Question

我正在使用ingress-nginx系统https://github.com/kubernetes/ingress-nginx。我正在广泛使用这个项目。 Jenkins，Consul，Prometheus等人使用完全相同的入口配置工作得很好。

我可以通过kubectl端口转发直接访问我的保管库。但是当我尝试通过我的nginx-ingress访问它时，我返回了503

kubectl port-forward vault-vault-f9778f86d-srr9n 8200:8200 -n vault

  curl 127.0.0.1:8200/v1/1
    {"errors":["Vault is sealed"]}

➜  vault curl -L vault.me.com/v1/1
<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body bgcolor="white">
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>nginx/1.13.8</center>
</body>
</html>

查看日志，我会看到以下内容以响应vault.me.com curl

10.233.104.128 - [10.233.104.128] - - [19/Apr/2018:20:42:56 +0000] "GET / HTTP/1.1" 308 187 "-" "curl/7.43.0" 77 0.000 [] - - - -
10.233.104.128 - [10.233.104.128] - - [19/Apr/2018:20:42:56 +0000] "GET / HTTP/1.1" 503 213 "-" "curl/7.43.0" 77 0.000 [] - - - -

如果我试图访问我的领事后端，我会看到以下内容。

10.233.104.128 - [10.233.104.128] - - [19/Apr/2018:20:43:34 +0000] "GET / HTTP/1.1" 308 187 "-" "curl/7.43.0" 78 0.000 [consul-consul-consul-8500] - - - -
10.233.104.128 - [10.233.104.128] - - [19/Apr/2018:20:43:39 +0000] "GET / HTTP/1.1" 308 187 "-" "curl/7.43.0" 78 0.000 [consul-consul-consul-8500] - - - -
10.233.104.128 - [10.233.104.128] - - [19/Apr/2018:20:43:39 +0000] "GET / HTTP/1.1" 301 39 "-" "curl/7.43.0" 78 0.002 [consul-consul-consul-8500] 10.233.114.4:8500 39 0.002 301
10.233.104.128 - [10.233.104.128] - - [19/Apr/2018:20:43:39 +0000] "GET /ui/ HTTP/1.1" 200 30178 "-" "curl/7.43.0" 81 0.001 [consul-consul-consul-8500] 10.233.82.19:8500 30178 0.001 200

我不确定最新情况，我也不知道如何调试它。我花了两个小时阅读这个工具的来源，但我没有看到任何东西。

我在某处读到任何不是2xx或3xx的响应都会失败nginx的后端运行状况检查，并且会从后端池中删除以进行路由。这将表现为我所看到的503。确实，保险库的确会返回非2xx或3xx，这样才有意义。

vault curl -v 127.0.0.1:8200
* Rebuilt URL to: 127.0.0.1:8200/
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8200 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:8200
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Cache-Control: no-store
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Thu, 19 Apr 2018 20:46:40 GMT
< Content-Length: 19
<
404 page not found

有没有办法更改nginx尝试进行健康检查的网址，或者完全禁用健康检查

https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/ 从nginx的文档中可以看出，如果后端组中只有一台服务器，则无论返回代码如何，都不应将其标记为不可用。

怎么回事？

请注意，如果组中只有一台服务器，则 fail_timeout和max_fails参数被忽略，服务器被忽略从未标记为不可用。

k get svc -n vault
NAME          TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
vault-vault   ClusterIP   10.233.47.151   <none>        8200/TCP   1h

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-internal
  name: vault
  namespace: vault
spec:
  rules:
  - host: vault.me.com
    http:
      paths:
      - backend:
          serviceName: vault-vault
          servicePort: 8200
        path: /
  tls:
  - hosts:
    - me.com
    - vault.me.com
    secretName: wildcard-secret

Answer 1

Unsealing the vault through the port-forward method will change the state of the kubernetes pod level healthchecking, which is what is queried by ingress-nginx to determine if a backend is valid or not.

Once the vault is unsealed you can access the backend as you expect.

At the time of writing, the vault CLI does not appear to respect http 308 redirects. Which gives you a very unhelpful error about golang's parser library. I wasted several hours on this. I hope this information helps someone.

https://github.com/hashicorp/vault/issues/4401

Ingress-nginx for kubernetes for vault。怀疑缺乏成功的健康检查

1 个答案: