
TLS listener not recognized #4181


@zac-nixon

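Using v2.13.1, the TLS protocol is not honored when generating security group (SG) rules, leading to a null rule. The TargetGroupBinding is then rejected because `spec.networking.ingress[0].ports` is null instead of an array: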

{"level":"debug","ts":"2025-05-14T18:03:01Z","logger":"events","msg":"Failed deploy model due to TargetGroupBinding.elbv2.k8s.aws \"k8s-ingressn-ingressn-82150018c4\" is invalid: spec.networking.ingress[0].ports: Invalid value: \"null\": spec.networking.ingress[0].ports in body must be of type array: \"null\"","type":"Warning","object":{"kind":"Service","namespace":"ingress-nginx","name":"ingress-nginx-controller-test","uid":"d2c65f18-5b72-4549-8c76-760548acd673","apiVersion":"v1","resourceVersion":"4620780"},"reason":"FailedDeployModel"}

repro:

# Repro manifest from the issue report: a LoadBalancer Service whose annotations
# request an NLB with a TLS listener. It was dumped from a live cluster (it
# carries creationTimestamp, uid, resourceVersion and a finalizer).
# NOTE(review): the error log quoted in the issue names Service
# ingress-nginx/ingress-nginx-controller-test, while this object is
# echoserver/echoserver -- presumably a renamed copy; confirm.
apiVersion: v1
kind: Service
metadata:
  annotations:
    external-dns.alpha.kubernetes.io/hostname: blah
    # Snapshot of the last `kubectl apply`; it repeats the annotations and spec
    # of this object as JSON.
    # NOTE(review): the JSON is split after "protocol":"TCP and resumes at
    # column 0, which ends the block scalar early -- looks like a paste
    # artifact; re-join the two lines before applying this manifest.
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{"external-dns.alpha.kubernetes.io/hostname":"blah","meta.helm.sh/release-name":"ingress-nginx","meta.helm.sh/release-namespace":"ingress-nginx","service.beta.kubernetes.io/aws-load-balancer-attributes":"deletion_protection.enabled=true","service.beta.kubernetes.io/aws-load-balancer-backend-protocol":"ssl","service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout":"60","service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled":"true","service.beta.kubernetes.io/aws-load-balancer-internal":"false","service.beta.kubernetes.io/aws-load-balancer-ip-address-type":"dualstack","service.beta.kubernetes.io/aws-load-balancer-nlb-target-type":"ip","service.beta.kubernetes.io/aws-load-balancer-scheme":"internet-facing","service.beta.kubernetes.io/aws-load-balancer-ssl-cert":"arn:aws:acm:us-east-1:565768096483:certificate/669ce78e-d6ec-4f68-b320-17a2640c8f86","service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy":"ELBSecurityPolicy-TLS13-1-2-2021-06","service.beta.kubernetes.io/aws-load-balancer-ssl-ports":"443","service.beta.kubernetes.io/aws-load-balancer-type":"external","service.kubernetes.io/topology-mode":"auto"},"labels":{"app.kubernetes.io/component":"controller","app.kubernetes.io/instance":"ingress-nginx","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"ingress-nginx","app.kubernetes.io/part-of":"ingress-nginx","app.kubernetes.io/version":"1.12.1","helm.sh/chart":"ingress-nginx-4.12.1","helm.toolkit.fluxcd.io/name":"ingress-nginx","helm.toolkit.fluxcd.io/namespace":"ingress-nginx","tags.datadoghq.com/service":"nginx-ingress"},"name":"echoserver","namespace":"echoserver"},"spec":{"allocateLoadBalancerNodePorts":true,"externalTrafficPolicy":"Cluster","internalTrafficPolicy":"Cluster","ipFamilies":["IPv6"],"ipFamilyPolicy":"SingleStack","loadBalancerSourceRanges":["10.0.0.0/8","100.64.0.0/10"],"ports":[{"name":"http","port":80,"protocol":"TCP
","targetPort":2443},{"name":"https","port":443,"protocol":"TCP","targetPort":443}],"selector":{"app":"echoserve"},"sessionAffinity":"None","type":"LoadBalancer"}}
    meta.helm.sh/release-name: ingress-nginx
    meta.helm.sh/release-namespace: ingress-nginx
    service.beta.kubernetes.io/aws-load-balancer-attributes: deletion_protection.enabled=true
    # Requests TLS between the load balancer and the targets.
    # NOTE(review): the issue text says the TLS protocol is not honored when SG
    # rules are generated in v2.13.1; presumably this annotation, together with
    # ssl-ports below, is the trigger -- confirm against the controller source.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    # Both this annotation and `scheme` below describe the same choice
    # (public vs. internal); here they agree on a public load balancer.
    service.beta.kubernetes.io/aws-load-balancer-internal: "false"
    service.beta.kubernetes.io/aws-load-balancer-ip-address-type: dualstack
    # `ip` target type: targets are registered by pod IP rather than by node port.
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    # NOTE(review): internet-facing scheme, but spec.loadBalancerSourceRanges
    # lists only 10.0.0.0/8 and 100.64.0.0/10 -- confirm the intended exposure.
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    # ACM certificate for the TLS listener(s) named in ssl-ports.
    # NOTE(review): the ARN embeds an AWS account ID and a certificate ID;
    # consider a placeholder ARN when sharing a repro publicly.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:565768096483:certificate/669ce78e-d6ec-4f68-b320-17a2640c8f86
    # TLS security policy applied to the TLS listener.
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
    # Only port 443 is marked for TLS; port 80 in spec.ports is not listed here.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.kubernetes.io/topology-mode: auto
  # creationTimestamp, resourceVersion and uid below are server-populated and
  # are not part of the configuration under test.
  creationTimestamp: "2025-05-15T07:04:51Z"
  # The finalizer shows that the AWS load balancer controller has taken
  # ownership of this Service.
  finalizers:
  - service.k8s.aws/resources
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.1
    helm.sh/chart: ingress-nginx-4.12.1
    helm.toolkit.fluxcd.io/name: ingress-nginx
    helm.toolkit.fluxcd.io/namespace: ingress-nginx
    tags.datadoghq.com/service: nginx-ingress
  name: echoserver
  namespace: echoserver
  resourceVersion: "6886"
  uid: 020c86ef-f3fd-4096-8a41-4755ad750025
# Service spec of the repro: an IPv6 single-stack LoadBalancer Service of class
# service.k8s.aws/nlb exposing ports 80 and 443.
spec:
  allocateLoadBalancerNodePorts: true
  clusterIP: fd79:1994:6b5d::2ef4
  clusterIPs:
  - fd79:1994:6b5d::2ef4
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv6
  ipFamilyPolicy: SingleStack
  loadBalancerClass: service.k8s.aws/nlb
  # Client CIDRs allowed to reach the load balancer; presumably these feed the
  # security group ingress rules the controller generates -- confirm.
  # NOTE(review): both ranges are IPv4 (RFC 1918 and CGNAT space) while the
  # Service is IPv6 single-stack and the scheme annotation is internet-facing;
  # verify that the resulting rules match the intended exposure.
  loadBalancerSourceRanges:
  - 10.0.0.0/8
  - 100.64.0.0/10
  ports:
  # Port 80 is not listed in the aws-load-balancer-ssl-ports annotation ("443"),
  # so it is not marked for TLS; it forwards to target port 2443.
  - name: http
    nodePort: 31612
    port: 80
    protocol: TCP
    targetPort: 2443
  # Port 443 is the one named in aws-load-balancer-ssl-ports, i.e. the TLS
  # listener the issue title refers to. The Service-level protocol stays TCP;
  # TLS is requested through annotations only.
  - name: https
    nodePort: 32559
    port: 443
    protocol: TCP
    targetPort: 443
  # NOTE(review): "echoserve" has no trailing "r", unlike the Service name
  # "echoserver" -- confirm it matches the pod labels.
  selector:
    app: echoserve
  sessionAffinity: None
  type: LoadBalancer
# The load balancer hostname is populated, so the NLB itself was provisioned;
# the failure quoted in the issue is on the TargetGroupBinding
# (spec.networking.ingress[0].ports being null).
status:
  loadBalancer:
    ingress:
    - hostname: k8s-echoserv-echoserv-37e561f2cb-f91e20a25249bda1.elb.us-east-1.amazonaws.com

credit to @visokoo for finding the bug.
