Repeated $service_name and $service_port across all rules in spec #5645

Closed
mattupstate opened this issue Jun 3, 2020 · 1 comment
mattupstate commented Jun 3, 2020

quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.32.0:

Kubernetes 1.18

Environment:

  • Minikube:
  • Ubuntu 18.04.3 LTS
  • 4.15.0-66-generic

What happened:

Given the following Ingress resource:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: acme
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header l5d-dst-override $service_name.$namespace.svc.cluster.local:$service_port;
      grpc_set_header l5d-dst-override $service_name.$namespace.svc.cluster.local:$service_port;
spec:
  tls:
    - hosts:
        - admin.acme.com
        - api.acme.com
        - keycloak.acme.com
      secretName: acme-com
  rules:
    - host: admin.acme.com
      http:
        paths:
          - path: /
            backend:
              serviceName: acme-ui
              servicePort: 80
    - host: api.acme.com
      http:
        paths:
          - path: /
            backend:
              serviceName: acme-web-api
              servicePort: 3000
    - host: keycloak.acme.com
      http:
        paths:
          - backend:
              serviceName: keycloak
              servicePort: 8080
            path: /

The following Nginx config was written (unimportant parts removed):

## start server admin.acme.com
server {
    server_name admin.acme.com ;
    
    ...
    
    location / {
        
        set $namespace      "default";
        set $ingress_name   "acme";
        set $service_name   "acme-ui";
        set $service_port   "80";
        set $location_path  "/";
        
    ...
    
}
## end server admin.acme.com

## start server api.acme.com
server {
    server_name api.acme.com ;
    
    ...

    location / {
        
        set $namespace      "default";
        set $ingress_name   "acme";
        set $service_name   "acme-ui";
        set $service_port   "80";
        set $location_path  "/";
        
    ...
    
}
## end server api.acme.com

## start server keycloak.acme.com
server {
    server_name keycloak.acme.com ;
    
    ...
    
    location / {
        
        set $namespace      "default";
        set $ingress_name   "acme";
        set $service_name   "acme-ui";
        set $service_port   "80";
        set $location_path  "/";
        
    ...
    
}
## end server keycloak.acme.com

What you expected to happen:

No idea what went wrong, but I'm pretty certain the $service_name and $service_port variables shouldn't be the same across the three rules and should look like this:

## start server admin.acme.com
server {
    server_name admin.acme.com ;
    
    ...
    
    location / {
        
        set $namespace      "default";
        set $ingress_name   "acme";
        set $service_name   "acme-ui";
        set $service_port   "80";
        set $location_path  "/";
        
    ...
    
}
## end server admin.acme.com

## start server api.acme.com
server {
    server_name api.acme.com ;
    
    ...

    location / {
        
        set $namespace      "default";
        set $ingress_name   "acme";
        set $service_name   "acme-web-api";
        set $service_port   "3000";
        set $location_path  "/";
        
    ...
    
}
## end server api.acme.com

## start server keycloak.acme.com
server {
    server_name keycloak.acme.com ;
    
    ...
    
    location / {
        
        set $namespace      "default";
        set $ingress_name   "acme";
        set $service_name   "keycloak";
        set $service_port   "8080";
        set $location_path  "/";
        
    ...
    
}
## end server keycloak.acme.com

How to reproduce it:

Apologies, but I'm afraid I'm not sure how you would reproduce yet beyond seeing if a similar config results in similar output.

Install minikube/kind

Install the ingress controller

I'm running the controller using the following manifests:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: system:nginx-ingress
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: system::nginx-ingress-role
  namespace: kube-system
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - ingress-controller-leader-nginx
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: system::nginx-ingress-role-binding
  namespace: kube-system
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    addonmanager.kubernetes.io/mode: EnsureExists
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: system::nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress
    namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: system:nginx-ingress
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    addonmanager.kubernetes.io/mode: EnsureExists
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:nginx-ingress
subjects:
  - kind: ServiceAccount
    name: nginx-ingress
    namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-load-balancer-conf
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
data:
  map-hash-bucket-size: "128"
  hsts: "false"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: udp-services
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: kube-system
  labels:
    app.kubernetes.io/name: nginx-ingress-controller
    app.kubernetes.io/part-of: kube-system
    addonmanager.kubernetes.io/mode: Reconcile
    # sidecar.jaegertracing.io/inject: "true"
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # maxUnavailable needs to be 1 so that port conflicts between the old and new pod don't happen when using hostPort
      maxUnavailable: 1
      maxSurge: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: nginx-ingress-controller
      app.kubernetes.io/part-of: kube-system
      addonmanager.kubernetes.io/mode: Reconcile
  template:
    metadata:
      labels:
        app.kubernetes.io/name: nginx-ingress-controller
        app.kubernetes.io/part-of: kube-system
        addonmanager.kubernetes.io/mode: Reconcile
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
        promtail.io/scrape: "true"
        linkerd.io/inject: enabled
    spec:
      serviceAccountName: nginx-ingress
      terminationGracePeriodSeconds: 60
      containers:
        - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.32.0
          name: nginx-ingress-controller
          imagePullPolicy: IfNotPresent
          readinessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            timeoutSeconds: 1
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - containerPort: 80
              hostPort: 80
            - containerPort: 443
              hostPort: 443
            # (Optional) we expose 18080 to access nginx stats in url /nginx-status
            - containerPort: 18080
              hostPort: 18080
          args:
            - /nginx-ingress-controller
            - --v=5
            - --configmap=$(POD_NAMESPACE)/nginx-load-balancer-conf
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --annotations-prefix=nginx.ingress.kubernetes.io
            # use minikube IP address in ingress status field
            - --report-node-internal-ip-address
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 101
            runAsUser: 101

/kind bug

@mattupstate mattupstate added the kind/bug Categorizes issue or PR as related to a bug. label Jun 3, 2020
Member

aledbf commented Jun 3, 2020

Closing. Fixed in master #5536
You can use the image quay.io/kubernetes-ingress-controller/nginx-ingress-controller:dev until the next release.

@aledbf aledbf closed this as completed Jun 3, 2020
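
A check for the symptom reported in this issue, added here as an example (not code from the issue or from ingress-nginx): it compares the `$service_name` and `$service_port` values in each rendered server block, which the configuration snippet uses to build the `l5d-dst-override` header, with the backends in the Ingress spec. The Ingress dict and rendered config are constructed from the report, the function names are hypothetical, and the parser assumes the `## start server` markers and the `set` order shown above.

```python
import re

SERVER_RE = re.compile(r"^## start server (\S+)\n(.*?)^## end server \1$", re.S | re.M)
SET_RE = re.compile(r'^\s*set\s+\$(\w+)\s+"([^"]*)";', re.M)

def rendered_backends(conf):
    """Map (host, path) -> (service_name, service_port) from rendered nginx.conf."""
    found = {}
    for host, body in SERVER_RE.findall(conf):
        cur = {}
        for var, val in SET_RE.findall(body):
            cur[var] = val
            if var == "location_path":  # assumed last of the per-location set lines
                found[(host, val)] = (cur.get("service_name"), cur.get("service_port"))
                cur = {}
    return found

def expected_backends(ingress):
    """Map (host, path) -> (serviceName, servicePort) from a v1beta1 Ingress dict."""
    out = {}
    for rule in ingress["spec"]["rules"]:
        for p in rule["http"]["paths"]:
            b = p["backend"]
            out[(rule["host"], p.get("path", "/"))] = (b["serviceName"], str(b["servicePort"]))
    return out

def mismatches(ingress, conf):
    """Return (host, path, expected, rendered) for each location whose variables differ."""
    rendered = rendered_backends(conf)
    return [(h, p, exp, rendered.get((h, p)))
            for (h, p), exp in sorted(expected_backends(ingress).items())
            if rendered.get((h, p)) != exp]

# Constructed inputs: the Ingress rules from the report as a YAML loader would return them.
HOSTS = [("admin.acme.com", "acme-ui", 80), ("api.acme.com", "acme-web-api", 3000),
         ("keycloak.acme.com", "keycloak", 8080)]
INGRESS = {"spec": {"rules": [{"host": h, "http": {"paths": [
    {"path": "/", "backend": {"serviceName": s, "servicePort": p}}]}} for h, s, p in HOSTS]}}
BLOCK = '''## start server {host}
server {{
    location / {{
        set $service_name   "{svc}";
        set $service_port   "{port}";
        set $location_path  "/";
    }}
}}
## end server {host}
'''
# Constructed sample of the 0.32.0 output reported above: every host carries acme-ui:80.
REPORTED = "".join(BLOCK.format(host=h, svc="acme-ui", port="80") for h, _, _ in HOSTS)
```

`mismatches(INGRESS, REPORTED)` lists `api.acme.com` and `keycloak.acme.com`, the two hosts whose rendered variables point at `acme-ui:80` instead of their own backends.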