0
votes

I have a Kubernetes Ingress, pointing to a headless service, pointing finally to an Endpoints object that routes to an external IP address. The following is the configuration for the endpoint

apiVersion: v1
kind: Endpoints
metadata:
  name: my-chart
subsets:
  - addresses:
      - ip: **.**.**.**
    ports:
      - port: 443

However, the upstream connection fails with 'connection reset by peer', and on looking at the logs I see the following error in the Kubernetes nginx-ingress-controller:

2020/01/15 14:39:50 [error] 24546#24546: *240425068 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: *****, server: dev.somehost.com, request: "GET / HTTP/1.1", upstream: "http://**.**.**.**:443/", host: "dev.somehost.com"

My theory is that the combination of http:// and the 443 port is what is triggering this (tested with cURL commands). How do I either 1) Specify a different protocol for the endpoint object or 2) just prevent the prepending of http://

Additional notes: 1) SSL is enabled on the target IP, and if I curl it I can set up a secure connection 2) SSL passthrough doesn't really work here. The incoming and outgoing requests will use two different SSL connections with two different certificates. 3) I want the Ingress host to be the SNI (and it looks like this may default to being the case)

Edit: Ingress controller version: 0.21.0-rancher3

1
what ingress controller you have?Arghya Sadhu
@ArghyaSadhu added the versionpasquers

1 Answers

3
votes

We were able to solve this by adding the following to the metadata of our Ingress

  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/configuration-snippet: |-
      proxy_ssl_server_name on;
      proxy_ssl_name $host;

The first command turns on HTTPS for the backend protocol, and the second command enables SNI