compumike / hairpin-proxy

PROXY protocol support for internal-to-LoadBalancer traffic for Kubernetes Ingress users. If you've had problems with ingress-nginx, cert-manager, LetsEncrypt ACME HTTP01 self-check failures, and the PROXY protocol, read on.
MIT License

hairpin proxy controller does not update coredns config map #18

Open bpereto opened 2 years ago

bpereto commented 2 years ago
I, [2022-04-08T15:35:38.303359 #1]  INFO -- : Corefile has changed! New contents:

      .:53 {
          rewrite name foo.foo.ch hairpin-proxy.hairpin-proxy.svc.cluster.local # Added by hairpin-proxy
          errors
          health
          kubernetes cluster.local in-addr.arpa ip6.arpa {
             pods insecure
             fallthrough in-addr.arpa ip6.arpa
          }
          prometheus :9153
          forward . /etc/resolv.conf
          cache 30
          loop
          reload
          loadbalance
      }

Sending updated ConfigMap to Kubernetes API server...

but the resulting config map then does not contain the updated config with rewrites:

kubectl get configmap -n kube-system coredns -o=jsonpath='{.data.Corefile}'

      .:53 {
          errors
          health
          kubernetes cluster.local in-addr.arpa ip6.arpa {
             pods insecure
             fallthrough in-addr.arpa ip6.arpa
          }
          prometheus :9153
          forward . /etc/resolv.conf
          cache 30
          loop
          reload
          loadbalance
      }

What am I missing? I use the standard ingress-nginx (no Target override necessary).

leoslf commented 1 year ago

Hi @bpereto,

What am I missing? I use the standard ingress-nginx (no Target override necessary).

I guess you have to apply some Ingress that lists the domains you want rewritten in spec.tls.hosts, since hairpin-proxy in fact just scans the Ingresses for their spec.tls.hosts and writes them into the coredns ConfigMap in kube-system.

e.g.

      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: foo
        namespace: foo
      spec:
        tls:
          - hosts:
              - a.foo.com
              - b.foo.com
            secretName: foo-staging
        rules:
          - host: "*.foo.com"
            http:
              paths:
                - path: /
                  pathType: Prefix
                  backend:
                    service:
                      name: hello-world
                      port:
                        number: 5678

Besides, just in case: using the Bitnami Helm chart for ingress-nginx-controller requires setting fullnameOverride: ingress-nginx-controller in the values.

Thanks, Leo
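The mechanism Leo describes, as an added example that is not hairpin-proxy's own code: collect spec.tls.hosts from every Ingress, rebuild the Corefile with one `rewrite name` line per host, and then compare the live Corefile against the expected host list so that the symptom in this issue (controller logs the change, ConfigMap stays unchanged) shows up as a concrete list of missing hosts. The marker comment and the insertion point directly after `.:53 {` are assumptions taken from the log above; the Ingress objects and the Corefile are constructed inline rather than fetched from the API.

```ruby
# Added example, not hairpin-proxy's own code. Assumptions: the
# "# Added by hairpin-proxy" marker and the insertion point right after
# `.:53 {` are taken from the log in the issue; Ingresses are plain hashes.

MARKER = "# Added by hairpin-proxy"
PROXY_TARGET = "hairpin-proxy.hairpin-proxy.svc.cluster.local"

# Constructed sample Corefile (same shape as the one in the issue).
ORIGINAL_COREFILE = <<~COREFILE
  .:53 {
      errors
      health
      kubernetes cluster.local in-addr.arpa ip6.arpa {
         pods insecure
         fallthrough in-addr.arpa ip6.arpa
      }
      prometheus :9153
      forward . /etc/resolv.conf
      cache 30
      loop
      reload
      loadbalance
  }
COREFILE

# Constructed Ingress objects in the shape of networking.k8s.io/v1.
INGRESSES = [
  { "metadata" => { "name" => "foo", "namespace" => "foo" },
    "spec" => { "tls" => [{ "hosts" => ["b.foo.com", "a.foo.com"],
                            "secretName" => "foo-staging" }] } },
  # No spec.tls at all: a controller keyed on spec.tls.hosts ignores this one,
  # even though spec.rules names a host.
  { "metadata" => { "name" => "bar", "namespace" => "bar" },
    "spec" => { "rules" => [{ "host" => "bar.example.com" }] } },
]

# spec.tls[].hosts[] across all Ingresses, deduplicated and sorted.
def tls_hosts(ingresses)
  ingresses.flat_map { |ing| Array(ing.dig("spec", "tls")).flat_map { |t| Array(t["hosts"]) } }
           .uniq.sort
end

# Marker-tagged rewrite lines present in a Corefile (whitespace stripped).
def rewrite_lines(corefile)
  corefile.lines.map(&:strip).select { |l| l.end_with?(MARKER) }
end

# Corefile with every marker-tagged line removed: the clean slate the
# controller starts from on each reconcile.
def strip_rewrites(corefile)
  corefile.lines.reject { |l| l.strip.end_with?(MARKER) }.join
end

# Rebuild the Corefile: drop stale rewrites, then insert one per host
# directly after the `.:53 {` server-block opener. Running it twice on its
# own output yields the same text, so a controller can apply it blindly.
def build_corefile(original, hosts, target = PROXY_TARGET)
  lines = strip_rewrites(original).lines
  idx = lines.index { |l| l =~ /\A\s*\.:53\s*\{/ }
  raise "no .:53 server block in Corefile" unless idx
  rewrites = hosts.map { |h| "    rewrite name #{h} #{target} #{MARKER}\n" }
  (lines[0..idx] + rewrites + lines[(idx + 1)..]).join
end

# Hosts that should be rewritten but are absent from the live Corefile.
# Feed it the output of
#   kubectl get configmap -n kube-system coredns -o=jsonpath='{.data.Corefile}'
# to turn "the ConfigMap does not contain the rewrites" into a host list.
def missing_rewrites(live_corefile, hosts)
  present = rewrite_lines(live_corefile).map { |l| l.split[2] }
  hosts - present
end

if __FILE__ == $PROGRAM_NAME
  hosts = tls_hosts(INGRESSES)
  puts build_corefile(ORIGINAL_COREFILE, hosts)
  puts "missing in live Corefile: #{missing_rewrites(ORIGINAL_COREFILE, hosts).inspect}"
end
```

An empty result from `missing_rewrites` against the live ConfigMap means the rewrites really landed and the problem is elsewhere (for example CoreDNS not reloading); a non-empty result with a controller log that claims "Sending updated ConfigMap" points at the write itself, typically RBAC on the ConfigMap or a second controller overwriting it.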