Consul-helm: issue terminating TLS at AWS Load Balancer

Hi folks,

I’m having an issue with consul-helm and enabling TLS termination at my AWS Elastic Load Balancer for the Consul UI.

When I open the DNS for Consul UI in a browser (e.g. https://consul.company.com) I get the error:

Client sent an HTTP request to an HTTPS server.

It seems that the HTTPS->HTTP listener being used is always routing to the Consul NodePort running an HTTPS server. Instead, the HTTPS connection should be terminated at the load balancer, “stepped down” to HTTP and sent to the appropriate Consul HTTP port.

Here is my values-override.yaml file which I pass to consul-helm. Note the added annotations for the UI Service.

global:
  datacenter: sandbox

  gossipEncryption:
    secretName: "consul"
    secretKey: "CONSUL_GOSSIP_ENCRYPTION_KEY"

  tls:
    enabled: true
    httpsOnly: false
    enableAutoEncrypt: true
    serverAdditionalDNSSANs: ["'consul.service.consul'"]

  acls:
    manageSystemACLs: true

server:
  replicas: 3
  bootstrapExpect: 3
  storage: 20Gi

dns:
  clusterIP: 172.20.53.53

ui:
  enabled: true
  service:
    type: 'LoadBalancer'
    annotations: |
      "external-dns.alpha.kubernetes.io/hostname": "consul.company.com"
      "external-dns.alpha.kubernetes.io/ttl": "30"
      "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "http"
      "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "<CERTIFICATE_ARN>"
      "service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy": "ELBSecurityPolicy-TLS-1-2-2017-01"
      "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "https"
      "service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags": "Foo=Bar,Environment=sandbox,Name=consul-public"
syncCatalog:
  enabled: true

As you can see, I have the tls.httpsOnly key set to false.

When I look at my ELB config, I see a valid HTTPS->HTTP listener but, evidently, the Instance Port that it’s routing to is an HTTPS port, not HTTP, hence the browser error.

Have I misconfigured something here?

Thanks - Aaron

Looks like we set the service’s port to 8501 when TLS is enabled in the helm chart: https://github.com/hashicorp/consul-helm/blob/master/templates/ui-service.yaml#L23-L32.

For now you’ll need to manually create another service with the right port. I’ll open up an issue to track: https://github.com/hashicorp/consul-helm/issues/489

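A stand-alone Service for the workaround described above, as an added example rather than code from this thread or from the consul-helm chart. It assumes Consul's default HTTP API port 8500, the chart's server pod labels (app/component/release), and a Helm release named consul; the certificate ARN and hostname placeholders come from the values file posted earlier.

```yaml
# Added example: a second Service that exposes the Consul UI over plain HTTP
# (port 8500) behind the ELB, so the ELB terminates TLS with the ACM cert
# and forwards HTTP to the pods instead of hitting the 8501 HTTPS port.
# Assumptions: Consul's default HTTP port is 8500, the server pods carry the
# consul-helm labels below, and the Helm release is named "consul".
apiVersion: v1
kind: Service
metadata:
  name: consul-ui-http
  namespace: default
  annotations:
    external-dns.alpha.kubernetes.io/hostname: "consul.company.com"
    external-dns.alpha.kubernetes.io/ttl: "30"
    # Backend is plain HTTP; the ELB is the TLS endpoint.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "<CERTIFICATE_ARN>"
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
    # Only the service port named "https" gets the TLS listener.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
spec:
  type: LoadBalancer
  selector:
    app: consul
    component: server
    release: consul   # assumption: adjust to your Helm release name
  ports:
    - name: https
      port: 443         # ELB listener; TLS is terminated here
      targetPort: 8500  # Consul HTTP API/UI, not the 8501 HTTPS port
      protocol: TCP
```

Because the hop from the ELB to the NodePort is plain HTTP, it should stay inside the VPC, and the chart-managed ui.service should be left as ClusterIP so only this Service gets a public load balancer.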

Great, thanks @lkysow - appreciate the response.

Has there been any movement on merging any PRs which provide Kubernetes Ingress capabilities with Consul? This would be hugely beneficial for us.

That’s on our backlog but unfortunately I don’t have an update as to when we’ll get to it.
