Support AWS cert manager #189

Merged
merged 3 commits into from Jun 16, 2017

tamalsaha
Contributor

Fixes #188

@tamalsaha
Contributor Author

@julianvmodesto, this PR will open port 443 on LB service and send traffic to port 80 on HAProxy if service-annotations has "service.beta.kubernetes.io/aws-load-balancer-ssl-cert" set.

@tamalsaha tamalsaha requested a review from sadlil June 16, 2017 01:15
@tamalsaha tamalsaha merged commit 956c8be into master Jun 16, 2017
@tamalsaha tamalsaha deleted the aws-crt-mgr branch June 16, 2017 05:34
@julianvmodesto
Contributor

Excellent! Is this in 1.5.6? I tried putting imagePullPolicy: Always just in case, but I can't seem to see this feature in action.

@tamalsaha
Contributor Author

Yes. Do you see the 443-> 80 in the ingress service? https://github.com/appscode/voyager/blob/master/docs/user-guide/ingress/aws-cert-manager.md

@tamalsaha
Contributor Author

tamalsaha commented Jun 16, 2017

Also, if you exec into the operator pod and run /voyager version you should see when this binary was compiled. It should be June 16, 2017.

@julianvmodesto
Contributor

Oops sorry, I forgot to delete the ingress after updating -- it works! 😃

Two things:

  • instead of either tcp-80 or tcp-443, could we enable/add tcp-443 in addition to tcp-80 to the Service to allow both http and https access?
  • is there a way to revert this? manually edit the LoadBalancer Service and remove the annotation?

@tamalsaha
Contributor Author

tamalsaha commented Jun 16, 2017

> instead of either tcp-80 or tcp-443, could we enable/add tcp-443 in addition to tcp-80 to the Service to allow both http and https access?

Do you always want both ports to be open? Or that will be based on some config?

> is there a way to revert this? manually edit the LoadBalancer Service and remove the annotation?

If you remove the service annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert, the port will revert back to 80-> 80.

@julianvmodesto
Contributor

Hmm, if it could be based on some config, that might be useful, but my use case is to have both open.

However, at some point I'd like to figure out how we could set up http -> https redirect with something like redirect scheme https code 301 if !{ ssl_fc } in the frontend (or backend?).

Will try out removing the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation!

@tamalsaha
Contributor Author

tamalsaha commented Jun 20, 2017

> However, at some point I'd like to figure out how we could set up http -> https redirect with something like redirect scheme https code 301 if !{ ssl_fc } in the frontend (or backend?).

This is already possible with the version in master. Basically, AWS ELB adds an X-Forwarded-Proto header. In your Ingress, you can add a backend rule that will redirect to the HTTPS endpoint if this header is missing. You have to do this for each backend for port 80.

See here:

I am going to make a note to add an example for this in the docs.
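
The redirect discussed in the last two comments, as an added example that is not part of the thread and not configuration generated by Voyager. It is a constructed HAProxy fragment that assumes the ELB terminates TLS on 443, forwards plain HTTP to port 80, and uses an HTTP/HTTPS listener so that it sets X-Forwarded-Proto; the frontend and backend names and the server address are placeholders.

```haproxy
# Constructed example: HTTP -> HTTPS redirect when TLS ends at the AWS ELB.
# Assumption: ELB listener is HTTP/HTTPS (not TCP/SSL), so X-Forwarded-Proto is set.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http-80
    bind *:80

    # Not suitable behind a TLS-terminating ELB: ssl_fc is true only when
    # HAProxy itself accepted the connection over TLS. Here every request
    # reaches HAProxy as plain HTTP, including those that were HTTPS at the
    # ELB, so this rule would redirect them again and loop.
    # redirect scheme https code 301 if !{ ssl_fc }

    # Redirect unless the ELB reports that the client connection was HTTPS.
    # This covers both an absent header and a header value of "http".
    http-request redirect scheme https code 301 unless { hdr(X-Forwarded-Proto) -i https }

    default_backend web

backend web
    # Placeholder application server.
    server app1 127.0.0.1:8080 check
```

The header is only as trustworthy as the network path: if port 80 on HAProxy is reachable without passing through the ELB, a client can send X-Forwarded-Proto: https itself and skip the redirect, so restrict that port to the load balancer.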
