Skip to content

Service does not create LB listeners using HTTP protocol. #208

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
sjvp opened this issue Jun 4, 2018 · 4 comments
Closed

Service does not create LB listeners using HTTP protocol. #208

sjvp opened this issue Jun 4, 2018 · 4 comments
Labels
enhancement feature

Comments

@sjvp
Copy link
Member

sjvp commented Jun 4, 2018

Is this a BUG REPORT or FEATURE REQUEST?

BUG REPORT

Versions

CCM Version: Whatever is deployed to ashburn.
Environment:

  • Kubernetes version (use kubectl version): 1.9.7
  • OS (e.g. from /etc/os-release): OL7u4
  • Kernel (e.g. uname -a): UEK4.1
  • Others:

What happened?

Public LB created using protocol TCP. No x-forwarded-proto header after TLS termination.

What you expected to happen?

Public LB created using protocol HTTP, such that x-forwarded-proto header is added after TLS termination.

How to reproduce it (as minimally and precisely as possible)?

Follow your example: tutorial-ssl.md.

To dump out http headers, instead try echoserver:

---
apiVersion: apps/v1beta1 
kind: Deployment
metadata:
  name: echoserver 
spec:
  template:
    metadata:
      labels:
        app: echoserver
    spec:
      containers:
      - name: echoserver 
        image: gcr.io/google_containers/echoserver:1.8 
        ports:
        - containerPort: 8080
---
kind: Service
apiVersion: v1
metadata:
  name: echo-service
  annotations:
    service.beta.kubernetes.io/oci-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/oci-load-balancer-tls-secret: ssl-certificate-secret
spec:
  selector:
    app: echoserver
  type: LoadBalancer
  ports:
  - name: http
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    targetPort: 8080

If you manually switch the LB port 443 listener to HTTP, then the expected headers appear.

Anything else we need to know?

It would also be preferrable to support RFC7239 headers, but that is a separate issue.
@owainlewis owainlewis self-assigned this Jun 4, 2018
@owainlewis owainlewis added the bug label Jun 4, 2018
@owainlewis owainlewis removed their assignment Jun 4, 2018
@prydie
Copy link
Contributor

prydie commented Jul 3, 2018

Hi @sjvp, thanks for the detailed bug report.

This is a bit of a tricky one. We don't set the LB to HTTP mode as Kubernetes Service type=LoadBalancer are intended to provision L4 load balancers rather than L7. That said, the lines are blurred by supporting SSL termination.

We could potentially use HTTP mode when SSL termination is enabled. Thoughts @jhorwit2?

@jhorwit2
Copy link
Member

jhorwit2 commented Jul 9, 2018

@prydie I don't see any reason why we can't as other clouds do the same for LB services like aws. What we want to avoid is attempting to make this into an ingress controller with path route support.

@harveylowndes harveylowndes mentioned this issue Aug 24, 2018
Merged
@sjvp
Copy link
Member Author

sjvp commented Sep 11, 2018

@prydie - has this change been rolled out, as it does not appear to be working for me in IAD?

@owainlewis
Copy link
Member

@sjvp it's part of the next CCM release which is not yet (at time of writing) part of the managed Kubernetes offering. It should be released fairly soon (next couple of weeks at most I would assume). See https://github.com/oracle/oci-cloud-controller-manager/releases/tag/0.6.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@prydie @owainlewis @jhorwit2 @harveylowndes @sjvp