Exposing a service on EKS using NGINX ingress and issues with load balancer

10/14/2020

I am trying to set up a service and expose it externally on EKS. I have already done it on GKE pretty easily but now AWS is giving me a hard time.

My NGINX yaml looks something like that:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myapp-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"

spec:
  tls:
  - hosts:
    - app.mydomain.com
    secretName: myapp-tls
  rules:
  - host: app.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: myapp-service
          servicePort: 80

And then I have my domain app.mydomain.com on Google Domains pointing at the ingress external address. There is also a cert-manager service running in order to support HTTPS.

However, while basically the same setup worked completely out of the box on GKE, EKS gives me a hard time.

From what I understand it has something to do with EKS default LoadBalancer being layer 4 in comparison to Google's layer 7 (Which explains HTTPS not working) but there is also issues with redirections of the domain as it just resolves as the ingress address instead of my desired address and thus my app doesn't show up.

The domain is registered over Google Domains and I'm creating Synthetic Records (for my subdomain) that points to my ingress external address on EKS. The same scheme works perfectly fine on GKE but here it resolves the address as the ingress address instead of my domain which results in 404 on the ingress side.

I was wondering if someone could please point me to how to properly set it up? Should I give up on nginx ingress on EKS and move onto ALB? and how to properly associate the domain?

Thank you very much in advance!


Edit:

output of kubectl describe ingress myapp-ingress:

Name:             myapp-ingress
Namespace:        default
Address:          ********************************-****************.elb.eu-west-1.amazonaws.com
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  myapp-tls terminates app.mydomain.com
Rules:
  Host                          Path  Backends
  ----                          ----  --------
  app.mydomain.com  
                                /   myapp-service:80 (172.31.2.238:8000)
Annotations:                    cert-manager.io/cluster-issuer: myapp-letsencrypt-prod
                                kubernetes.io/ingress.class: nginx
Events:                         <none>
-- Or Y
amazon-eks
amazon-web-services
kubernetes
kubernetes-ingress
nginx

1 Answer

10/14/2020

Should I give up on nginx ingress on EKS and move onto ALB

No. NGinX ingress controllers work perfectly well on EKS. It is possible to configure them as either layer 4 or layer 7; we use it in layer 7 mode.

Can you update your question with the output of

kubectl get ingress myapp-ingress

I think your ingress path is also incorrect. Unless I'm mistaken that's just routing the root of your app, not all uris. We use the scheme

spec:
  rules:
    - host: service.d.tld
      http:
      paths:
        - path: /?(.*)  # <--- 
          backend:
            serviceName: my-service
            servicePort: http

Are you seeing errors in the nginx ingress controller's logs? That + kubectl events are both useful for debugging purposes.

I'd disable TLS everywhere and get your service working on http, then work stepwise on getting TLS enabled on the ingress controller.

Edit: Based on your response above,

curl -H "Host: app.mydomain.com" http://<elb-address>:80 

SHOULD call through to your service behind the ingress.

How is app.mydomain.com defined? Is it a CNAME to the <elb-address> dns entry?

-- mcfinnigan
Source: StackOverflow