aledbf
commented
5 years ago @nabeelio this is correct. Right now we use the lua-resty-dns library where the search and ndots options are not available
Closed nabeelio closed 5 years ago
aledbf
commented
5 years ago @nabeelio this is correct. Right now we use the lua-resty-dns library where the search and ndots options are not available
nabeelio
commented
5 years ago Ah dang... is there a workaround available? Otherwise this renders this ingress unusable for us.
Does the auth-snippet only look for the proxy_* variables? I wonder if forcing the resolver line into the location = /_external-auth-L2NvbmZpZw block would make it work.
I'm trying to find a way to try it manually, but I don't have root access into the container.
aledbf
commented
5 years ago Ah dang... is there a workaround available?
Yes, we are going to replace that library with https://github.com/Kong/lua-resty-dns-client where search and ndots are available
aledbf
commented
5 years ago @nabeelio just in case if you use the full FQDN this works (auth-svc.<namespace>.svc.cluster.local)
nabeelio
commented
5 years ago @aledbf Thanks, seemed like that worked! I hadn't tried it - the other ticket I looked at, it seemed like they were using the full FQDN and it hadn't worked for them. But I see now they're in a different namespace, so maybe that has something to do with it. But that worked and that's good enough for me.
Appreciate the help!
Queuecumber
commented
5 years ago @aledbf was there any progress on replacing that library? I still can't resolve cluster internal addresses without the full FQDN
aledbf
commented
5 years ago @Queuecumber not yet
vmitris
commented
3 years ago This is still reproducing with k8s.gcr.io/ingress-nginx/controller:v0.41.2. For requests coming from within clusters where $host is a FQDN all the requests cannot be resolved. If hardcoded static IP is used it works fine but this is not a solution as there are multiple scenarios when IP is not known at deployment time.
Please reopen it as it seems there is no solution yet. The one proposed by @aledbf with auth-svc.
jastBytes
commented
2 years ago It looks like I have a similar issue. But after a rollout restart of the nginx ingress controller it works and after a while it stops working. We're using k8s.gcr.io/ingress-nginx/controller:v1.0.5 and it seems that out of a sudden DNS resolving for external auth stops working. Restarting the controller fixes it.
digiserg
commented
2 years ago I can't say whether this is a coincidence or not but I've disabled ipv6 DNS resolution and it has resolved the problem for us.
wackazong
commented
1 year ago FYI I managed to work around this in the following way: add a sidecar container to the ingress-nginx-controller pods which contains another nginx server and listens on port 81. Configure that nginx server to pass all requests to the external auth url using proxy_pass. Then, use http://127.0.0.1:81 as auth-url. Since proxy_pass uses the DNS resolution of its own server we have normal DNS resolution here.
The gist: When using the
auth-urlannotation to point to a K8 Service, it doesn't seem to go through the kube-dns resolver.I found a similar report on rancher, here: https://github.com/rancher/rancher/issues/13876 However looking here, I haven't found anything, though maybe my search-foo stinks.
NGINX Ingress controller version:
Kubernetes version (use
kubectl version):Environment:
uname -a):What happened:
When setting up the auth-url to use a deployed service, the DNS lookup isn't done. A message like this is in the logs:
From the debug log:
It does work when it's pointed to the service IP address. I tried adding this to see if it would force it, but it just seems to ignore it and not add it to the config:
How to reproduce it (as minimally and precisely as possible):
Deploy any service, and point the
auth-urlto it:I've attached a log with nginx in debug in case that yields any clues. I see the nginx config. I also attached the nginx config
debug.txt nginx_config.txt