 1 · answered Aug 19 '20 at 17:48

0

There doesn't seem to be support for using existing ELB through annotations. It's very interesting that tke-existed-lbid is working for you. If I am not wrong that's Tencent Kubernetes Engine. Annotations are designed to create new LBs. If you want to use existing LB, create the LB outside of the k8s context and keep your manifest as is (minus annotations) to serve as External Load Balancer.

answered Aug 19 '20 at 17:48

Faheem

3,429
19
26

yes **tke-existed-lbid** is working, and also why ports are overwriting not just adding 443 ? – Akash Verma Aug 19 '20 at 19:58
That annotation is not even mentioned in the official docs. I would open a ticket with AWS support TBH – Faheem Aug 19 '20 at 21:01

SSL(ACM) on EKS load balancer

1 Answers1