Closed: wuttke closed this 3 months ago
Annotations: alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:905418322627:certificate/658ea803-f7f2-4a4d-bb11-db8e9e480ea8
alb.ingress.kubernetes.io/group.name: mesalvo-constellation-ingress-group
alb.ingress.kubernetes.io/listen-ports: [{"HTTP": 80}, {"HTTPS": 443}]
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/ssl-redirect: 443
alb.ingress.kubernetes.io/success-codes: 200,401
alb.ingress.kubernetes.io/target-type: ip
meta.helm.sh/release-name: mesalvo-kafka-ui-release-c00d1040
meta.helm.sh/release-namespace: kafka
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedDeployModel 54m ingress Failed deploy model due to AccessDenied: User: arn:aws:sts::905418322627:assumed-role/mesalvo-cortex-constellation_control_plane_role/i-085b4ad0577f647a8 is not authorized to perform: elasticloadbalancing:DescribeListenerCertificates because no identity-based policy allows the elasticloadbalancing:DescribeListenerCertificates action
status code: 403, request id: 0131df13-2bc4-4b7d-9c60-5e90bd8923a7
Yet more permissions, and let's see if I find more:
Normal SuccessfullyReconciled 8m42s ingress Successfully reconciled
That was all I needed ;)
Hello @wuttke,
Thanks for the bug report, and good to hear that you could apply the missing permissions manually. I'm preparing a fix for this, targeting the next release.
While testing, I found that Ingresses with alb.ingress.kubernetes.io/target-type: ip were not routable, due to the additional requirement on Pod IPs. Switching to target type instance resolved this issue. Did you encounter this problem, too?
Cheers, Markus
P.S.: We usually don't advertise the Ingress capabilities of aws-load-balancer-controller because the application load balancer resides outside Constellation and is thus not suitable for sensitive traffic, for which an Ingress controller hosted inside Constellation would fit best. That being said, using the ALB may be appropriate, depending on the nature of the traffic.
Thank you very much! Both for the quick reply and the good pointers. This was really helpful.
Issue description
The Control Plane Policy does not have this permission: elasticloadbalancing:DescribeListenerCertificates
This is required for Ingresses that create an ALB with certificates.
Steps to reproduce the behavior
No response
Version
No response
Constellation Config
No response
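The AccessDenied event quoted in the thread names both the denied principal and the missing action, and the fix is to make sure the control plane role's identity-based policy allows that action. The following script is an added example, not Constellation's or aws-load-balancer-controller's own code: it extracts the denied action from the event message and evaluates a policy document for it, including IAM's wildcard action matching and explicit-Deny precedence. The two policy documents (POLICY_BEFORE and POLICY_AFTER) are constructed for the example; the event message is the one from the issue. Resource and Condition elements, and NotAction statements, are deliberately not evaluated (an assumption stated in the code), so a "missing" result from this check is reliable only for policies whose statements use Action with Resource "*".

```python
"""Added example (not Constellation's or aws-load-balancer-controller's own code):
pull the denied IAM action out of an AccessDenied event message, then check an
identity-based policy document for the actions the controller needs."""
import fnmatch
import re

# Event message as reported in the issue: the control-plane role was denied one action.
EVENT_MESSAGE = (
    "Failed deploy model due to AccessDenied: User: "
    "arn:aws:sts::905418322627:assumed-role/mesalvo-cortex-constellation_control_plane_role/"
    "i-085b4ad0577f647a8 is not authorized to perform: "
    "elasticloadbalancing:DescribeListenerCertificates because no identity-based "
    "policy allows the elasticloadbalancing:DescribeListenerCertificates action"
)

_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+)"
)


def parse_access_denied(message: str):
    """Return (principal_arn, denied_action) from an AccessDenied message, or None."""
    m = _DENIED_RE.search(message)
    if not m:
        return None
    return m.group("principal"), m.group("action")


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action names match case-insensitively with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy: dict, action: str) -> bool:
    """Evaluate one identity-based policy for one action.

    Explicit Deny wins over any Allow; without an Allow the result is the implicit
    deny. Assumption for this example: Resource is "*", there are no Condition
    elements, and statements use Action (NotAction statements are skipped).
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        if not any(_action_matches(p, action) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy: dict, required: list) -> list:
    """Actions from `required` that the policy does not allow."""
    return [a for a in required if not action_allowed(policy, a)]


# Constructed policy resembling the situation in the report: listeners and
# load balancers may be described, listener certificates may not.
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancers",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed policy with the action from the issue added.
POLICY_AFTER = {
    "Version": "2012-10-17",
    "Statement": POLICY_BEFORE["Statement"]
    + [
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:DescribeListenerCertificates",
            "Resource": "*",
        }
    ],
}


if __name__ == "__main__":
    principal, action = parse_access_denied(EVENT_MESSAGE)
    print("denied principal:", principal)
    for name, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(name, "missing:", missing_actions(policy, [action]))
```

To run this against a real role, load the policy document returned by `aws iam get-role-policy` (inline policies) or `aws iam get-policy-version` (managed policies) with `json.load` and pass it to `missing_actions` together with the action parsed from the controller's event; because only Action and Effect are evaluated, treat the result as a quick triage step rather than a substitute for the IAM policy simulator.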