
Comments (17)

hbagdi avatar hbagdi commented on May 27, 2024 1

Hi @Ngob,

Thanks for opening up this issue.

It seems like KongIngress's Proxy struct doesn't have a Protocols field which has to be added.
I'll try to send out a PR for this soon.

from kubernetes-ingress-controller.

jam01 avatar jam01 commented on May 27, 2024 1

@hbagdi it seems there's a bug where

kind: KongIngress
proxy:
  protocol: https

does not do anything, whereas annotating a service like

kind: Service
metadata:
  annotations:
    konghq.com/protocol: https

fixes the issue.

I can create a new issue if you'd like. I'm using Helm Chart 1.11.0 and Kong tag 2.2 btw.

from kubernetes-ingress-controller.

NICK-DUAN avatar NICK-DUAN commented on May 27, 2024 1

Hey @jam01, you could follow my example.

kind: Service
apiVersion: v1
metadata:
  name: stke-egress-svc
  annotations:
    konghq.com/client-cert: stke-egress-secret
    konghq.com/protocol: https
spec:
  type: ExternalName
  externalName: tke.kubernetes.oa.com
  ports:
  - name: https
    port: 443
    targetPort: 443 
    protocol: TCP
---
kind: Secret
apiVersion: v1
metadata:
  name: stke-egress-secret
type: kubernetes.io/tls
data:
  tls.crt: $YOUR_TLS_CRT
  tls.key: $YOUR_TLS_KEY
---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: stke-egress-ing
  annotations:
    kubernetes.io/ingress.class: "kong"
proxy:
  protocols:
    - https
route:
  protocols:
    - https
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: stke-egress-ing
  annotations:
    kubernetes.io/ingress.class: "kong"
    konghq.com/override: stke-egress-ing
    konghq.com/strip-path: "true"
    konghq.com/protocols: https
spec:
  rules:
    - host:
      http:
        paths:
        - path: /external/stke
          backend:
            serviceName: stke-egress-svc
            servicePort: https

from kubernetes-ingress-controller.

yousafsyed-bg avatar yousafsyed-bg commented on May 27, 2024 1

I know it's an old and closed issue, and after upgrading Kong from 1.3 to 2.4 we faced the same issue. The fix was to add the new annotation in the Service for ExternalName:

konghq.com/protocol: https

from kubernetes-ingress-controller.

zffocussss avatar zffocussss commented on May 27, 2024 1

@NICK-DUAN

If you want to make Kong proxy to https://myproject.cloudfunctions.net,
there are some points to make it work:

kind: Service
apiVersion: v1
metadata:
  name: demo-service
  annotations:
    konghq.com/protocol: https
spec:
  ports:
  - protocol: TCP
    port: 443
  type: ExternalName
  externalName: myproject.cloudfunctions.net
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo-ingress
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/preserve-host: "false"
    konghq.com/host-header: "myproject.cloudfunctions.net"
    konghq.com/strip-path: "false"
spec:
  rules:
  - http:
      paths:
      - path: /demo
        backend:
          serviceName: demo-service
          servicePort: 443

from kubernetes-ingress-controller.

Ngob avatar Ngob commented on May 27, 2024

Thank you for the fix, I will try it as soon as possible.

from kubernetes-ingress-controller.

NICK-DUAN avatar NICK-DUAN commented on May 27, 2024

@hbagdi Can you provide a demo or a document? It failed when I tried the above example. The only difference
is that I didn't use a plugin.

This is my yaml file:

kind: Service
apiVersion: v1
metadata:
  name: fooservice
  namespace: test
spec:
  type: ExternalName
  externalName: tke.kubernetes.oa.com
  ports:
  - name: http
    port: 80
    protocol: TCP
  - name: https
    port: 443
    protocol: TCP

---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: foo-ingress
  namespace: test
proxy:
  path: /foo-prod
  protocol: https
route:
  strip_path: true
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo-ingress
  namespace: test
  annotations:
    kubernetes.io/ingress.class: "egress"   # this is my kong ingress controller
spec:
  rules:
    - host:
      http:
        paths:
        - path: /foo
          backend:
            serviceName: fooservice
            servicePort: https

When I try to execute: curl https://egress-kong-proxy.infr/foo
it returned: Client sent an HTTP request to an HTTPS server.

I also tried the path https://egress-kong-proxy.infr/foo-prod; it returned the same data.

from kubernetes-ingress-controller.

jam01 avatar jam01 commented on May 27, 2024

Having seemingly the same issue; however, curl is giving me: Warning: Binary output can mess up your terminal.

from kubernetes-ingress-controller.

jam01 avatar jam01 commented on May 27, 2024

@NICK-DUAN I see you have konghq.com/protocol: https on your Service so that works. The issue is that my Service is created by a Helm Release and there's no way to add the annotation before creation.

My understanding is that proxy: https on the KongIngress is an equivalent, but it seems broken currently.

from kubernetes-ingress-controller.

NICK-DUAN avatar NICK-DUAN commented on May 27, 2024

> @NICK-DUAN I see you have konghq.com/protocol: https on your Service so that works. The issue is that my Service is created by a Helm Release and there's no way to add the annotation before creation.
>
> My understanding is that proxy: https on the KongIngress is an equivalent, but it seems broken currently.

No, it's not equal.
I also use a Helm chart to deploy my https service; you can make a custom chart for it and add this annotation in your values.yaml.

This is my chart YAML file. It's quite a simple chart, but it works for me.

---
{{ $ingressClass := .Values.ingressController.ingressClass }}

{{- range .Values.custom_plugins }}
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: egress-plugin-{{ .name }}
  annotations:
    kubernetes.io/ingress.class: {{ $ingressClass | quote }}
  {{- if .global }}
  labels:
    global: 'true'
  {{- end }}
plugin: {{ .plugin_name }}
config:
  {{- toYaml .config | nindent 2 }}
---
{{- end }}

{{- range .Values.routes }}
kind: KongIngress
apiVersion: configuration.konghq.com/v1
metadata:
  name: {{ .name }}-egress-ing
route:
  preserve_host: {{ .preserve_host | default "false" }}
  {{- if .route }}
  {{- range $key, $value := .route }}
  {{ $key }}: {{ $value }}
  {{- end }}
  {{- end }}
upstream:
  host_header: {{ .host_header | default .url }}
  {{- if .upstream }}
  {{- range $key, $value := .upstream }}
  {{ $key }}: {{ $value }}
  {{- end }}
  {{- end }}
---

{{- if .endpoint }}
apiVersion: v1
kind: Endpoints
metadata:
  name: {{ .name }}-egress-svc
subsets:
  - addresses:
    - ip: {{ .endpoint }}
    ports:
    - port: {{ .external_port | default 80 }}
---
apiVersion: v1
kind: Service
metadata:
  name: {{ .name }}-egress-svc
  annotations:
    {{- if .service_path }}
    konghq.com/path: {{ .service_path }}
    {{- end }}
    konghq.com/override: {{ .name }}-egress-ing
spec:
  ports:
  - port: 80
    targetPort: {{ .external_port | default 80 }}
    protocol: {{ .protocol | default "TCP" }}
---
{{- else }}
apiVersion: v1
kind: Service
metadata:
  name: {{ .name }}-egress-svc
  annotations:
    {{- if .service_path }}
    konghq.com/path: {{ .service_path }}
    {{- end }}
    konghq.com/override: {{ .name }}-egress-ing
spec:
  type: ExternalName
  externalName: {{ .url }}
  ports: 
    - name: {{ .port_name | default "http" }}
      port: {{ .port | default 80 }}
      targetPort: {{ .external_port | default 80 }}
      protocol: {{ .protocol | default "TCP" }}
---
{{- end }}

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: {{ .name }}-egress-ing
  annotations:
    kubernetes.io/ingress.class: {{ $ingressClass | quote }}
    {{- if .plugin_string }}
    konghq.com/plugins: {{ .plugin_string }}
    {{- end }}
    {{- if .strip_path }}
    konghq.com/strip-path: {{ .strip_path | quote }}
    {{- end }}
    {{- if .https }}
    konghq.com/override: {{ .name }}-egress-ing
    konghq.com/protocols: "https"
    {{- end }}
spec:
  rules:
  - host:
    http:
      paths:
      - path: {{ .path }}
        backend:
          serviceName: {{ .name }}-egress-svc
          servicePort: {{ .port | default "http" }}
---
{{- end }}

And you can make your service config like this:

routes:
  - name: stkeapi
    https: true
    cert: xxxxxxx
    key: xxxxxxxx
    port: 443
    external_port: 443
    path: /external/stke/api
    strip_path: true
    url: api.kubernetes.oa.com
  - name: stke
    https: true
    cert: xxxxxxxx
    key: xxxxxxx
    port: 443
    external_port: 443
    path: /external/stke
    strip_path: true
    url: tke.kubernetes.oa.com

from kubernetes-ingress-controller.

jam01 avatar jam01 commented on May 27, 2024

Right, a custom chart is indeed a workaround, but not one that makes sense for us. We'd still like to confirm with @hbagdi whether we're using the proxy property incorrectly or if it's a bug.

from kubernetes-ingress-controller.

NICK-DUAN avatar NICK-DUAN commented on May 27, 2024

@jam01 Could you show your yaml file?

from kubernetes-ingress-controller.

thaonguyen-ct avatar thaonguyen-ct commented on May 27, 2024

I have the same issue with proxy to cloudfunction, have you fixed it @zffocussss?

from kubernetes-ingress-controller.

thaonguyen-ct avatar thaonguyen-ct commented on May 27, 2024

The annotation konghq.com/host-header only works with a Service, not with an Ingress, but it seems not to work with a Service of type ExternalName.

from kubernetes-ingress-controller.

zffocussss avatar zffocussss commented on May 27, 2024

> I have the same issue with proxy to cloudfunction, have you fixed it @zffocussss?

@thaonguyen-ct
You can make it work by writing a plugin and using kong.service.set_target(host, port) in the access phase. In this case host is the FQDN and port is 443.
Finally, bind this plugin to the ingress with konghq.com/plugins: your-kongplugin-name

from kubernetes-ingress-controller.

zffocussss avatar zffocussss commented on May 27, 2024

@thaonguyen-ct
KongPlugin definition

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: static
plugin: static
config:
  host: myproject.cloudfunctions.net
  port: 443

handler.lua


local kong = kong
local re_match = ngx.re.match

local plugin = {
    PRIORITY = 101, -- set the plugin priority, which determines plugin execution order
    VERSION = "0.1"
}

-- runs in the 'access_by_lua_block'
function plugin:access(plugin_conf)
    do
        local host = plugin_conf.host
        local port = plugin_conf.port
        kong.service.set_target(host, port)
    end
end

return plugin

schema.lua

local typedefs = require "kong.db.schema.typedefs"

-- Grab pluginname from module name
local plugin_name = ({...})[1]:match("^kong%.plugins%.([^%.]+)")

local schema = {
    name = plugin_name,
    fields = {
        -- the 'fields' array is the top-level entry with fields defined by Kong
        {consumer = typedefs.no_consumer}, -- this plugin cannot be configured on a consumer (typical for auth plugins)
        {protocols = typedefs.protocols_http}, {
            config = {
                -- The 'config' record is the custom part of the plugin schema
                type = "record",
                fields = {
                    {host = {type = "string", required = true}},
                    {port = {type = "number", required = true}}
                }
            }
        }
    }
}

return schema

---
kind: Service
apiVersion: v1
metadata:
  name: demo-service
  annotations:
    konghq.com/protocol: https
spec:
  ports:
  - protocol: TCP
    port: 443
  type: ExternalName
  externalName: myproject.cloudfunctions.net
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo-ingress
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/preserve-host: "false"
    konghq.com/plugins: static
    konghq.com/strip-path: "false"
spec:
  rules:
  - http:
      paths:
      - path: /demo
        backend:
          serviceName: demo-service
          servicePort: 443

from kubernetes-ingress-controller.

wadexu007 avatar wadexu007 commented on May 27, 2024

Thanks, I finally got the answer here to fix this problem: "400 The plain HTTP request was sent to HTTPS port"

konghq.com/protocol: https

This annotation should be added to the external Service.

My full YAML for reference.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    konghq.com/preserve-host: "false"
  name: test-gateway-kong-ingress
  namespace: staging
spec:
  ingressClassName: kong
  rules:
  - host: resource.xxx.com
    http:
      paths:
      - backend:
          service:
            name: my-external-service
            port:
              number: 443
        path: /api
        pathType: Prefix
  tls:
  - hosts:
    - resource.xxx.com
    secretName: resource-tls-secret

---
apiVersion: v1
kind: Service
metadata:
  name: my-external-service
  namespace: staging
  annotations:
    konghq.com/protocol: https
spec:
  type: ExternalName
  externalName: api.stage.xxx.com

from kubernetes-ingress-controller.
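
A check for the condition this thread converges on, as an added example that is not part of any comment or of the Kong project: it flags Services that look like TLS upstreams but carry no konghq.com/protocol annotation, so Kong would call them over plain HTTP. The port-443 / "https" port-name heuristic, the function names and the sample objects are assumptions, and only networking.k8s.io/v1 Ingress backends are parsed.

```python
ANNOTATION = "konghq.com/protocol"  # Service annotation named in the thread

def is_tls_port(number=None, name=None):
    # Heuristic (assumption): 443 or a port named "https" means a TLS upstream.
    return number == 443 or str(name or "").lower() == "https"

def ingress_tls_backends(objs):
    """(namespace, service) pairs an Ingress reaches on a TLS-looking port."""
    hits = set()
    for o in (x for x in objs if x.get("kind") == "Ingress"):
        ns = o.get("metadata", {}).get("namespace", "default")
        for rule in o.get("spec", {}).get("rules") or []:
            for path in (rule.get("http") or {}).get("paths") or []:
                svc = path.get("backend", {}).get("service") or {}
                port = svc.get("port") or {}
                if is_tls_port(port.get("number"), port.get("name")):
                    hits.add((ns, svc.get("name")))
    return hits

def audit(objs):
    """Sorted 'namespace/name' of Services Kong would call over plain HTTP."""
    via_ingress = ingress_tls_backends(objs)
    findings = []
    for o in (x for x in objs if x.get("kind") == "Service"):
        meta = o.get("metadata", {})
        key = (meta.get("namespace", "default"), meta.get("name"))
        own_ports = o.get("spec", {}).get("ports") or []
        tls = key in via_ingress or any(
            is_tls_port(p.get("port"), p.get("name")) for p in own_ports)
        # Without the annotation Kong's service protocol stays at its default, http.
        if tls and (meta.get("annotations") or {}).get(ANNOTATION, "http") == "http":
            findings.append(f"{key[0]}/{key[1]}")
    return sorted(findings)

# Constructed sample objects (shape of `kubectl get ... -o json` items), not real data.
SAMPLE = [
    {"kind": "Service", "metadata": {"name": "my-external-service", "namespace": "staging"},
     "spec": {"type": "ExternalName", "externalName": "api.example.test"}},
    {"kind": "Ingress", "metadata": {"name": "gw", "namespace": "staging"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/api", "backend": {
         "service": {"name": "my-external-service", "port": {"number": 443}}}}]}}]}},
    {"kind": "Service", "metadata": {"name": "demo-service", "namespace": "default",
                                     "annotations": {ANNOTATION: "https"}},
     "spec": {"type": "ExternalName", "ports": [{"port": 443}]}},
    {"kind": "Service", "metadata": {"name": "fooservice", "namespace": "test"},
     "spec": {"type": "ExternalName", "ports": [{"name": "https", "port": 443}]}},
]

if __name__ == "__main__":
    print("\n".join(f"{hit}: add {ANNOTATION}: https" for hit in audit(SAMPLE)))
```

The check looks only at the Service annotation; a KongIngress `proxy` override, whose behaviour is disputed in this thread, is not considered.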
