service in kubernetes does not pass through all the headers

Question

I have a following service in open shift

apiVersion: v1
kind: Service
metadata:
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v1
      kind: Mapping
      name: _api_minio
      service: "http://minio-svc:9000"
      prefix: /api/minio/
      rewrite: /
      bypass_auth: true
      host: xxxx
      add_response_headers:
        Strict-Transport-Security: max-age=15552000; includeSubDomains
        X-Frame-Options: SAMEORIGIN
  creationTimestamp: '2020-01-09T15:10:34Z'
  labels:
    platform: xxx
  name: minio
  namespace: xxx
  resourceVersion: 'xxxxx'
  selfLink: /api/v1/namespaces/services/minio
  uid: 2f7619a0-32f2-11ea-9dcc-xxxxxxxx
spec:
  clusterIP:xxxxx
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

So this is a service which proxy the external request to internal minio which our object storage but as soon as I try to reach a url to the object I get:

The request signature we calculated does not match the signature you provided. Check your key and signing method.

which seems that the above service does not pass through all the headers sent from browser. Can anyone shed light on how I can pass through all headers coming in to the service to the internal service which is minio in this case?

Answer 1

In it's most basic configuration, Ambassador routes based off the incoming prefix of the request. Currently, you have Ambassador configured to route requests with prefix: /api/minio/ to the service named minio-svc over port 9000 with prefix: /.

With this configuration, a request to http(s)://{{IP}}/api/minio/ will correctly hit the minio-svc with the prefix rewritten to /. However, if you inspect the network logs, you will see that when minio receives a request with prefix: / it issues a 307 redirect to /minio/ which is not a registered route in Ambassador which is why you see the failure.

The fix for this is to edit you Mapping to route based off the prefix: /minio/ and not rewrite that prefix when sending the request downstream:

apiVersion: v1
kind: Service
metadata:
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v1
      kind: Mapping
      name: _api_minio
      service: "http://minio-svc:9000"
      prefix: /minio/
      rewrite: ""
      bypass_auth: true
      host: xxxx
      add_response_headers:
        Strict-Transport-Security: max-age=15552000; includeSubDomains
        X-Frame-Options: SAMEORIGIN
  creationTimestamp: '2020-01-09T15:10:34Z'
  labels:
    platform: xxx
  name: minio
  namespace: xxx
  resourceVersion: 'xxxxx'
  selfLink: /api/v1/namespaces/services/minio
  uid: 2f7619a0-32f2-11ea-9dcc-xxxxxxxx
spec:
  clusterIP:xxxxx
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
  sessionAffinity: None
  type: ClusterIP

Now a request to http(s)://{{IP}}/minio/ will be sent to the service minio-svc on port 9000 with prefix: /minio/ which should resolve.

When debugging these kind of larger, GUI application behind a reverse proxy it is very useful to check the network logs of your browser to see if there are resource requests that are failing.

Answer 2

Ambassador should not be stripping any headers from the request so I doubt that is the issue. You can test this by creating a Mapping that just points to a service that echos the headers it is receiving. The below can accomplish that using httpbin.org

---
apiVersion: getambassador.io/v1
kind: Mapping
metadata:
  name: httpbin
spec:
  prefix: /httpbin/
  service: httpbin.org

Now send a request to http(s)://{{LOAD_BALANCER_IP}}/httpbin/headers and it will respond with all of the headers it received from the request. You should see every header you sent plus a couple of more.

Without knowing more about the service you are hitting and the headers it is expecting it is hard to say exactly what is going wrong here so I would start with verifying it is an issue with headers being dropped.