Closed. zzjin closed this issue 3 weeks ago.
After testing, it was found that the issue was not related to ns/certname. The problem was resolved by changing `fallbackForInvalidSecret` from `true` to `false`.
cc @2456868764
When `fallbackForInvalidSecret` is `true`, the controller first checks whether the Secret named by `secretName` exists in the Ingress's namespace; if it does not, it then looks it up in the `higress-https` ConfigMap by `hostName`. So when an Ingress changes its `hostName` and `secretName`, does the corresponding Secret already exist? When cert-manager generates the Secret through Let's Encrypt there is a delay on the order of seconds.
The corresponding Secret is requested asynchronously: it does not exist when the Ingress is created and is only created some time later. After the Secret is generated, no HTTPS content is added to the corresponding Gateway; restarting the controller recovers it.

Reproduction using cert-manager in selfsign mode:

```yaml
# ClusterIssuer backed by a CA key pair stored in the ca-key-pair Secret
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: k8s-ca-issuer
spec:
  ca:
    secretName: ca-key-pair
```

```yaml
# Ingress that references a TLS Secret which cert-manager has not written yet
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: network-hgrzpprwzkyc
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: 'false'
    nginx.ingress.kubernetes.io/backend-protocol: HTTP
spec:
  ingressClassName: higress
  rules:
    - host: test.custom.com
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: httpbin
                port:
                  number: 80
  tls:
    - hosts:
        - test.custom.com
      secretName: network-hgrzpprwzkyc
---
# Certificate that asynchronously produces the Secret the Ingress refers to
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: network-hgrzpprwzkyc
spec:
  secretName: network-hgrzpprwzkyc
  dnsNames:
    - test.custom.com
  issuerRef:
    name: k8s-ca-issuer   # the self-signed issuer defined above
    kind: ClusterIssuer
```

Apply them together:

```
kubectl apply -f test.yaml -n ns-admin
```

Debugging the controller with extra log output added: at the moment the Ingress is applied, the Secret `network-hgrzpprwzkyc` cannot be found.

Re-opening and refreshing the `127.0.0.1:8888/debug/configz` endpoint, the `secretName` can then be seen.

5. The code logic here is as follows:
Updated: it seems related to the fallbackHttps feature.

Higress cannot sync/update an Ingress's HTTPS route when that Ingress's host and TLS secret name are changed.

Base ingress:

Change to:

Then apply. Higress generates the right HTTP gateway RDS, but cannot do HTTPS.

Restart higress-controller and the HTTPS gateway is generated correctly.

Running the command `curl localhost:15014/debug/configz` against higress-controller shows:

After restarting higress-controller, the config shows:

higress version: 1.4.2
kubernetes version: 1.27.1
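A small diagnostic for the sequence described in this thread: apply the Ingress and Certificate, wait for cert-manager to write the Secret, then check whether the controller's config dump references it. This is an added example, not Higress or cert-manager code. It assumes `kubectl` is on PATH and points at the cluster, and that the `/debug/configz` URL is reachable (the port differs between the comments above, 8888 vs 15014, so it is passed as an argument). The exact JSON shape of the dump is not assumed: the search walks any nested dicts and lists and reports every string that mentions the Secret name. The sample dumps at the bottom are constructed to illustrate the before/after state and are not real controller output.

```python
"""Check that a cert-manager-issued TLS Secret is picked up by the gateway.

Added example for the race described in this issue; not Higress or
cert-manager code. Assumptions: kubectl is on PATH and points at the
cluster (only secret_exists/wait_for_secret call it); the controller's
/debug/configz endpoint returns JSON. The JSON shape is NOT assumed: the
search walks any nested dicts/lists and reports every string containing
the Secret name, so it works regardless of how the TLS field is named.
"""
import json
import subprocess
import sys
import time
import urllib.request


def find_secret_refs(doc, secret_name, path="$"):
    """Return JSONPath-like locations of every string containing secret_name."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            hits.extend(find_secret_refs(value, secret_name, f"{path}.{key}"))
    elif isinstance(doc, list):
        for idx, value in enumerate(doc):
            hits.extend(find_secret_refs(value, secret_name, f"{path}[{idx}]"))
    elif isinstance(doc, str) and secret_name in doc:
        hits.append(path)
    return hits


def tls_wired(configz_doc, secret_name):
    """True when the config dump references the Secret anywhere."""
    return bool(find_secret_refs(configz_doc, secret_name))


def secret_exists(namespace, name):
    """True when `kubectl get secret` succeeds for the given Secret."""
    res = subprocess.run(
        ["kubectl", "get", "secret", name, "-n", namespace, "-o", "name"],
        capture_output=True, text=True, check=False)
    return res.returncode == 0


def wait_for_secret(namespace, name, timeout_s=120, poll_s=2):
    """Poll until cert-manager has written the Secret; return seconds waited."""
    start = time.monotonic()
    while True:
        if secret_exists(namespace, name):
            return time.monotonic() - start
        if time.monotonic() - start >= timeout_s:
            raise TimeoutError(f"Secret {namespace}/{name} not created in {timeout_s}s")
        time.sleep(poll_s)


def fetch_configz(url):
    """Download the controller's config dump, e.g. http://127.0.0.1:15014/debug/configz."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def diagnose(namespace, secret_name, configz_url):
    """Wait for the Secret, then report whether the gateway config references it."""
    waited = wait_for_secret(namespace, secret_name)
    hits = find_secret_refs(fetch_configz(configz_url), secret_name)
    return {"waited_s": round(waited, 1), "refs": hits, "tls_wired": bool(hits)}


# Constructed sample dumps (shape is illustrative, not Higress's real output):
# the same HTTP server before and after the controller picks up the Secret.
SECRET = "network-hgrzpprwzkyc"
_HTTP_SERVER = {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                "hosts": ["test.custom.com"]}
SAMPLE_BEFORE = [{"kind": "Gateway", "name": "higress-gateway", "namespace": "higress-system",
                  "spec": {"servers": [_HTTP_SERVER]}}]
SAMPLE_AFTER = [{"kind": "Gateway", "name": "higress-gateway", "namespace": "higress-system",
                 "spec": {"servers": [
                     _HTTP_SERVER,
                     {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                      "hosts": ["test.custom.com"],
                      "tls": {"mode": "SIMPLE",
                              "credentialName": f"kubernetes-ingress://ns-admin/{SECRET}"}}]}}]

if __name__ == "__main__":
    # usage: python check_tls_sync.py <namespace> <secretName> <configz-url>
    ns, name, url = sys.argv[1:4]
    print(json.dumps(diagnose(ns, name, url), indent=2))
```

Run it right after `kubectl apply`; if `waited_s` is non-zero but `tls_wired` is `false`, the Secret arrived after the Ingress was reconciled and the controller did not pick it up, which is the state this thread describes before the controller restart.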