I m using helm charts to deploy an app in Azure Kubernetes Service with Ingress-nginx
My helm charts used to work fine last month, but when I created something new with my charts, the public IP of my ingress nginx is not working anymore.
PS C:\Zetaris\HelmDeployment> kubectl get ingress -n zetaris
NAME CLASS HOSTS ADDRESS PORTS AGE
xx-gui-nginx <none> uisaas.xxxxxxxxxxxxxx 20.167.72.8 80, 443 53m
xx-rest-nginx <none> restsaas.xxxxx 20.167.72.8 80, 443 55m
Here is my yaml:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: lightning-gui-nginx
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: letsencrypt-enterprise
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "server: hide";
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "X-Frame-Options: DENY";
more_set_headers "X-Xss-Protection: 1";
more_set_headers "referrer-policy: no-referrer";
more_set_headers "Content-Security-Policy: frame-ancestors 'none'";
spec:
tls:
- hosts:
- {{ .Values.ingress.guiurl }}
secretName: tls-secret-gui
rules:
- host: {{ .Values.ingress.guiurl }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: xx-gui-svc
port:
number: 80
---
apiVersion: v1
kind: Service
metadata:
name: xx-gui-svc
namespace: {{ .Values.namespace }}
spec:
ports:
- port: 80
targetPort: 9001
type: ClusterIP
selector:
app: {{ .Values.deployment.name }}
I can reach my app on port 9001 if I port-forward directly my pod.
The error is coming from the IP:
telnet 20.167.72.8 80
Connecting To 20.167.72.8...Could not open connection to the host, on port 80: Connect failed
As far as i know, there no IP restrictions or firewalls in AKS.
Do you have any idea on why would my ingress IP would not be reachable on internet?
Tried to create another app with same helm chart, uninstall and reinstall ingress service, public IP is never reachable.
Never mind I found the issue, needed to add:
--set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz"
When creating the ingress-nginx
I have a three node, on-prem, k3 cluster. I have installed AWX per these instructions: https://github.com/ansible/awx-operator
I can access the AWX login screen by executing this command on my laptop:
[red#mac.local ~]$ kubectl -n kube-system port-forward deployment/traefik 7080
Forwarding from 127.0.0.1:7080 -> 8052
Forwarding from [::1]:7080 -> 8052
Handling connection for 7080
...
And I can point my browser to http://localhost:7080 and I see the AWX login screen.
But I haven't a clue how to set up an ingress for AWX. What have I tried? A whole bunch of things and none of those have worked.
My latest attempt to create a ingress used this yaml:
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: awx-demo-ingress
# namespace: awx
spec:
rules:
- host: rocky
http:
paths:
- path: /awx
pathType: Exact
backend:
service:
name: awx-demo-service
port:
number: 80
This creates an ingress ...
kube-system awx-demo-ingress traefik localhost 10.0.3.51,10.0.3.52,10.0.3.53 80 12m
But rocky does not resolve to any IP address and if I point my browsers to http://10.0.3.51/ or http://10.0.3.51/awx results in 404 error.
I am close but I still got something wrong ...
$ kubectl describe ingress awx-demo-ingress -n kube-system
Name: awx-demo-ingress
Labels: <none>
Namespace: kube-system
Address: 10.0.3.51,10.0.3.52,10.0.3.53
Ingress Class: traefik
Default backend: <default>
Rules:
Host Path Backends
---- ---- --------
rocky-k3-1.XXXXXXXXX.com
/login awx-demo-service:80 (<error: endpoints "awx-demo-service" not found>)
Annotations: <none>
Events: <none>
I also tried this ...
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: awx-demo-ingress
namespace: awx
spec:
rules:
- host: rocky-k3-1.XXXXXXXX.com
http:
paths:
- path: /login
pathType: Exact
backend:
service:
name: awx-demo-service
port:
number: 80
$ kubectl describe ingress awx-demo-ingress
Name: awx-demo-ingress
Labels: <none>
Namespace: awx
Address: 10.0.3.51,10.0.3.52,10.0.3.53
Ingress Class: traefik
Default backend: <default>
Rules:
Host Path Backends
---- ---- --------
rocky-k3-1.XXXXXXXXXX.com
/login awx-demo-service:80 (10.42.1.9:8052)
Annotations: <none>
Events: <none>
But if I do a curl like this ...
$ curl http://rocky-k3-1.XXXXXXXX.com/login/
404 page not found
... I get 404 errors.
It turned out that I was using the wrong path in my ingress.yml file.
- path: /login
needed to change to
- path: /
I use countor as ingress nginx class for my ingress and try to add basic http authentication but it doesn't work.I wonder why it doesn't work?
What i'm missed?
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
ingress.kubernetes.io/force-ssl-redirect: "true"
kubernetes.io/ingress.class: contour
kubernetes.io/tls-acme: "true"
# It doesn't work
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
tls:
- hosts:
- my_domen.com
secretName: mysecretname
rules:
- host: my_domen.com
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: some-service
port:
number:
8083
Contour is not nginx based so the nginx annotations don't have an effect. As far as I'm aware, you need to run this process: https://projectcontour.io/guides/external-authorization/
I have a separate ingress-internal (manifests) for the backend and the frontend.
My backend service has several endpoints: one with GraphqQL and two Rest.
After deploying the project, I find that when I request the Rest endpoint (POST request); I have the error code 404.
How can I configure properly the backend ingress manifest?
I tired too many annotations like:
nginx.ingress.kubernetes.io/use-regex: "true"
# nginx.ingress.kubernetes.io/app-root: /
# nginx.ingress.kubernetes.io/default-backend: mcs-thirdparty-backend
nginx.ingress.kubernetes.io/rewrite-target: /$2
# nginx.ingress.kubernetes.io/rewrite-path: /response
# nginx.ingress.kubernetes.io/preserve-trailing-slash: "true"
This is my current backend's ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: mcs-thirdparty-back-ingress
namespace: namespace
annotations:
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
ingressClassName: nginx-internal
rules:
- host: backend.exemple.com
http:
paths:
- path: '/(/|$)(.*)'
backend:
service:
name: mcs-thirdparty-backend
port:
number: 8080
pathType: Prefix
This the backend ingress that I arrived to work successfullywith:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: mcs-thirdparty-ingress
namespace: namespace
spec:
ingressClassName: nginx-internal
rules:
- host: bilels.exemple.com
http:
paths:
- path: /
backend:
service:
name: mcs-thirdparty-frontend
port:
number: 80
pathType: Prefix
I am dockering our current application and deploying on kubernetes cluster.
We have 2 services, namely, service-A and service-B. One of our services(example service-A) uses websocket. we have configured a rule in ingress to route the websocket request directly to service-A on port 8080. Also have a rule to route other requests to service-B on port 443. But ingress controller always route the websocket request to service-B instead of routing to service-A.
So, I removed the service-B rule from ingress, but still its routed as tls request and request never reaches service-A. Not sure why its rerouted as TLS instead of http request upgraded to websocket connection.
Please find my ingress configuration below:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
field.cattle.io/publicEndpoints: '[{"addresses":[""],"port":443,"protocol":"HTTPS","serviceName":"cluster42:service-B","ingressName":"cluster42:my-ingress","hostname":"cluster42-phase-0 ","path":"/","allNodes":false},{"addresses":[""],"port":443,"protocol":"HTTPS","serviceName":"cluster42:service-A","ingressName":"cluster42:my-ingress","hostname":"cluster42-phase-0 ","path":"/ws-service","allNodes":false}]'
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"nginx.ingress.kubernetes.io/rewrite-target":"/","nginx.ingress.kubernetes.io/ssl-passthrough":"true"},"labels":{"app":"ingress","chart":" myapplication-chart","heritage":"Tiller","release":"installation-cluster42"},"name":"my-ingress","namespace":"cluster42"},"spec":{"rules":[{"host":"cluster42-phase-0 ","http":{"paths":[{"backend":{"serviceName":"service-B","servicePort":443},"path":"/"}]}}],"tls":[{"hosts":["cluster42-phase-0 "]}]}}
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.org/websocket-services: "service-A"
creationTimestamp: "2019-05-24T11:46:40Z"
generation: 31
labels:
app: ingress
chart: myapplication-chart
heritage: Tiller
release: installation-cluster42
name: my-ingress
namespace: cluster42
resourceVersion: "57549362"
selfLink: /apis/extensions/v1beta1/namespaces/cluster42/ingresses/my-ingress
uid: 98784b1f-7e19-11e9-b2f1-005056b0b58e
spec:
rules:
- host: cluster42-phase-0
http:
paths:
- backend:
serviceName: service-B
servicePort: 443
path: /
- backend:
serviceName: service-A
servicePort: 8080
path: /ws-service
tls:
- hosts:
- cluster42-phase-0
status:
loadBalancer:
ingress:
- {}
I expect the request to be routed to service-A instead of service-B. Can you please let me know if I am missing something in my configuration or doing anything wrong.
Thanks in Advance.
Check if destination port are opened and not used.
Then check if you have enough right to access by tiller to kube-system namespace.
otherwise you have to create RBAC and special service.
More infromation you can find here: tiller-rbac.
You have some mistakes in your ingress configuration file in spec section.
Take notice that currently the Ingress only supports a single TLS port, 443, and assumes TLS termination. So it's obvious that destination service will be service B with port 443. So you can delete tls section from configuration file.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
field.cattle.io/publicEndpoints: '[{"addresses":[""],"port":443,"protocol":"HTTPS","serviceName":"cluster42:service-B","ingressName":"cluster42:my-ingress","hostname":"cluster42-phase-0 ","path":"/","allNodes":false},{"addresses":[""],"port":443,"protocol":"HTTPS","serviceName":"cluster42:service-A","ingressName":"cluster42:my-ingress","hostname":"cluster42-phase-0 ","path":"/ws-service","allNodes":false}]'
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"nginx.ingress.kubernetes.io/rewrite-target":"/","nginx.ingress.kubernetes.io/ssl-passthrough":"true"},"labels":{"app":"ingress","chart":" myapplication-chart","heritage":"Tiller","release":"installation-cluster42"},"name":"my-ingress","namespace":"cluster42"},"spec":{"rules":[{"host":"cluster42-phase-0 ","http":{"paths":[{"backend":{"serviceName":"service-B","servicePort":443},"path":"/"}]}}],"tls":[{"hosts":["cluster42-phase-0 "]}]}}
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.org/websocket-services: "service-A"
creationTimestamp: "2019-05-24T11:46:40Z"
generation: 31
labels:
app: ingress
chart: myapplication-chart
heritage: Tiller
release: installation-cluster42
name: my-ingress
namespace: cluster42
resourceVersion: "57549362"
selfLink: /apis/extensions/v1beta1/namespaces/cluster42/ingresses/my-ingress
uid: 98784b1f-7e19-11e9-b2f1-005056b0b58e
spec:
rules:
- host: cluster42-phase-0
http:
paths:
- path: /
backend:
serviceName: service-B
servicePort: 443
- path: /ws-service
backend:
serviceName: service-A
servicePort: 8080
status:
loadBalancer:
ingress:
- {}