nginx ingress controller tls termination passthrough

7/21/2021

Just deployed my docker image to Azure AKS and created nginx ingress controller. My image has the SSL certificate and handles SSL itself. So, I need a passthrough route to my container.

When I navigate to https://just-poc.live, the famous nginx 502 gateway error is displayed.

Apparently, nginx couldn't find a route to send https traffic.

What should I do to make the nginx controller route the traffic to my socket-poc deployment?


nginx ingress controller

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world-ingress
  annotations:
    kubernetes.io/ingress.class: nginx       
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
  - http:
      paths:     
      - path: /(.*)
        pathType: Prefix
        backend:
          service:
            name: socket-poc
            port:
              number: 8081            

deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: socket-poc
spec:
  replicas: 1
  selector:
    matchLabels:
      app: socket-poc
  template:
    metadata:
      labels:
        app: socket-poc
    spec:      
      containers:
      - name: socket-poc
        image: myownacrrepo.azurecr.io/socket:8081
        env:
        - name: TOOLBAR_COLOR
          value: "green"                
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 300m
            memory: 512Mi
        ports:
        - containerPort: 8081
          
---
apiVersion: v1
kind: Service
metadata:
  name: socket-poc
spec:
  type: ClusterIP
  ports:
  - port: 8081
  selector:
    app: socket-poc

kubectl get services displays the following:

NAME                                               TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)                      AGE
aks-helloworld-one                                 ClusterIP      10.0.34.79    <none>          80/TCP                       57m
nginx-ingress-ingress-nginx-controller             LoadBalancer   10.0.74.62    20.93.213.132   80:31262/TCP,443:30706/TCP   35m
nginx-ingress-ingress-nginx-controller-admission   ClusterIP      10.0.177.29   <none>          443/TCP                      35m
socket-poc                                         ClusterIP      10.0.64.248   <none>          8081/TCP                     69m

kubectl describe ingress hello-world-ingress displays this:

Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Name:             hello-world-ingress
Namespace:        ingress-basic
Address:          20.93.213.132
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host        Path  Backends
  ----        ----  --------
  *
              /(.*)   socket-poc:8081 (10.244.1.18:8081)
Annotations:  kubernetes.io/ingress.class: nginx
              nginx.ingress.kubernetes.io/rewrite-target: /$1
              nginx.ingress.kubernetes.io/ssl-passthrough: true
              nginx.ingress.kubernetes.io/use-regex: true
Events:
  Type    Reason  Age                From                      Message
  ----    ------  ----               ----                      -------
  Normal  Sync    19m (x4 over 35m)  nginx-ingress-controller  Scheduled for sync
  Normal  Sync    19m (x4 over 35m)  nginx-ingress-controller  Scheduled for sync
-- killjoy
kubernetes
nginx
nginx-ingress
ssl

1 Answer

7/21/2021

The nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" annotation was missing. The 502 error is gone!

-- killjoy
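
An added example (not part of the original post or answer) that sets the answer's fix beside a true passthrough Ingress, because the two terminate TLS in different places. It assumes the host just-poc.live and namespace ingress-basic from the question; the name hello-world-passthrough is hypothetical, and the path rule is simplified to / because the question's /(.*) to /$1 rewrite maps every path to itself.

```yaml
# Variant A (the answer's fix): re-encryption, not passthrough.
# nginx terminates the client's TLS session (the browser sees the controller's
# certificate, the default self-signed one unless spec.tls is set) and opens a
# second TLS connection to the pod. The pod's certificate is not verified
# unless nginx.ingress.kubernetes.io/proxy-ssl-verify is turned on.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world-ingress
  namespace: ingress-basic
  annotations:
    kubernetes.io/ingress.class: nginx
    # Without this, nginx speaks plain HTTP to the TLS-only port 8081: 502.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
  - host: just-poc.live
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: socket-poc
            port:
              number: 8081
---
# Variant B: true passthrough. Apply one variant, not both.
# The controller must be started with --enable-ssl-passthrough, otherwise the
# annotation is ignored. Routing is by SNI, so a host is required, and
# layer-7 annotations (rewrite-target, use-regex) have no effect.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world-passthrough   # hypothetical name
  namespace: ingress-basic
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - host: just-poc.live
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service: {name: socket-poc, port: {number: 8081}}
```

With variant A the container's own certificate never reaches the browser; only variant B keeps the private key and TLS session end to end inside the pod.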
Source: StackOverflow