It seems that the HTTPS->HTTP listener being used is always routing to the Consul NodePort running a HTTPS server. Instead, the HTTPS connection should be terminated at the load balancer, “stepped down” to HTTP and sent to the appropriate Consul HTTP port.
Here is my values-override.yaml file which I pass to consul-helm. Note the added annotations for the UI Service.
As you can see, I have the tls.httpsOnly key set to false.
When I look at my ELB config, I see a valid HTTPS->HTTP listener but, evidently, the Instance Port that it’s routing to is a HTTPS port, not HTTP, hence the browser error.
We spent the last few days trying to get this working. We investigated switching the lb backend-protocol to be https but that caused the health checks to fail. If we manually updated those health check to use the tcp endpoint, the services became available but any request to them would just hang indefinitely.
However, we did get this working by updating the LoadBalancer service to forward both http and https requests to the port 8500 of the consul server.
Setting the ui.enabled to true and ui.service.enabled to false should allow the use of the above service definition to route traffic to the consul server.
Having said that, this is only for the short term. We are looking into a more long term fix that would require us having a clearer idea of why the health checks fail on the ssl endpoint when the backend protocol is https and then after that, why the requests just hang indefinitely.
I hope this unblocks you but do let us know if there are follow up questions.
Hey @ashwin-venkatesh. Thanks for doing some research into this. We have a user story ourselves to investigate this further and attempt mitigation, but this new information will help massively - cheers!
We are looking into a more long term fix that would require us having a clearer idea of why the health checks fail on the ssl endpoint when the backend protocol is https and then after that, why the requests just hang indefinitely.
My halfway-educated guess for this was that the load balancer is acting as a HTTP “client” itself and attempting to open up TLS connections to the Consul server. But, as the Consul server is using a certificate not signed by a well-known CA, the load balancer closes the connection. That being said, I didn’t do a great deal of investigation into whether or not this was the case.
I’ll update here if the above solution rectifies the issue for us. At least until consul-helm supports Kubernetes Ingress (as vault-helm does already)
the load balancer is acting as a HTTP “client” itself and attempting to open up TLS connections to the Consul server. But, as the Consul server is using a certificate not signed by a well-known CA, the load balancer closes the connection.
That does sound about right
consul-helm supports Kubernetes Ingress
The latest consul-helm does support ingress gateways that should potentially address this. Here is a link to the ingress-gateway docs. It might be a little more work though as it requires further configuration on the consul server. It would be great if you could give it the old college try, but the solution mentioned above should work as well.
Ignore the above thing. I was wrong about ingress gateways