search

nginxinc / kubernetes-ingress

NGINX and NGINX Plus Ingress Controllers for Kubernetes
https://docs.nginx.com/nginx-ingress-controller
Apache License 2.0
4.65k stars 1.96k forks source link

Upgrade To Version 2.4.0 With "-disable-ipv6=true" Cannot Reach Upstream (NginxPlus) #3165

Closed EthanLR-LsdOpen closed 1 year ago

EthanLR-LsdOpen commented 1 year ago

Describe the bug We've recently upgraded NginxPlus from v2.1.2 to v2.4.0 IPv6 listeners have been added since that release. Since TKGi clusters don't support IPv6, we've added -disable-ipv6=true to our deployment manifest

however, not all is well because we get 404 errors when trying to connect to our respective hosts (upstreams)

logs indicate 

10.200.57.53 - - [18/Oct/2022:09:08:12 +0000] "POST /v1/auth/kubernetes-sandbox-infra/login HT
TP/1.1" 404 153 "-" "-" "-"
10.200.57.53 [18/Oct/2022:09:08:12 +0000] TCP 200 5625 1389 0.046 "app.example.com"

configuration file on the nginx-ingress pod indicate they're still listening to IPv6 excerpt of /etc/nginx/conf.d/vault-vault.conf

server {
        listen 80;
        listen [::]:80;

To Reproduce Steps to reproduce the behavior:

  1. Update ingress controller's (NginxPlus) deployment manifest from v2.1.2 to v2.4.0
  2. Include -disable-ipv6=true argument
  3. Update RBAC manifests
  4. Deploy manifests
  5. Check pod logs

Expected behavior Expected the ingress controller to establish connections between pods / services and external networks, accessible without 404 errors.

Your environment

Additional context This in reference to and using the same environment as (this time with NginxPlus):

github-actions[bot] commented 1 year ago

Hi @EthanLR-LsdOpen thanks for reporting!

Be sure to check out the docs while you wait for a human to take a look at this :slightly_smiling_face:

Cheers!

haywoodsh commented 1 year ago

Hi @EthanLR-LsdOpen, I was looking into this. We do not have a edge release for NGINX Plus version of the Ingress Controller, and the solution I proposed in #3138 does not apply to your particular use case. We just released v2.4.1 to include the fix. Could you please deploy the Ingress Controller again with the latest version? I hope this will solve your issue.

EthanLR-LsdOpen commented 1 year ago

Great, v2.4.1 successfully deployed, no ipv6 listeners. Seems to be working smoothly, thanks!

brianehlert commented 1 year ago

I have been surprised at how many TKGi (or similar product) customers we have. And secondly, that any product would disable ipv6 in the way that it does - or even that it does. Considering how long IPv6 has been with us.