How to correctly expose internal gRPC microservice to other services in EKS?

Question

We are trying to bring up a gRPC microservice on AWS EKS. We've gotten to the point where we have an ALB up, however it's giving us this error: A certificate must be specified for HTTPS listeners

Here is our service YAML:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  namespace: dev
  name: some-service-name
  annotations:
    alb.ingress.kubernetes.io/backend-protocol-version: GRPC
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 80}, {"HTTPS": 50051}]'
    alb.ingress.kubernetes.io/target-type: ip
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internal
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: some-service-name
          servicePort: 50051
        path: /*

We don't want to expose this service externally, and only want internal services to hit it. I feel like we don't even need HTTPS for this, and can use HTTP, however it looks like gRPC requires HTTPS.

What's the correct way to get this working? The examples I've seen seem to be for external-facing services mostly. Do we need to create a private certificate authority, create a certificate from it, and then attribute it to the HTTPS listener in the load balancer settings?

Thanks!

Answer 1

ALB controller expects certificate ARN when we mention listen ports as HTTPS. There are two options to get it working -

1. Make listen ports as HTTP
2. Or add the associated certificate

Since you want to use GRPC, I do not think there is no hard rule to use HTTPS for GTPC https://kube.netes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/ingress/annotations/#backend-protocol

And it is still recommended to do HTTPS for internal communication