field ingress.spec.defaultBackend.service.port.number is broken #11517

Open
ahus1 opened this issue Jun 28, 2024 · 5 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-priority triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments


ahus1 commented Jun 28, 2024

What happened:

I've set up Minikube with nginx ingress and ssl-passthrough. When I specify in the ingress the port name it works, but it doesn't work when specifying the port number.

I0628 12:18:46.971157       7 nginx.go:804] "Handling TCP connection" remote="192.168.39.1:42486" local="10.244.0.14:443"
I0628 12:18:46.973113       7 tcp.go:74] "TLS Client Hello" host="keycloak.keycloak-namespace.192.168.39.71.nip.io"
I0628 12:18:46.973132       7 tcp.go:84] "passing to" hostport="10.104.89.104:0"
E0628 12:18:46.995568       7 tcp.go:87] "error dialing proxy" err="dial tcp 10.104.89.104:0: connect: connection refused" ip="10.104.89.104" port=0 hostname="keycloak.keycloak-namespace.192.168.39.71.nip.io"

What you expected to happen:

I expected specifying a port number in the Ingress would work as well.

$ kubectl explain ingress.spec.defaultBackend.service.port
KIND:     Ingress
VERSION:  networking.k8s.io/v1

RESOURCE: port <Object>

DESCRIPTION:
     port of the referenced service. A port name or port number is required for
     a IngressServiceBackend.

     ServiceBackendPort is the service port being referenced.

FIELDS:
   name <string>
     name is the name of the port on the Service. This is a mutually exclusive
     setting with "Number".

   number       <integer>
     number is the numerical port number (e.g. 80) on the Service. This is a
     mutually exclusive setting with "Name".

NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):

NGINX Ingress controller
  Release:       v1.10.1
  Build:         4fb5aac1dd3669daa3a14d9de3e3cdb371b4c518
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.25.3

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.2", GitCommit:"5835544ca568b757a8ecae5c153f317e5736700e", GitTreeState:"clean", BuildDate:"2022-09-21T14:33:49Z", GoVersion:"go1.19.1", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"30", GitVersion:"v1.30.0", GitCommit:"7c48c2bd72b9bf5c44d21d7338cc7bea77d0ad2a", GitTreeState:"clean", BuildDate:"2024-04-17T17:27:03Z", GoVersion:"go1.22.2", Compiler:"gc", Platform:"linux/amd64"}

Environment: minikube version: v1.33.1

How to reproduce this issue:

Ingress that doesn't work (note that "port.number" is set)

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    javaoperatorsdk.io/previous: 4a06bec1-adbc-4a56-b22d-13540a64baff
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  creationTimestamp: "2024-06-28T10:38:07Z"
  generation: 8
  labels:
    app: keycloak
    app.kubernetes.io/instance: keycloak-kubernetes-quickstart
    app.kubernetes.io/managed-by: keycloak-operator
  name: keycloak-kubernetes-quickstart-ingress
  namespace: keycloak-namespace
  ownerReferences:
  - apiVersion: k8s.keycloak.org/v2alpha1
    kind: Keycloak
    name: keycloak-kubernetes-quickstart
    uid: 7adb441e-f3b2-46a4-9429-e67bf7ffc534
  resourceVersion: "6716"
  uid: a0972d87-f144-4151-818a-bfff7ead1b94
spec:
  defaultBackend:
    service:
      name: keycloak-kubernetes-quickstart-service
      port:
        number: 8443
  ingressClassName: nginx
  rules:
  - host: keycloak.keycloak-namespace.192.168.39.71.nip.io
    http:
      paths:
      - backend:
          service:
            name: keycloak-kubernetes-quickstart-service
            port:
              number: 8443
        path: /
        pathType: Prefix
status:
  loadBalancer:
    ingress:
    - ip: 192.168.39.71

Ingress that works (note that "port.name" is set):

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    javaoperatorsdk.io/previous: 4a06bec1-adbc-4a56-b22d-13540a64baff
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  creationTimestamp: "2024-06-28T10:38:07Z"
  generation: 9
  labels:
    app: keycloak
    app.kubernetes.io/instance: keycloak-kubernetes-quickstart
    app.kubernetes.io/managed-by: keycloak-operator
  name: keycloak-kubernetes-quickstart-ingress
  namespace: keycloak-namespace
  ownerReferences:
  - apiVersion: k8s.keycloak.org/v2alpha1
    kind: Keycloak
    name: keycloak-kubernetes-quickstart
    uid: 7adb441e-f3b2-46a4-9429-e67bf7ffc534
  resourceVersion: "7351"
  uid: a0972d87-f144-4151-818a-bfff7ead1b94
spec:
  defaultBackend:
    service:
      name: keycloak-kubernetes-quickstart-service
      port:
        name: https
  ingressClassName: nginx
  rules:
  - host: keycloak.keycloak-namespace.192.168.39.71.nip.io
    http:
      paths:
      - backend:
          service:
            name: keycloak-kubernetes-quickstart-service
            port:
              number: 8443
        path: /
        pathType: Prefix
status:
  loadBalancer:
    ingress:
    - ip: 192.168.39.71

Service

apiVersion: v1
kind: Service
metadata:
  annotations:
    javaoperatorsdk.io/previous: 2622db6d-9abc-4b1b-94fc-f04b6c27a41c
  creationTimestamp: "2024-06-28T10:38:07Z"
  labels:
    app: keycloak
    app.kubernetes.io/instance: keycloak-kubernetes-quickstart
    app.kubernetes.io/managed-by: keycloak-operator
  name: keycloak-kubernetes-quickstart-service
  namespace: keycloak-namespace
  ownerReferences:
  - apiVersion: k8s.keycloak.org/v2alpha1
    kind: Keycloak
    name: keycloak-kubernetes-quickstart
    uid: 7adb441e-f3b2-46a4-9429-e67bf7ffc534
  resourceVersion: "708"
  uid: bc3408f7-da8f-4441-bc2d-5949698c69b1
spec:
  clusterIP: 10.104.89.104
  clusterIPs:
  - 10.104.89.104
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: https
    port: 8443
    protocol: TCP
    targetPort: 8443
  - name: management
    port: 9000
    protocol: TCP
    targetPort: 9000
  selector:
    app: keycloak
    app.kubernetes.io/instance: keycloak-kubernetes-quickstart
    app.kubernetes.io/managed-by: keycloak-operator
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

Configuration logged by Nginx.
You'll see that in one of the configs the PassthroughBackends has set port 0 when it is broken, and a port 8443 when it works.
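
A log check for the symptom in this report, as an added example that is not part of the original issue or the ingress-nginx code base: it parses controller log lines in the format shown above and returns every passthrough hand-off or dial error whose upstream port is 0. The function names and the fifth sample line are assumptions made for the example.

```python
import re

# klog text header, then a quoted message followed by key=value pairs.
KLOG = re.compile(r'^([IWEF])\d{4} ([\d:.]+)\s+\d+ ([\w.]+:\d+)\] "([^"]*)"(.*)$')
FIELD = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# Lines 1-4 are copied from the report above; line 5 is constructed to show
# a hand-off with a resolved port for comparison.
SAMPLE = r'''
I0628 12:18:46.971157       7 nginx.go:804] "Handling TCP connection" remote="192.168.39.1:42486" local="10.244.0.14:443"
I0628 12:18:46.973113       7 tcp.go:74] "TLS Client Hello" host="keycloak.keycloak-namespace.192.168.39.71.nip.io"
I0628 12:18:46.973132       7 tcp.go:84] "passing to" hostport="10.104.89.104:0"
E0628 12:18:46.995568       7 tcp.go:87] "error dialing proxy" err="dial tcp 10.104.89.104:0: connect: connection refused" ip="10.104.89.104" port=0 hostname="keycloak.keycloak-namespace.192.168.39.71.nip.io"
I0628 12:25:01.100000       7 tcp.go:84] "passing to" hostport="10.104.89.104:8443"
'''


def parse(line):
    """Split one klog line into severity, time, source, message and fields."""
    m = KLOG.match(line.strip())
    if not m:
        return None
    sev, ts, src, msg, rest = m.groups()
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(rest)}
    return {"sev": sev, "time": ts, "src": src, "msg": msg, **fields}


def port_zero_events(lines):
    """Return passthrough hand-offs and dial errors that target port 0."""
    events = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["msg"] == "passing to":
            ip, _, port = rec.get("hostport", "").rpartition(":")
            host = None  # this log line does not carry the SNI hostname
        elif rec["msg"] == "error dialing proxy":
            ip, port, host = rec.get("ip"), rec.get("port"), rec.get("hostname")
        else:
            continue
        if port == "0":
            events.append({"time": rec["time"], "msg": rec["msg"],
                           "ip": ip, "hostname": host})
    return events


if __name__ == "__main__":
    for event in port_zero_events(SAMPLE.splitlines()):
        print(event)
```
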

@ahus1 ahus1 added the kind/bug Categorizes issue or PR as related to a bug. label Jun 28, 2024
@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Jun 28, 2024
@longwuyuan
Contributor

/triage accepted
This is similar to 9030.

Unfortunately, what is known is that the field "ingress.spec.defaultBackend" is not working. Since this issue is about a spec further down in that field, we can conclude that the triage for this issue is accepted.

Because the flag "--default-backend-service" passed to the controller works now, it can be considered a workaround.

There is some info in that other issue that the problem was caused by this PR #8825. I will create an issue to explore reverting what that PR changed.

@Gacko any comments

@rikatz @strongjz @tao12345666333 if it is as simple as reverting #8825, would you want to review/consider it

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jun 28, 2024
@longwuyuan
Contributor

@harry1064 any comments

@longwuyuan
Contributor

/retitle field ingress.spec.defaultBackend.service.port.number is broken

@k8s-ci-robot k8s-ci-robot changed the title from "ssl-passthrough fails to contact upstream when ingress specifies a port number but works when specifying a port name" to "field ingress.spec.defaultBackend.service.port.number is broken" Jun 29, 2024

This is stale, but we won't close it automatically; just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.

@github-actions github-actions bot added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Jul 30, 2024
@chengjoey
Contributor

I can't reproduce this in kind; this is my YAML:

apiVersion: v1
kind: Pod
metadata:
  name: app
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
      - name: http
        containerPort: 80
    resources:
      limits:
        cpu: "0.1"
        memory: "100Mi"
      requests:
        cpu: "0.1"
        memory: "100Mi"
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: app
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  labels:
    app: nginx
  name: app
spec:
  defaultBackend:
    service:
      name: app
      port:
        number: 80
  ingressClassName: nginx
  rules:
  - host: localhost
    http:
      paths:
      - backend:
          service:
            name: app
            port:
              number: 80
        path: /
        pathType: Prefix

@github-actions github-actions bot removed the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Aug 13, 2024