kubernetes / ingress-nginx

Ingress NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0

Route53 DNS problems #11460

Closed kishorpacefin closed 4 months ago

kishorpacefin commented 5 months ago

Hi,

I want to add a new SSL certificate to my Kubernetes cluster, and here’s how my routing works:

Suppose my main URL is abc.com and my ingress host URL is qwe.com.

So, when I hit abc.com, it routes like this: abc.com -> Route 53 -> API Gateway -> Ingress Host (qwe.com) -> Backend Service.

I get the response while seeing abc.com in the browser, with backend routing happening behind the scenes. Thus, my ingress URL remains hidden.

Current Ingress Configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dev-router-master
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range"
spec:
  ingressClassName: nginx
  rules:
    - host: qwe.com
      http:
        paths:
          - path: /api/dao
            pathType: Prefix
            backend:
              service:
                name: kyc-service
                port:
                  number: 80

Problem After Adding SSL:

After adding SSL to my NGINX ingress controller, whenever I hit abc.com, I am able to access the application, but it forwards the site from abc.com to qwe.com, and I see qwe.com in the browser.

Updated Ingress Configuration with SSL:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dev-router-master
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - abc.com
        - qwe.com
      secretName: secret-key
  rules:
    - host: abc.com
      http:
        paths:
          - path: /api/dao
            pathType: Prefix
            backend:
              service:
                name: kyc-service
                port:
                  number: 80
    - host: qwe.com
      http:
        paths:
          - path: /api/dao
            pathType: Prefix
            backend:
              service:
                name: kyc-service
                port:
                  number: 80

Desired Result: Whenever I hit abc.com, I should get a response on abc.com only, with all backend routing happening invisibly.

Cluster Information:

Kubernetes Version: AKS cluster with version 1.26.10
Ingress-NGINX Version:
NGINX Ingress controller
Release: v1.3.0
Build: 2b7b74854d90ad9b4b96a5011b9e8b67d20bfb8f
Repository: https://github.com/kubernetes/ingress-nginx
NGINX Version: nginx/1.19.10
  kubectl describe deployment.apps/ingress-nginx-controller -n ingress-nginx
Name:                   ingress-nginx-controller
Namespace:              ingress-nginx
CreationTimestamp:      Mon, 16 Oct 2023 17:20:30 +0530
Labels:                 app.kubernetes.io/component=controller
                        app.kubernetes.io/instance=ingress-nginx
                        app.kubernetes.io/name=ingress-nginx
                        app.kubernetes.io/part-of=ingress-nginx
                        app.kubernetes.io/version=1.3.0
Annotations:            deployment.kubernetes.io/revision: 1
Selector:               app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:           app.kubernetes.io/component=controller
                    app.kubernetes.io/instance=ingress-nginx
                    app.kubernetes.io/name=ingress-nginx
  Service Account:  ingress-nginx
  Containers:
   controller:
    Image:       registry.k8s.io/ingress-nginx/controller:v1.3.0@sha256:d1707ca76d3b044ab8a28277a2466a02100ee9f58a86af1535a3edf9323ea1b5
    Ports:       80/TCP, 443/TCP, 8443/TCP
    Host Ports:  0/TCP, 0/TCP, 0/TCP
    Args:
      /nginx-ingress-controller
      --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
      --election-id=ingress-controller-leader
      --controller-class=k8s.io/ingress-nginx
      --ingress-class=nginx
      --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
      --validating-webhook=:8443
      --validating-webhook-certificate=/usr/local/certificates/cert
      --validating-webhook-key=/usr/local/certificates/key
    Requests:
      cpu:      100m
      memory:   90Mi
    Liveness:   http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=5
    Readiness:  http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
    Environment:
      POD_NAME:        (v1:metadata.name)
      POD_NAMESPACE:   (v1:metadata.namespace)
      LD_PRELOAD:     /usr/local/lib/libmimalloc.so
    Mounts:
      /usr/local/certificates/ from webhook-cert (ro)
  Volumes:
   webhook-cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  ingress-nginx-admission
    Optional:    false
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Progressing    True    NewReplicaSetAvailable
  Available      True    MinimumReplicasAvailable
OldReplicaSets:  <none>
NewReplicaSet:   ingress-nginx-controller-85b7678f89 (1/1 replicas created)
Events:          <none>

Can anyone help me achieve this without showing my ingress NGINX host URL?
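To find where the address changes from abc.com to qwe.com in the flow described in this post, record the response headers of every hop (for example with `curl -sIL http://abc.com/api/dao`) and look for a 3xx response whose `Location` names a different host. The sketch below is an added example, not part of the original issue or of ingress-nginx; the transcript is constructed and the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample of `curl -sIL http://abc.com/api/dao` output (not from the issue).
SAMPLE = """\
HTTP/1.1 308 Permanent Redirect
Location: https://qwe.com/api/dao

HTTP/1.1 200 OK
Content-Type: application/json

"""

def parse_hops(transcript):
    """Split a curl -sIL transcript into (status, headers) per response."""
    hops = []
    for block in transcript.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [line for line in block.split("\n") if line.strip()]
        if not lines or not lines[0].startswith("HTTP/"):
            continue  # skip anything that is not a response header block
        status = int(lines[0].split()[1])
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        hops.append((status, headers))
    return hops

def host_changes(start_url, transcript):
    """Return (status, from_host, target_url) for each redirect that leaves the current host."""
    current = start_url
    changes = []
    for status, headers in parse_hops(transcript):
        location = headers.get("location")
        if 300 <= status < 400 and location:
            target = urljoin(current, location)  # resolves relative Location values
            if urlsplit(target).hostname != urlsplit(current).hostname:
                changes.append((status, urlsplit(current).hostname, target))
            current = target
    return changes

if __name__ == "__main__":
    for status, src, target in host_changes("http://abc.com/api/dao", SAMPLE):
        print(f"{status}: {src} -> {target}")
```

An empty result means no HTTP redirect moved the client off the host it started on.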

k8s-ci-robot commented 5 months ago

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

longwuyuan commented 5 months ago

/retitle Route53 DNS problems
/remove-kind bug
/kind support

kishorpacefin commented 5 months ago

Hi @longwuyuan and @strongjz, can you help me on this problem? It is very critical, so please help me on this.

longwuyuan commented 5 months ago

Your issue description is not showing any problem with the ingress-nginx controller because routing and TLS work for all users.

So what is the problem with the ingress-nginx controller when you say this below?

> After adding SSL to my NGINX ingress controller, whenever I hit abc.com, I am able to access the application, but it forwards the site from abc.com to qwe.com, and I see qwe.com in the browser.

I suggest ;

My guess is that you are not reporting any problem in the ingress-nginx controller code. It is very likely you are referring to some kind of application design or platform design related problem, and the ingress-nginx controller is a component.

You are confusing readers here by first saying that you are yourself likely having a CNAME record that is causing some redirection here:

> So, when I hit abc.com, it routes like this: abc.com -> Route 53 -> API Gateway -> Ingress Host (qwe.com) -> Backend Service.

And then you are sort of claiming that you DO NOT expect the redirection via CNAME here:

> Whenever I hit abc.com, I should get a response on abc.com only,

If you are trying to solve a problem that is NOT in the ingress-nginx controller code but somewhere in your DNS or application/platform design, then you have better chances to discuss this in the kubernetes-users channel of the K8S slack. There are more users & experts there, when compared to limited resources here.

longwuyuan commented 4 months ago

Since there is no evident problem to work on in the ingress-nginx controller scope, I will close this issue for now.

Feel free to re-open the issue after you have posted the information that shows a problem that the project needs to solve in the ingress-nginx controller.

/close

k8s-ci-robot commented 4 months ago

@longwuyuan: Closing this issue.

In response to [this](https://github.com/kubernetes/ingress-nginx/issues/11460#issuecomment-2169265956):

>Since there is no evident problem to work on in the ingress-nginx controller scope, I will close this issue for now.
>
>Feel free to re-open the issue after you have posted the information that shows a problem that the project needs to solve in the ingress-nginx controller.
>
>/close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.