How to link AKS ingress external IP to Azure DNS zone?

5/18/2021

I'm attempting to add an ingress to my AKS cluster and link that to a domain I have purchased but the site always fails to load in the browser. It doesn't matter whether I use the IP address of DNS name, it fails all the same.

I have added a DNS zone and an entry that points to a frontend IP configuration on the load balancer.

enter image description here

This IP corresponds to the external IP of the ingress.

I can also run a curl request which appears to return details of my react application

curl -v -k --resolve oconnorevents.co.uk:443:20.90.138.208 https://oconnorevents.co.uk

* Added oconnorevents.co.uk:443:20.90.138.208 to DNS cache
* Hostname oconnorevents.co.uk was found in DNS cache
*   Trying 20.90.138.208:443...
* Connected to oconnorevents.co.uk (20.90.138.208) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=oconnorevents.co.uk; O=aks-ingress-tls
*  start date: May 18 18:41:04 2021 GMT
*  expire date: May 18 18:41:04 2022 GMT
*  issuer: CN=oconnorevents.co.uk; O=aks-ingress-tls
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x1c41bb41a30)
> GET / HTTP/2
> Host: oconnorevents.co.uk
> user-agent: curl/7.75.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< date: Tue, 18 May 2021 22:31:05 GMT
< content-type: text/html
< content-length: 3179
< last-modified: Tue, 18 May 2021 19:15:59 GMT
< etag: "60a4126f-c6b"
< accept-ranges: bytes
< strict-transport-security: max-age=15724800; includeSubDomains
<
<!doctype html><html lang="en"><head><meta charset="utf-8"/><link rel="icon" href="/favicon.ico"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="theme-color" content="#000000"/><meta name="description" content="Web site created using create-react-app"/><link rel="apple-touch-icon" href="/logo192.png"/><link rel="manifest" href="/manifest.json"/><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,500,700&display=swap"/><title>React App</title><link href="/static/css/main.6dea0f05.chunk.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"></div><script>!function(e){function r(r){for(var n,a,i=r[0],c=r[1],l=r[2],s=0,p=[];s<i.length;s++)a=i[s],Object.prototype.hasOwnProperty.call(o,a)&&o[a]&&p.push(o[a][0]),o[a]=0;for(n in c)Object.prototype.hasOwnProperty.call(c,n)&&(e[n]=c[n]);for(f&&f(r);p.length;)p.shift()();return u.push.apply(u,l||[]),t()}function t(){for(var e,r=0;r<u.length;r++){for(var t=u[r],n=!0,i=1;i<t.length;i++){var c=t[i];0!==o[c]&&(n=!1)}n&&(u.splice(r--,1),e=a(a.s=t[0]))}return e}var n={},o={1:0},u=[];function a(r){if(n[r])return n[r].exports;var t=n[r]={i:r,l:!1,exports:{}};return e[r].call(t.exports,t,t.exports,a),t.l=!0,t.exports}a.e=function(e){var r=[],t=o[e];if(0!==t)if(t)r.push(t[2]);else{var n=new Promise((function(r,n){t=o[e]=[r,n]}));r.push(t[2]=n);var u,i=document.createElement("script");i.charset="utf-8",i.timeout=120,a.nc&&i.setAttribute("nonce",a.nc),i.src=function(e){return a.p+"static/js/"+({}[e]||e)+"."+{2:"edb3d180",4:"2f2d3220",5:"40109260"}[e]+".chunk.js"}(e);var c=new Error;u=function(r){i.onerror=i.onload=null,clearTimeout(l);var t=o[e];if(0!==t){if(t){var n=r&&("load"===r.type?"missing":r.type),u=r&&r.target&&r.target.src;c.message="Loading chunk "+e+" failed.\n("+n+": "+u+")",c.name="ChunkLoadError",c.type=n,c.request=u,t[1](c)}o[e]=void 0}};var l=setTimeout((function(){u({type:"timeout",target:i})}),12e4);i.onerror=i.onload=u,document.head.appendChild(i)}return Promise.all(r)},a.m=e,a.c=n,a.d=function(e,r,t){a.o(e,r)||Object.defineProperty(e,r,{enumerable:!0,get:t})},a.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},a.t=function(e,r){if(1&r&&(e=a(e)),8&r)return e;if(4&r&&"object"==typeof e&&e&&e.__esModule)return e;var t=Object.create(null);if(a.r(t),Object.defineProperty(t,"default",{enumerable:!0,value:e}),2&r&&"string"!=typeof e)for(var n in e)a.d(t,n,function(r){return e[r]}.bind(null,n));return t},a.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return a.d(r,"a",r),r},a.o=function(e,r){return Object.prototype.hasOwnProperty.call(e,r)},a.p="/",a.oe=function(e){throw console.error(e),e};var i=this["webpackJsonpoconnorevents.react"]=this["webpackJsonpoconnorevents.react"]||[],c=i.push.bind(i);i.push=r,i=i.slice();for(var l=0;l<i.length;l++)r(i[l]);var f=c;t()}([])</script><script src="/static/js/3.5e3399a8.chunk.js"></script><script src="/static/js/main.8eab695a.chunk.js"></script></body></html>* Connection #0 to host oconnorevents.co.uk left intact

This is the details of my ingress

Name:             ingress
Namespace:        default
Address:          20.90.138.208
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  aks-ingress-tls terminates oconnorevents.co.uk
Rules:
  Host                 Path  Backends
  ----                 ----  --------
  oconnorevents.co.uk
                       /(.*)   svc-oconnorevents-react:80 (10.244.0.41:80)
Annotations:           kubernetes.io/ingress.class: nginx
                       nginx.ingress.kubernetes.io/rewrite-target: /$2
                       nginx.ingress.kubernetes.io/use-regex: true
Events:
  Type    Reason  Age               From                      Message
  ----    ------  ----              ----                      -------
  Normal  Sync    0s (x2 over 23s)  nginx-ingress-controller  Scheduled for sync
  Normal  Sync    0s (x2 over 23s)  nginx-ingress-controller  Scheduled for sync

This is the .yaml for my ingress...

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  tls:
  - hosts:
    - oconnorevents.co.uk
    secretName: aks-ingress-tls
  rules:
  - host: oconnorevents.co.uk
    http:
      paths:
      - path: /(.*)
        pathType: Prefix
        backend:
          service:
            name: svc-oconnorevents-react
            port:
              number: 80

And this is the service and app that it's pointing to

apiVersion: v1
kind: Service
metadata:
  name: svc-oconnorevents-react
  labels:
    version: dev
    product: oconnorevents-react
spec:
  selector:
    app: oconnorevents-react
  type: ClusterIP
  ports:
  - port: 80

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dep-oconnorevents-react
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oconnorevents-react
  template:
    metadata:
      labels:
        app: oconnorevents-react
    spec:
      containers:
      - name: oconnorevents-react
        image: oconnorevents.azurecr.io/oconnoreventsreact:#{Build.BuildId}#
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: "0.10"
      imagePullSecrets:
        - name: acr-secret

I feel I am close but where am I going wrong here?

-- Konzy262
azure
azure-aks
kubernetes

1 Answer

5/20/2021

What kind of error are you getting when accessing via a browser?

The curl request is succeeding because you’re explicitly ignoring the self-signed certificate with ‘-k’.

-- Michael B
Source: StackOverflow