Target Group Unhealthy Due to Redirect to /#?redirect=%2F - How to Set Separate Health Check Paths? #3846

Open
vrathore18 opened this issue Sep 8, 2024 · 2 comments

@vrathore18

I am using the AWS ALB Ingress controller in my EKS setup, and one of my target groups is marked as unhealthy. The reason is that when users hit the URL {{ .Values.domainName }}, they are redirected to /#?redirect=%2F, which causes the ALB health checks to fail with a 302 redirect response.

Below is the part of my Ingress configuration:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{ template "drafter.frontend.fullname" . }}
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: {{ .Values.ingressScheme }}
    alb.ingress.kubernetes.io/group.name: {{ .Values.eks_cluster }}
    alb.ingress.kubernetes.io/actions.redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.external.ACM_CERTIFICATE_ARN }},{{ .Values.external.ANONYMISER_CERTIFICATE_ARN }},{{ .Values.external.DRAFTER_CERTIFICATE_ARN }}"
    alb.ingress.kubernetes.io/inbound-cidrs: {{ .Values.ipWhiteList }}
    alb.ingress.kubernetes.io/ssl-redirect: '443'
spec:
  rules:
    - host: {{ .Values.domainName }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: {{ template "drafter.frontend.fullname" . }}
                port:
                  number: 4200
    - host: l.{{ .Values.domainName }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: {{ template "drafter.frontend-logger.fullname" . }}
                port:
                  number: 80
    - host: auth.{{ .Values.domainName }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: {{ template "drafter.genieauth.fullname" . }}
                port:
                  number: 80
    - host: auth.{{ .Values.anonymiser_domainName }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: {{ template "drafter.genieauth.fullname" . }}
                port:
                  number: 80
    - host: b.{{ .Values.domainName }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: {{ template "drafter.graphql-gateway.fullname" . }}
                port:
                  number: 80
    {{- if or (eq .Values.env_name "qa") (eq .Values.env_name "trialco") (eq .Values.env_name "app") }}
    - host: static.{{ .Values.domainName }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: {{ template "drafter.graphql-gateway.fullname" . }}
                port:
                  number: 80
    {{- end }}
```

The unhealthy target group corresponds to the following rule:

```yaml
    - host: {{ .Values.domainName }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: {{ template "drafter.frontend.fullname" . }}
                port:
                  number: 4200
```

Problem:
The target group health checks fail because they receive a 302 redirect to /#?redirect=%2F, which doesn't return a 200 OK response. I understand that AWS ALB doesn't support different health check paths for each rule in a single Ingress.

Question:
How can I resolve this issue and make the target group healthy?
Is there a way to configure different health check paths for each rule within the same Ingress, or do I need to split the Ingress into separate resources for each service? What’s the best approach to handle this scenario?
Thanks!

@zac-nixon
Contributor

/kind question

@zac-nixon
Contributor

Hello! Thanks for reaching out. We came together as a team and concluded there are a couple of options to solve this.

Option 1:
Set `alb.ingress.kubernetes.io/success-codes` to "200,302" on the ingress or service.

https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/guide/ingress/annotations.md?plain=1#L50

This will mean your load balancer treats 302 as a success code for all your target groups associated with the ingress. If you want to specify 302 as a success code for one target group, you can set the annotation on the desired service.

Option 2:
Set `alb.ingress.kubernetes.io/healthcheck-path` on your ingress or service to a different path that only calculates health check data without the redirect.

https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/guide/ingress/annotations.md?plain=1#L45

Again, if you set it on the ingress, this will apply to all your target groups. You can set this on the desired service, which applies the new health check path only to that service.
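The two options above scoped to the frontend Service only, so the other target groups in the Ingress keep their default health checks. This is an added example, not part of the original thread or the project's documentation; the `/healthz` path, the selector label, the Service type and `targetPort` are assumptions, while the Service name and port 4200 come from the Ingress in the issue.

```yaml
# Added example: per-Service health check settings for the frontend target group.
# Assumed (not from the thread): /healthz, the selector label, type, targetPort.
apiVersion: v1
kind: Service
metadata:
  name: {{ template "drafter.frontend.fullname" . }}
  annotations:
    # Option 2: probe an endpoint that answers directly, with no redirect.
    # The application must serve this path itself; /healthz is a placeholder.
    alb.ingress.kubernetes.io/healthcheck-path: /healthz
    # Keep the matcher strict so a redirect still counts as a failed check.
    alb.ingress.kubernetes.io/success-codes: '200'
    # Option 1 (alternative): leave the path at / and accept the redirect.
    # A target that can only answer with a redirect is then reported healthy too.
    # alb.ingress.kubernetes.io/success-codes: '200,302'
spec:
  type: NodePort                # assumed; depends on the ALB target type in use
  selector:
    app: drafter-frontend       # hypothetical label
  ports:
    - port: 4200                # port referenced by the Ingress backend
      targetPort: 4200          # assumed container port
```

Because the annotations sit on the Service rather than the Ingress, they affect only the target group that backs this Service.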
