Victor Ronin

Reputation: 23268

Exposing HTTP2 service (over TLS) from Kubernetes on AWS

I have an HTTP2 service. It's deployed on EKS (AWS Kubernetes). And I am trying to expose it to the internet.

If I am exposing it without TLS (with the code below) everything works fine. I can access it.

apiVersion: v1
kind: Service
metadata:
  name: demoapp
spec:
  type: LoadBalancer
  ports:
  - name: http
    port: 80
    targetPort: 5000
  selector:
    name: demoapp

If I am adding TLS, I am getting HTTP 502 (Bad Gateway).

apiVersion: v1
kind: Service
metadata:
  name: demoapp
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: somearn
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
spec:
  type: LoadBalancer
  ports:
  - name: https
    port: 443
    targetPort: 5000
  selector:
    name: demoapp

I have a guess (which could be wrong) that service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http for some reason assumes that it's HTTP 1.1 (vs HTTP 2.0) and barks when one of the sides starts sending binary (vs textual) data.

Additional note: I am not using any Ingress controller.

And a thought. Potentially, I can bring TLS termination within the app (vs doing it on the load balancer) and switch, as an example, to NLB. However, it brings a lot of hair into the solution and I would rather use the load balancer for it.

Upvotes: 0

Views: 937

Answers (1)

gohm'c

Reputation: 15480

Based on the annotations in your question, the TLS should terminate at the CLB and you should remove service.beta.kubernetes.io/aws-load-balancer-backend-protocol (it defaults to tcp).

Upvotes: 2
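
The Service manifest from the question with the change from the answer applied, as an added example that is not part of the original answer. The certificate value `somearn` is the question's own placeholder, and everything else is copied from the question.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: demoapp
  annotations:
    # TLS still terminates at the load balancer: the certificate and the
    # TLS-enabled port are declared exactly as in the question.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: somearn   # placeholder from the question
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    # service.beta.kubernetes.io/aws-load-balancer-backend-protocol is
    # intentionally omitted. Per the answer it then defaults to tcp, so the
    # load balancer forwards the decrypted stream to the pod as plain TCP
    # instead of speaking HTTP to it.
spec:
  type: LoadBalancer
  ports:
  - name: https        # matched by the ssl-ports annotation above
    port: 443
    targetPort: 5000   # the HTTP2 service, still receiving cleartext traffic
  selector:
    name: demoapp
```

With this layout the hop from the load balancer to port 5000 is unencrypted inside the VPC, which is the same trade-off the question's TLS manifest already made.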
