I am struggling to get my nginx ingress (on AWS EKS) working with path rules and TLS.

The ingress is from here

A snippet from the Ingress looks like:

spec:
  tls:
  - hosts:
      - example.com
    secretName: ingress-tls
  rules:
  - host: example.com
  - http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 443

This ingress creates the AWS network load balancer, with a URL like https://xyz.elb.us-west-1.amazonaws.com/

I am updating the ingress-tls secret with a certificate using cert-manager.

When I access the ingress using the NLB URL https://xyz.elb.us-west-1.amazonaws.com/api, I get

  1. GOOD: Correct routing based on the path rules from the ingress definition (i.e. it goes to my api-service as expected)
  2. BAD: Certificate errors since I'm not accessing the ingress with the domain that the certificate is for.

When I access the ingress using the correct domain e.g. https://example.com/api which is what I want to do, I get:

  1. BAD: 404, it doesn't respect my path rules, and goes to upstream-default-backend instead.
  2. GOOD: certificate all good, it’s the one for example.com that cert-manager configured.

I tried removing the host: example.com from the rules:, which gives me:

  1. GOOD: Correct routing based on the path rules from the ingress definition
  2. BAD: Certificate errors, it serves up the default ingress “Fake” certificate instead of the one for example.com, I guess since the host is missing from the rules, though not sure of the exact reason.

Can someone please help me get

  1. GOOD
  2. GOOD

I’m at a loss here.

1 Answer

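After staring at this for a few more hours, and digging through the nasty chunk of Lua that is the nginx.conf, I found it! Maybe someday someone will run into this problem and might find this useful.

The problem is: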

  rules:
  - host: example.com
  - http:

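This defines (I think) a host with no forwarding rules, and then some http forwarding rules with no host. My intention was obviously that the forwarding rules would be for the host.

That would be: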

  rules:
  - host: example.com
    http:

I have to say that I'm now even less of a fan of YAML than I was before, if that's possible.

answered 2021-04-06T05:59:05.027
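
The split rule the answer describes can be caught before deploying. The following is an added example, not part of the original question or answer: it checks the parsed `spec` of an Ingress (as found under `.spec` in `kubectl get ingress -o json`) for host-only rules, hostless rules, and TLS hosts that no rule routes paths for. The function name `lint_ingress_rules` and both sample specs are constructed here, and TLS hosts are compared by exact string match (wildcards are not handled).

```python
import json

# Constructed sample: the question's spec once parsed. The extra "-" before
# "http" in the YAML makes it a second list item, so there are two rules.
BROKEN = json.loads("""
{"tls": [{"hosts": ["example.com"], "secretName": "ingress-tls"}],
 "rules": [
   {"host": "example.com"},
   {"http": {"paths": [{"path": "/api", "pathType": "Prefix",
     "backend": {"service": {"name": "api-service", "port": {"number": 443}}}}]}}
 ]}
""")

# Constructed sample: the answer's fix, host and http merged into one rule.
FIXED = {"tls": BROKEN["tls"],
         "rules": [{**BROKEN["rules"][0], **BROKEN["rules"][1]}]}


def lint_ingress_rules(spec):
    """Return a list of findings for an Ingress spec (hypothetical helper)."""
    findings = []
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    routed_hosts = set()
    for i, rule in enumerate(spec.get("rules") or []):
        host = rule.get("host")
        paths = (rule.get("http") or {}).get("paths") or []
        if host and not paths:
            # The host is declared, but no path is routed for it.
            findings.append(f"rules[{i}]: host {host!r} has no http paths")
        elif paths and not host:
            # A rule without a host applies to requests for any host name.
            findings.append(f"rules[{i}]: {len(paths)} path(s) with no host")
        elif host and paths:
            routed_hosts.add(host)
    # A certificate is configured for a host that no rule routes paths for.
    for host in sorted(tls_hosts - routed_hosts):
        findings.append(f"tls: {host!r} has no rule with both host and paths")
    return findings


if __name__ == "__main__":
    for name, spec in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_ingress_rules(spec) or "ok")
```
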