Help needed - TLS secret took long to discover (Ingress Controller version: 1.10, Kubernetes version: 1.20) #1448
Comments
Hi @kongdewen This seems like a timing issue in the IC - it processed Ingresses before it had processed the referenced Secrets. How many Ingress and Secret resources does the Ingress Controller handle in your cluster?
Hey @pleshakov, for this particular ingress.class there are 183 Ingresses; the total number of TLS Secrets in the cluster is 46.
@kongdewen It is a bug. I will update this issue once I have an ETA for the fix.
Hi @kongdewen I wonder if you noticed any client traffic disruption during the upgrade. Until the IC fully generates the config for all resources in the cluster, its readiness probe will fail. This prevents NGINX from starting to accept client requests while its config is only partially generated. That feature should mitigate your problem - although during IC start the IC can report warnings about missing Secrets, once all resources are processed it will clear all those warnings. After that, the IC becomes ready and its readiness probe succeeds. However, we had a bug in that feature - in certain scenarios the IC becomes ready almost immediately. We just fixed that bug in #1457; it will be part of the upcoming 1.11.0 (end of this month). The warnings bug will be addressed in 1.12.0.
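For reference, the readiness probe described above is wired up in the project's sample deployment manifests roughly as follows (the `/nginx-ready` path and port 8081 match the IC's `-ready-status`/`-ready-status-port` defaults; your install may differ):

```yaml
# Readiness probe from the NGINX Ingress Controller sample manifests.
# The IC serves /nginx-ready on port 8081 only after it has processed
# all resources and generated the full NGINX configuration, so the pod
# stays NotReady (and receives no traffic) until then.
readinessProbe:
  httpGet:
    path: /nginx-ready
    port: readiness-port   # containerPort 8081, named readiness-port
  periodSeconds: 1
```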
@pleshakov Thank you. Yes, we did see disruption (connection errors) when we tested the upgrade. We didn't go any further after we saw the service interruption. We did some testing; the only thing that helped the situation was to increase
This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.
Hello,
We updated to the latest chart version (0.9.1 with NGINX IC 1.11.1), but we still have the problem. Does anyone have an idea?
Hi @Aohzan This bug with the warnings hasn't been fixed yet. They appear during IC start, but once the IC fully processes all Ingress and related resources in the cluster, it will not emit any more warnings. Note that until all resources are processed, the IC pod is not in the Ready state, which means it will not receive any incoming traffic from kube-proxy. I wonder if you noticed any traffic disruption, or just the warnings?
Yes; regarding the warnings, I see they will be resolved in the next release.
What is the error that you see? |
Full logs:
Hi - I experience a similar issue.
It seems that if the pod does not come up within a few minutes, it is reasonable to kill it until it does. We have ~80 Secrets in the namespace. I'm using version 1.11.1. I tried to roll back to 1.9 (as mentioned before), but 1.9 did not help either.
Hi @Aohzan
Hi @evilezh The pod is in the NotReady state until it processes all the Secrets and Ingresses. During that process, you will see intermittent errors. However, once the processing is finished, there should be no errors. I would not recommend killing the pod. To see how much time it takes for a KIC pod to get ready, you can run the IC with
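Another way to measure that time-to-ready is to compare the pod's start time with the moment its Ready condition last transitioned. A minimal sketch, assuming GNU `date` and standard Kubernetes pod status fields; the pod/namespace names in the comments are placeholders, and the sample timestamps stand in for real `kubectl` output so the sketch runs stand-alone:

```shell
#!/usr/bin/env bash
# Against a live cluster you would fetch the two timestamps like this
# (hypothetical pod and namespace names):
#   START=$(kubectl -n nginx-ingress get pod "$POD" \
#     -o jsonpath='{.status.startTime}')
#   READY=$(kubectl -n nginx-ingress get pod "$POD" \
#     -o jsonpath='{.status.conditions[?(@.type=="Ready")].lastTransitionTime}')
# Sample timestamps so the sketch is runnable without a cluster:
START="2021-05-01T10:00:00Z"
READY="2021-05-01T10:02:35Z"
# GNU date is assumed for parsing the RFC 3339 timestamps.
SECS=$(( $(date -ud "$READY" +%s) - $(date -ud "$START" +%s) ))
echo "pod took ${SECS}s to become Ready"
```

The gap between the two timestamps is roughly how long the IC spent processing Secrets and Ingresses before its readiness probe started passing.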
Hi @pleshakov, if that were the case, I wouldn't have any issues. By "pod does not come up" I mean it fails to load the Secrets. I will do a bit more research. I also exec'd into the controller container to check the configuration - it was OK, except the listen directive was for port 80 only (I guess because of the missing TLS).
I only read the code a little bit :) A few thoughts on the controller's start sequence: it would make sense, on startup, to first load the Secrets, then load all the Ingresses, build the configuration, and only then start NGINX - and follow up with updates from there. Currently those errors are misleading: if I hadn't looked at the code, I would think that NGINX can't find the Secrets in k8s.
We are seeing a weird problem when upgrading to the latest ingress: when the k8s ingress pods start, it takes a couple of minutes to actually find the TLS for the Ingresses. It first reports the secret as missing or of an invalid type (we did have to switch the TLS type to kubernetes.io/tls recently to prepare for the upgrade) until, some time later, things come back to normal. Error sample:
secret sample:
ingress sample:
Any ideas what might have happened?
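For reference, a Secret of the type the IC expects looks like the following; the name, namespace, and payloads here are placeholders, not the reporter's actual sample:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: example-tls    # placeholder name
  namespace: default   # placeholder namespace
type: kubernetes.io/tls   # the type the IC requires for TLS secrets
data:
  tls.crt: <base64-encoded PEM certificate>
  tls.key: <base64-encoded PEM private key>
```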