Closed jfpucheu closed 1 week ago
This issue is currently awaiting triage.
If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted
label and provide further guidance.
The triage/accepted
label can be added by org members by writing /triage accepted
in a comment.
/remove-kind bug
this message
"passing to" hostport="127.0.0.1:442" ->
shows a loopback ipaddress and it sort of implies you want a TLS connection to the ingress-controller pod on its internal loopback interface. Does not make sense. Much more data is needed as to understand this.
Please try to add info here like ;
kubectl describe
for the related ingress resourcekubectl get all -n ingress-nginx
look like/remove-kind bug /kind support
"shows a loopback ipaddress and it sort of implies you want a TLS connection to the ingress-controller pod on its internal loopback interface" ---> that is the subject .... it is not what we want. it is SSL Passtrough set up , we should never see the request going to 127.0.0.1:442. But sometimes on some reloads it's append when --disable-full-test is set
There are 2 aspects. If the state was in transit to being reconciled and a new connection for tls-passthrough was attempted, then this would be expected.
This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev
on Kubernetes Slack.
Hit this bug also. In big clusters with big number of ingresses it takes ages to reload config without --disable-full-test. So this option used often. And really it breaks nginx.ingress.kubernetes.io/ssl-passthrough=true annotation.
It is possible that large volume of change being done concurrently, will cause delay in reload and error during reload.
But the description of this issue is not enough to take any practical action on. We already know about the large sixe change reload performance. There is work in progress to mitigate that large size reload and security problem.
If this issue is only about large size reload breaking ssl-passthrough even then there is no action item here for the project because when the controller process is stuck, then many things will break and not only ssl-passthrough. Having more compute or memory at the time and on the node where the reload process is happening may be a temporary workaround. This is inherited from nginx as vanilla nginx also will reload delay if the number of changes is too bug and all concurrent.
Plain ssl-passthrough works without problems as even other software use it https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#kubernetesingress-nginx .
Since there is no action-item tracking here in this issue I will close it because it is adding to the tally of open issues.
/close
@longwuyuan: Closing this issue.
What happened: Ingress using ssl-passthrough stop working on some nginx config reload and finaly the request is sent to nginx and the fake certificate is display because no certificates are set on this ingress because it is ssl-passthrough
for example:
a full restart of nginx solve the issue during some times..
What you expected to happen:
Nginx-ingress-controller should continue to redirect request tcp to 10.105.235.186:5556 all time
NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
Kubernetes version (use
kubectl version
):Environment:
Cloud provider or hardware configuration:
OS (e.g. from /etc/os-release): centos7, Ubuntu 22
Kernel (e.g.
uname -a
): 5.15.0-60-generic #66-UbuntuInstall tools:
Basic cluster related info:
How was the ingress-nginx-controller installed:
apply of https://github.com/kubernetes/ingress-nginx/blob/main/deploy/static/provider/cloud/deploy.yaml from flux
flags:
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES ingress-nginx-admission-create-v56th 0/1 Completed 0 7d6h 172.16.11.105 ccnp-mgt01-worker-fmvrf
ingress-nginx-admission-patch-dbg54 0/1 Completed 0 7d6h 172.16.21.161 ccnp-mgt01-worker-x64nk
ingress-nginx-controller-jlj7q 1/1 Running 0 7h20m 172.16.16.79 ccnp-mgt01-ingress-6dd82
ingress-nginx-controller-nbwkt 1/1 Running 0 7h20m 172.16.14.43 ccnp-mgt01-ingress-hrzsn
Current State of the controller:
Current state of ingress object, if applicable:
How to reproduce this issue:
Create an ingress with ssl-passthrough:
add the parameter: --disable-full-test to ingress-controller
after some time and config reload the issue appear
Anything else we need to know:
the issue seems to be present only with --disable-full-test parameter set. A restart of nginx reload all the config and solve the issue temporarly