Почему Microk8s ingress не редиректит к поду?

Question

[Даниил Сидоров]

Добрый день. Впервые сталкиваюсь с kubernetes и возможно мой вопрос покажется глупым. У меня есть сервер (Ubuntu 22.04) с установленным microk8s и я пытаюсь настроить конфигурацию для веб-приложения с Nginx. Все запускается нормально и я могу подключиться к серверу напрямую через SSH. Ingress контроллер и приложение находятся в разных неймспейсах. Когда я пытаюсь зайти на сайт, то получаю 503 ошибку. Причем я вижу эти подключения в логах Ingress, но не в webapp.

Мои конфиги: deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deployment
  labels:
    app: myapp
spec:
  revisionHistoryLimit: 3
  replicas: 1
  selector:
    matchLabels:
      environment: production
      app: myapp
  template:
    metadata:
      labels:
        environment: production
        app: myapp
    spec:
      imagePullSecrets:
        - name: docker-token
      volumes:
        - name: vendor-dir
          emptyDir: {}
        - name: upload-dir
          emptyDir: {}
        - name: runtime-dir
          emptyDir: {}
        - name: assets-dir
          emptyDir: {}
        - name: host-config
          configMap:
            name: backend-host-config
      initContainers:
        - name: app-dependencies
          image: myimage
          imagePullPolicy: Always
          command: [ 'sh', '-c', 'composer install --no-interaction --classmap-authoritative' ]
          envFrom: &envFrom
            - secretRef:
                name: backend-env
          volumeMounts: &volumeMounts
            - mountPath: /var/www/vendor
              name: vendor-dir
            - mountPath: /var/www/web/upload
              name: upload-dir
            - mountPath: /var/www/runtime
              name: runtime-dir
        - name: app-migrations
          image: myimage
          imagePullPolicy: Always
          envFrom: *envFrom
          volumeMounts: *volumeMounts
          command: [ 'sh', '-c', './yii migrate --interactive=0' ]
        - name: app-cache-clear
          image: myimage
          imagePullPolicy: Always
          envFrom: *envFrom
          volumeMounts: *volumeMounts
          command: [ 'sh', '-c', './yii cache/flush-all --interactive=0' ]
      containers:
        - name: app
          securityContext:
            {}
          image: myimage
          imagePullPolicy: Always
          envFrom: *envFrom
          volumeMounts: *volumeMounts
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /health
              port: http
          resources:
            {}
        - name: webapp
          image: nginx:alpine
          volumeMounts:
            - mountPath: /var/www/web/assets
              name: assets-dir
            - mountPath: /etc/nginx/conf.d
              name: host-config

host-config.yaml

kind: ConfigMap
apiVersion: v1
metadata:
  name: backend-host-config
data:
  default.conf: |
    server {
      root /var/www/web;
      index index.php index.html index.htm;
  
      location /health {
          return 200;
      }
  
      sendfile off;
  
      location / {
           try_files $uri $uri/ /index.php$is_args$args;
      }
  
      location ~ \.php$ {
          try_files $uri /index.php =404;
          fastcgi_pass localhost:9000;
          fastcgi_index index.php;
          fastcgi_buffers 16 16k;
          fastcgi_buffer_size 32k;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          #fixes timeouts
          fastcgi_read_timeout 600;
          include fastcgi_params;
      }
  
      location ~ /\.ht {
          deny all;
      }
  
      location /.well-known/acme-challenge/ {
          root /var/www/letsencrypt/;
          log_not_found off;
      }
    }

ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-deployment
  labels:
    name: myapp
  annotations:
    kubernetes.io/ingressClassName: public
    nginx.ingress.kubernetes.io/backend-protocol: http
    nginx.ingress.kubernetes.io/client-body-buffer-size: 1M
    nginx.ingress.kubernetes.io/fastcgi-index: index.php
    nginx.ingress.kubernetes.io/fastcgi-params-configmap: default/fastcgi-config
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/http2-push-preload: "true"
spec:
  rules:
    - host: "myapp.site"
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: myapp-deployment
                port:
                  name: http

service.yaml

apiVersion: v1
kind: Service
metadata:
  name: myapp-deployment
  labels:
    app: myapp
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
    - port: 9000
      name: fastcgi
  selector:
    app: myapp
    environment: production

Вот логи, которые записываются при попытке зайти на сайт:

[ip] - - [26/Oct/2023:17:39:48 +0000] "GET / HTTP/1.1" 503 592 "-" [User-Agent] 472 0.000 [default-myapp-deployment-http] [] - - - - 0ac9bd0d9863ce5a065dba8b8b553321

kubectl get service myapp-deployment

NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)           AGE
myapp-deployment     ClusterIP   10.152.183.181   <none>        80/TCP,9000/TCP   2d11h

kubectl get ingress

NAME                 CLASS    HOSTS          ADDRESS     PORTS   AGE
myapp-deployment     public   myapp.site     127.0.0.1   80      4h37m

Во всем этом меня смущает, что external-ip имеет значение "none" и Ingress имеет адрес 127.0.0.1. Перепробовал уже массу вариантов, но приблизиться к решению проблемы с 503 ошибкой пока никак не выходит. Буду рад любым подсказкам.

Comments

[Иван Корюков]

Код 503 на ингресс-контроллере с вероятностью 99.9% означает, что ингресс не знает куда направить запрос. Например нет ни одного пода.

То что у service приложения нет внешнего ip это нормально.

А вы проверяли что под вообще отвечает если напрямую в него запрос сделать? У вас очень странные конфиги. Я не знаю специфику вашего случая, но на мой вкус тут много неправильных вещей.

Answer 1

[Дмитрий Шицков]

1. Точно ли обращение идет по хосту myapp.site указанному в ингрессе? Судя по логу - нет
   
2. Что в kubectl get deploy и kubectl get pod? что в логах pod (kubectl logs myapp-deployment-...)?
   

Comments

[Даниил Сидоров]

1) Да
2)

kubectl get deploy --all-namespaces
NAMESPACE      NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
kube-system    coredns                     1/1     1            1           7d18h
kube-system    kubernetes-dashboard        1/1     1            1           7d18h
kube-system    dashboard-metrics-scraper   1/1     1            1           7d18h
kube-system    metrics-server              1/1     1            1           7d18h
kube-system    calico-kube-controllers     1/1     1            1           7d18h
cert-manager   cert-manager-cainjector     1/1     1            1           3h22m
cert-manager   cert-manager                1/1     1            1           3h22m
cert-manager   cert-manager-webhook        1/1     1            1           3h22m
myapp          myapp-yii                   1/1     1            1           8h

kubectl get pod --all-namespaces
NAMESPACE      NAME                                         READY   STATUS    RESTARTS   AGE
kube-system    kubernetes-dashboard-fc86bcc89-6lg2j         1/1     Running   0          7d18h
kube-system    dashboard-metrics-scraper-5cb4f4bb9c-w4ddd   1/1     Running   0          7d18h
kube-system    coredns-7745f9f87f-hjv54                     1/1     Running   0          7d18h
kube-system    metrics-server-7747f8d66b-xhk7v              1/1     Running   0          7d18h
kube-system    calico-node-xlmmq                            1/1     Running   0          6d
kube-system    calico-kube-controllers-59bd664565-x9ph6     1/1     Running   0          6d
cert-manager   cert-manager-cainjector-69d6f4d488-rz75n     1/1     Running   0          3h24m
cert-manager   cert-manager-75d57c8d4b-nh849                1/1     Running   0          3h24m
cert-manager   cert-manager-webhook-869b6c65c4-jqr4q        1/1     Running   0          76m
myapp          myapp-yii-775597f9d8-2q286                   2/2     Running   0          38m
ingress        nginx-ingress-microk8s-controller-ns42j      1/1     Running   0          6m35s

kubectl logs myapp-yii-775597f9d8-2q286 -n myapp
app container:
[27-Oct-2023 22:49:39] NOTICE: [pool www] 'user' directive is ignored when FPM is not running as root
[27-Oct-2023 22:49:39] NOTICE: [pool www] 'user' directive is ignored when FPM is not running as root
[27-Oct-2023 22:49:39] NOTICE: [pool www] 'group' directive is ignored when FPM is not running as root
[27-Oct-2023 22:49:39] NOTICE: [pool www] 'group' directive is ignored when FPM is not running as root
[27-Oct-2023 22:49:39] NOTICE: fpm is running, pid 1
[27-Oct-2023 22:49:39] NOTICE: ready to handle connections

webapp container:
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2023/10/27 22:49:39 [warn] 1#1: the "http2_push_preload" directive is obsolete, ignored in /etc/nginx/conf.d/default.conf:37
nginx: [warn] the "http2_push_preload" directive is obsolete, ignored in /etc/nginx/conf.d/default.conf:37
2023/10/27 22:49:39 [notice] 1#1: using the "epoll" event method
2023/10/27 22:49:39 [notice] 1#1: nginx/1.25.3
2023/10/27 22:49:39 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14) 
2023/10/27 22:49:39 [notice] 1#1: OS: Linux 5.15.0-87-generic
2023/10/27 22:49:39 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 65536:65536
2023/10/27 22:49:39 [notice] 1#1: start worker processes
2023/10/27 22:49:39 [notice] 1#1: start worker process 21
2023/10/27 22:49:39 [notice] 1#1: start worker process 22
2023/10/27 22:49:39 [notice] 1#1: start worker process 23
2023/10/27 22:49:39 [notice] 1#1: start worker process 24
2023/10/27 22:49:39 [notice] 1#1: start worker process 25
2023/10/27 22:49:39 [notice] 1#1: start worker process 26
2023/10/27 22:49:39 [notice] 1#1: start worker process 27
2023/10/27 22:49:39 [notice] 1#1: start worker process 28
2023/10/27 22:49:39 [notice] 1#1: start worker process 29
2023/10/27 22:49:39 [notice] 1#1: start worker process 30
2023/10/27 22:49:39 [notice] 1#1: start worker process 31
2023/10/27 22:49:39 [notice] 1#1: start worker process 32
10.0.1.1 - - [27/Oct/2023:22:49:47 +0000] "GET /health HTTP/1.1" 200 0 "-" "kube-probe/1.27" "-"
10.0.1.1 - - [27/Oct/2023:22:49:57 +0000] "GET /health HTTP/1.1" 200 0 "-" "kube-probe/1.27" "-"
10.0.1.1 - - [27/Oct/2023:22:50:07 +0000] "GET /health HTTP/1.1" 200 0 "-" "kube-probe/1.27" "-"
10.0.1.1 - - [27/Oct/2023:22:50:17 +0000] "GET /health HTTP/1.1" 200 0 "-" "kube-probe/1.27" "-"
10.0.1.1 - - [27/Oct/2023:22:50:27 +0000] "GET /health HTTP/1.1" 200 0 "-" "kube-probe/1.27" "-"

[Даниил Сидоров]

Если в сервисе прописать

spec:
  externalIPs:
    - [server-ip]

то доступ с браузера напрямую в под проходит

[Дмитрий Шицков]

Даниил Сидоров, имена сервисов, деплоймента, неймспейс у манифестов в вопросе не совпадают с тем что выводят запросы kubectl.
Исходные манифесты корректные, тогда как текущая конфигурация в кластере вероятно нет. Чтобы что-то подсказать мне нужна актуальная информация. Скорее всего в коныиге ингресса не указано полное имя сервиса, предположительно сейчас оно такое: "myapp-yii.myapp"

[Даниил Сидоров]

Дмитрий Шицков, Это текущий конфиг, целиком. Сейчас всё развернул и запускаю через хельм, потому конфиги не совпадают с изначальными.

Открыть конфиг

---
# Source: yii/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-yii
  labels:
    helm.sh/chart: yii-0.1.0
    app.kubernetes.io/name: yii
    app.kubernetes.io/instance: myapp
    app.kubernetes.io/version: "1.4.0"
    app.kubernetes.io/managed-by: Helm
---
# Source: yii/templates/host-config.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: backend-host-config
data:
  default.conf: |
    server {
      client_max_body_size 10m;

      root /var/www/web;

      location /health {
        return 200;
      }

      location / {
          # try to serve file directly, fallback to app.php
          try_files $uri /index.php$is_args$args;
      }

      location ~* ^.+\\.(css|js)$ {
          access_log off;
          log_not_found off;
          expires max;
          add_header Access-Control-Allow-Origin \"*\";
      }

      location ~* ^.+\\.(svg|svgz|eot|otf|woff|woff2|ttf|ttc|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|wav|bmp|rtf)$ {
          access_log off;
          expires max;
          add_header Access-Control-Allow-Origin \"*\";
      }

      location ~ ^/index\\.php(/|$) {
          fastcgi_pass localhost:9000;
          fastcgi_split_path_info ^(.+\\.php)(/.*)$;
          include fastcgi_params;
          fastcgi_send_timeout 300s;
          fastcgi_read_timeout 60s;
          fastcgi_param HTTPS on;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param DOCUMENT_ROOT $realpath_root;
          http2_push_preload on;
          proxy_buffer_size          2048k;
          proxy_buffers              4 2048k;
          proxy_busy_buffers_size    4096k;
          fastcgi_buffers            16 256k;
          fastcgi_buffer_size        512k;
          internal;
      }

      location ~ \\.php$ {
          return 404;
      }
    }
---
# Source: yii/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp-yii
  labels:
    helm.sh/chart: yii-0.1.0
    app.kubernetes.io/name: yii
    app.kubernetes.io/instance: myapp
    app.kubernetes.io/version: "1.4.0"
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
    - port: 9000
      name: fastcgi
  selector:
    app.kubernetes.io/name: yii
    app.kubernetes.io/instance: myapp
---
# Source: yii/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-yii
  labels:
    helm.sh/chart: yii-0.1.0
    app.kubernetes.io/name: yii
    app.kubernetes.io/instance: myapp
    app.kubernetes.io/version: "1.4.0"
    app.kubernetes.io/managed-by: Helm
spec:
  revisionHistoryLimit: 3
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: yii
      app.kubernetes.io/instance: myapp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: yii
        app.kubernetes.io/instance: myapp
    spec:
      imagePullSecrets:
        - name: docker-token
      serviceAccountName: myapp-yii
      securityContext:
        {}
      volumes:
        - name: vendor-dir
          emptyDir: { }
        - name: upload-dir
          emptyDir: { }
        - name: runtime-dir
          emptyDir: { }
        - name: assets-dir
          emptyDir: { }
        - name: host-config
          configMap:
            name: backend-host-config
      initContainers:
        - name: app-dependencies
          image: "[app-image]"
          imagePullPolicy: IfNotPresent
          command: ['sh', '-c', 'composer install --no-interaction --classmap-authoritative']
          envFrom: &envFrom
            - secretRef:
                name: backend-env
          volumeMounts:
            - mountPath: /var/www/vendor
              name: vendor-dir
            - mountPath: /var/www/web/upload
              name: upload-dir
            - mountPath: /var/www/runtime
              name: runtime-dir
        - name: app-migrations
          image: "[app-image]"
          imagePullPolicy: IfNotPresent
          envFrom: *envFrom
          volumeMounts:
            - mountPath: /var/www/vendor
              name: vendor-dir
            - mountPath: /var/www/web/upload
              name: upload-dir
            - mountPath: /var/www/runtime
              name: runtime-dir
          command: [ 'sh', '-c', './yii migrate --interactive=0' ]
        - name: app-cache-clear
          image: "[app-image]"
          imagePullPolicy: IfNotPresent
          envFrom: *envFrom
          volumeMounts:
            - mountPath: /var/www/vendor
              name: vendor-dir
            - mountPath: /var/www/web/upload
              name: upload-dir
            - mountPath: /var/www/runtime
              name: runtime-dir
          command: [ 'sh', '-c', './yii cache/flush-all --interactive=0' ]
      containers:
        - name: app
          securityContext:
            {}
          image: "[app-image]"
          envFrom: *envFrom
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - mountPath: /var/www/vendor
              name: vendor-dir
            - mountPath: /var/www/web/upload
              name: upload-dir
            - mountPath: /var/www/runtime
              name: runtime-dir
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /health
              port: http
          resources:
            {}
        - name: webapp
          image: "[webapp-image]"
          volumeMounts:
            - mountPath: /etc/nginx/conf.d
              name: host-config
---
# Source: yii/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-yii
  labels:
    helm.sh/chart: yii-0.1.0
    app.kubernetes.io/name: yii
    app.kubernetes.io/instance: myapp
    app.kubernetes.io/version: "1.4.0"
    app.kubernetes.io/managed-by: Helm
  annotations:
    cert-manager.io/issuer: cert-issuer-staging
    certmanager.k8s.io/issuer: cert-issuer-staging
    ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/backend-protocol: http
    nginx.ingress.kubernetes.io/client-body-buffer-size: 1M
    nginx.ingress.kubernetes.io/fastcgi-index: index.php
    nginx.ingress.kubernetes.io/fastcgi-params-configmap: default/fastcgi-config
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/http2-push-preload: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - "myapp.site"
      secretName: myapp-tls
  rules:
    - host: "myapp.site"
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: myapp-yii
                port:
                  name: http
---
# Source: yii/templates/issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: cert-issuer-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: "[email]"
    privateKeySecretRef:
      name: myapp-tls
    solvers:
      - http01:
          ingress:
            class: nginx
---
# Source: yii/templates/tests/test-connection.yaml
apiVersion: v1
kind: Pod
metadata:
  name: "myapp-yii-test-connection"
  labels:
    helm.sh/chart: yii-0.1.0
    app.kubernetes.io/name: yii
    app.kubernetes.io/instance: myapp
    app.kubernetes.io/version: "1.4.0"
    app.kubernetes.io/managed-by: Helm
  annotations:
    "helm.sh/hook": test
spec:
  containers:
    - name: wget
      image: busybox
      command: ['wget']
      args: ['myapp-yii:80/health']
  restartPolicy: Never

[Дмитрий Шицков]

Даниил Сидоров, визуально не нашел отклонений. Есть ли посвежее логи с ингресса? Логируется ли что-то в поде при этом?

Что если прокинуть порт сервиса и открыть в браузере, работает так же как и при обращении на Pod?
kubectl -n myapp port-forward svc/myapp-yii 80:80
и с соседней консоли
curl -v localhost:80
Все ок при таком тесте?

[Даниил Сидоров]

Дмитрий Шицков,

Что если прокинуть порт сервиса и открыть в браузере, работает так же как и при обращении на Pod?

Да, также

и с соседней консоли

Да

Вообще не понимаю в чем может быть проблема :(