Is it possible to define different healthcheck protocol for a Service exposing two or more NodePorts? #3346

Closed
hajdukda opened this issue Aug 17, 2023 · 8 comments
Labels
kind/documentation Categorizes issue or PR as related to documentation.

Comments

@hajdukda

Let's say we have a Service:

spec:
  type: LoadBalancer
  ports:
    - port: 80
      targetPort: 80
      name: http
    - port: 443
      targetPort: 443
      name: https
  selector:
    some: selector

It will create two target groups, one for port 443 and one for port 80. How do I set a different healthcheck for them?

@oliviassss
Collaborator

@hajdukda, you can try through the service annotations: service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: traffic-port. Please check our live doc for more info about health checks.

@hajdukda
Author

hajdukda commented Aug 24, 2023

My issue is not with port but protocol.

First one uses http and second one uses https. If you try to check health of the https service using http you will get no response.

The question is how to set healthcheck-protocol twice, because this service will create two target groups. If it's currently not possible, please consider this a feature request.

@oliviassss
Collaborator

@hajdukda, would you be able to use 2 services? Our current annotation service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol does not support multiple protocols for 1 service.

@hajdukda
Author

hajdukda commented Oct 9, 2023

If that's the case and this issue is closed, should I open another one to update the documentation to mention that AWS LB Controller supports only services with a single port exposed?

@oliviassss
Collaborator

Sure, we can track it in this issue. You're welcome to contribute a PR to add it in our live doc: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/guide/service/annotations/#health-check

/kind documentation

@yohancourbe

What is the way forward then? I have the same situation: if I use the traffic-port with HTTP protocol on the health check, my HTTPS target group will never be healthy, and vice versa.

@yohancourbe

@shraddhabang while #3547 clarifies the doc, I think it would be nice to have guidance on how to handle this use case. Having multiple ports seems to be a very common situation, typically for both ports 80 and 443.

I tested the use of service.beta.kubernetes.io/aws-load-balancer-healthcheck-port, but this doesn't seem to be handled by the controller to add a nodePort like it would do for a port defined in the service. Adding the health-check port in the service definition will expose the health-check port on the NLB, which is not ideal.

@fracca

fracca commented Feb 7, 2024

As a workaround for my setup, I found that if you define the nodePorts for http and https, you can then use them within the health check annotations and can use one protocol. Given this was just a healthcheck, use of http was sufficient.

controller:
  kind: DaemonSet
  service:
    nodePorts:
      http: "30080"
      https: "30443"
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: "HTTP"
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "30080" # force using http port
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: "/healthz"
      service.beta.kubernetes.io/aws-load-balancer-name: "k8s-ingress-public"
    enabled: true
    internal:
      enabled: true
      nodePorts:
        http: "31080"
        https: "31443"
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: "HTTP"
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "31080" #force using http port
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: "/healthz"
        service.beta.kubernetes.io/aws-load-balancer-name: "k8s-ingress-internal"
  ingressClassResource:
    name: ingress-nginx
    enabled: true
    default: false
    controllerValue: "k8s.io/ingress-nginx"
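
Added example, not part of the thread or of the controller project: a Python check over `kubectl get svc -o json` output that flags the configuration discussed here, a multi-port LoadBalancer Service whose single HTTP or HTTPS healthcheck-protocol is left on traffic-port. The function and sample names are hypothetical, and treating an unset healthcheck-port as traffic-port is an assumption.

```python
import json
import sys

PREFIX = "service.beta.kubernetes.io/aws-load-balancer-healthcheck-"


def find_shared_protocol_checks(service_list):
    """Flag multi-port LoadBalancer Services whose one HTTP/HTTPS
    health-check protocol is applied to every port's target group."""
    findings = []
    for svc in service_list.get("items", []):
        meta, spec = svc.get("metadata", {}), svc.get("spec", {})
        ports = spec.get("ports") or []
        if spec.get("type") != "LoadBalancer" or len(ports) < 2:
            continue
        ann = meta.get("annotations") or {}
        protocol = ann.get(PREFIX + "protocol", "").upper()
        if protocol not in ("HTTP", "HTTPS"):
            continue  # only HTTP/HTTPS checks are at issue in the thread
        # Assumption: an unset healthcheck-port behaves like "traffic-port".
        if ann.get(PREFIX + "port", "traffic-port") != "traffic-port":
            continue  # pinned to one port, as in the workaround above
        name = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        port_names = [p.get("name") or str(p.get("port")) for p in ports]
        findings.append((name, protocol, port_names))
    return findings


# Constructed sample in the shape of `kubectl get svc -A -o json` output.
BOTH = [{"name": "http", "port": 80}, {"name": "https", "port": 443}]
SAMPLE = {"items": [
    {"metadata": {"namespace": "web", "name": "shared",
                  "annotations": {PREFIX + "protocol": "HTTP"}},
     "spec": {"type": "LoadBalancer", "ports": BOTH}},
    {"metadata": {"namespace": "web", "name": "pinned",
                  "annotations": {PREFIX + "protocol": "HTTP",
                                  PREFIX + "port": "30080"}},
     "spec": {"type": "LoadBalancer", "ports": BOTH}},
    {"metadata": {"namespace": "web", "name": "single",
                  "annotations": {PREFIX + "protocol": "HTTPS"}},
     "spec": {"type": "LoadBalancer", "ports": [BOTH[1]]}},
]}

if __name__ == "__main__":
    # Pass a saved `kubectl get svc -A -o json` file, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, protocol, ports in find_shared_protocol_checks(data):
        print(f"{name}: {protocol} health check shared by ports {ports}")
```

Only `web/shared` is reported for the sample; the Service pinned to a nodePort and the single-port Service pass.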
