service not deployed onto NGINX kubernetes

9/9/2018

So this is my current setup.

I have a k8 cluster with nginx controller installed. I installed nginx using helm.

So I have a simple apple service as below:

kind: Pod
apiVersion: v1
metadata:
  name: apple-app
  labels:
    app: apple
spec:
  containers:
    - name: apple-app
      image: hashicorp/http-echo
      args:
        - "-text=apple"

---

kind: Service
apiVersion: v1
metadata:
  name: apple-service
spec:
  selector:
    app: apple
  ports:
    - port: 5678 # Default port for image

and then I did a kubectl apply -f apples.yaml

Now i have an ingress.yaml as below.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
        - path: /apple
          backend:
            serviceName: apple-service
            servicePort: 5678

and then I kubectl -f ingress.yaml

my ingress controller doesnt have an external ip address.

But even without the external ip, I did a

kubectl exec -it nginxdeploy-nginx-ingress-controller-5d6ddbb677-774xc /bin/bash

And tried doing a curl kL http://localhost/apples

and its giving me a 503 error.

Anybody can help on this?

-- Adam
kubernetes
nginx

1 Answer

9/10/2018

I've tested your configuration, and it seems to be working fine to me.

Pod responds fine:

$ kubectl describe pod apple-app

Name:         apple-app
Namespace:    default
Node:         kube-helm/10.156.0.2
Start Time:   Mon, 10 Sep 2018 11:53:57 +0000
Labels:       app=apple
Annotations:  <none>
Status:       Running
IP:           192.168.73.73
...

$ curl http://192.168.73.73:5678
apple

Service responds fine:

$ kubectl get service 

NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
apple-service   ClusterIP   10.111.93.194    <none>        5678/TCP   1m

$ curl http://10.111.93.194:5678
apple

Ingress also responds fine, but by default it redirects http to https:

$ kubectl exec -it nginx-ingress-controller-6c9fcdf8d9-ggrcs -n ingress-nginx /bin/bash

www-data@nginx-ingress-controller-6c9fcdf8d9-ggrcs:/etc/nginx$ curl http://localhost/apple

<html>
<head><title>308 Permanent Redirect</title></head>
<body bgcolor="white">
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx/1.13.12</center>
</body>
</html>

www-data@nginx-ingress-controller-6c9fcdf8d9-ggrcs:/etc/nginx$ curl -k https://localhost/apple
apple

If you check the nginx configuration in controller pod, you will see that redirect configuration for /apple location:

www-data@nginx-ingress-controller-6c9fcdf8d9-ggrcs:/etc/nginx$ more  /etc/nginx/nginx.conf
...

                location /apple {

                        set $namespace      "default";
                        set $ingress_name   "example-ingress";
                        set $service_name   "apple-service";
                        set $service_port   "5678";
                        set $location_path  "/apple";

                        rewrite_by_lua_block {

                        }

                        log_by_lua_block {

                                monitor.call()
                        }

                        if ($scheme = https) {
                                more_set_headers                        "Strict-Transport-Security: max-age=1572
4800; includeSubDomains";
                        }

                        port_in_redirect off;

                        set $proxy_upstream_name "default-apple-service-5678";

                        # enforce ssl on server side
                        if ($redirect_to_https) {

                                return 308 https://$best_http_host$request_uri;

                        }

                        client_max_body_size                    "1m";

                        proxy_set_header Host                   $best_http_host;

                        # Pass the extracted client certificate to the backend

                        # Allow websocket connections
                        proxy_set_header                        Upgrade           $http_upgrade;

                        proxy_set_header                        Connection        $connection_upgrade;

                        proxy_set_header X-Request-ID           $req_id;
                        proxy_set_header X-Real-IP              $the_real_ip;

                        proxy_set_header X-Forwarded-For        $the_real_ip;

                        proxy_set_header X-Forwarded-Host       $best_http_host;
                        proxy_set_header X-Forwarded-Port       $pass_port;
                        proxy_set_header X-Forwarded-Proto      $pass_access_scheme;

                        proxy_set_header X-Original-URI         $request_uri;

                        proxy_set_header X-Scheme               $pass_access_scheme;

                        # Pass the original X-Forwarded-For
                        proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

                        # mitigate HTTPoxy Vulnerability
                        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
                        proxy_set_header Proxy                  "";

                        # Custom headers to proxied server

                        proxy_connect_timeout                   5s;
                        proxy_send_timeout                      60s;
                        proxy_read_timeout                      60s;

                        proxy_buffering                         "off";
                        proxy_buffer_size                       "4k";
                        proxy_buffers                           4 "4k";
                        proxy_request_buffering                 "on";

                        proxy_http_version                      1.1;

                        proxy_cookie_domain                     off;
                        proxy_cookie_path                       off;

                        # In case of errors try the next upstream server before returning an error
                        proxy_next_upstream                     error timeout;
                        proxy_next_upstream_tries               3;

                        proxy_pass http://default-apple-service-5678;

                        proxy_redirect                          off;

                }

You can disable this default behavior by adding annotations:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
        - path: /apple
          backend:
            serviceName: apple-service
            servicePort: 5678


www-data@nginx-ingress-controller-6c9fcdf8d9-ggrcs:/etc/nginx$ curl http://localhost/apple
apple
-- VAS
Source: StackOverflow