Issue Type:
What happened:
Enabling linkerd on our nginx ingress controller fails to route the auth-url correctly, ignoring the port.
What you expected to happen:
I would expect it to not ignore the port.
How to reproduce it (as minimally and precisely as possible):
1) Create an auth service listening on port 8000
2) Create a service for that deployment listening on port 8000 too
3) Create an ingress with the "nginx.ingress.kubernetes.io/auth-url:" header pointing to that service with the value like "http://[service].[namespace].svc.cluster.local:8000/path"
4) Try to use the service
5) Observe linkerd-proxies involved point to port 80 instead of port 8000
Anything else we need to know?:
In my case:
ingress.kubernetes.io/auth-url: http://ourapiauth.test-linkerd.svc.cluster.local:8000/authprovider/verify
Transforms into the nginx.conf line:
set $target http://ourapiauth.test-linkerd.svc.cluster.local:8000/authprovider/verify;
The linkerd-proxy on the ingress pod shows:
DBUG [ 4461.764430s] ourapiauth.test-linkerd.svc.cluster.local:80 linkerd2_proxy::proxy::http::client client request: method=GET uri=http://ourapiauth.test-linkerd.svc.cluster.local/authprovider/verify version=HTTP/2.0 headers=... ... ...
The linkerd-proxy on the receiving pod shows:
ERR! [ 66763.192699s] proxy={server=out listen=0.0.0.0:4143 remote=100.96.XX.XX:49748} linkerd2_proxy::app::errors unexpected error: error trying to connect: Connection refused (os error 111) (address: 127.0.0.1:80)
The workaround I am using so far is creating a second service pointing to the same pods, but listening on port 80 instead of 8000.
Environment:
Same here. Without linkerd, ingress-nginx reaches the authentication service, while with linkerd it doesn't, since linkerd attempts to connect to port 80 for some reason, although port 5555 (dex in my case) is specified.
Still relevant in stable-2.7 for me
This is going to need to be a change in the ingress-nginx code to add the correct header.
What header would it be? I can test it before contributing 😊
Thanks @grampelberg, I added these headers to the config snippet already but I guess it needs to be added to auth-snippet as well.
Will try and update here with the results
@vic3lord yeah, the last time I looked, it wasn't possible to add headers to the auth requests. It all ended up being swallowed by the lua stuff and there were no configuration parameters.
So @grampelberg, thanks again! It's working, and what I had to do is:
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
data:
  global-auth-url: http://auth-service-here.default.svc.cluster.local:8080/auth/
  global-auth-signin: https://public.auth.url/login/
  global-auth-cache-key: $remote_user$http_authorization
  global-auth-cache-duration: '200 202 5m, 401 1m'
  # Added to the auth subrequest: gives the linkerd proxy the auth service host and port.
  global-auth-snippet: |
    proxy_set_header l5d-dst-override auth-service-here.default.svc.cluster.local:8080;
  # Added to every proxied location (HTTP and gRPC upstreams).
  location-snippet: |
    proxy_set_header l5d-dst-override $service_name.$namespace.svc.cluster.local:$service_port;
    grpc_set_header l5d-dst-override $service_name.$namespace.svc.cluster.local:$service_port;
I can commit to docs
Oh, awesome!! I'd love the PR for docs.
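A check for the misconfiguration discussed in this thread, as an added example that is not part of the original issue or of either project's code: it compares an auth-url with the `l5d-dst-override` directive in the matching auth snippet and reports a missing or stale value. The function names and sample dictionaries are hypothetical; the keys and hostnames are the ones quoted above, and treating port 80 as the proxy's fallback is taken from the logs in the report.

```python
import re
from urllib.parse import urlsplit

HEADER = "l5d-dst-override"   # header named in the thread
FALLBACK_PORT = 80            # port the proxy dialled in the thread's logs
DEFAULT_PORTS = {"http": 80, "https": 443}
# Matches `proxy_set_header l5d-dst-override <value>;` in an nginx snippet.
DIRECTIVE = re.compile(r"proxy_set_header\s+" + HEADER + r"\s+([^;\s]+)\s*;", re.I)


def expected_override(auth_url):
    """Return the host:port an auth-url points at, with the port made explicit."""
    parts = urlsplit(auth_url)
    if not parts.hostname or parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an absolute http(s) URL: {auth_url!r}")
    return f"{parts.hostname}:{parts.port or DEFAULT_PORTS[parts.scheme]}"


def check_auth_override(settings, url_key, snippet_key):
    """Return findings for one auth-url / auth-snippet pair (empty list = OK)."""
    auth_url = settings.get(url_key)
    if not auth_url:
        return []
    want = expected_override(auth_url)
    found = DIRECTIVE.findall(settings.get(snippet_key, ""))
    if not found:
        if want.endswith(f":{FALLBACK_PORT}"):
            return []  # header absent, but the fallback port is the right one
        return [f"{snippet_key}: missing 'proxy_set_header {HEADER} {want};'"]
    return [f"{snippet_key}: {HEADER} is {v}, but {url_key} targets {want}"
            for v in found if v.lower() != want]


# Constructed samples built from the values quoted in the thread.
ANN = "nginx.ingress.kubernetes.io/"
BROKEN = {ANN + "auth-url":
          "http://ourapiauth.test-linkerd.svc.cluster.local:8000/authprovider/verify"}
FIXED = {
    "global-auth-url": "http://auth-service-here.default.svc.cluster.local:8080/auth/",
    "global-auth-snippet": "proxy_set_header l5d-dst-override "
                           "auth-service-here.default.svc.cluster.local:8080;\n",
}
STALE = dict(FIXED, **{"global-auth-url":
                       "http://auth-service-here.default.svc.cluster.local:9090/auth/"})

if __name__ == "__main__":
    print(check_auth_override(BROKEN, ANN + "auth-url", ANN + "auth-snippet"))
    print(check_auth_override(FIXED, "global-auth-url", "global-auth-snippet"))
    print(check_auth_override(STALE, "global-auth-url", "global-auth-snippet"))
```

Feed it the `data` map of the controller ConfigMap or the `annotations` map of an Ingress; the STALE sample shows the case where the auth-url port was changed but the snippet was not.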