Redirect rule is not being created on aws load balancer by the controller

[paulob122]

Bug Description

Previously for several environments we had already set up redirect rules, using custom actions annotation, for some ingresses. The following configuration is an example:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/healthcheck-path: /
    alb.ingress.kubernetes.io/listen-ports: '[{ "HTTPS": 443 }]'
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/actions.redirect-to-sso: > 
      {"type":"redirect","redirectConfig":{"host":"app.domain","port":"443","protocol":"HTTPS","statusCode":"HTTP_302"}}
  name: app-ingress
  namespace: harbor
spec:
  ingressClassName: alb-external
  rules:
  - host: app.domain
    http:
      paths:
      - backend:
          service:
            name: redirect-to-sso
            port:
              name: use-annotation
        path: /account/sign-in
        pathType: Prefix
  tls:
  - hosts:
    - app.domain

With the above configuration, you would expect the aws-load-balancer controller to create the redirect rule in the specified load balancer (as before).

After creating the ingress described above, you can see that it has been successfully reconciled via the controller, however the following output appears:

/account/sign-in   redirect-to-sso:use-annotation (<error: services "redirect-to-sso" not found>)

Controller logs/error messages while reproducing the issue: In the controller logs, with the debug flag enabled, we can only see successful status code 200 requests during the reconciliation phase. Nothing else indicates another source of errors or misbehaviour.

Expected Behavior

Controller create redirect rule on load balancer aws resource.

Actual Behavior

Controller does not create redirect rule on load balancer aws resource.

Regression
Was the functionality working correctly in a previous version ? [Yes / No]
If yes, specify the last version where it worked as expected
Yes. In the aws-load-balancer-controller version 2.11.0 for the kubernetes version 1.32.x

Current Workarounds

Environment

• AWS Load Balancer controller version: 2.13.3
• Kubernetes version: 1.33.0
• Using EKS (yes/no), if so version?: yes, eks.6
• Using Service or Ingress: Ingress

[zac-nixon]

Hi, I am trying to reproduce this but didn't have much luck:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/healthcheck-path: /
    alb.ingress.kubernetes.io/listen-ports: '[{ "HTTPS": 443 }]'
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:565768096483:certificate/669ce78e-d6ec-4f68-b320-17a2640c8f86    
    alb.ingress.kubernetes.io/actions.redirect-to-sso: > 
      {"type":"redirect","redirectConfig":{"host":"app.domain","port":"443","protocol":"HTTPS","statusCode":"HTTP_302"}}
  name: test-ing
  namespace: default
spec:
  ingressClassName: alb
  rules:
  - host: app.domain
    http:
      paths:
      - backend:
          service:
            name: redirect-to-sso
            port:
              name: use-annotation
        path: /account/sign-in
        pathType: Prefix
  tls:
  - hosts:
    - app.domain

This did not create a redirect rule for me on v2.11.0 or v2.13.3. To further test, I took the example we have from our documentation and tested it against the same versions (https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/ -- alb.ingress.kubernetes.io/actions.${action-name}). The example was able to create redirect rules in both versions. Do you have more details?

[paulob122]

@zac-nixon I'm using the aws-load-balancer-controller helm chart with the version 1.13.3.

I can't get more precise about the problem I'm experiencing, but it started happening on more than one cluster after I upgraded kubernetes to 1.33

[andreybutenko]

Thanks for reporting the issue! @shraddhabang was able to reproduce this.

The redirect rule you have configured is an infinite loop because the host, port, and protocol of the redirect config is the same as the host, port, and protocol.

Here is the relevant LBC logic isInfiniteRedirectRule: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/pkg/ingress/rule_optimizer.go#L87

If you add another listener, like this:

# before
alb.ingress.kubernetes.io/listen-ports: '[{ "HTTPS": 443 }]'
# after
alb.ingress.kubernetes.io/listen-ports: '[{ "HTTP": 80 }, { "HTTPS": 443 }]'

You'll that the listener HTTP:80 has the redirect rule, but the listener HTTPS:443 does not have the redirect rule.

• Could you please update your redirect rule to avoid the infinite loop? Then, your configuration should work as expected :)
• If you are intentionally setting up a redirect loop, could you share more about your usecase?