connection reset by peer Error with nginx Ingress in Kind cluster - kubernetes

I installed vault helm chart 0.8.0 in dev mode and nginx ingress controller on Kind cluster and applied the following Ingress resource:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: vault-ingress
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
rules:
- host: vault.com
http:
paths:
- path: /v1/*
backend:
serviceName: vault
servicePort: 8200
This is the patch for Kind cluster as noted in https://kind.sigs.k8s.io/docs/user/ingress/:
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 8200 # Vault port in K8s
hostPort: 80 # Vault port on host
- containerPort: 8200 # Vault port in K8s
hostPort: 443 # Vault port on host
when doing the following curl command I get error:
VAULT_ADDR="http://localhost"
vault login root
Error authenticating: error looking up token: Get "http://localhost/v1/auth/token/lookup-self": read tcp 127.0.0.1:34596->127.0.0.1:80: read: connection reset by peer
Name: vault-ingress
Namespace: vault
Address: localhost
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
vault.com
/v1/* vault:8200 (10.244.1.7:8200)
Annotations: nginx.ingress.kubernetes.io/use-regex: true
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 2m47s (x15 over 10h) nginx-ingress-controller Scheduled for sync

Related

Error: endpoints "default-http-backend" not found

I have Kubernetes cluster v1.19.16 set up in bare metal Ubuntu-18.04 server and currently i want to connect cluster jenkins service through http://jenkins.company.com. Haproxy server side frontend & backend already been configured.
My service.yaml file content as follows,
apiVersion: v1
kind: Service
metadata:
name: jenkins-svc
namespace: jenkins
annotations:
prometheus.io/scrape: 'true'
prometheus.io/path: /
prometheus.io/port: '8080'
spec:
selector:
app: jenkins-server
type: ClusterIP
ports:
- protocol: TCP
port: 8080
targetPort: 80
ingress-resource.yaml file content as follows,
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: jenkins-ingress
namespace: jenkins
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: "jenkins.company.com"
http:
paths:
- pathType: Prefix
path: "/"
backend:
serviceName: jenkins-svc
servicePort: 8080
# kubectl get service -n jenkins
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
jenkins-svc ClusterIP 10.96.136.255 <none> 8080/TCP 20m
# kubectl get ing jenkins-ingress
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
jenkins-ingress <none> jenkins.company.com 80 5h42m
# kubectl describe ingress -n jenkins
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Name: jenkins-ingress
Namespace: jenkins
Address:
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
jenkins.dpi.com
/ jenkins-svc:8080 (10.244.0.16:80)
Annotations: ingress.kubernetes.io/rewrite-target: /
kubernetes.io/ingress.class: nginx
Events: <none>
When i tried to access http://jenkins.company.com it shows below error message on browser.
Please let me know what i'm missing here?
The issue with the service port and container port. Jenkins default port is 8080, so I assume your service port is 80
ports:
- protocol: TCP
port: 80
targetPort: 8080
and ingress should be
spec:
rules:
- host: "jenkins.company.com"
http:
paths:
- pathType: Prefix
path: "/"
backend:
serviceName: jenkins-svc
servicePort: 80
port: The port of this service
targetPort The target port on the pod(s) to forward traffic to
Difference between targetPort and port in Kubernetes Service definition

How to make ingress use my TLS Certificate in Microk8s

I have the following Ingress configuration:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: http-ingress
spec:
rules:
- host: example-adress.com
http:
paths:
- path: /apple
pathType: Prefix
backend:
service:
name: apple-service
port:
number: 80
- path: /banana
pathType: Prefix
backend:
service:
name: banana-service
port:
number: 80
tls:
- hosts:
- example-adress.com
secretName: testsecret-tls
And i also created the Secret:
apiVersion: v1
kind: Secret
metadata:
name: testsecret-tls
namespace: default
data:
tls.crt: path to .crt
tls.key: Zpath to .key
type: kubernetes.io/tls
But when i connect to one of my services and check the certificate it says that it uses a cert created by Kubernetes Ingress Controller Fake certificate.
When i run microk8s kubectl describe ingress i get the following output:
Name: http-ingress
Namespace: default
Address: 127.0.0.1
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
testsecret-tls terminates example-adress.com
Rules:
Host Path Backends
---- ---- --------
example-adress.com
/apple apple-service:80 (10.1.55.17:5678)
/banana banana-service:80 (10.1.55.10:5678)
Annotations: <none>
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 28m nginx-ingress-controller Ingress default/http-ingress
Normal UPDATE 20m (x2 over 28m) nginx-ingress-controller Ingress default/http-ingress
What do i need to change to make my Ingress use my Cert instead of generating a new one everytime?
Posting this out of comment as it works.
Based on your tls secret yaml, you tried to add certificate and private key using paths, which is not supported currently (reference)
Fragment from reference:
When using this type of Secret, the tls.key and the tls.crt key must be provided in the data (or stringData) field of the Secret configuration, although the API server doesn't actually validate the values for each key.
Therefore there are two suggestions how to move forward:
Add base64 encrypted values for key and certificate to tls secret
Allow kubernetes do it for you with the following command:
kubectl create secret tls testsecret-tls --cert=tls.cert --key=tls.key

Kubernetes: Route Kubernetes dashboard through Ingress with out host and without proxy

Cluster information:
Installation Method: kubeadm
Kubernetes: 1.19.2
Master & Nodes: Ubuntu 20.04.1 (Oracle Virutalbox)
Docker: 19.03.12
Calico: 3.16.1
Ingress : Bare-metal - 0.40.1
I want to access the Kubernetes dashboard from my laptop using ingress without proxy?
Can anyone help me with the steps... ( I tried multiple ways with the help of the internet... not sure where I am missing?)
Note: As per discussion forums I have added "hostNetwork: true" under the deployment section in ingress YAML to resolve "not working without host parameter" and commented "type: NodePort".
Updated info:
I have created ingress-controller as daemon instead of deployments/pod - this helps in accessing directly with worker IPs. (this is what I am expecting - but unable to access kubernetes dashboard as it is in different namespace)
Ingress yaml: this is running in default namespace
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kdash-in-ns
port:
number: 443
kdash-in-ns yaml - svc with External Name
kind: Service
apiVersion: v1
metadata:
name: kdash-in-ns
namespace: default
spec:
type: ExternalName
externalName: kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
ports:
- name: https
port: 443
Below details about kdash-in-ns svc with ExternalName
dockeras#ubuntu3:~/simplek8s/kubernetes/yamls/ingress-demo$ kubectl describe svc kdash-in-ns
Name: kdash-in-ns
Namespace: default
Labels: <none>
Annotations: <none>
Selector: <none>
Type: ExternalName
IP:
External Name: kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local
Port: https 443/TCP
TargetPort: 443/TCP
Endpoints: <none>
Session Affinity: None
Events: <none>
kubectl describe for the updated ingress route: in this i have ngnix - which is working fine (i guess both ingress and nginx are in same namespace.. getting error for dashboard - as it in different namespace (kubernetes-dasbhoard))
dockeras#ubuntu3:~$ kubectl describe ing nginx-ingress
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Name: nginx-ingress
Namespace: default
Address: 192.168.1.31,192.168.1.32
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
*
/nginx nginx-deploy-main:80 )
/foo kubernetes-dashboard:443 (<error: endpoints "kubernetes-dashboard" not found>)
/dashboard kdash-in-ns:443 (<error: endpoints "kdash-in-ns" not found>)
Annotations: kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /$2
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 4m40s nginx-ingress-controller Ingress default/nginx-ingress
When I tried the same URLs in browser below are the responses (One of my worker iP - 192.168.1.31)
192.168.1.31/nginx - responds with nginx default page (pod - nginx-deploy-main)
192.168.1.31/foo - error page - 503 service temporarily Unavailable (default nginx)
192.168.1.31/dashboard - 504 Gateway Time-out (default nginx)
running svc, pods:
All Pods and svcs
If I understand correctly, you want to access kubernetes service (dashboard) from outside cluster. You may deploy metallb LoadBalancer and manage a pull of IPs from external cluster network, assigned to your cluster.
So, you can assign an IP and a LoadBalancer through which you will access your service. Below is an example for mssql server, but you can easily adapt it to your needs with dashboard:
apiVersion: v1
kind: Service
metadata:
name: sql-server-lb
namespace: database-server
annotations:
metallb.universe.tf/address-pool: default
spec:
selector:
app: sql-server
ports:
- port: 1433
targetPort: 1433
type: LoadBalancer
https://metallb.universe.tf/

Access .NET Core app on Kubernetes on both http and https

Being new to Kubernetes, I am trying to make a simple .NET Core 3 MVC app run on Kubernetes and reply on port 443 as well as port 80. I have a working Docker-Compose setup which I am trying to port to Kubernetes.
Running Docker Desktop CE with nginx-ingress on Win 10 Pro.
So far it is working on port 80. (http://mymvc.local on host Win 10 - hosts file redirects mymvc.local to 127.0.0.1)
My MVC app is running behind service mvc on port 5000.
I've made a self-signed certificate for the domain 'mymvc.local', which is working in the Docker-Compose setup.
This is my ingress file
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: mvc-ingress
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- hosts:
- mymvc.local
secretName: mvcsecret-tls
rules:
- host: mymvc.local
http:
paths:
- path: /
backend:
serviceName: mvc
servicePort: 5000
This is my secrets file (keys abbreviated):
apiVersion: v1
kind: Secret
metadata:
name: mvcsecret-tls
data:
tls.crt: MIIDdzCCAl+gAwIBAgIUIok60uPHId5kve+/bZAw/ZGftIcwDQYJKoZIhvcNAQELBQAwKTELMAkGBxGjAYBgN...
tls.key: MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDPGN6yq9yzxvDL8fEUJChqlnaTQW6bQX+H0...
type: kubernetes.io/tls
kubectl describes the ingress as follows:
Name: mvc-ingress
Namespace: default
Address: localhost
Default backend: default-http-backend:80 (<none>)
TLS:
mvcsecret-tls terminates mymvc.local
Rules:
Host Path Backends
---- ---- --------
mymvc.local
/ mvc:5000 (10.1.0.27:5000)
Annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/ssl-passthrough: true
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 11m nginx-ingress-controller Ingress default/mvc-ingress
Normal UPDATE 11m nginx-ingress-controller Ingress default/mvc-ingress
In my Docker-Compose setup, I have an Nginx reverse proxy redirecting 80 and 443 to my MVC service, but I figured that is the role of ingress on Kubernetes?
My service YAML:
apiVersion: v1
kind: Service
metadata:
name: mvc
labels:
app: mymvc
spec:
ports:
- name: "mvc"
port: 5000
targetPort: 5000
selector:
app: mymvc
type: ClusterIP
EDIT:
Adding 'nginx.ingress.kubernetes.io/rewrite-target: /' to ingress annotations males the https forward work, but the certificate presented is the 'Kubernetes Ingress Controller Fake Certificate' - not my self-signed one.
The solution turned out to be the addition of a second kind of certificate.
Instead of using the secrets file above (where I pasted the contents of my certificates files), I issued kubectl to use my certificate files directly:
kubectl create secret tls mvcsecret-tls --key MyCert.key --cert MyCert.crt
kubectl create secret generic tls-rootca --from-file=RootCA.pem

I can't access https urls served on google cloud kubernetes

All,
I followed this tutorial: https://github.com/ahmetb/gke-letsencrypt.
I have an ingress setup for kubernetes in Google Cloud, I have a static IP address and the secrets are created.
This is my ingress config:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: helloweb
annotations:
kubernetes.io/ingress.global-static-ip-name: helloweb-ip
certmanager.k8s.io/acme-http01-edit-in-place: "true"
labels:
app: hello
spec:
backend:
serviceName: helloweb-backend
servicePort: 8080
tls:
- secretName: dogs-com-tls
hosts:
- app-solidair-vlaanderen.com
I can access http://app-solidair-vlaanderen.com, but not the https url.
If I call describe ingress I get this output:
Name: helloweb
Namespace: default
Address: 35.190.68.173
Default backend: helloweb-backend:8080 (10.32.0.17:8080)
TLS:
dogs-com-tls terminates app-solidair-vlaanderen.com
Rules:
Host Path Backends
---- ---- --------
app-solidair-vlaanderen.com
/.well-known/acme-challenge/Q8kcFSZ0ZUJO58xZyVbK6s-cJIWu-EgwPcDd8NFyoXQ cm-acme-http-solver-mhqnf:8089 (<none>)
Annotations:
url-map: k8s-um-default-helloweb--17a833239f9491d9
backends: {"k8s-be-30819--17a833239f9491d9":"Unknown","k8s-be-32482--17a833239f9491d9":"HEALTHY"}
forwarding-rule: k8s-fw-default-helloweb--17a833239f9491d9
target-proxy: k8s-tp-default-helloweb--17a833239f9491d9
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal ADD 45m loadbalancer-controller default/helloweb
Normal CREATE 44m loadbalancer-controller ip: 35.190.68.173
Warning Sync 7m (x22 over 28m) loadbalancer-controller Error during sync: error while evaluating the ingress spec: could not find service "default/cm-acme-http-solver-mhqnf"
Does someone know what I'm missing?
You have some mess up in your ingress definition, why the hosts is under the tls?
Here is an example that is working for me:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ .Values.ingressName }}-ingress
annotations:
kubernetes.io/ingress.global-static-ip-name: {{ .Values.staticIpName }}-static-ip
kubernetes.io/ingress.allow-http: "false"
labels:
...
spec:
tls:
- secretName: sslcerts
rules:
- host: {{ .Values.restApiHost }}
http:
paths:
- backend:
serviceName: rest-api-internal-service
servicePort: 80