Closed darkn3rd closed 1 year ago
Hi @darkn3rd thanks for reporting!
Be sure to check out the docs while you wait for a human to take a look at this :slightly_smiling_face:
Cheers!
I found out that this is the expected behavior. I would like to convert this to an enhancement request for the following:
Describe the bug
After deploying nginx-service with integrated NGINX+ ingress controller, VirtualServer configured for services that are not in the mesh will return 502 bad gateway. This is bad because I want to keep some solutions OUT OF THE MESH so they cannot access protected services. The NSM is configured to have mTLS set to strict mode to drop traffic from outside of the service mesh, as the cluster has both services that are part of the mesh and services that are not part of the mesh.
To Reproduce
Steps to reproduce the behavior:
I used helmfile to encapsulate and configure Helm charts.
Install NSM
Install NGINX+ IC
Install External DNS and Cert-Manager NOTE: For real DNS + ACME DNS01 challenge to work, services must have access to r/w DNS (route53, Cloud DNS, Azure DNS, etc). The snippet below is oriented to GKE with GCR + Cloud DNS
Install Ratel outside of mesh
Expected behavior
I expected that the gateway (NGINX+ IC) would route traffic to back-end services that are not meshed in addition to services that are meshed. The reason why this is important is because ratel is only a client application, and should it ever be compromised, it should NOT be able to reach the private database cluster or any other services on the mesh.
Actual behavior
I globally search/replace my registered domain for example.com.
Your environment
nginx/1.21.6 (nginx-plus-r27)
1.22.11
Additional context
I can provide scripts to provision Cloud DNS, GKE, GCR, and configure access with Google Service Accounts and Workload Identity using gcloud and gsutil if needed. I also deployed a backend distributed graph database Dgraph, but since that was supposed to be in the mesh and works fine, I didn't include it here. The Ratel is a client only to bootstrap the client, so it shouldn't have access to the strict service mesh.