Hi, I was trying to use TCPIngress to enable TLS passthrough for my HTTPS upstream service. However, it looks like it doesn't work for me. Here's what I applied:
apiVersion: configuration.konghq.com/v1beta1
kind: TCPIngress
metadata:
  name: mysvc-tls
  namespace: default
spec:
  rules:
  - backend:
      serviceName: mysvc
      servicePort: 443
    host: example.com
    port: 9443
Because I was using kind to launch a local Kubernetes cluster, port 9443 will ultimately be mapped to a node port as below:
$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
example-kong-kong-proxy LoadBalancer 10.96.27.58 <pending> 80:30252/TCP,443:32000/TCP,9000:31245/TCP,9443:32763/TCP 19d
So, I was using the master node IP 172.17.0.4 with the node port 32763 to access the upstream service through Kong. But when I tried to curl it, I got the error below:
curl -k --resolve example.com:32763:172.17.0.4 https://172.17.0.4:32763
curl: (52) Empty reply from server
Then, I noticed, the proxy logs:
2020/05/11 14:55:10 [warn] 27#0: *60017 stream [lua] handler.lua:604: get_service_for_route(): service with protocol 'http' cannot be used with 'stream' subsystem, context: ngx.timer
172.17.0.4 - - [11/May/2020:14:55:14 +0000] "GET /services HTTP/1.1" 200 648 "-" "curl/7.29.0"
172.17.0.4 [11/May/2020:14:56:28 +0000] TCP 500 0 0 0.182
2020/05/11 14:56:28 [error] 27#0: *62200 stream [lua] handler.lua:960: before(): no Route found with those values while prereading client data, client: 172.17.0.4, server: 0.0.0.0:9443
It looks like it's because my upstream service was using http as its protocol by default. This can be seen by checking the service information using the admin API:
{
  "next": null,
  "data": [
    {
      "host": "mysvc.default.443.svc",
      "created_at": 1589208910,
      "connect_timeout": 60000,
      "id": "cfc3d65a-baa8-532c-b07d-99794425e593",
      "protocol": "http",
      "name": "default.mysvc.443",
      "read_timeout": 60000,
      "port": 80,
      "path": "/",
      "updated_at": 1589208910,
      "client_certificate": null,
      "tags": null,
      "write_timeout": 60000,
      "retries": 5
    }
  ]
}
However, when I tried to modify this by annotating the service mysvc as below:
apiVersion: v1
kind: Service
metadata:
  annotations:
    konghq.com/protocol: tcp
It always fails, and the following error messages appear in the ingress controller's pod:
E0511 15:09:30.473950 1 controller.go:127] unexpected failure updating Kong configuration:
posting new config to /config: 400 Bad Request {"fields":{"services":[{"path":"value must be null","@entity":["failed conditional validation given value of field 'protocol'"]}]},"name":"invalid declarative configuration","code":14,"message":"declarative config is invalid: {services={{[\"@entity\"]={\"failed conditional validation given value of field 'protocol'\"},path=\"value must be null\"}}}"}
W0511 15:09:30.473985 1 queue.go:112] requeuing default/kubernetes, err posting new config to /config: 400 Bad Request {"fields":{"services":[{"path":"value must be null","@entity":["failed conditional validation given value of field 'protocol'"]}]},"name":"invalid declarative configuration","code":14,"message":"declarative config is invalid: {services={{[\"@entity\"]={\"failed conditional validation given value of field 'protocol'\"},path=\"value must be null\"}}}"}
Is it because the tcp value is not supported by the community edition? Or is there anything I missed?
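The 400 in the controller log above is Kong's declarative-config validator rejecting the posted service: the conditional rule it names ("failed conditional validation given value of field 'protocol'", "path: value must be null") requires `path` to be null whenever a service's protocol is not http/https, and the controller was still sending `path: "/"` alongside `protocol: tcp`. The following is an added example, not code from the post or from Kong: a small preflight check that replays that rule (plus my reading of the matching route rule, that a tcp/tls/udp route carries snis, sources or destinations rather than hosts/paths/methods, which is an assumption, not something shown on the page) over a declarative config before it is sent to /config. The two configs are constructed to mirror the post: the service name, upstream host, SNI `example.com` and listener port 9443 come from the page; `FIXED_CONFIG` is the shape the validator accepts, not a statement of what the ingress controller itself generates.

```python
"""Preflight validation of a Kong declarative config (added example, not Kong's code).

Encodes the service rule visible in the 400 above (path must be null for any
protocol other than http/https) and an assumed route rule for stream protocols.
Sample configs are constructed to mirror the forum post.
"""
import copy
from typing import Dict, List

STREAM_PROTOCOLS = {"tcp", "tls", "udp"}
# Protocols for which Kong's service schema requires path == null.
NO_PATH_PROTOCOLS = STREAM_PROTOCOLS | {"grpc", "grpcs"}


def validate_declarative(config: Dict) -> List[str]:
    """Return field errors as 'services[i]....: reason' strings; empty list means OK."""
    errors: List[str] = []
    for i, svc in enumerate(config.get("services", [])):
        proto = svc.get("protocol", "http")
        if proto in NO_PATH_PROTOCOLS and svc.get("path") is not None:
            errors.append(f"services[{i}].path: value must be null (protocol is '{proto}')")
        for j, route in enumerate(svc.get("routes", [])):
            protos = set(route.get("protocols", ["http", "https"]))
            if not protos & STREAM_PROTOCOLS:
                continue
            # Assumed route rule: L7 matchers are not valid on a stream route,
            # which is instead keyed by SNI and/or source/destination address.
            for field in ("hosts", "paths", "methods"):
                if route.get(field):
                    errors.append(f"services[{i}].routes[{j}].{field}: value must be null for stream protocols")
            if not (route.get("snis") or route.get("sources") or route.get("destinations")):
                errors.append(f"services[{i}].routes[{j}]: stream route needs snis, sources or destinations")
    return errors


def normalize_for_stream(config: Dict) -> Dict:
    """Return a copy with path cleared on every service whose protocol forbids it."""
    out = copy.deepcopy(config)
    for svc in out.get("services", []):
        if svc.get("protocol") in NO_PATH_PROTOCOLS:
            svc["path"] = None
    return out


# Constructed: what the admin API output plus the annotation amount to, i.e.
# protocol switched to tcp while path is still "/".
BROKEN_CONFIG = {
    "_format_version": "1.1",
    "services": [{
        "name": "default.mysvc.443",
        "host": "mysvc.default.443.svc",
        "port": 80,
        "protocol": "tcp",
        "path": "/",
        "routes": [{
            "name": "default.mysvc-tls.9443",
            "protocols": ["tcp", "tls"],
            "snis": ["example.com"],
            "destinations": [{"port": 9443}],
        }],
    }],
}

# Constructed: a service/route pair of the shape the validator accepts for an
# SNI-routed TLS listener on 9443 in front of the 443 upstream.
FIXED_CONFIG = {
    "_format_version": "1.1",
    "services": [{
        "name": "default.mysvc.443",
        "host": "mysvc.default.443.svc",
        "port": 443,
        "protocol": "tls",
        "path": None,
        "routes": [{
            "name": "default.mysvc-tls.9443",
            "protocols": ["tls"],
            "snis": ["example.com"],
            "destinations": [{"port": 9443}],
        }],
    }],
}


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                       ("broken after normalize", normalize_for_stream(BROKEN_CONFIG))):
        print(label, "->", validate_declarative(cfg) or "OK")
```

Running the check against a config dumped with `deck dump` before `deck sync` (or before the controller posts it) surfaces the same `path: value must be null` complaint locally instead of as a requeue loop in the controller log.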