Ingress rule does not work with Service of type LoadBalancer

2/9/2019

I am trying to add an ingress rule to an internal load balancer. As per the dock it can be redirected to a service. It works as long as the service is "ClusterIP" but goes to infinite redirect when its "LoadBalancer"

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - demo.azure.com
    secretName: aks-ingress-tls
  rules:
  - host: demo.azure.com
    http:
      paths:
      - path: /
        backend:
          serviceName: aks-helloworld
          servicePort: 80
      - path: /demo
        backend:
          serviceName: demo-backend
          servicePort: 80

https://demo.azure.com works but https://demo.azure.com/demo doesn’t. Difference is aks-helloworld is a ClusterIP but demo-backend is a LoadBalancer

13:33 $ kubectl get services
NAME                  TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)        AGE
aks-helloworld        ClusterIP      10.0.204.168   <none>         80/TCP         15m
kubernetes            ClusterIP      10.0.0.1       <none>         443/TCP        16h
demo-backend   LoadBalancer   10.0.198.251   23.99.128.86   80:30332/TCP   15h
-- Neil
azure
azure-aks
kubernetes
kubernetes-helm
kubernetes-ingress

3 Answers

2/26/2019

The issue was because of the following headers added by the engine controller.

X-FORWARDED-PROTO: https
X-FORWARDED-PORT: 443

Answer https://stackoverflow.com/a/54880257/747456

-- Neil
Source: StackOverflow

2/10/2019

Why are you exposing the Service as type "LoadBalancer" if you are using Ingress for the resource? You are essentially hitting a the ingress loadbalancer then hitting another service loadbalancer, which is probably causing this redirect issue.

-- Strebel - MSFT
Source: StackOverflow

2/11/2019

For your issue, I don't think it's the problem that one has the type clusterIP and another has the type LoadBalancer. When the traffic coming in through the two ways, they will all redirect to the service, in your case, demo-backend.

See the result of the test on my side:

enter image description here

Access from the Internet:

enter image description here enter image description here

I do not add the TLS, but I think the traffic will all redirect to the service no matter it has the TLS or not. I just change the command with --set serviceType="LoadBalancer" when I install the second application through helm. So you can check if there something wrong with your steps.

But I don't think it's a good way to route traffic both in these two ways to one service. If you use the TLS through Ingress, and it will be no secure when there is the way with LoadBalancer at the same time. Because the traffic will bypass the TLS through LoadBalancer.

Update

With your comment, I think you need to create a deployment for your application, and then create a service with it, the file like this:

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: myapp
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: yourImage
        ports:
        - containerPort: 80
          name: myapp
---
apiVersion: v1 
kind: Service 
metadata: 
    name: demo-backend 
    labels: 
        app: myapp 
spec: 
    type: ClusterIP 
    selector: 
        app: myapp 
    ports: 
    - port: 80
      name: http

The deployment is the basis of the application, the service just accepts the traffic for the pod. So I guess you miss the deployment so that you can access your application.

-- Charles Xu
Source: StackOverflow