Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Path based routing only works with base path #2132

Closed
evillgenius75 opened this issue Feb 22, 2018 · 13 comments
Closed

Path based routing only works with base path #2132

evillgenius75 opened this issue Feb 22, 2018 · 13 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@evillgenius75
Copy link

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
Bug Report

NGINX Ingress controller version:
10.2 and 11.0

Kubernetes version (use kubectl version):
1.9.3 and 1.8.2

Environment:
Azure AKS and Azure ACS-Engine Cluster

  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release): Debian GNU/Linux 8 (jessie):Ubuntu 16.04
  • Kernel (e.g. uname -a): 4.11.0-1015-azure
  • Install tools: AKS and ACS-Engine
  • Others:
    kube-lego for TLS management

What happened:
Ingress rule to do TLS secure path based routing only routes correctly to default path "/" and not the second service on path "/hello2"

What you expected to happen:
If I go to http://url/ the service that is expected is return, however if I go to http://url/hello2 I get a generic 404 Not Found

How to reproduce it (as minimally and precisely as possible):

  1. helm install stable/nginx-ingress or helm install stable/nginx --set controller.image.tag=0.11.0
  2. Wait for service to return external IP from Azure ALB kubectl get svc -w
  3. Map new Public IP with a DNS Name either in Azure directly or using DNS Provider
    3a. If using Azure provided DNS use this script:
#!/bin/bash

# Public IP address
IP="52.224.125.195" #replace with Public IP address assigned to ngnix service in K8s

# Name to associate with public IP address
DNSNAME="demo-aks-ingress"

# Get resource group and public ip name
RESOURCEGROUP=$(az network public-ip list --query "[?contains(ipAddress, '$IP')].[resourceGroup]" --output tsv)
PIPNAME=$(az network public-ip list --query "[?contains(ipAddress, '$IP')].[name]" --output tsv)

# Update public ip address with dns name
az network public-ip update --resource-group $RESOURCEGROUP --name  $PIPNAME --dns-name $DNSNAME

3b. Get FQDN of PublicIP az network public-ip list --query "[?contains(ipAddress, '52.224.125.195')].[dnsSettings.fqdn]" --output tsv

  1. Install kube-lego and modify LEGO_EMAIL to a real email address
    helm install stable/kube-lego \
    --set config.LEGO_EMAIL=user@contoso.com \
    --set config.LEGO_URL=https://acme-v01.api.letsencrypt.org/directory

  2. Create 2 services to host behind proxy
    helm repo add azure-samples https://azure-samples.github.io/helm-charts/
    helm install azure-samples/aks-helloworld
    helm install azure-samples/aks-helloworld --set title="AKS Ingress Demo" --set serviceName="ingress-demo"

  3. Create an ingress yaml. Be sure to change host entry to the FQDn retrieved in step 3b or one you created in your own DNS provider:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-world-ingress
  annotations:
    kubernetes.io/tls-acme: "true"
    ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - demo-aks-ingress.eastus.cloudapp.azure.com
    secretName: tls-secret
  rules:
  - host: demo-aks-ingress.eastus.cloudapp.azure.com
    http:
      paths:
      - path: /
        backend:
          serviceName: aks-helloworld
          servicePort: 80
      - path: /hello2
        backend:
          serviceName: ingress-demo
          servicePort: 80

Anything else we need to know:
Both web services are working correctly. If I switch the name of the services you can see the different backends but only when using base path "/"
TLS is working correctly and site is signed as expected.

nginx.conf file:

daemon off;

worker_processes 1;
pid /run/nginx.pid;

worker_rlimit_nofile 346615;

worker_shutdown_timeout 10s ;

events {
    multi_accept        on;
    worker_connections  16384;
    use                 epoll;
}

http {

    real_ip_header      X-Forwarded-For;

    real_ip_recursive   on;

    set_real_ip_from    0.0.0.0/0;

    geoip_country       /etc/nginx/geoip/GeoIP.dat;
    geoip_city          /etc/nginx/geoip/GeoLiteCity.dat;
    geoip_org           /etc/nginx/geoip/GeoIPASNum.dat;
    geoip_proxy_recursive on;

    aio                 threads;
    aio_write           on;

    tcp_nopush          on;
    tcp_nodelay         on;

    log_subrequest      on;

    reset_timedout_connection on;

    keepalive_timeout  75s;
    keepalive_requests 100;

    client_header_buffer_size       1k;
    client_header_timeout           60s;
    large_client_header_buffers     4 8k;
    client_body_buffer_size         8k;
    client_body_timeout             60s;

    http2_max_field_size            4k;
    http2_max_header_size           16k;

    types_hash_max_size             2048;
    server_names_hash_max_size      1024;
    server_names_hash_bucket_size   64;
    map_hash_bucket_size            64;

    proxy_headers_hash_max_size     512;
    proxy_headers_hash_bucket_size  64;

    variables_hash_bucket_size      128;
    variables_hash_max_size         2048;

    underscores_in_headers          off;
    ignore_invalid_headers          on;

    limit_req_status                503;

    include /etc/nginx/mime.types;
    default_type text/html;

    gzip on;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component;
    gzip_proxied any;
    gzip_vary on;

    # Custom headers for response

    server_tokens on;

    # disable warnings
    uninitialized_variable_warn off;

    # Additional available variables:
    # $namespace
    # $ingress_name
    # $service_name
    log_format upstreaminfo '$the_real_ip - [$the_real_ip] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status';

    map $request_uri $loggable {

        default 1;
    }

    access_log /var/log/nginx/access.log upstreaminfo if=$loggable;

    error_log  /var/log/nginx/error.log notice;

    resolver 10.0.0.10 valid=30s;

    # Retain the default nginx handling of requests without a "Connection" header
    map $http_upgrade $connection_upgrade {
        default          upgrade;
        ''               close;
    }

    map $http_x_forwarded_for $the_real_ip {

        default          $remote_addr;

    }

    # trust http_x_forwarded_proto headers correctly indicate ssl offloading
    map $http_x_forwarded_proto $pass_access_scheme {
        default          $http_x_forwarded_proto;
        ''               $scheme;
    }

    # validate $pass_access_scheme and $scheme are http to force a redirect
    map "$scheme:$pass_access_scheme" $redirect_to_https {
        default          0;
        "http:http"      1;
        "https:http"     1;
    }

    map $http_x_forwarded_port $pass_server_port {
        default           $http_x_forwarded_port;
        ''                $server_port;
    }

    map $pass_server_port $pass_port {
        443              443;
        default          $pass_server_port;
    }

    # Obtain best http host
    map $http_host $this_host {
        default          $http_host;
        ''               $host;
    }

    map $http_x_forwarded_host $best_http_host {
        default          $http_x_forwarded_host;
        ''               $this_host;
    }

    server_name_in_redirect off;
    port_in_redirect        off;

    rewrite_log             on;

    ssl_protocols TLSv1.2;

    # turn on session caching to drastically improve performance

    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 10m;

    # allow configuring ssl session tickets
    ssl_session_tickets on;

    # slightly reduce the time-to-first-byte
    ssl_buffer_size 4k;

    # allow configuring custom ssl ciphers
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    ssl_ecdh_curve auto;

    proxy_ssl_session_reuse on;

    upstream default-ingress-demo-80 {

        # Load balance algorithm; empty for round robin, which is the default
        least_conn;

        keepalive 32;

        server 10.244.2.35:80 max_fails=0 fail_timeout=0;

    }

    upstream default-aks-helloworld-80 {

        # Load balance algorithm; empty for round robin, which is the default
        least_conn;

        keepalive 32;

        server 10.244.2.34:80 max_fails=0 fail_timeout=0;

    }

    upstream default-kube-lego-nginx-8080 {

        # Load balance algorithm; empty for round robin, which is the default
        least_conn;

        keepalive 32;

        server 10.244.2.33:8080 max_fails=0 fail_timeout=0;

    }

    upstream upstream-default-backend {

        # Load balance algorithm; empty for round robin, which is the default
        least_conn;

        keepalive 32;

        server 10.244.2.31:8080 max_fails=0 fail_timeout=0;

    }

    ## start server _
    server {
        server_name _ ;

        listen 80 default_server  backlog=511;

        listen [::]:80 default_server  backlog=511;

        set $proxy_upstream_name "-";

        listen 443  default_server  backlog=511 ssl http2;

        listen [::]:443  default_server  backlog=511 ssl http2;

        # PEM sha: 6ffc997c0748dca2604bd8fea0e35d31a6bce41f
        ssl_certificate                         /ingress-controller/ssl/default-fake-certificate.pem;
        ssl_certificate_key                     /ingress-controller/ssl/default-fake-certificate.pem;

        more_set_headers                        "Strict-Transport-Security: max-age=15724800; includeSubDomains;";

        location / {
            port_in_redirect off;

            set $proxy_upstream_name "upstream-default-backend";

            set $namespace      "";
            set $ingress_name   "";
            set $service_name   "";

            client_max_body_size                    "1m";

            proxy_set_header Host                   $best_http_host;

            # Pass the extracted client certificate to the backend

            proxy_set_header ssl-client-cert        "";
            proxy_set_header ssl-client-verify      "";
            proxy_set_header ssl-client-dn          "";

            # Allow websocket connections
            proxy_set_header                        Upgrade           $http_upgrade;

            proxy_set_header                        Connection        $connection_upgrade;

            proxy_set_header X-Real-IP              $the_real_ip;

            proxy_set_header X-Forwarded-For        $the_real_ip;

            proxy_set_header X-Forwarded-Host       $best_http_host;
            proxy_set_header X-Forwarded-Port       $pass_port;
            proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
            proxy_set_header X-Original-URI         $request_uri;
            proxy_set_header X-Scheme               $pass_access_scheme;

            # Pass the original X-Forwarded-For
            proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

            # mitigate HTTPoxy Vulnerability
            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
            proxy_set_header Proxy                  "";

            # Custom headers to proxied server

            proxy_connect_timeout                   5s;
            proxy_send_timeout                      60s;
            proxy_read_timeout                      60s;

            proxy_buffering                         "off";
            proxy_buffer_size                       "4k";
            proxy_buffers                           4 "4k";
            proxy_request_buffering                 "on";

            proxy_http_version                      1.1;

            proxy_cookie_domain                     off;
            proxy_cookie_path                       off;

            # In case of errors try the next upstream server before returning an error
            proxy_next_upstream                     error timeout invalid_header http_502 http_503 http_504;

            proxy_pass http://upstream-default-backend;

            proxy_redirect                          off;

        }

        # health checks in cloud providers require the use of port 80
        location /healthz {
            access_log off;
            return 200;
        }

        # this is required to avoid error if nginx is being monitored
        # with an external software (like sysdig)
        location /nginx_status {
            allow 127.0.0.1;
            allow ::1;
            deny all;

            access_log off;
            stub_status on;
        }

    }
    ## end server _

    ## start server aks182east.evillgenius.com
    server {
        server_name aks182east.evillgenius.com ;

        listen 80;

        listen [::]:80;

        set $proxy_upstream_name "-";

        listen 443  ssl http2;

        listen [::]:443  ssl http2;

        # PEM sha: 3781aeafb6f20fc098e2b98486f2561e7c816d7e
        ssl_certificate                         /ingress-controller/ssl/default-tls-secret.pem;
        ssl_certificate_key                     /ingress-controller/ssl/default-tls-secret.pem;

        ssl_trusted_certificate                 /ingress-controller/ssl/default-tls-secret-full-chain.pem;
        ssl_stapling                            on;
        ssl_stapling_verify                     on;

        more_set_headers                        "Strict-Transport-Security: max-age=15724800; includeSubDomains;";

        location /hello2 {
            port_in_redirect off;

            set $proxy_upstream_name "default-aks-helloworld-80";

            set $namespace      "default";
            set $ingress_name   "hello-world-ingress";
            set $service_name   "aks-helloworld";

            # enforce ssl on server side
            if ($redirect_to_https) {

                return 308 https://$best_http_host$request_uri;

            }

            client_max_body_size                    "1m";

            proxy_set_header Host                   $best_http_host;

            # Pass the extracted client certificate to the backend

            proxy_set_header ssl-client-cert        "";
            proxy_set_header ssl-client-verify      "";
            proxy_set_header ssl-client-dn          "";

            # Allow websocket connections
            proxy_set_header                        Upgrade           $http_upgrade;

            proxy_set_header                        Connection        $connection_upgrade;

            proxy_set_header X-Real-IP              $the_real_ip;

            proxy_set_header X-Forwarded-For        $the_real_ip;

            proxy_set_header X-Forwarded-Host       $best_http_host;
            proxy_set_header X-Forwarded-Port       $pass_port;
            proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
            proxy_set_header X-Original-URI         $request_uri;
            proxy_set_header X-Scheme               $pass_access_scheme;

            # Pass the original X-Forwarded-For
            proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

            # mitigate HTTPoxy Vulnerability
            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
            proxy_set_header Proxy                  "";

            # Custom headers to proxied server

            proxy_connect_timeout                   5s;
            proxy_send_timeout                      60s;
            proxy_read_timeout                      60s;

            proxy_buffering                         "off";
            proxy_buffer_size                       "4k";
            proxy_buffers                           4 "4k";
            proxy_request_buffering                 "on";

            proxy_http_version                      1.1;

            proxy_cookie_domain                     off;
            proxy_cookie_path                       off;

            # In case of errors try the next upstream server before returning an error
            proxy_next_upstream                     error timeout invalid_header http_502 http_503 http_504;

            proxy_pass http://default-aks-helloworld-80;

            proxy_redirect                          off;

        }

        location /.well-known/acme-challenge {
            port_in_redirect off;

            set $proxy_upstream_name "default-kube-lego-nginx-8080";

            set $namespace      "default";
            set $ingress_name   "kube-lego-nginx";
            set $service_name   "kube-lego-nginx";

            # enforce ssl on server side
            if ($redirect_to_https) {

                return 308 https://$best_http_host$request_uri;

            }

            client_max_body_size                    "1m";

            proxy_set_header Host                   $best_http_host;

            # Pass the extracted client certificate to the backend

            proxy_set_header ssl-client-cert        "";
            proxy_set_header ssl-client-verify      "";
            proxy_set_header ssl-client-dn          "";

            # Allow websocket connections
            proxy_set_header                        Upgrade           $http_upgrade;

            proxy_set_header                        Connection        $connection_upgrade;

            proxy_set_header X-Real-IP              $the_real_ip;

            proxy_set_header X-Forwarded-For        $the_real_ip;

            proxy_set_header X-Forwarded-Host       $best_http_host;
            proxy_set_header X-Forwarded-Port       $pass_port;
            proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
            proxy_set_header X-Original-URI         $request_uri;
            proxy_set_header X-Scheme               $pass_access_scheme;

            # Pass the original X-Forwarded-For
            proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

            # mitigate HTTPoxy Vulnerability
            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
            proxy_set_header Proxy                  "";

            # Custom headers to proxied server

            proxy_connect_timeout                   5s;
            proxy_send_timeout                      60s;
            proxy_read_timeout                      60s;

            proxy_buffering                         "off";
            proxy_buffer_size                       "4k";
            proxy_buffers                           4 "4k";
            proxy_request_buffering                 "on";

            proxy_http_version                      1.1;

            proxy_cookie_domain                     off;
            proxy_cookie_path                       off;

            # In case of errors try the next upstream server before returning an error
            proxy_next_upstream                     error timeout invalid_header http_502 http_503 http_504;

            proxy_pass http://default-kube-lego-nginx-8080;

            proxy_redirect                          off;

        }

        location / {
            port_in_redirect off;

            set $proxy_upstream_name "default-ingress-demo-80";

            set $namespace      "default";
            set $ingress_name   "hello-world-ingress";
            set $service_name   "ingress-demo";

            # enforce ssl on server side
            if ($redirect_to_https) {

                return 308 https://$best_http_host$request_uri;

            }

            client_max_body_size                    "1m";

            proxy_set_header Host                   $best_http_host;

            # Pass the extracted client certificate to the backend

            proxy_set_header ssl-client-cert        "";
            proxy_set_header ssl-client-verify      "";
            proxy_set_header ssl-client-dn          "";

            # Allow websocket connections
            proxy_set_header                        Upgrade           $http_upgrade;

            proxy_set_header                        Connection        $connection_upgrade;

            proxy_set_header X-Real-IP              $the_real_ip;

            proxy_set_header X-Forwarded-For        $the_real_ip;

            proxy_set_header X-Forwarded-Host       $best_http_host;
            proxy_set_header X-Forwarded-Port       $pass_port;
            proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
            proxy_set_header X-Original-URI         $request_uri;
            proxy_set_header X-Scheme               $pass_access_scheme;

            # Pass the original X-Forwarded-For
            proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

            # mitigate HTTPoxy Vulnerability
            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
            proxy_set_header Proxy                  "";

            # Custom headers to proxied server

            proxy_connect_timeout                   5s;
            proxy_send_timeout                      60s;
            proxy_read_timeout                      60s;

            proxy_buffering                         "off";
            proxy_buffer_size                       "4k";
            proxy_buffers                           4 "4k";
            proxy_request_buffering                 "on";

            proxy_http_version                      1.1;

            proxy_cookie_domain                     off;
            proxy_cookie_path                       off;

            # In case of errors try the next upstream server before returning an error
            proxy_next_upstream                     error timeout invalid_header http_502 http_503 http_504;

            proxy_pass http://default-ingress-demo-80;

            proxy_redirect                          off;

        }

    }
    ## end server aks182east.evillgenius.com

    # default server, used for NGINX healthcheck and access to nginx stats
    server {
        # Use the port 18080 (random value just to avoid known ports) as default port for nginx.
        # Changing this value requires a change in:
        # https://github.com/kubernetes/ingress-nginx/blob/master/controllers/nginx/pkg/cmd/controller/nginx.go
        listen 18080 default_server  backlog=511;
        listen [::]:18080 default_server  backlog=511;
        set $proxy_upstream_name "-";

        location /healthz {
            access_log off;
            return 200;
        }

        location /nginx_status {
            set $proxy_upstream_name "internal";

            access_log off;
            stub_status on;

        }

        location / {

            set $proxy_upstream_name "upstream-default-backend";
            proxy_pass          http://upstream-default-backend;
        }

    }
}

stream {
    log_format log_stream [$time_local] $protocol $status $bytes_sent $bytes_received $session_time;

    access_log /var/log/nginx/access.log log_stream;

    error_log  /var/log/nginx/error.log;

    # TCP services

    # UDP services

}
@mrdfuse
Copy link

mrdfuse commented Mar 4, 2018

I run into the same issue just by following the AKS tutorial: https://docs.microsoft.com/en-us/azure/aks/ingress

@mrdfuse mrdfuse mentioned this issue Mar 4, 2018
Closed
@aledbf
Copy link
Member

aledbf commented Mar 4, 2018

Closing. The issue with the article is the prefix of the annotations, it should be nginx.ingress.kubernetes.io

@aledbf aledbf closed this as completed Mar 4, 2018
@aledbf
Copy link
Member

aledbf commented Mar 4, 2018

@evillgenius75 please reopen if you have more questions

@0xmichalis
Copy link

We are still seeing this even with the new annotation.

/reopen

@k8s-ci-robot
Copy link
Contributor

@Kargakis: you can't re-open an issue/PR unless you authored it or you are assigned to it.

In response to this:

We are still seeing this even with the new annotation.

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@0xmichalis
Copy link

Versions:

kubernetes v1.9.7
quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.14.0
k8s.gcr.io/defaultbackend:1.3

@k8s-ci-robot k8s-ci-robot reopened this May 16, 2018
@0xmichalis
Copy link

/kind bug

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label May 16, 2018
@derekrgoss
Copy link

derekrgoss commented Jul 2, 2018
edited

I am also encountering this with:

quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.16.2
gcr.io/google_containers/defaultbackend:1.4

@aledbf , essentially all ingress paths except for root get ignored as long as I am attempting to use https. Is this a known issue?

I'm trying to use nginx ingress with ssl-passthrough so that my backend Tomcat-based containers can perform TLS termination. Our application requires dual authentication so that x509 user certificate details can be passed along (DOD requirement).

Do you have any thoughts as to why only the root ingress path is being used and all others ignored? Any help is appreciated.

Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx","nginx.ingress.kubernetes.io/auth-tls-error-page":"https://failblog.cheezburger.com/","nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream":"true","nginx.ingress.kubernetes.io/auth-tls-secret":"icodes-test/icodestestcasecret","nginx.ingress.kubernetes.io/auth-tls-verify-client":"on","nginx.ingress.kubernetes.io/auth-tls-verify-depth":"1","nginx.ingress.kubernetes.io/configuration-snippet":"set_by_lua $client_cert \"return ngx.var.ssl_client_raw_cert:gsub('\\\\n',' ')\";\nproxy_set_header X-SSL-CERT $client_cert;\nproxy_set_header SSL_CLIENT_CERT $client_cert;\nproxy_set_header javax.servlet.request.X509Certificate $client_cert;\nproxy_set_header com.cdmtech.ciw.sso.user.cert $client_cert;\n","nginx.ingress.kubernetes.io/secure-backends":"true"},"creationTimestamp":"2018-06-26T21:01:01Z","generation":6,"name":"icodes-test-ingress","namespace":"icodes-test","resourceVersion":"1101904","selfLink":"/apis/extensions/v1beta1/namespaces/icodes-test/ingresses/icodes-test-ingress","uid":"07ed05c0-7984-11e8-a925-42010a8a0256"},"spec":{"rules":[{"host":"icodes-test.tapslo.com","http":{"paths":[{"backend":{"serviceName":"ciwserver-service","servicePort":443},"path":"/"},{"backend":{"serviceName":"cb-service","servicePort":443},"path":"/ConveyanceBuilder"},{"backend":{"serviceName":"slp-service","servicePort":443},"path":"/SLP"},{"backend":{"serviceName":"ciwadmin-service","servicePort":443},"path":"/ciwadmin"},{"backend":{"serviceName":"ciwserver-service","servicePort":443},"path":"/cas"},{"backend":{"serviceName":"ciwserver-service","servicePort":443},"path":"/ciw-sso-tools"},{"backend":{"serviceName":"culs-service","servicePort":443},"path":"/culs"},{"backend":{"serviceName":"ciwserver-service","servicePort":443},"path":"/ebs"},{"backend":{"serviceName":"ciwserver-service","servicePort":443},"path":"/ICODESPortal"},{"backend":{"serviceName":"ciwserver-service","servicePort":443},"path":"/MBS"},{"backend":{"serviceName":"ciwserver-service","servicePort":443},"path":"/ROOT"}]}}],"tls":[{"hosts":["icodes-test.tapslo.com"],"secretName":"icodestestsecret"}]}}
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  creationTimestamp: 2018-06-29T23:02:28Z
  generation: 16
  name: icodes-test-ingress
  namespace: icodes-test
  resourceVersion: "1883657"
  selfLink: /apis/extensions/v1beta1/namespaces/icodes-test/ingresses/icodes-test-ingress
  uid: 7eb2752a-7bf0-11e8-a925-42010a8a0256
spec:
  rules:
  - host: icodes-test.tapslo.com
    http:
      paths:
      - backend:
          serviceName: ciwserver-service
          servicePort: 443
        path: /
      - backend:
          serviceName: cb-service
          servicePort: 443
        path: /ConveyanceBuilder
      - backend:
          serviceName: cb-service
          servicePort: 443
        path: /ConveyanceBuilder/*
      - backend:
          serviceName: slp-service
          servicePort: 443
        path: /SLP
      - backend:
          serviceName: slp-service
          servicePort: 443
        path: /SLP/*
      - backend:
          serviceName: ciwserver-service
          servicePort: 443
        path: /ciwadmin
      - backend:
          serviceName: ciwserver-service
          servicePort: 443
        path: /ciwadmin/*
      - backend:
          serviceName: ciwserver-service
          servicePort: 443
        path: /cas
      - backend:
          serviceName: ciwserver-service
          servicePort: 443
        path: /cas/*
      - backend:
          serviceName: ciwserver-service
          servicePort: 443
        path: /ciw-sso-tools
      - backend:
          serviceName: ciwserver-service
          servicePort: 443
        path: /ciw-sso-tools/*
      - backend:
          serviceName: culs-service
          servicePort: 443
        path: /culs
      - backend:
          serviceName: culs-service
          servicePort: 443
        path: /culs/*
      - backend:
          serviceName: ciwserver-service
          servicePort: 443
        path: /ebs
      - backend:
          serviceName: ciwserver-service
          servicePort: 443
        path: /ebs/*
      - backend:
          serviceName: ciwserver-service
          servicePort: 443
        path: /ICODESPortal
      - backend:
          serviceName: ciwserver-service
          servicePort: 443
        path: /ICODESPortal/*
      - backend:
          serviceName: ciwserver-service
          servicePort: 443
        path: /MBS
      - backend:
          serviceName: ciwserver-service
          servicePort: 443
        path: /MBS/*
      - backend:
          serviceName: ciwserver-service
          servicePort: 443
        path: /ROOT
      - backend:
          serviceName: ciwserver-service
          servicePort: 443
        path: /ROOT/*
  tls:
  - hosts:
    - icodes-test.tapslo.com
    secretName: icodestestsecret
status:
  loadBalancer:
    ingress:
    - ip: 35.203.143.32

Controller deployment:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "16"
  creationTimestamp: 2018-06-29T22:54:01Z
  generation: 16
  labels:
    app: ingress-nginx
  name: nginx-ingress-controller
  namespace: ingress-nginx
  resourceVersion: "1833952"
  selfLink: /apis/extensions/v1beta1/namespaces/ingress-nginx/deployments/nginx-ingress-controller
  uid: 50ce2c5f-7bef-11e8-a925-42010a8a0256
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ingress-nginx
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
      creationTimestamp: null
      labels:
        app: ingress-nginx
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
        - --configmap=$(POD_NAMESPACE)/nginx-configuration
        - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
        - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx
        - --annotations-prefix=nginx.ingress.kubernetes.io
        - --enable-ssl-passthrough
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.16.2
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: nginx-ingress-controller
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources: {}
        securityContext:
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsUser: 33
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: nginx-ingress-serviceaccount
      serviceAccountName: nginx-ingress-serviceaccount
      terminationGracePeriodSeconds: 30
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: 2018-06-29T22:54:01Z
    lastUpdateTime: 2018-06-29T22:54:01Z
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  observedGeneration: 16
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1

@aledbf
Copy link
Member

aledbf commented Aug 2, 2018
edited

Do you have any thoughts as to why only the root ingress path is being used and all others ignored? Any help is appreciated.

Please remove /* from all the paths

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 31, 2018
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 30, 2018
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Copy link
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@aledbf @mrdfuse @0xmichalis @k8s-ci-robot @evillgenius75 @fejta-bot @derekrgoss