I am deploying an Ingress on my K8S cluster. All my configs look good.
My Ingress is defined like this :
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/proxy-body-size: 50m
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "false"
creationTimestamp: 2018-10-20T23:40:47Z
generation: 1
labels:
type: jenkins
name: jenkins-ingress
namespace: helm-gcp-test-jenkins
resourceVersion: "59946"
selfLink: /apis/extensions/v1beta1/namespaces/helm-gcp-test-jenkins/ingresses/jenkins-tls
uid: 91c5fd22-d4c1-11e8-a0e9-6691b5512bd6
spec:
rules:
- host: master.ingress.proj.csp-test.shoo.company.com
http:
paths:
- backend:
serviceName: jenkins-master
servicePort: 8090
path: /
status:
loadBalancer:
ingress:
- ip: 35.187.16.8
The deployed Ingress looks like :
NAME HOSTS ADDRESS PORTS AGE
jenkins master.ingress.proj.csp-test.shoo.company.com
35.187.16.8 80 21m
Since I'm deploying this in GCP, I have a LB as well.
As you can see the Ingress is supposed to route traffic to jenkins-master
on port 8090
This service is present in the same namespace.
# kubectl get -n helm-gcp-test-jenkins svc jenkins-master
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
jenkins-master ClusterIP 100.71.2.206 <none> 8090/TCP,30005/TCP 13m
From within the cluster if I do curl http://100.71.2.206:8090
, I can successfully see the main page of my application, which means that setup is OK.
Now when I try to access the Ingress from my Browser, this is all that I see.
When I look at the logs of my Ingress controller pod, they have the following ERROR:
2018/10/20 23:44:05 [error] 1084#1084: *538 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.250.0.2, server: master.ingress.proj.csp-test.shoo.company.com, request: "GET / HTTP/1.1", upstream: "https://100.96.0.35:8090/", host: "master.ingress.proj.csp-test.shoo.company.com"
10.250.0.2 - [10.250.0.2] - - [20/Oct/2018:23:44:05 +0000] "GET / HTTP/1.1" 502 174 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15" 438 0.002 [helm-gcp-test-jenkins-jenkins-master-8090] 100.96.0.35:8090 0 0.002 502 60a2a0827ecfa7f0f43997c3b90e5eea
2018/10/20 23:44:06 [error] 1084#1084: *542 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.250.0.2, server: master.ingress.proj.csp-test.shoo.company.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://100.96.0.35:8090/favicon.ico", host: "master.ingress.proj.csp-test.shoo.company.com", referrer: "http://master.ingress.proj.csp-test.shoo.company.com/"
10.250.0.2 - [10.250.0.2] - - [20/Oct/2018:23:44:06 +0000] "GET /favicon.ico HTTP/1.1" 502 174 "http://master.ingress.proj.csp-test.shoo.company.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15" 447 0.003 [helm-gcp-test-jenkins-jenkins-master-8090] 100.96.0.35:8090 0 0.002 502 80769268e1fe1fccd33ed2b58720672e
Not sure what this error is. Any ideas ? Am I using the wrong Annotations ?
Look at theofficial List of Annotation.
There is no nginx.ingress.kubernetes.io/secure-backends: "true"
. Also, you use the HTTP in this case you don't need to nginx.ingress.kubernetes.io/secure-backends: true"
.
The annotation
nginx.ingress.kubernetes.io/ssl-passthrough
instructs the controller to send TLS connections directly to the backend instead of letting NGINX decrypt the communication. See also TLS/HTTPS in the User guide. !!! note SSL Passthrough is disabled by default and requires starting the controller with the--enable-ssl-passthrough
flag. !!! attention Because SSL Passthrough works on layer 4 of the OSI model (TCP) and not on the layer 7 (HTTP), using SSL Passthrough invalidates all the other annotations set on an Ingress object.
Make sure you enable ssl-passthrough in controller, or you can remove this annotation since you don't use the SSL.