I have deployed an ingress in Kubernetes and using two applications on different ingress namespaces.
When I access the APP2 I can reach the website and it's working fine but APP1 is displaying BLANK page. No errors just BLANK and response 200 OK.
Basically I integrated ArgoCd with Azure AD. The integration it is fine but I think ingress rules are not totally fine.
Both Apps are on different namespaces so I have to use two different ingress on different namespaces:
This is the APP1:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: argocd-server-ingress
namespace: argocd
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /argo-cd/$2
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
defaultBackend:
service:
name: argocd-server
port:
number: 443
rules:
- http:
paths:
- path: /argo-cd
pathType: Prefix
backend:
service:
name: argocd-server
port:
number: 443
And this is the APP2:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sonarqube-ingress
namespace: ingress-nginx
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
defaultBackend:
service:
name: sonarqube
port:
number: 9000
tls:
- hosts:
- sq-example
secretName: nginx-cert
rules:
- host: sq.example.com
http:
paths:
- path: /sonarqube(/|$)(.*)
pathType: Prefix
backend:
service:
name: sonarqube
port:
number: 9000
- path: /(.*)
pathType: Prefix
backend:
service:
name: sonarqube
port:
number: 9000
args of ingress deployment:
spec:
containers:
- args:
- /nginx-ingress-controller
- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- --election-id=ingress-controller-leader
- --controller-class=k8s.io/ingress-nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
- --default-ssl-certificate=ingress-nginx/ca-key-pair
- --enable-ssl-passthrough
logs ingress controller pod:
10.200.140.160 - - [03/Nov/2021:15:00:34 0000] "GET /argo-cd HTTP/1.1" 200 831 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 489 0.002 [argocd-argocd-server-443] [] 10.200.140.177:8080, 10.200.140.177:8080 0, 831 0.000, 0.004 502, 200 d491c01cd741fa9f155642f8616b6d9f
2021/11/03 15:09:05 [error] 867#867: *534643 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.200.140.160, server: _, request: "GET /argo-cd/ HTTP/1.1", upstream: "https://10.200.140.177:8080/argo-cd/", host: "10.200.140.211"
10.200.140.160 - - [03/Nov/2021:15:09:05 0000] "GET /argo-cd/ HTTP/1.1" 200 831 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 440 0.006 [argocd-argocd-server-443] [] 10.200.140.177:8080, 10.200.140.177:8080 0, 831 0.000, 0.004 502, 200 8995b914ae6e39d8ca781e1f4f269f50
10.200.140.160 - - [03/Nov/2021:15:09:16 0000] "GET /argo-cd HTTP/1.1" 200 831 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" 489 0.001 [argocd-argocd-server-443] [] 10.200.140.177:8080 831 0.004 200 0adadba11c87f9b88ed75d52e4ca387a
I tryied playing with the path: /argo-cd on APP1 like:
path: /argo-cd/ path: /argo-cd/(/|$)(.) path: /argo-cd/(.) path: /argo-cd/*
but impossible to make it work. Am I doing something wrong here?
Thanks in advance.
CodePudding user response:
The problem is that you didn't configure the argo-cd root path.
Why?
First, it's worth to remind that NGINX Ingress controller by default is Cluster-wide:
- Cluster-wide Ingress Controller (default). The Ingress Controller handles configuration resources created in any namespace of the cluster. As NGINX is a high-performance load balancer capable of serving many applications at the same time, this option is used by default in our installation manifests and Helm chart.
So even if you have configured Ingresses in different namespaces at the end you are using the same NGINX Ingress Controller. You can check it by running:
kubectl get ing -n ingress-nginx
kubectl get ing -n argocd
You can observe that ADDRESS is the same for both ingresses in different namespaces.
Let's assume that I have applied only the first ingress definition (APP1). If I try to reach https://{ingress-ip}/argo-cd I will be redirected to the https://{ingress-ip}/applications website - it works probably because you also setup the defaultBackend setting. Anyway it's not a good approach - you should configure the argo-cd root path correctly.
When I applied the second ingress definition (APP2) I'm also getting the blank page as you - probably because the definitions from both ingresses are mixing and this is causing an issue.
How to setup the argo-cd root path?
Based on this documentation:
Edit the
argocd-serverdeployment to add the--rootpath=/argo-cdflag to the argocd-server command.
It's not really explained in detailed way in the docs, but I figured how to setup it:
First, we need to get current deployment configuration:
kubectl get deploy argocd-server -o yaml -n argocd > argocd-server-deployment.yaml
Now, we need to edit the argocd-server-deployment.yaml file. Under command (in my case it was line 52) we need to add rootpath flag - before:
containers:
- command:
- argocd-server
env:
After:
containers:
- command:
- argocd-server
- --rootpath=/argo-cd
env:
Save it, and run kubectl apply -f argocd-server-deployment.yaml.
Now, it's time to edit ingress definition also - as we setup root path we need to delete nginx.ingress.kubernetes.io/rewrite-target: annotation:
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
After these changes, if I reach https://{ingress-ip}/argo-cd I will be redirected to the https://{ingress-ip}/argo-cd/applications. Everything is working properly.