Kubernetes - Ingress-nginx routing error (Cannot connect frontend to backend)
Need some serious help here. Thanks in advance.
I am trying to deploy a microservice-based Java application. I am able to get to the frontend service (webapp) on my browser, but I am unable to connect it with the backend (auth service) and hence it shows authentication failure.
HTML LOGIN FORM: form points to "/login?referrerURL="
I checked the ingress nginx logs:
Service "default/auth-srv" does not have any active Endpoint.
Service "default/voice-srv" does not have any active Endpoint.
Service "default/reporting-srv" does not have any active Endpoint.
Service "default/webapp-srv" does not have any active Endpoint.
The ingress nginx config file:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-service
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: 'true'
spec:
  rules:
    - host: <domain_name>
      http:
        paths:
          - path: /auth/?(.*)
            backend:
              serviceName: auth-srv
              servicePort: 8080
          - path: /emotion/?(.*)
            backend:
              serviceName: emotion-srv
              servicePort: 8080
          - path: /storage/?(.*)
            backend:
              serviceName: storage-srv
              servicePort: 8080
          - path: /voice/?(.*)
            backend:
              serviceName: voice-srv
              servicePort: 8080
          - path: /backend/?(.*)
            backend:
              serviceName: backend-srv
              servicePort: 8080
          - path: /reporting/?(.*)
            backend:
              serviceName: reporting-srv
              servicePort: 8080
          ## frontend
          - path: /?(.*)
            backend:
              serviceName: webapp-srv
              servicePort: 8080
How is the webapp (frontend) connecting to auth service internally?
Using the below endpoint
http://ingress-nginx-controller.ingress-nginx.svc.cluster.local/auth
Above endpoint obtained from: Using the pattern === http://name-of-service.namespace.svc.cluster.local
namespaces:
$ kubectl get namespace
NAME STATUS AGE
default Active 10h
ingress-nginx Active 10h
kube-node-lease Active 10h
kube-public Active 10h
kube-system Active 10h
$ kubectl get service -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller LoadBalancer 10.100.99.130 <loadbalancer>.amazonaws.com 80:32794/TCP,443:30053/TCP 10h
ingress-nginx-controller-admission ClusterIP 10.100.230.126 <none> 443/TCP
Webapp (frontend) pod logs:
2020-07-28 20:57:08.139 INFO 1 --- [io-8080-exec-10] com.symtrain.controller.AdminController : Auth Controller User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
2020-07-28 20:57:08.139 INFO 1 --- [io-8080-exec-10] com.symtrain.controller.AdminController : Auth Controller URL: http://testprod.symtrain.com/index
2020-07-28 20:57:08.139 INFO 1 --- [io-8080-exec-10] com.symtrain.controller.AdminController : Auth Controller flag:::::: Not IE
2020-07-28 20:57:08.139 INFO 1 --- [io-8080-exec-10] com.symtrain.controller.AdminController : Auth Controller URL inside normal return:
Some extra information for deployments:
$ kubectl get deploy
NAME READY UP-TO-DATE AVAILABLE AGE
auth-depl 2/2 2 2 4h40m
backend-depl 2/2 2 2 4h40m
emotion-depl 2/2 2 2 4h40m
reporting-depl 2/2 2 2 4h40m
storage-depl 2/2 2 2 4h40m
voice-depl 2/2 2 2 4h40m
webapp-depl 2/2 2 2 4h40m
$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
auth-srv ClusterIP 10.100.258.118 <none> 8080/TCP 4h41m
backend-srv ClusterIP 10.100.132.251 <none> 8080/TCP 4h41m
emotion-srv ClusterIP 10.100.32.154 <none> 8080/TCP 4h41m
kubernetes ClusterIP 10.100.0.1 <none> 443/TCP 10h
reporting-srv ClusterIP 10.100.64.80 <none> 8080/TCP 4h41m
storage-srv ClusterIP 10.100.36.25 <none> 8080/TCP 4h41m
voice-srv ClusterIP 10.100.212.180 <none> 8080/TCP 4h41m
webapp-srv ClusterIP 10.100.21.170 <none> 8080/TCP 4h41m
Endpoints
$ kubectl get endpoints
NAME ENDPOINTS AGE
auth-srv 192.168.14.60:8080,192.168.44.116:8080 4h53m
backend-srv 192.168.32.14:8080,192.168.37.180:8080 4h53m
emotion-srv 192.168.58.110:8080,192.168.6.148:8080 4h53m
kubernetes 192.168.118.66:443,192.168.82.184:443 10h
reporting-srv 192.168.31.233:8080,192.168.33.218:8080 4h53m
storage-srv 192.168.23.217:8080,192.168.38.48:8080 4h53m
voice-srv 192.168.4.211:8080,192.168.59.186:8080 4h53m
webapp-srv 192.168.31.164:8080,192.168.62.143:8080 4h53m
Auth backend Deployment and Service:
$ kubectl describe deploy auth-depl
Name: auth-depl
Namespace: default
CreationTimestamp: Tue, 28 Jul 2020 16:32:44 +0000
Labels: <none>
Annotations: deployment.kubernetes.io/revision: 1
Selector: app=auth
Replicas: 2 desired | 2 updated | 2 total | 2 available | 0 unavailable
StrategyType: RollingUpdate
MinReadySeconds: 0
RollingUpdateStrategy: 25% max unavailable, 25% max surge
Pod Template:
Labels: app=auth
Containers:
auth:
Image: <my_image_name>
Port: 8080/TCP
Host Port: 0/TCP
Environment: <none>
Mounts: <none>
Volumes: <none>
Conditions:
Type Status Reason
---- ------ ------
Available True MinimumReplicasAvailable
Progressing True NewReplicaSetAvailable
OldReplicaSets: <none>
NewReplicaSet: auth-depl-787446c4db (2/2 replicas created)
Events: <none>
#####################################
$ kubectl describe svc auth-srv
Name: auth-srv
Namespace: default
Labels: <none>
Annotations: <none>
Selector: app=auth
Type: ClusterIP
IP: 10.100.218.108
Port: auth 8080/TCP
TargetPort: 8080/TCP
Endpoints: 192.168.14.60:8080,192.178.44.136:8080
Session Affinity: None
Events: <none>
NOTE: I am altering the IPs here for security purposes.
As per the error messages, it could be that the labels you are using inside of the Service may be a cause for concern. Your service will look up pods based on their pod labels.
kubectl get pods --show-labels
nginx 1/1 Running 0 16m app=nginx
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
kubectl run bb --image=busybox -it -- wget -O- auth-srv:8080
controllers/nginx-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - containerPort: 8080
If the above does not resolve the problem, then you might want to look at policies. Maybe, you could create a new ingress network policy based on your pod labels to ensure that traffic hits your pods. (https://kubernetes.io/docs/concepts/services-networking/network-policies/)
You are trying to hit /login?referrerURL= and this path is not defined in your ingress rules.
EDIT:
It's not common to use ingress service internally within the cluster. Ingress resource is designed to manage external access to internal services.
Note this is also a security concern as you are exposing the auth service (which is a backend service used by your UI layer) externally.
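As an added illustration of the point above (not part of the original answers): the auth pods can be limited to traffic from the frontend pods on 8080, with the /auth rule taken off the Ingress and the webapp calling http://auth-srv.default.svc.cluster.local:8080 directly, following the naming pattern quoted in the question. The label app=webapp and the policy name are assumptions, and the policy only takes effect when the cluster's network plugin enforces NetworkPolicy.

```yaml
# Added example, not from the original posts.
# Assumption: the webapp pods carry the label app=webapp
# (the page only shows app=auth for the auth pods).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: auth-allow-webapp-only   # hypothetical name
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: auth                  # same selector as auth-depl / auth-srv on the page
  policyTypes:
    - Ingress                    # unlisted sources, including the ingress controller, are dropped
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: webapp        # assumed frontend label
      ports:
        - protocol: TCP
          port: 8080
---
# Ingress from the question with the /auth/?(.*) rule dropped, so auth-srv
# is no longer published through the load balancer. Keep any other backend
# rule from the question only if that service must stay reachable from outside.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-service
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: 'true'
spec:
  rules:
    - host: <domain_name>
      http:
        paths:
          ## frontend
          - path: /?(.*)
            backend:
              serviceName: webapp-srv
              servicePort: 8080
```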
A quick solution for me was to delete the service and recreate it. This is only if all your configs that others have suggested are correct.