add TLS support for NLB / fix several NLB bugs #74910
/assign @micahhausler |
/test pull-kubernetes-e2e-gce-100-performance |
Do we know when this bug will be fixed? We are interested in installing Istio on our AWS EKS with multiple NLBs --> Fixes #69264 |
/bump |
/approve
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: M00nF1sh, micahhausler The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test pull-kubernetes-kubemark-e2e-gce-big |
What are the chances this'll make its way into a 1.11.x release? |
Dragging in on the mail chain. |
Hi, I'll check whether there are merge conflicts and cherry pick this back 😄 |
Sorry, cherrypicks are only for bugfixes not features |
To me, this seems like a bit of both. So which version will have these changes then? |
+1 What version is this going into? |
@tnachen Hi, this will go into v1.15 😄 |
Thanks for the response, @M00nF1sh. I guess it's time to put the heat on the kops team to catch up then :) |
Thanks @M00nF1sh for working on this. |
Hi @M00nF1sh and @micahhausler! |
@igorvpcleao Hi, this is already available in k8s v1.15. |
Can someone confirm this has been released in 1.15 please?
(cluster has been deployed on AWS by kubeadm 1.15.3) |
Is anybody using a sane workaround for EKS + NLB + ACM until v1.15+ becomes available for EKS? |
Also interested ... |
For now I'm adding the ACM certs manually via CLI/UI after the NLB is provisioned |
AWS EKS now supports 1.15 for upgrade and can use this already
What type of PR is this?
/kind feature
What this PR does / why we need it:
Add TLS support for NLB
Fix several NLB bugs (around targetGroup naming/tagging)
Which issue(s) this PR fixes:
Fixes #73297
Fixes #69264
Fixes #75006
Special notes for your reviewer:
SSL, however, in ALB/NLB, both SSL/TLS are identified as TLS. To avoid confusion and ease migration from CLB to NLB, service.beta.kubernetes.io/aws-load-balancer-backend-protocol:ssl is re-used for denoting backend SSL in NLB as well.
- migration from TCP to TLS termination:
  - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arnOfACMCert and service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
  - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl, and change service targetPort to an HTTP port.
  - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl, and change service targetPort to a TLS port
- create NLB service with multiple TLS/TCP port.
  - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arnOfACMCert, and service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 443
- add TLS port to existing NLB service.
  - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arnOfACMCert, and service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 443
- modify SSL policy
  - service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-2016-08
- targetGroup names/ tagging
Does this PR introduce a user-facing change?:
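An added example, not part of the PR or the Kubernetes code base: a small audit that reads Service objects and reports which NLB listener ports terminate TLS under the annotations listed in the description above. It assumes the selection rule is "ssl-cert set, and ssl-ports absent, `*`, or naming the port (by number or name)"; the `aws-load-balancer-type: nlb` annotation, the sample services and the placeholder certificate ARN are constructed for illustration.

```python
import json

PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"

# Constructed sample, shaped like `kubectl get svc -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "web", "namespace": "prod", "annotations": {
    "service.beta.kubernetes.io/aws-load-balancer-type": "nlb",
    "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER",
    "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "443"}},
  "spec": {"type": "LoadBalancer", "ports": [
    {"name": "https", "port": 443, "targetPort": 8080},
    {"name": "admin", "port": 8443, "targetPort": 8443}]}},
 {"metadata": {"name": "api", "namespace": "prod", "annotations": {
    "service.beta.kubernetes.io/aws-load-balancer-type": "nlb"}},
  "spec": {"type": "LoadBalancer", "ports": [{"name": "https", "port": 443, "targetPort": 8443}]}}
]}
""")


def nlb_listeners(svc):
    """Return [(port, frontend, backend)] for one NLB Service, else []."""
    ann = svc["metadata"].get("annotations") or {}
    if svc["spec"].get("type") != "LoadBalancer" or ann.get(PREFIX + "type") != "nlb":
        return []
    cert = ann.get(PREFIX + "ssl-cert", "")
    raw = ann.get(PREFIX + "ssl-ports", "")
    # Assumed rule: no ssl-ports annotation (or "*") means every port terminates TLS.
    selected = None if raw in ("", "*") else {p.strip() for p in raw.split(",")}
    backend_tls = ann.get(PREFIX + "backend-protocol", "") == "ssl"
    out = []
    for p in svc["spec"]["ports"]:
        tls = bool(cert) and (selected is None or str(p["port"]) in selected
                              or p.get("name") in selected)
        out.append((p["port"], "TLS" if tls else "TCP",
                    "TLS" if tls and backend_tls else "TCP"))
    return out


def audit(service_list):
    """Map namespace/name to the ports the NLB forwards without terminating TLS."""
    report = {}
    for svc in service_list["items"]:
        plain = [port for port, front, _ in nlb_listeners(svc) if front == "TCP"]
        if plain:
            meta = svc["metadata"]
            report[f'{meta.get("namespace", "default")}/{meta["name"]}'] = plain
    return report
```

Pass the parsed output of `kubectl get svc -A -o json` to `audit()`. A listed port is not necessarily unencrypted, only not terminated at the NLB, so confirm the pods behind it handle TLS themselves.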