oracle / oci-native-ingress-controller

OCI Native Ingress Controller
https://blogs.oracle.com/cloud-infrastructure/post/oracle-cloud-native-ingress-controller-kubernetes
Universal Permissive License v1.0

Unable to specify a healthcheck protocol for a defaultBackend #97

Open cweeks72 opened 1 month ago

cweeks72 commented 1 month ago

I have an Ingress talking to a service, and I'm using a "defaultBackend" to route all unknown traffic to the service.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ocilbingresshttps
  annotations:
    oci-native-ingress.oraclecloud.com/protocol: HTTP2
    oci-native-ingress.oraclecloud.com/backend-tls-enabled: "false"
    oci-native-ingress.oraclecloud.com/https-listener-port: "443"
    oci-native-ingress.oraclecloud.com/healthcheck-protocol: "http"
    oci-native-ingress.oraclecloud.com/healthcheck-path: "/ping"
spec:
  ingressClassName: ocilb
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: traefik
                port:
                  name: websecure
  defaultBackend:
    service:
      name: traefik
      port:
        name: websecure
```

I have specified a healthcheck for the service using the annotations:

    oci-native-ingress.oraclecloud.com/healthcheck-protocol: "http"
    oci-native-ingress.oraclecloud.com/healthcheck-path: "/ping"

Unfortunately, they do not get applied to the "default_ingress" backendset - so it stays as the default - a TCP service, leaving the loadbalancer in the "Critical" smart check status.

From the native ingress log file:

```
"BackendSetHealthCheckerMap": {
  "bs_c0b815d03fa5fbd": {
   "protocol": "HTTP",
   "urlPath": "/ping",
   "port": 0,
   "returnCode": 200,
   "retries": 3,
   "timeoutInMillis": 3000,
   "intervalInMillis": 10000,
   "responseBodyRegex": "",
   "isForcePlainText": false
  },
  "bs_c2b7f75c1039b6f": {
   "protocol": "HTTP",
   "urlPath": "/ping",
   "port": 0,
   "returnCode": 200,
   "retries": 3,
   "timeoutInMillis": 3000,
   "intervalInMillis": 10000,
   "responseBodyRegex": "",
   "isForcePlainText": false
  },
  "default_ingress": {
   "protocol": "TCP",
   "urlPath": null,
   "port": 0,
   "returnCode": null,
   "retries": 3,
   "timeoutInMillis": 3000,
   "intervalInMillis": 10000,
   "responseBodyRegex": null,
   "isForcePlainText": null
  }
 },
```

Thanks!

nirpai commented 1 month ago

@cweeks72 Currently we don't have health checks for default ingress. The default health check of TCP is minimalistic and it confirms that the default backends are reachable to LB. If they are critical, possibly they are not reachable. Can you please validate this?

cweeks72 commented 1 month ago

The "Smart Healthcheck" of the loadbalancer is flagged as a critical warning, because of the TCP healthcheck to an HTTP backend. This can only be fixed by changing the healthcheck type to HTTP for the default backendset.

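A check for the condition reported in this thread, as an added example that is not part of the issue or the project's own code: it parses a `BackendSetHealthCheckerMap` log fragment and lists every backend set whose health checker differs from the Ingress health-check annotations. The function names, the abridged sample log and the upper-casing of the annotation value to match the log are assumptions.

```python
import json

ANNOTATION_PREFIX = "oci-native-ingress.oraclecloud.com/"

# Health-check annotations from the Ingress manifest in the issue.
INGRESS_ANNOTATIONS = {
    ANNOTATION_PREFIX + "healthcheck-protocol": "http",
    ANNOTATION_PREFIX + "healthcheck-path": "/ping",
}

# Constructed sample: the log fragment from the issue, abridged to two backend sets.
LOG_FRAGMENT = '''
"BackendSetHealthCheckerMap": {
  "bs_c0b815d03fa5fbd": {"protocol": "HTTP", "urlPath": "/ping", "port": 0, "returnCode": 200},
  "default_ingress": {"protocol": "TCP", "urlPath": null, "port": 0, "returnCode": null}
 },
'''

def expected_from_annotations(annotations):
    """Health check requested by the annotations (protocol upper-cased: assumption)."""
    proto = annotations.get(ANNOTATION_PREFIX + "healthcheck-protocol")
    path = annotations.get(ANNOTATION_PREFIX + "healthcheck-path")
    return {"protocol": proto.upper() if proto else None, "urlPath": path}

def parse_checker_map(fragment):
    """Parse a '"BackendSetHealthCheckerMap": {...},' log fragment into a dict."""
    text = fragment.strip().rstrip(",")
    if not text.startswith("{"):
        text = "{" + text + "}"  # the log prints a member of a larger object, not a document
    return json.loads(text)["BackendSetHealthCheckerMap"]

def find_drift(checkers, expected):
    """Return {backend_set: {field: (actual, expected)}} for every mismatch."""
    drift = {}
    for name, hc in sorted(checkers.items()):
        diffs = {field: (hc.get(field), want)
                 for field, want in expected.items()
                 if want is not None and hc.get(field) != want}
        if diffs:
            drift[name] = diffs
    return drift

if __name__ == "__main__":
    expected = expected_from_annotations(INGRESS_ANNOTATIONS)
    for name, diffs in find_drift(parse_checker_map(LOG_FRAGMENT), expected).items():
        for field, (actual, want) in diffs.items():
            print(f"{name}: {field} is {actual!r}, annotations request {want!r}")
```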