Closed eminaktas closed 1 month ago
This issue is currently awaiting triage.
If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted
label and provide further guidance.
The triage/accepted
label can be added by org members by writing /triage accepted
in a comment.
helm -n <ingresscontrollernamespace> get values <helmreleasename>
How to reproduce this issue:
You can create a minikube cluster and apply the helm values and ingress object that I provided.
We followed this documentation to deploy: https://kubernetes.github.io/ingress-nginx/user-guide/multiple-ingress/
/cc @alperencelik
Can you confirm that both the instances of the ingress-nginx controller have been made unique as described here https://kubernetes.github.io/ingress-nginx/faq/#multiple-controller-in-one-cluster
/remove-kind bug /kind support
Can you confirm that both the instances of the ingress-nginx controller have been made unique as described here https://kubernetes.github.io/ingress-nginx/faq/#multiple-controller-in-one-cluster
/remove-kind bug /kind support
Hi @longwuyuan, thanks for you quick response. Since I want to deploy them to in the same namespace I set all the values as described in the documentation. Nothing worked. I started to believe that we might be hitting a bug. You can also check the helm values that we applied.
Hi @eminaktas , For analyzing the problem based on the logs and config, I was trying to look at these values ;
--set controller.electionID=nginx-two-leader \
--set controller.ingressClassResource.name=nginx-two \
--set controller.ingressClass=nginx-two \
--set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \
--set controller.ingressClassResource.enabled=true \
--set controller.ingressClassByName=true
for both instances of the controller.
But the info posted is too cumbursome to look at. For example the values file is so big and jam packed that its hard to quickly check only these values.
That leads to the second problem that the error message prints the name of a ingress resource and says it contains a invalid class. But there is no output of kubectl describe ing $ingressname
or a cat $ingressfile.yaml
.
If you can help out making the info more usable, maybe some kind of analysis will be easier. For example, the values file can only be limited to whatever you are customizing as the other keys will be configured from the default values file.
In any case you get the idea of how to debug this.
Hi, I provided the information as described in the ticket details. I agree that it is hard to dig into. Anyway, I think the below should help to show what we have done with the helm deployment.
internal controller:
--set controller.electionID=internal-ingress-controller-leader \
--set controller.ingressClassResource.name=internal-nginx-cloud-qa-f1 \
--set controller.ingressClass=internal-nginx-cloud-qa-f1 \
--set controller.ingressClassResource.controllerValue="k8s.io/internal-ingress-nginx" \
--set controller.ingressClassResource.enabled=true \
--set controller.ingressClassByName=true
external controller:
--set controller.electionID=ingress-controller-leader \
--set controller.ingressClassResource.name=nginx-cloud-qa-f1 \
--set controller.ingressClass=nginx-cloud-qa-f1 \
--set controller.ingressClassResource.controllerValue="k8s.io/external-ingress-nginx" \
--set controller.ingressClassResource.enabled=true \
--set controller.ingressClassByName=true
Here, I provided all the resources. Here is the output of the kubectl describe ing $ingressname
Name: internal-test
Labels: <none>
Namespace: cloud-qa-f1
Address: 192.168.49.50
Ingress Class: internal-nginx-cloud-qa-f1
Default backend: <default>
Rules:
Host Path Backends
---- ---- --------
internal-qa-f1.test.com
/nginx-service nginx-service:80 (10.244.1.15:80)
Annotations: kubernetes.io/ingress.class: internal-nginx-cloud-qa-f1
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 3m52s (x182 over 93m) nginx-ingress-controller Scheduled for sync
Normal Sync 3m52s (x182 over 93m) nginx-ingress-controller Scheduled for sync
Normal Sync 3m52s (x182 over 93m) nginx-ingress-controller Scheduled for sync
Normal Sync 3m52s (x181 over 93m) nginx-ingress-controller Scheduled for sync
Normal Sync 3m52s (x181 over 93m) nginx-ingress-controller Scheduled for sync
Normal Sync 3m52s (x181 over 93m) nginx-ingress-controller Scheduled for sync
Name: test
Labels: <none>
Namespace: cloud-qa-f1
Address: 192.168.49.50
Ingress Class: nginx-cloud-qa-f1
Default backend: <default>
Rules:
Host Path Backends
---- ---- --------
qa-f1.test.com
/nginx-service nginx-service:80 (10.244.1.15:80)
Annotations: kubernetes.io/ingress.class: nginx-cloud-qa-f1
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 3m52s (x182 over 93m) nginx-ingress-controller Scheduled for sync
Normal Sync 3m52s (x182 over 93m) nginx-ingress-controller Scheduled for sync
Normal Sync 3m52s (x182 over 93m) nginx-ingress-controller Scheduled for sync
Normal Sync 3m52s (x181 over 93m) nginx-ingress-controller Scheduled for sync
Normal Sync 3m52s (x181 over 93m) nginx-ingress-controller Scheduled for sync
Normal Sync 3m52s (x181 over 93m) nginx-ingress-controller Scheduled for sync
There is no customization only followed the documentation. I am willing to debug it but I am not familiar with the nginx ingress controller code, if you can point me I am willing to debug it.
To state the obvious, get the output of kubectl get ing $ingressname -o yaml
and compare the value for the ingress.spec.ingressClassName
field , to explain the error message that you posted about the ingressClass being invalid ;
"Ignoring ingress because of error while validating ingress class" ingress="cloud-qa-f1/test" error="ingress d
oes not contain a valid IngressClass"
To state the obvious, get the output of
kubectl get ing $ingressname -o yaml
and compare the value for theingress.spec.ingressClassName
field , to explain the error message that you posted about the ingressClass being invalid ;"Ignoring ingress because of error while validating ingress class" ingress="cloud-qa-f1/test" error="ingress d oes not contain a valid IngressClass"
I did it already. There is no typo or wrong definition. If you've checked it you'd also see it 👍
Here are the values of ingressClassNames internal-nginx-cloud-qa-f1
and nginx-cloud-qa-f1
k get ingressclass
NAME CONTROLLER PARAMETERS AGE
internal-nginx-cloud-qa-f1 k8s.io/internal-ingress-nginx <none> 18h
nginx-cloud-qa-f1 k8s.io/external-ingress-nginx <none> 18h
Those are valid values.
can you share screen on meet.jit.si. I have looked at the info you posted and its possible that you are worrying about info level log messages. You have not posted a test in complete analyical details that shows that a curl is failing with unexpected response etc etc
can you share screen on meet.jit.si. I have looked at the info you posted and its possible that you are worrying about info level log messages. You have not posted a test in complete analyical details that shows that a curl is failing with unexpected response etc etc
I shared that log because it was the only thing I was able to notice to be honest. I think we can ignore that log I am not sure but it could be ValidatingWebhook
because the scope is *
. However, the configuration in nginx controller pods both include the both ingress resource definition which I believe should only include the referred one.
Of course I can, thanks for taking this seriously: https://meet.jit.si/ingress-nginx-debugging
if this issue is resolved, please close the issue. thanks
@longwuyuan
Thank you for your time and support. I was able to find the issue after the meeting. We were setting the rbac.scope=true
which prevents creating the ClusterRole (ingress-nginx/templates/clusterrole.yaml
) and ClusterRoleBinding (ingress-nginx/templates/clusterrolebinding.yaml
). When I set the configuration to false
it got resolved and the issue hasn't repeated yet.
So, by default rbac.scope
is set to false however, it is unclear for me why do we set it to false to create the resources?
No idea which template consumes that key but the manifests we publish are explicit about the role/rolebinding related keys, so my guess is that a outside key is only existing to support user customization (that is highly and seriously not recommended)
What happened:
We have two ingress-nginx controllers deployed in a namespace. One for internal, the other one is for external. When we deploy the ingress resources with related ingress class name, we see that both ingress controllers reconciles the both objects.
logs when I apply an ingress object (at the same time both deployments reports the same logs)
``` ingress-nginx-4-11-1-internal-controller-594984bbdd-f5xjk I0807 12:41:14.932245 7 store.go:436] "Ignoring ingress because of error while validating ingress class" ingress="cloud-qa-f1/test" error="ingress d oes not contain a valid IngressClass" ingress-nginx-4-11-1-internal-controller-594984bbdd-gffj8 I0807 12:41:14.932162 7 store.go:436] "Ignoring ingress because of error while validating ingress class" ingress="cloud-qa-f1/test" error="ingress d oes not contain a valid IngressClass" ingress-nginx-4-11-1-internal-controller-594984bbdd-6vkbl I0807 12:41:14.932469 7 store.go:436] "Ignoring ingress because of error while validating ingress class" ingress="cloud-qa-f1/test" error="ingress d oes not contain a valid IngressClass" ingress-nginx-4-11-1-internal-controller-594984bbdd-gffj8 W0807 12:41:14.937048 7 controller.go:333] ignoring ingress internal-test in cloud-qa-f1 based on annotation : ingress does not contain a valid Ingr essClass ingress-nginx-4-11-1-internal-controller-594984bbdd-gffj8 I0807 12:41:14.937062 7 main.go:107] "successfully validated configuration, accepting" ingress="cloud-qa-f1/internal-test" ingress-nginx-4-11-1-internal-controller-594984bbdd-6vkbl I0807 12:41:14.938739 7 store.go:436] "Ignoring ingress because of error while validating ingress class" ingress="cloud-qa-f1/internal-test" error=" ingress does not contain a valid IngressClass" ingress-nginx-4-11-1-internal-controller-594984bbdd-gffj8 I0807 12:41:14.938816 7 store.go:436] "Ignoring ingress because of error while validating ingress class" ingress="cloud-qa-f1/internal-test" error=" ingress does not contain a valid IngressClass" ingress-nginx-4-11-1-internal-controller-594984bbdd-f5xjk I0807 12:41:14.938960 7 store.go:436] "Ignoring ingress because of error while validating ingress class" ingress="cloud-qa-f1/internal-test" error=" ingress does not contain a valid IngressClass" ```What you expected to happen:
Since we are deploying two different ingress classes with different controller value, controllers should only be applying the configuration from related Ingresses. This happens when each controller runs the sync process and reconciles both objects.
For example, for above resources, they get same IP. Even though, both controller has it own IP can their own ingress class definitions.
NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
Kubernetes version (use
kubectl version
):Environment:
Cloud provider or hardware configuration:
minikube
OS (e.g. from /etc/os-release):
Linux
Kernel (e.g.
uname -a
):Linux minikube 6.6.26-linuxkit #1 SMP Sat Apr 27 04:13:19 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux
Install tools: minikube
Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc.
Basic cluster related info:
kubectl version
kubectl get nodes -o wide
How was the ingress-nginx-controller installed:
helm ls -A | grep -i ingress