
Why is my LoadBalancer service in Kubernetes not reachable? I have deployed the nginx-ingress-controller helm chart and it has a service of type LoadBalancer in EKS. This service receives a URL (EXTERNAL-IP) and this URL has an IP, but when I'm trying to reach this URL it's not reachable. I did kubectl port-forward -n ingress-nginx services/ingress-nginx-controller 8080:80 and then I can reach nginx on localhost:8080, so I know the problem is reaching the service itself from the internet. I've checked the VPC and subnet security groups and inbound/outbound rules and they seem ok. Can anyone provide some guidance on how to troubleshoot this issue?

This is the definition of the

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-central-1:xxx:certificate/xxx
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.5.1
    helm.sh/chart: ingress-nginx-4.4.2
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  allocateLoadBalancerNodePorts: true
  clusterIP: xxx
  clusterIPs:
  - xxx
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: http
    nodePort: xxx
    port: 80
    protocol: TCP
    targetPort: http
  - name: https
    nodePort: xxx
    port: 443
    protocol: TCP
    targetPort: http
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  sessionAffinity: None
  type: LoadBalancer

This is the command I'm using to deploy the nginx helm chart:

helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx  --namespace ingress-nginx --create-namespace --version 4.4.2 -f values.yaml

And this is my values.yaml:

controller:
  config: 
    allow-snippet-annotations: "true"
    http-snippet: |
      server {
        listen 2443;
        return 308 https://$host$request_uri;
      }
    use-forwarded-headers: "false"
  service:
    enabled: true
    annotations: 
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
      service.beta.kubernetes.io/aws-load-balancer-internal: "true"
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-central-1:xxx:certificate/xxx
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
    ports:
      http: 80
      https: 443
    targetPorts:
      http: http
      https: http
    type: LoadBalancer

To reach the nginx service I either go to it in the browser or just do:

curl xxx-xxx.elb.eu-central-1.amazonaws.com

but I always get "This site can't be reached".
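As an added example, not part of the original question: the posted values.yaml carries service.beta.kubernetes.io/aws-load-balancer-internal: "true", and with the in-tree AWS cloud provider that annotation makes the provisioned NLB internal-scheme, so its DNS name resolves only to private VPC addresses and it cannot be reached from the internet even though port-forwarding into the cluster works. Below is the same controller.service block with that annotation taken out and comments on what each setting does. The ACM certificate ARN is the question's placeholder and the CIDR under loadBalancerSourceRanges is an assumption.

```yaml
# Added example (not from the original question): controller.service block for an
# internet-facing NLB. Placeholders: the ACM certificate ARN and the source CIDR.
controller:
  config:
    allow-snippet-annotations: "true"
    # This 2443 redirect server is only reached if a Service port targets it;
    # with targetPorts.http: http below it is never used, so plain HTTP is
    # served directly instead of being redirected to HTTPS.
    http-snippet: |
      server {
        listen 2443;
        return 308 https://$host$request_uri;
      }
    use-forwarded-headers: "false"
  service:
    enabled: true
    type: LoadBalancer
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
      # Unreachable variant from the question: an internal-scheme NLB that only
      # has private VPC addresses. Omit the annotation for an internet-facing NLB.
      #   service.beta.kubernetes.io/aws-load-balancer-internal: "true"
      # TLS is terminated on the NLB with the ACM certificate on the "https"
      # port only; the controller receives plain HTTP on both ports.
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-central-1:xxx:certificate/xxx
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    ports:
      http: 80
      https: 443
    targetPorts:
      http: http
      https: http
    # An internet-facing NLB exposes the controller to every source address.
    # If only known networks should reach it, restrict the client CIDRs here
    # (assumed placeholder range) rather than leaving it wide open.
    loadBalancerSourceRanges:
      - 203.0.113.0/24
```

Two quick checks tell the internal and internet-facing cases apart before touching the chart: dig +short on the EXTERNAL-IP hostname returns private (RFC 1918) addresses for an internal NLB, and aws elbv2 describe-load-balancers --query 'LoadBalancers[].[DNSName,Scheme,State.Code]' shows Scheme as internal or internet-facing. If the scheme is already internet-facing, the next thing to look at is aws elbv2 describe-target-health for the NLB's target groups: with externalTrafficPolicy: Cluster the targets are the worker nodes on the Service's nodePorts, and the node security groups must accept those ports from the VPC CIDR (health checks) and from the allowed client ranges.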

1 Answer


First and foremost: give up. The nginx controller won't just work with ACM properly; I've wasted enormous hours to accept this and move on.
Now that you have, here's the approach I employed just yesterday, and it worked brilliantly.

  1. Install the nginx controller as a helm release, without making any changes to the controller service; this will create a CLB (instead of an NLB) and this is fine. The NLB is mentioned in guides on the internet as a crutch to get the ACM certificate working, but all it does is produce redirect loops.
  2. MOST IMPORTANT - please go through this to install cert-manager to manage LE certificates for you; ACM won't just let you export the certificate. If you already have an external one, good, just put it as the secret for the TLS definition below; otherwise, after the installation of cert-manager (if the helm install for it takes too long, you didn't specify true for CRD installation - THIS IS CRUCIAL, and if it gets stuck you will need to uninstall the release and retry properly).
  3. Here's an example nginx ingress you can adapt to your needs:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: yeaboi-lb
      namespace: yeaboi
      annotations:
        nginx.ingress.kubernetes.io/server-snippet: |
          rewrite ^/(/?)$ /yeaboi$1 break;
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
        kubernetes.io/ingress.class: "nginx"
        cert-manager.io/cluster-issuer: "letsencrypt"
        acme.cert-manager.io/http01-edit-in-place: "true"
    spec:
      ingressClassName: nginx
      tls:
      - secretName: yeaboi-tls
        hosts:
          - yeaboi.io
      rules:
      - host: yeaboi.io
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: yeaboi-web
                port:
                  number: 80
  4. Here's an example yeaboi-web service you can use in conjunction with the above-mentioned ingress (obviously make sure to specify the targetPort exposed by your deployment):
    apiVersion: v1
    kind: Service
    metadata:
      name: yeaboi-web
      namespace: yeaboi
      labels:
        app: yeaboi-web
    spec:
      ports:
      - port: 80
        targetPort: 9000
        protocol: TCP
      selector:
        app: yeaboi-web
  5. Point your domain to the CLB created by nginx (just in case, make sure it has your EC2 instances in InService status etc.).
  6. Enjoy having a working nginx ingress you can customize a lot (unlike the ALB ingress, which is severely limited in comparison).
Randych
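The ClusterIssuer that the answer's Ingress points at through cert-manager.io/cluster-issuer: "letsencrypt" is not shown in the answer, so here is one as an added example; it is not the answerer's code. It assumes cert-manager has been installed with its CRDs (the helm command is in the comment), that the ingress is reachable from the internet on port 80 (the HTTP-01 challenge needs that, which is also why an internal-only load balancer would never get a certificate), and it uses an assumed contact e-mail address and an assumed second issuer named letsencrypt-staging.

```yaml
# Added example (not from the answer). Install cert-manager with its CRDs first;
# without installCRDs=true the release hangs, which is what the answer warns about:
#   helm repo add jetstack https://charts.jetstack.io
#   helm upgrade --install cert-manager jetstack/cert-manager \
#     --namespace cert-manager --create-namespace --set installCRDs=true
#
# Production issuer, matched by the answer's annotation
# cert-manager.io/cluster-issuer: "letsencrypt".
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@yeaboi.io                 # assumed contact address for expiry notices
    privateKeySecretRef:
      name: letsencrypt-account-key      # ACME account key; guard it like any credential
    solvers:
      - http01:
          ingress:
            class: nginx                 # must match the ingress class the controller serves
---
# Staging issuer (assumed name) for trying the setup out: Let's Encrypt production
# enforces rate limits, so point cert-manager.io/cluster-issuer here until the
# challenge succeeds, then switch. Staging certificates are not browser-trusted.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@yeaboi.io
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      - http01:
          ingress:
            class: nginx
```

Apply it with kubectl apply -f and watch the issuance with kubectl get certificate -n yeaboi and kubectl describe challenge -n yeaboi; a challenge stuck in pending almost always means the /.well-known/acme-challenge/ path is not reachable over plain HTTP from outside, so keep the answer's ssl-redirect: "false" until the first certificate is issued. The acme.cert-manager.io/http01-edit-in-place: "true" annotation in the answer makes cert-manager add the challenge path to the existing Ingress instead of creating a temporary one, which matters when the Ingress carries custom snippets as this one does.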