Comments (17)
Hi @Ngob,
Thanks for opening up this issue.
It seems like KongIngress's Proxy struct doesn't have a Protocols field which has to be added.
I'll try to send out a PR for this soon.
from kubernetes-ingress-controller.
@hbagdi it seems there's a bug where
kind: KongIngress
proxy:
  protocol: https
does not do anything, whereas annotating a service like
kind: Service
annotations:
  konghq.com/protocol: https
fixes the issue.
I can create a new issue if you'd like. I'm using Helm Chart 1.11.0 and Kong tag 2.2 btw.
from kubernetes-ingress-controller.
Hey @jam01, You could follow my example.
kind: Service
apiVersion: v1
metadata:
  name: stke-egress-svc
  annotations:
    konghq.com/client-cert: stke-egress-secret
    konghq.com/protocol: https
spec:
  type: ExternalName
  externalName: tke.kubernetes.oa.com
  ports:
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
---
kind: Secret
apiVersion: v1
metadata:
  name: stke-egress-secret
type: kubernetes.io/tls
data:
  tls.crt: $YOUR_TLS_CRT
  tls.key: $YOUR_TLS_KEY
---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: stke-egress-ing
  annotations:
    kubernetes.io/ingress.class: "kong"
proxy:
  protocols:
    - https
route:
  protocols:
    - https
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: stke-egress-ing
  annotations:
    kubernetes.io/ingress.class: "kong"
    konghq.com/override: stke-egress-ing
    konghq.com/strip-path: "true"
    konghq.com/protocols: https
spec:
  rules:
    - host:
      http:
        paths:
          - path: /external/stke
            backend:
              serviceName: stke-egress-svc
              servicePort: https
from kubernetes-ingress-controller.
I know it's an old and closed issue, and after upgrading Kong from 1.3 to 2.4 we have faced the same issue. The fix was to add the new annotation in the service for ExternalName:
konghq.com/protocol: https
from kubernetes-ingress-controller.
If you want to make Kong proxy to https://myproject.cloudfunctions.net,
there are some points to make it:
kind: Service
apiVersion: v1
metadata:
  name: demo-service
  annotations:
    konghq.com/protocol: https
spec:
  ports:
    - protocol: TCP
      port: 443
  type: ExternalName
  externalName: myproject.cloudfunctions.net
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo-ingress
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/preserve-host: "false"
    konghq.com/host-header: "myproject.cloudfunctions.net"
    konghq.com/strip-path: "false"
spec:
  rules:
    - http:
        paths:
          - path: /demo
            backend:
              serviceName: demo-service
              servicePort: 443
from kubernetes-ingress-controller.
Thank you for the fix, I will try it as soon as possible.
from kubernetes-ingress-controller.
@hbagdi Can you provide a demo or a document? Because it failed when I tried the above example. The only small difference is that I didn't use a plugin.
This is my yaml file:
kind: Service
apiVersion: v1
metadata:
  name: fooservice
  namespace: test
spec:
  type: ExternalName
  externalName: tke.kubernetes.oa.com
  ports:
    - name: http
      port: 80
      protocol: TCP
    - name: https
      port: 443
      protocol: TCP
---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: foo-ingress
  namespace: test
proxy:
  path: /foo-prod
  protocol: https
route:
  strip_path: true
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo-ingress
  namespace: test
  annotations:
    kubernetes.io/ingress.class: "egress" # this is my kong ingress controller
spec:
  rules:
    - host:
      http:
        paths:
          - path: /foo
            backend:
              serviceName: fooservice
              servicePort: https
When I try to execute: curl https://egress-kong-proxy.infr/foo
It returned: Client sent an HTTP request to an HTTPS server.
And I also tried path: https://egress-kong-proxy.infr/foo-prod
It returned the same data.
from kubernetes-ingress-controller.
having seemingly the same issue, however curl is giving me Warning: Binary output can mess up your terminal.
from kubernetes-ingress-controller.
@NICK-DUAN I see you have konghq.com/protocol: https on your Service so that works. The issue is that my Service is created by a Helm Release and there's no way to add the annotation before creation.
My understanding is that proxy: https on the KongIngress is an equivalent, but it seems broken currently.
from kubernetes-ingress-controller.
> @NICK-DUAN I see you have konghq.com/protocol: https on your Service so that works. The issue is that my Service is created by a Helm Release and there's no way to add the annotation before creation. My understanding is that proxy: https on the KongIngress is an equivalent, but it seems broken currently.
No, it's not equal.
I also use a helm chart to deploy my https service, you can make a custom chart for it. And add these annotations in your values.yaml.
This is my chart yaml file, it's a quite simple chart, but works for me.
---
{{ $ingressClass := .Values.ingressController.ingressClass }}
{{- range .Values.custom_plugins }}
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: egress-plugin-{{ .name }}
  annotations:
    kubernetes.io/ingress.class: {{ $ingressClass | quote }}
  {{- if .global }}
  labels:
    global: 'true'
  {{- end }}
plugin: {{ .plugin_name }}
config:
  {{- toYaml .config | nindent 2 }}
---
{{- end }}
{{- range .Values.routes }}
kind: KongIngress
apiVersion: configuration.konghq.com/v1
metadata:
  name: {{ .name }}-egress-ing
route:
  preserve_host: {{ .preserve_host | default "false" }}
  {{- if .route }}
  {{- range $key, $value := .route }}
  {{ $key }}: {{ $value }}
  {{- end }}
  {{- end }}
upstream:
  host_header: {{ .host_header | default .url }}
  {{- if .upstream }}
  {{- range $key, $value := .upstream }}
  {{ $key }}: {{ $value }}
  {{- end }}
  {{- end }}
---
{{- if .endpoint }}
apiVersion: v1
kind: Endpoints
metadata:
  name: {{ .name }}-egress-svc
subsets:
  - addresses:
      - ip: {{ .endpoint }}
    ports:
      - port: {{ .external_port | default 80 }}
---
apiVersion: v1
kind: Service
metadata:
  name: {{ .name }}-egress-svc
  annotations:
    {{- if .service_path }}
    konghq.com/path: {{ .service_path }}
    {{- end }}
    konghq.com/override: {{ .name }}-egress-ing
spec:
  ports:
    - port: 80
      targetPort: {{ .external_port | default 80 }}
      protocol: {{ .protocol | default "TCP" }}
---
{{- else }}
apiVersion: v1
kind: Service
metadata:
  name: {{ .name }}-egress-svc
  annotations:
    {{- if .service_path }}
    konghq.com/path: {{ .service_path }}
    {{- end }}
    konghq.com/override: {{ .name }}-egress-ing
spec:
  type: ExternalName
  externalName: {{ .url }}
  ports:
    - name: {{ .port_name | default "http" }}
      port: {{ .port | default 80 }}
      targetPort: {{ .external_port | default 80 }}
      protocol: {{ .protocol | default "TCP" }}
---
{{- end }}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: {{ .name }}-egress-ing
  annotations:
    kubernetes.io/ingress.class: {{ $ingressClass | quote }}
    {{- if .plugin_string }}
    konghq.com/plugins: {{ .plugin_string }}
    {{- end }}
    {{- if .strip_path }}
    konghq.com/strip-path: {{ .strip_path | quote }}
    {{- end }}
    {{- if .https }}
    konghq.com/override: {{ .name }}-egress-ing
    konghq.com/protocols: "https"
    {{- end }}
spec:
  rules:
    - host:
      http:
        paths:
          - path: {{ .path }}
            backend:
              serviceName: {{ .name }}-egress-svc
              servicePort: {{ .port | default "http" }}
---
{{- end }}
And you can make your service config like this:
routes:
  - name: stkeapi
    https: true
    cert: xxxxxxx
    key: xxxxxxxx
    port: 443
    external_port: 443
    path: /external/stke/api
    strip_path: true
    url: api.kubernetes.oa.com
  - name: stke
    https: true
    cert: xxxxxxxx
    key: xxxxxxx
    port: 443
    external_port: 443
    path: /external/stke
    strip_path: true
    url: tke.kubernetes.oa.com
from kubernetes-ingress-controller.
Right, a custom chart is indeed a workaround, but not one that makes sense for us. We'd still like to confirm with @hbagdi whether we're using the proxy property incorrectly or if it's a bug.
from kubernetes-ingress-controller.
@jam01 Could you show your yaml file?
from kubernetes-ingress-controller.
I have the same issue with proxy to cloudfunction, have you fixed it @zffocussss?
from kubernetes-ingress-controller.
The annotation konghq.com/host-header only works with service, not for ingress, but it seems not to work with service with ExternalName type.
from kubernetes-ingress-controller.
> I have the same issue with proxy to cloudfunction, have you fixed it @zffocussss?
@thaonguyen-ct
You can make it by writing a plugin and using kong.service.set_target(host, port) in the access phase. In this case host is the FQDN, port is 443.
Finally, bind this plugin to ingress with konghq.com/plugins: your-kongplugin-name
from kubernetes-ingress-controller.
@thaonguyen-ct
KongPlugin definition
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: static
plugin: static
config:
  host: myproject.cloudfunctions.net
  port: 443
handler.lua
local kong = kong
local re_match = ngx.re.match

local plugin = {
  PRIORITY = 101, -- set the plugin priority, which determines plugin execution order
  VERSION = "0.1"
}

-- runs in the 'access_by_lua_block'
function plugin:access(plugin_conf)
  do
    local host = plugin_conf.host
    local port = plugin_conf.port
    kong.service.set_target(host, port)
  end
end

return plugin
schema.lua
local typedefs = require "kong.db.schema.typedefs"

-- Grab pluginname from module name
local plugin_name = ({...})[1]:match("^kong%.plugins%.([^%.]+)")

local schema = {
  name = plugin_name,
  fields = {
    -- the 'fields' array is the top-level entry with fields defined by Kong
    {consumer = typedefs.no_consumer}, -- this plugin cannot be configured on a consumer (typical for auth plugins)
    {protocols = typedefs.protocols_http}, {
      config = {
        -- The 'config' record is the custom part of the plugin schema
        type = "record",
        fields = {
          {host = {type = "string", required = true}},
          {port = {type = "number", required = true}}
        }
      }
    }
  }
}

return schema
----
kind: Service
apiVersion: v1
metadata:
  name: demo-service
  annotations:
    konghq.com/protocol: https
spec:
  ports:
    - protocol: TCP
      port: 443
  type: ExternalName
  externalName: myproject.cloudfunctions.net
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo-ingress
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/preserve-host: "false"
    konghq.com/plugins: static
    konghq.com/strip-path: "false"
spec:
  rules:
    - http:
        paths:
          - path: /demo
            backend:
              serviceName: demo-service
              servicePort: 443
from kubernetes-ingress-controller.
Thanks, I finally got the answer here to fix this problem: "400 The plain HTTP request was sent to HTTPS port"
konghq.com/protocol: https
This annotation should be added in the External service.
My full YAML for reference.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    konghq.com/preserve-host: "false"
  name: test-gateway-kong-ingress
  namespace: staging
spec:
  ingressClassName: kong
  rules:
    - host: resource.xxx.com
      http:
        paths:
          - backend:
              service:
                name: my-external-service
                port:
                  number: 443
            path: /api
            pathType: Prefix
  tls:
    - hosts:
        - resource.xxx.com
      secretName: resource-tls-secret
---
apiVersion: v1
kind: Service
metadata:
  name: my-external-service
  namespace: staging
  annotations:
    konghq.com/protocol: https
spec:
  type: ExternalName
  externalName: api.stage.xxx.com
from kubernetes-ingress-controller.
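The recurring failure in this thread is an ExternalName Service in front of a TLS upstream that lacks konghq.com/protocol: https, so Kong sends plain HTTP to it. The following is an added example, not part of the original thread or of the controller's code: it audits `kubectl get svc -A -o json` output for such Services. The embedded service list is constructed, and treating `https`, `grpcs` and `tls` as the TLS-bearing annotation values, and port 443 or a TLS-named port as the signal, are assumptions of this example.

```python
import json

ANNOTATION = "konghq.com/protocol"
# Annotation values under which Kong speaks TLS to the upstream (assumption of this example).
TLS_PROTOCOLS = {"https", "grpcs", "tls"}

# Constructed sample shaped like `kubectl get svc -A -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "my-external-service", "namespace": "staging",
                  "annotations": {ANNOTATION: "https"}},
     "spec": {"type": "ExternalName", "externalName": "api.stage.xxx.com"}},
    {"metadata": {"name": "fooservice", "namespace": "test"},
     "spec": {"type": "ExternalName", "externalName": "tke.kubernetes.oa.com",
              "ports": [{"name": "http", "port": 80},
                        {"name": "https", "port": 443}]}},
    {"metadata": {"name": "internal-api", "namespace": "test"},
     "spec": {"type": "ClusterIP", "ports": [{"name": "http", "port": 80}]}},
]})

def looks_like_tls_port(port):
    """Heuristic: port or targetPort 443, or a port named https/grpcs/tls."""
    return (port.get("port") == 443 or port.get("targetPort") == 443
            or str(port.get("name", "")).lower() in TLS_PROTOCOLS)

def find_plaintext_upstreams(service_list_json):
    """Return (namespace, name, reason) for ExternalName Services that Kong
    would reach over plain HTTP although the upstream appears to expect TLS."""
    findings = []
    for svc in json.loads(service_list_json).get("items", []):
        spec = svc.get("spec", {})
        if spec.get("type") != "ExternalName":
            continue
        meta = svc.get("metadata", {})
        value = (meta.get("annotations") or {}).get(ANNOTATION)
        if value in TLS_PROTOCOLS:
            continue
        ports = spec.get("ports") or []
        if ports and not any(looks_like_tls_port(p) for p in ports):
            continue  # only plaintext ports declared; no ports at all is still reported
        reason = f"{ANNOTATION} is {value!r}" if value else f"{ANNOTATION} not set"
        findings.append((meta.get("namespace", "default"), meta.get("name"), reason))
    return findings

if __name__ == "__main__":
    for ns, name, reason in find_plaintext_upstreams(SAMPLE):
        print(f"{ns}/{name}: {reason}")
```
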