HTTP Backend for K8s Ingress

Hello. I am trying to use juju to expose a k8s pod via HTTPS. What does work is this:

client -> HTTPS -> nginx -> HTTP -> pod

But, my pod only speaks HTTPS, so I cannot get this to work:

client -> HTTPS -> nginx -> HTTPS -> pod

From the looks of it, I need to enable HTTPS as a backend protocol (see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#backend-protocol) but that does not appear to be supported by Juju.

Is there any way of doing this?

Unfortunately, right now, HTTPS ingress is not supported via juju expose.

If you are the charm author, you can have the charm create an Ingress Resource directly.

In the kubernetesResources section on the k8s-spec YAML, an example:

kubernetesResources:
  ingressResources:
    - name: test-ingress
      labels:
        foo: bar
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
      spec:
        tls:
        - hosts:
            - sslexample.foo.com
          secretName: testsecret-tls
        rules:
        - host: sslexample.foo.com
          http:
            paths:
            - path: /
              backend:
                serviceName: service1
                servicePort: 80

Awesome. I think I might have also found a possible misconfiguration in the annotations. I’ll gather more info and raise a bug if so. What component of it is a bug?

It’s most likely a charm bug since the only annotations Juju adds are to record the controller and model UUIDs. Perhaps post the details here and we can figure out where the issue lies.

Sticking with the HTTPS part of the thread, I feel like I’m missing something here. Doesn’t the TLS part secure the client -> nginx part of the conversation with a specific set of certificates? I’m specifically looking to use HTTPS from nginx -> backend service port, and this does not seem to be changing anything. Specifically, I thought I just needed to add nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" to the annotations.

Adding the config to the charm does not expose the port, nor does it create an ingress for the pod. What am I missing?

This is what I was missing:

nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

But it still does not expose the port.

Can you provide the yaml snippet that your charm is using to send to pod-spec-set?

If I use the name of the container as the name of the ingress resource, it tells me that it is a juju reserved name and does not create it. If I use this, the config is created, but does not seem to get activated in nginx.

version: 2
containers:
  - name: %(name)s
    image: %(docker_image)s
    ports:
    - containerPort: %(advertised-port)s
      protocol: TCP
    config:
      ALLOW_ANONYMOUS_LOGIN: 'yes'

      OSMNBI_MESSAGE_HOST: %(kafka_host)s
      OSMNBI_MESSAGE_DRIVER: kafka
      OSMNBI_MESSAGE_PORT: %(kafka_port)s

      OSMNBI_DATABASE_DRIVER: mongo
      OSMNBI_DATABASE_URI: %(mongo_uri)s
      OSMNBI_DATABASE_COMMONKEY: %(DATABASE_COMMONKEY)s

      OSMNBI_STORAGE_DRIVER: mongo
      OSMNBI_STORAGE_PATH: /app/storage
      OSMNBI_STORAGE_COLLECTION: files
      OSMNBI_STORAGE_URI: %(mongo_uri)s

      OSMNBI_STATIC_DIR: /app/osm_nbi/html_public

      OSMNBI_PROMETHEUS_HOST: %(prometheus_host)s
      OSMNBI_PROMETHEUS_PORT: %(prometheus_port)s
      OSMNBI_LOG_LEVEL: %(log_level)s

kubernetesResources:
    ingressResources:
      - name: %(name)s-ingress
        labels:
          foo: bar
        annotations:
          nginx.ingress.kubernetes.io/rewrite-target: /
          nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        spec:
          rules:
          - http:
              paths:
              - path: /
                backend:
                  serviceName: %(name)s
                  servicePort: %(advertised-port)s

As a workaround, it appears this will work:

juju config nbi-k8s juju-external-hostname=nbi.$DEFAULT_IP.xip.io
juju expose nbi-k8s
microk8s.kubectl get ingress -n osm -o json | jq '.items[0].metadata.annotations += {"nginx.ingress.kubernetes.io/backend-protocol": "HTTPS"}' | microk8s.kubectl apply -f -
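
Added example (not from any post in this thread): the jq filter in the workaround annotates `.items[0]`, whichever Ingress is listed first in the namespace. This Python sketch reads the same `kubectl get ingress -o json` output, reports per Ingress whether TLS is configured on the client -> nginx hop and which protocol nginx uses toward the pod, and annotates one Ingress selected by name. The sample JSON, hostnames and function names are constructed for illustration.

```python
import json

BACKEND_KEY = "nginx.ingress.kubernetes.io/backend-protocol"

# Constructed sample shaped like `kubectl get ingress -n osm -o json` output;
# hostnames and the second Ingress are placeholders, not values from a real cluster.
SAMPLE = json.loads("""
{"apiVersion": "v1", "kind": "List", "items": [
  {"kind": "Ingress",
   "metadata": {"name": "nbi-k8s", "namespace": "osm",
                "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}},
   "spec": {"rules": [{"host": "nbi.example.test"}]}},
  {"kind": "Ingress",
   "metadata": {"name": "other-app", "namespace": "osm"},
   "spec": {"tls": [{"hosts": ["other.example.test"], "secretName": "other-tls"}],
            "rules": [{"host": "other.example.test"}]}}
]}
""")


def hop_report(ingress_list):
    """Per Ingress: is client->nginx TLS set, and which protocol does nginx use to the pod?"""
    report = {}
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}  # key may be absent or null
        report[meta.get("name")] = {
            "client_tls": bool(item.get("spec", {}).get("tls")),
            # ingress-nginx talks plain HTTP to the backend when the annotation is absent
            "backend": annotations.get(BACKEND_KEY, "HTTP").upper(),
        }
    return report


def set_backend_https(ingress_list, name):
    """Annotate only the named Ingress, keeping its other annotations; True if found."""
    for item in ingress_list.get("items", []):
        meta = item.setdefault("metadata", {})
        if meta.get("name") == name:
            merged = dict(meta.get("annotations") or {}, **{BACKEND_KEY: "HTTPS"})
            meta["annotations"] = merged
            return True
    return False


if __name__ == "__main__":
    print(hop_report(SAMPLE))
    set_backend_https(SAMPLE, "nbi-k8s")
    print(json.dumps(SAMPLE, indent=2))  # this JSON is what would go to `kubectl apply -f -`
```

The report keeps the two hops separate: `spec.tls` only covers client -> nginx, while the backend-protocol annotation only covers nginx -> pod.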