Reputation: 9
First post on Stack Overflow, hope I will get some help :)
I've been struggling for a while trying to get this to work. So basically I have a Kubernetes cluster in Oracle Cloud. I'm using the nginx ingress controller + cert-manager for certificates.
When I deployed the nginx ingress controller, Oracle Cloud provided me with a Load Balancer.
So we come to my problem. By default the Load Balancer got listeners in the cloud using the TCP protocol (here is a pic: TCP Listener).
And in the Kubernetes service (nginx ingress controller) the protocol is TCP also.
When this setup is used, everything works fine.
Also I'm using SNI (multiple services on one endpoint).
But Oracle Cloud provides a WAF that can be used only with HTTP listeners (one more pic: Http listener). So if I intend to use the WAF I need to set these HTTP listeners on the Load Balancer.
This is the nginx ingress service pic where you can see the protocol is TCP: TCP nginx ingress service.
When I change the listeners to HTTP, my domain shows the error "ERR_SSL_PROTOCOL_ERROR" when I try to open it in a browser.
I tried many things, including changing the configuration of the nginx ingress controller, adding annotations, etc.
nginx.ingress.kubernetes.io/backend-protocol: HTTP
nginx.ingress.kubernetes.io/ssl-passthrough: 'true'
nginx.ingress.kubernetes.io/ssl-redirect: 'true'
But nothing works; I always get that "ERR_SSL_PROTOCOL_ERROR".
So I don't know if this is even possible, and by that I mean: can there be HTTP listeners that point to the TCP protocol (nginx ingress service)?
Any advice would be appreciated.
Thank you in advance.
Upvotes: 1
Views: 1155
Reputation: 30113
OCI TCP listeners to HTTP listeners backed as HTTPS or SSL passthrough.
You can first create the self-signed SSL certificate if you are attaching it at the LB level.
If you are using cert-manager and saving it into a secret, that's fine; you can also follow this.
You can go to the LoadBalancer and change the Protocol or Listeners to HTTP instead of TCP manually and attach the certificate to the LB on the 443 port if you are following that method (as I did).
Next
Go to the Nginx ingress controller svc, edit it, and change the target port for 443 to http.
Now inside your app ingress configuration you can use the annotations; it will work without the error of 400 Bad request or HTTP requested on HTTPS port.
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/ssl-passthrough: 'true'
nginx.ingress.kubernetes.io/ssl-redirect: 'true'
Upvotes: 1
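The Service change described in the answer above, written out as a manifest. This is an added example, not configuration from either poster: the Service name, namespace and selector labels assume a default ingress-nginx install, the secret name is a placeholder, and the three OCI annotations assume the load balancer is configured through the Service rather than by hand in the console.

```yaml
# Added example: ingress-nginx controller Service after the answer's change.
# Name, namespace and selector labels are assumptions (default install values).
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  annotations:
    # OCI cloud-controller annotations: make the listeners HTTP instead of TCP
    # and terminate TLS on port 443 at the load balancer.
    service.beta.kubernetes.io/oci-load-balancer-backend-protocol: "HTTP"
    service.beta.kubernetes.io/oci-load-balancer-ssl-ports: "443"
    # Placeholder: secret holding the certificate the LB presents on 443.
    service.beta.kubernetes.io/oci-load-balancer-tls-secret: "<tls-secret-name>"
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      # Before: targetPort: https
      #   With a TCP listener the LB forwarded the TLS bytes untouched and
      #   nginx completed the handshake on its TLS port.
      # After: targetPort: http
      #   With an HTTP listener the LB terminates TLS and forwards plain HTTP,
      #   so port 443 must land on nginx's plain-HTTP container port. Leaving
      #   it on https makes nginx reply with the 400 "plain HTTP request was
      #   sent to HTTPS port" error the answer mentions.
      targetPort: http
```

With this layout TLS ends at the load balancer, so the hop from the load balancer to the controller carries plain HTTP inside the cluster network.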