[Question] Deploying behind NGINX ingress controller #501

Open
pboers1988 opened this issue Aug 6, 2024 · 1 comment

pboers1988 commented Aug 6, 2024

Hi All,

More a question. At this point in time I'm attempting to deploy the gnmi-server behind an NGINX-ingress inside kubernetes. I'm struggling to tweak the ingress in such a way that it works. When I do a port-forward to the gnmi-server I'm able to query the server with a client. However when I do the same query behind the ingress (TLS enabled) I get the following error:

2024/08/06 16:14:23.062224 /home/runner/work/gnmic/gnmic/app/logging.go:21: [gnmic] rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR
rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR
Error: one or more requests failed

The query I'm attempting is:

Behind the ingress - Error

gnmic -a <address>:443 sub --path "/components" --target <target> --mode once --debug

Port forward - Works

gnmic -a localhost:57400 sub --path "/components" --target <target> --mode once --debug

Ingress status

The ingress is configured correctly and works.

❯ k describe ingress -n streaming gnmic
Name:             gnmic
Labels:           app.kubernetes.io/instance=gnmic
                  app.kubernetes.io/managed-by=Helm
                  app.kubernetes.io/name=gnmic
                  app.kubernetes.io/version=0.34.3
                  helm.sh/chart=gnmic-0.1.0
Namespace:        streaming
Address:          *****
Ingress Class:    nginx-production
Default backend:  <default>
TLS:
  tls-routers-secret terminates gnmi.routers.****
Rules:
  Host                   Path  Backends
  ----                   ----  --------
  gnmi.routers.**  /   gnmic-collector-gnmic-api:57400 (10.246.2.127:57400,10.246.4.115:57400,10.246.6.102:57400 + 1 more...)
Annotations:             cert-manager.io/issuer: letsencrypt
                         meta.helm.sh/release-name: gnmic
                         meta.helm.sh/release-namespace: streaming
                         nginx.ingress.kubernetes.io/backend-protocol: GRPC
                         nginx.ingress.kubernetes.io/service-upstream: true
                         nginx.ingress.kubernetes.io/whitelist-source-range: ******
Events:
  Type    Reason  Age                   From                      Message
  ----    ------  ----                  ----                      -------
  Normal  Sync    8m1s (x20 over 121m)  nginx-ingress-controller  Scheduled for sync
  Normal  Sync    8m1s (x20 over 121m)  nginx-ingress-controller  Scheduled for sync
  Normal  Sync    8m1s (x20 over 121m)  nginx-ingress-controller  Scheduled for sync

Certificate status

Name:         tls-routers-secret
Namespace:    streaming
Labels:       app.kubernetes.io/instance=gnmic
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=gnmic
              app.kubernetes.io/version=0.34.3
              helm.sh/chart=gnmic-0.1.0
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2024-08-06T12:29:26Z
  Generation:          1
  Owner References:
    API Version:           networking.k8s.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  gnmic
    UID:                   8c9485af-f5bf-4522-a99b-215fda9f331f
  Resource Version:        431199365
  UID:                     89da4cd4-f10f-4a37-9960-a9ac9dec5713
Spec:
  Dns Names:
    gnmi.*****
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       Issuer
    Name:       letsencrypt
  Secret Name:  tls-routers-secret
  Usages:
    digital signature
    key encipherment
Status:
  Conditions:
    Last Transition Time:  2024-08-06T12:39:51Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2025-08-06T23:59:59Z
  Not Before:              2024-08-06T00:00:00Z
  Renewal Time:            2025-04-06T23:59:59Z
  Revision:                1
Events:                    <none>

The routers I'm attempting to query are very fast, results usually return in a few ms so I shouldn't be hitting this timeout.

Has anyone had a similar experience? Thanks.

Collaborator

hellt commented Aug 8, 2024

Could it be that your ingress terminates tls and sends http towards the server that expects tls? Or vice versa
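
Added example, not part of the thread or of the gnmic project: one way to test the suggestion above is to check whether the collector's gNMI port itself speaks TLS and compare that with the ingress backend-protocol annotation (GRPC makes NGINX send plaintext HTTP/2 to the backend, GRPCS makes it send TLS). It assumes the port-forward on localhost:57400 from the issue; probe_backend and advise are hypothetical helper names.

```python
import socket
import ssl

# gRPC values accepted by nginx.ingress.kubernetes.io/backend-protocol.
ANNOTATION = {"tls": "GRPCS", "plaintext": "GRPC"}


def probe_backend(host, port, timeout=3.0):
    """Return 'tls', 'plaintext', 'unreachable' or 'unknown' for host:port."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    # Diagnostic only: the question is whether the peer speaks TLS at all,
    # so the certificate is deliberately not validated here.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(["h2"])  # gRPC runs over HTTP/2
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except socket.timeout:
        return "unknown"      # peer stayed silent; cannot tell
    except OSError:           # ssl.SSLError, reset or EOF: peer is not TLS
        return "plaintext"
    finally:
        raw.close()


def advise(host, port, annotation):
    """Compare the probe result with the ingress backend-protocol value."""
    seen = probe_backend(host, port)
    want = ANNOTATION.get(seen)
    if want is None:
        return f"{host}:{port} is {seen}; cannot compare"
    if want == annotation:
        return f"match: backend is {seen}, annotation is {annotation}"
    return f"mismatch: backend is {seen}, annotation is {annotation}, expected {want}"


if __name__ == "__main__":
    # Assumption: kubectl port-forward exposes the collector on localhost:57400;
    # GRPC is the annotation value shown in the issue's ingress description.
    print(advise("localhost", 57400, "GRPC"))
```

A mismatch result means the ingress and the gnmic server disagree about TLS on the backend hop, which is the situation the comment above asks about.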
