Route53 DNS problems #11460

Closed
kishorpacefin opened this issue Jun 13, 2024 · 6 comments
Labels
kind/support Categorizes issue or PR as a support question. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@kishorpacefin

Hi,

I want to add a new SSL certificate to my Kubernetes cluster, and here’s how my routing works:

Suppose my main URL is abc.com and my ingress host URL is qwe.com.

So, when I hit abc.com, it routes like this: abc.com -> Route 53 -> API Gateway -> Ingress Host (qwe.com) -> Backend Service.

I get the response while seeing abc.com in the browser, with backend routing happening behind the scenes. Thus, my ingress URL remains hidden.

Current Ingress Configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dev-router-master
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range"
spec:
  ingressClassName: nginx
  rules:
    - host: qwe.com
      http:
        paths:
          - path: /api/dao
            pathType: Prefix
            backend:
              service:
                name: kyc-service
                port:
                  number: 80

Problem After Adding SSL:

After adding SSL to my NGINX ingress controller, whenever I hit abc.com, I am able to access the application, but it forwards the site from abc.com to qwe.com, and I see qwe.com in the browser.

Updated Ingress Configuration with SSL:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dev-router-master
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - abc.com
        - qwe.com
      secretName: secret-key
  rules:
    - host: abc.com
      http:
        paths:
          - path: /api/dao
            pathType: Prefix
            backend:
              service:
                name: kyc-service
                port:
                  number: 80
    - host: qwe.com
      http:
        paths:
          - path: /api/dao
            pathType: Prefix
            backend:
              service:
                name: kyc-service
                port:
                  number: 80

Desired Result:
Whenever I hit abc.com, I should get a response on abc.com only, with all backend routing happening invisibly.

Cluster Information:

Kubernetes Version: AKS cluster with version 1.26.10
Ingress-NGINX Version:
NGINX Ingress controller
Release: v1.3.0
Build: 2b7b74854d90ad9b4b96a5011b9e8b67d20bfb8f
Repository: https://github.com/kubernetes/ingress-nginx
NGINX Version: nginx/1.19.10
  • How was the ingress-nginx-controller installed:

  kubectl describe deployment.apps/ingress-nginx-controller -n ingress-nginx
Name:                   ingress-nginx-controller
Namespace:              ingress-nginx
CreationTimestamp:      Mon, 16 Oct 2023 17:20:30 +0530
Labels:                 app.kubernetes.io/component=controller
                        app.kubernetes.io/instance=ingress-nginx
                        app.kubernetes.io/name=ingress-nginx
                        app.kubernetes.io/part-of=ingress-nginx
                        app.kubernetes.io/version=1.3.0
Annotations:            deployment.kubernetes.io/revision: 1
Selector:               app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:           app.kubernetes.io/component=controller
                    app.kubernetes.io/instance=ingress-nginx
                    app.kubernetes.io/name=ingress-nginx
  Service Account:  ingress-nginx
  Containers:
   controller:
    Image:       registry.k8s.io/ingress-nginx/controller:v1.3.0@sha256:d1707ca76d3b044ab8a28277a2466a02100ee9f58a86af1535a3edf9323ea1b5
    Ports:       80/TCP, 443/TCP, 8443/TCP
    Host Ports:  0/TCP, 0/TCP, 0/TCP
    Args:
      /nginx-ingress-controller
      --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
      --election-id=ingress-controller-leader
      --controller-class=k8s.io/ingress-nginx
      --ingress-class=nginx
      --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
      --validating-webhook=:8443
      --validating-webhook-certificate=/usr/local/certificates/cert
      --validating-webhook-key=/usr/local/certificates/key
    Requests:
      cpu:      100m
      memory:   90Mi
    Liveness:   http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=5
    Readiness:  http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
    Environment:
      POD_NAME:        (v1:metadata.name)
      POD_NAMESPACE:   (v1:metadata.namespace)
      LD_PRELOAD:     /usr/local/lib/libmimalloc.so
    Mounts:
      /usr/local/certificates/ from webhook-cert (ro)
  Volumes:
   webhook-cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  ingress-nginx-admission
    Optional:    false
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Progressing    True    NewReplicaSetAvailable
  Available      True    MinimumReplicasAvailable
OldReplicaSets:  <none>
NewReplicaSet:   ingress-nginx-controller-85b7678f89 (1/1 replicas created)
Events:          <none>

Can anyone help me achieve this without showing my ingress NGINX host URL?

@kishorpacefin kishorpacefin added the kind/bug Categorizes issue or PR as related to a bug. label Jun 13, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Jun 13, 2024
@longwuyuan
Contributor

/retitle Route53 DNS problems
/remove-kind bug
/kind support

@k8s-ci-robot k8s-ci-robot changed the title from "I have added ssl certificate on my ingress nginx controller , but while accessing my main url it is showing ingress nginx host url on web browser. without adding ssl it is working fine" to "Route53 DNS problems" Jun 13, 2024
@k8s-ci-robot k8s-ci-robot added kind/support Categorizes issue or PR as a support question. and removed kind/bug Categorizes issue or PR as related to a bug. labels Jun 13, 2024
@kishorpacefin
Author

Hi @longwuyuan and @strongjz,
can you help me with this problem? It is very critical, so please help me with this.

@longwuyuan
Contributor

Your issue description is not showing any problem with the ingress-nginx controller because routing and TLS works for all users.

So what is the problem with the ingress-nginx controller when you say this below

> After adding SSL to my NGINX ingress controller, whenever I hit abc.com, I am able to access the application, but it forwards the site from abc.com to qwe.com, and I see qwe.com in the browser.

I suggest:

  • Click the new-bug report button and see the questions asked in the template there
  • Edit your issue-description and remove all the imaginary hypothetical info
  • Answer all the questions asked in the new bug report template in the issue description
  • Ensure that you provide the information formatted in markdown
  • Include the kubectl describe output for all the related resources
  • Include the curl commands and outputs with -v
  • Include the logs of the ingress-nginx controller
  • Refer the output of the curl command output to state the unexpected response
  • Mock write the response you expect to the curl command you executed

My guess is that you are not reporting any problem in the ingress-nginx controller code. It is very likely you are referring to some kind of application design or platform design related problem, and the ingress-nginx controller is a component.

You are confusing readers here by first saying that you are yourself likely having a CNAME record that is causing some redirection here

> So, when I hit abc.com, it routes like this: abc.com -> Route 53 -> API Gateway -> Ingress Host (qwe.com) -> Backend Service.

And then you are sort of claiming that you DO NOT expect the redirection via CNAME here

> Whenever I hit abc.com, I should get a response on abc.com only,

If you are trying to solve a problem that is NOT in the ingress-nginx controller code but somewhere in your DNS or application/platform design, then you have better chances to discuss this in the kubernetes-users channel of the K8S slack. There are more users & experts there, when compared to limited resources here.

@longwuyuan
Contributor

Since there is no evident problem to work on in the ingress-nginx controller scope, I will close this issue for now.

Feel free to re-open the issue after you have posted the information that shows a problem that the project needs to solve in the ingress-nginx controller.

/close

@k8s-ci-robot
Contributor

@longwuyuan: Closing this issue.

In response to this:

> Since there is no evident problem to work on in the ingress-nginx controller scope, I will close this issue for now.
>
> Feel free to re-open the issue after you have posted the information that shows a problem that the project needs to solve in the ingress-nginx controller.
>
> /close
