Ingress resource hostname - kubernetes

I have a kube cluster and its control plane endpoint is HAProxy. I want to use the hostname of the system where HAProxy lies as the hostname in the ingress resource. Is it possible to achieve this? The requested HAProxy backend config is below:
    frontend k8s_frontend
        bind *:6443
        mode tcp
        default_backend k8s_backend

    backend k8s_backend
        mode tcp
        balance roundrobin
        server master1 10.50.8.117:6443
        server master2 10.50.8.118:6443
        server master3 10.50.8.119:6443

    frontend http_frontend
        bind :80
        bind :443 ssl crt /com.pem
        default_backend servers

    backend servers
        balance roundrobin
        server worker1 10.50.8.120:443 ssl verify none
        server worker2 10.50.8.121:443 ssl verify none
Below is my ingress resource:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: dashboard-ingress
      namespace: kubernetes-dashboard
      annotations:
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    spec:
      rules:
      - host: "HAPROXY_HOSTNAME"
        http:
          paths:
          - pathType: Prefix
            path: "/k8s"
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 443

Yes, you can mention the hostname of HAProxy in the ingress source. The ingress controller node can be resolved as hostname along with deploying and exposing the echo server service as shown below. Kindly refer to this document.
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: haproxy
      name: echoserver
    spec:
      rules:
      - host: $HOST
        http:
          paths:
          - backend:
              serviceName: echoserver
              servicePort: 8080
            path: /
    EOF
More details on HAProxy Ingress Controller can be found here.
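
Added example (not part of the original question or answer): the `servers` backend in the question reaches the workers over TLS with `verify none`, so HAProxy accepts any certificate on that hop. The Python check below flags such `server` lines and shows a hardened form beside them; the CA bundle path and the `verifyhost` name are assumed placeholders.

```python
# Constructed sample: the "servers" backend as posted in the question.
QUESTION_CFG = """\
backend servers
    balance roundrobin
    server worker1 10.50.8.120:443 ssl verify none
    server worker2 10.50.8.121:443 ssl verify none
"""

# Hardened form. The CA bundle path and verifyhost name are assumed placeholders.
HARDENED_CFG = """\
backend servers
    balance roundrobin
    server worker1 10.50.8.120:443 ssl verify required ca-file /etc/haproxy/ingress-ca.pem verifyhost ingress.example.internal
    server worker2 10.50.8.121:443 ssl verify required ca-file /etc/haproxy/ingress-ca.pem verifyhost ingress.example.internal
"""

SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}


def unverified_tls_servers(cfg_text):
    """Return (section, server_name) for each TLS server line using 'verify none'."""
    findings = []
    section = None
    for raw in cfg_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not tokens:
            continue
        if tokens[0] in SECTIONS:
            section = tokens[1] if len(tokens) > 1 else tokens[0]
            continue
        if tokens[0] != "server" or len(tokens) < 3:
            continue
        opts = tokens[3:]  # everything after "server <name> <addr>"
        if "ssl" not in opts:
            continue  # plain-text hop: there is no certificate to verify
        mode = None
        if "verify" in opts[:-1]:
            mode = opts[opts.index("verify") + 1]
        if mode == "none":
            findings.append((section, tokens[1]))
    return findings


if __name__ == "__main__":
    for section, server in unverified_tls_servers(QUESTION_CFG):
        print(f"{section}/{server}: backend certificate is not verified")
```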

Related

Unhealthy targets when provisioning ALB Ingress with Istio Ingress Gateway as backend

The EKS nodes targets show unhealthy when deploying ALB ingress in AWS with Load Balancer Controller.
Istio Ingress Gateway is provisioned as NodePort and I have obtained the correct port which in my case is 32403. The nodes security groups allow traffic on 32403 from load balancer.
Here is the ingress, which creates the following:
ALB
only one listener on 443
listener rule 1 - /healthz/ready/* that forwards to target group 1
listener rule 2 - /* that forwards to target group 2
listener rule 3 - Request is not otherwise routed - returns 404
Not sure what I'm missing but shouldn't there be a listener for 15201 as well?
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        alb.ingress.kubernetes.io/scheme: internal
        alb.ingress.kubernetes.io/load-balancer-name: k8s-lb
        alb.ingress.kubernetes.io/load-balancer-attributes: access_logs.s3.enabled=true,access_logs.s3.bucket=recp-entres-cb-alblogs,access_logs.s3.prefix=lb-logs,routing.http.drop_invalid_header_fields.enabled=true,deletion_protection.enabled=true
        alb.ingress.kubernetes.io/security-groups: sg-xxxxxxxxxxx
        alb.ingress.kubernetes.io/manage-backend-security-group-rules: "true"
        alb.ingress.kubernetes.io/subnets: subnet-xxxxxxxxxxx, subnet-xxxxxxxxxxx, subnet-xxxxxxxxxxx
        alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
        alb.ingress.kubernetes.io/healthcheck-port: "32403"
        alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
        alb.ingress.kubernetes.io/backend-protocol: HTTPS
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-west-1:11111111111111:certificate/7773d18b-842c-488e-91ea-a36gh9866232
        alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-Ext-2018-06
        alb.ingress.kubernetes.io/shield-advanced-protection: 'false'
      name: gateway-ingress
      namespace: istio-ingress
    spec:
      ingressClassName: alb
      rules:
      - http:
          paths:
          - backend:
              service:
                name: istio-ingressgateway
                port:
                  number: 15021
            path: /healthz/ready
            pathType: Prefix
          - backend:
              service:
                name: istio-ingressgateway
                port:
                  number: 443
            path: /
            pathType: Prefix

Minikube change address of ingress addon

When I deploy an ingress using the ingress addon (minikube addons enable ingress), its address is set to 192.168.49.2:
    NAME           CLASS    HOSTS             ADDRESS        PORTS     AGE
    some-ingress   <none>   application.com   192.168.49.2   80, 443   86s
How do I change it to 127.0.0.1 (or external ip) to be able to receive requests from outside?
UPD:
Using vm_driver=docker; minikube ip returns 192.168.49.2.
UPD2: Ingress config:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: application-ingress
      annotations:
        ingress.kubernetes.io/ssl-redirect: "true"
        kubernetes.io/ingress.class: nginx
    spec:
      tls:
      - hosts:
        - application.com
        secretName: tls-secret
      rules:
      - host: application.com
        http:
          paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: application-back
                port:
                  number: 80
Actually, you don't have to change it in order to receive external requests.
The rules: part of your configuration:
    spec:
      rules:
      - host: application.com
expects a DNS record with application.com name. Later in the guide you can see:
Add the following line to the bottom of the /etc/hosts file.
Note: If you are running Minikube locally, use minikube ip to get the
external IP. The IP address displayed within the ingress list will be
the internal IP.
    172.17.0.15 hello-world.info
This sends requests from hello-world.info to Minikube.
That entry points to your ingress IP or Minikube IP. Of course you need to adjust your IP and DNS name.
If you would like to curl the IP instead of DNS name you can do so by removing the host rule from your ingress. For example:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: application-ingress
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    spec:
      rules:
      # No host: field, so the rule applies to any Host header.
      - http:
          paths:
          - path: "/"
            pathType: Prefix
            backend:
              service:
                name: application-back
                port:
                  number: 80
After that you should be able to curl -Lk by IP with no issues.

Traefik ingress does not work with cluster IP

I am using minikube for developing an application on Kubernetes and I am using Traefik as the ingress controller.
I am able to connect and use my application services when I use the URL of the host which I defined in the ingress ("streambridge.local") and set up in the Linux hosts file ("/etc/hosts"). But when I use the exact same IP address that I used for the DNS, I am not able to connect to any of the services and I receive "404 page not found". I have to mention that I am using the IP address of minikube, which I got by: $(minikube ip). Below are my ingress config and the commands that I used for the DNS.
How can I connect and use my application services with the IP?
Ingress config:
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: my-ingress
      annotations:
        kubernetes.io/ingress.class: "traefik"
        traefik.frontend.rule.type: PathPrefixStrip
        traefik.frontend.passHostHeader: "true"
        traefik.backend.loadbalancer.sticky: "true"
        traefik.wss.protocol: http
        traefik.wss.protocol: https
    spec:
      rules:
      - host: streambridge.local
        http:
          paths:
          - path: /dashboard
            backend:
              serviceName: dashboard
              servicePort: 9009
          - path: /rdb
            backend:
              serviceName: rethinkdb
              servicePort: 8085
My /etc/hosts:
    127.0.0.1       localhost
    192.168.99.100  traefik-ui.minikube
    192.168.99.100  streambridge.local
This works: http://streambridge.local/rdb
But this does not work: http://192.168.99.100/rdb and returns 404 page not found
You have created ingress routes that evaluate the host header of the http request. So while you are actually connecting to the same ip, it is once with host:streambridge.local and once with "192.168.99.100" for which you did not add a rule in traefik. This is therefore working exactly as configured.
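
Added example (not from the original posts): a simplified Python model of how an ingress controller evaluates the Host header and path, covering both the hostless rule in the Minikube answer and the host rule in the Traefik answer above. It is not Traefik's or ingress-nginx's code; path matching follows the Kubernetes `Prefix` pathType, and the rule tuples are constructed from the manifests on this page.

```python
# Rules as (host, path, backend) tuples, constructed from the manifests above.
TRAEFIK_RULES = [
    ("streambridge.local", "/dashboard", "dashboard:9009"),
    ("streambridge.local", "/rdb", "rethinkdb:8085"),
]
HOSTLESS_RULES = [(None, "/", "application-back:80")]  # rule without a host: field


def host_matches(rule_host, host_header):
    """No rule host matches anything; '*.' matches exactly one extra DNS label."""
    if not rule_host:
        return True
    name = host_header.split(":")[0].lower()  # ignore an explicit port
    if rule_host.startswith("*."):
        head, _, tail = name.partition(".")
        return bool(head) and tail == rule_host[2:]
    return name == rule_host


def prefix_matches(rule_path, request_path):
    """pathType Prefix compares whole elements: /rdb matches /rdb/x, not /rdbx."""
    want = [p for p in rule_path.split("/") if p]
    got = [p for p in request_path.split("?")[0].split("/") if p]
    return got[:len(want)] == want


def route(rules, host_header, path):
    """Return the backend for a request, or None (the controller answers 404)."""
    best = None
    for rule_host, rule_path, backend in rules:
        if host_matches(rule_host, host_header) and prefix_matches(rule_path, path):
            # Simplification: among matching rules the longest path wins.
            if best is None or len(rule_path) > len(best[0]):
                best = (rule_path, backend)
    return best[1] if best else None


if __name__ == "__main__":
    # Same IP, different Host header: only the named host has a rule.
    print(route(TRAEFIK_RULES, "streambridge.local", "/rdb"))
    print(route(TRAEFIK_RULES, "192.168.99.100", "/rdb"))
    print(route(HOSTLESS_RULES, "192.168.49.2", "/"))
```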

Ingress cannot resolve NodePort IP in GKE

I have an ingress defined as:
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: foo-ingress
      annotations:
        kubernetes.io/ingress.global-static-ip-name: zaz-address
        kubernetes.io/ingress.allow-http: "false"
        ingress.gcp.kubernetes.io/pre-shared-cert: foo-bar-com
    spec:
      rules:
      - host: foo.bar.com
        http:
          paths:
          - path: /zaz/*
            backend:
              serviceName: zaz-service
              servicePort: 8080
Then the service zap-service is a nodeport defined as:
    apiVersion: v1
    kind: Service
    metadata:
      name: zaz-service
      namespace: default
    spec:
      clusterIP: 10.27.255.88
      externalTrafficPolicy: Cluster
      ports:
      - nodePort: 32455
        port: 8080
        protocol: TCP
        targetPort: 8080
      selector:
        app: zap
      sessionAffinity: None
      type: NodePort
The nodeport is successfully selecting the two pods behind it serving my service. I can see in the GKE services list that the nodeport has an IP that looks internal.
When I check in the same interface the ingress, it also looks all fine, but serving zero pods.
When I describe the ingress on the other hand I can see:
    Rules:
      Host         Path     Backends
      ----         ----     --------
      foo.bar.com
                   /zaz/*   zaz-service:8080 (<none>)
Which looks like the ingress is unable to resolve the service IP. What am I doing wrong here? I cannot access the service through the external domain name, I am getting an error 404.
How can I make the ingress translate the domain name zaz-service into the proper IP so it can redirect traffic there?
Seems like the wildcards in the path are not supported yet.
Any reason why not using just the following in your case?
    spec:
      rules:
      - host: foo.bar.com
        http:
          paths:
          - path: /zaz
            backend:
              serviceName: zaz-service
              servicePort: 8080
My mistake was, as expected, not reading the documentation thoroughly.
The port stated in the Ingress path is not a "forwarding" mechanism but a "filtering" one. In my head it made sense that it would be redirecting http(s) traffic to port 8080, which is the one where the Service behind was listening to, and the Pod behind the service too.
Reality was that it would not route traffic which was not port 8080 to the service. To make it cleaner I changed the port in the Ingress from 8080 to 80 and in the Service the front-facing port from 8080 to 80 too.
Now all requests coming from the internet can reach the server successfully.

Traefik & Keycloak: error SSL_ERROR_RX_RECORD_TOO_LONG

I use HAProxy to redirect all requests from port 80 to 443, and a NodePort to enter a traefik-ingress-controller (v1.6.6, inside a Kubernetes cluster).
Here is the HAProxy.conf:
    frontend http-frontend
        bind *:80
        reqadd X-Forwarded-Proto:\ http
        default_backend http_app

    frontend https-frontend
        bind *:443 ssl crt /etc/ssl/certs/my-cert.pem
        reqadd X-Forwarded-Proto:\ https
        default_backend traefik_app

    backend http_app
        redirect scheme https if !{ ssl_fc }

    backend traefik_app
        server traefik localhost:30010 check
Every application running on my Kubernetes cluster has an Ingress.
Among them I have a Keycloak pod (v4.1.0, for the authentication) with this ingress:
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: keycloak
      annotations:
        kubernetes.io/ingress.class: traefik
    spec:
      rules:
      - host: login.myapp.it
        http:
          paths:
          - backend:
              serviceName: keycloak
              servicePort: 8080
When I connect to https://login.myapp.it/auth/admin/ I get redirected to
https://login.myapp.it:80/auth/admin/master/console/ (note the port 80) and I received an SSL_ERROR_RX_RECORD_TOO_LONG error.
Does anyone have some hints for this redirect issue with Keycloak behind a proxy?
Thank you in advance.
Sounds like you are missing your TLS certs on your ingress:
    $ kubectl -n kube-system create secret tls your-k8s-tls-secret --key=tls.key --cert=tls.crt
Then:
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: keycloak
      annotations:
        kubernetes.io/ingress.class: traefik
    spec:
      tls:
      - secretName: your-k8s-tls-secret
      rules:
      - host: login.myapp.it
        http:
          paths:
          - backend:
              serviceName: keycloak
              servicePort: 8080
Hope it helps!
I solved my issue using the following traefik annotation:
    traefik.frontend.passHostHeader: "true"
that forwards client Host header to the backend.
Here a complete ingress example:
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: keycloak
      annotations:
        kubernetes.io/ingress.class: traefik
        traefik.frontend.passHostHeader: "true"
    spec:
      rules:
      - host: login.myapp.it
        http:
          paths:
          - backend:
              serviceName: keycloak
              servicePort: 8080
In alternative I may have added to haproxy.cfg the following:
    reqadd X-Forwarded-Port:\ 443