You are looking at the documentation of a prior release. To read the documentation of the latest release, please
visit here.
New to Voyager? Please start here.
Using AWS Certificate Manager
Voyager can use AWS certificate manager to terminate SSL connections for LoadBalancer
type ingress in aws
provider. To use this feature,
add the following annotations to Ingress;
ingress.appscode.com/annotations-service: |
{
"service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn:aws:acm:...",
"service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "http",
"service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "443"
}
Voyager operator will apply these annotation on LoadBalancer
service used to expose HAProxy to internet.
This service will (logically) listen on port 443, terminate SSL and forward to port 80 on HAProxy pods. Also,
ELB will listen on port 80 and forward cleartext traffic to port 80.
apiVersion: v1
kind: Service
metadata:
name: <ingress>
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 'arn:aws:acm:...'
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
spec:
type: LoadBalancer
ports:
- port: 443
targetPort: 80
- port: 80
targetPort: 80
...
Elastic Load Balancing
stores the protocol used between the client and the load balancer in the X-Forwarded-Proto
request
header and passes the header along to HAProxy. The X-Forwarded-Proto
request header helps HAProxy
identify the protocol (HTTP or HTTPS) that a client used to connect to load balancer. If you would
like to redirect cleartext client traffic on port 80 to port 443, please add redirect backend rules
when X-Forwarded-Proto
header value is HTTPS
. Please see the following ingress example and
example rules.
apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
name: test-aws-ingress
namespace: default
spec:
rules:
- host: appscode.example.com
http:
paths:
- backend:
serviceName: test-service
servicePort: '80'
backendRules:
- 'acl is_proxy_https hdr(X-Forwarded-Proto) https'
- 'redirect scheme https code 301 if ! is_proxy_https'