Hi,
I am experiencing a weird issue with Kong Ingress Controller v0.9.0 on a Kubernetes cluster 1.20.
I have set up an ingress resource with a host and a TLS secret pointing to a certificate, like below:
spec:
  rules:
  - host:
    http:
      paths:
      - backend:
          service:
            name:
            port:
              number:
        path: /
        pathType: Prefix
  tls:
  - secretName:
    hosts:
However, when I deploy Kong Ingress Controller and run openssl on the DNS to get the certificate,
sometimes the certificate that is returned is the default self-signed certificate of Kong and not the certificate that is in the Secret.
The problem is intermittent. 1 of every 4 times, the certificate returned is the default Kong certificate.
I would like to know why this is happening and how I could fix it.
Checking your ingress controller and Kong container logs (kubectl logs PODNAME -c ingress-controller and kubectl logs PODNAME -c proxy for each of your pods) should provide additional clues to the issue.
Offhand, possible causes are that:
With multiple replicas in DB-backed mode, one of the Kong instances is unable to connect to or otherwise retrieve updates from the database. If so, this should be clear from error logs.
On sufficiently old versions of Kong in DB-backed mode (I forget the precise affected versions, but your controller version is old enough that you may be using an affected Kong version), differences in the system clock can prevent instances from seeing update events. There’s no easy way to detect if this has occurred. Only upgrading Kong can address this permanently, though restarting an affected node will pull the latest configuration.
With multiple replicas in DB-less mode, one of the controller instances may be unable to update its Kong instance. The controller container logs will indicate the reason if so.
Exhaustion of some internal NGINX resources can prevent a Kong instance from processing configuration updates. You should see error messages that refer to timers if this is the case. Upgrading Kong should be the first course of action in this case. If the issue persists on the latest version of Kong, you’ll want to file a bug report at Issues · Kong/kong · GitHub.
Thanks Travis, as usual your advice is very helpful. I will concentrate on the DB-less mode causes. I run only one replica, so I am a little bit surprised that this issue occurs intermittently. Your hint about the exhaustion of the NGINX resources seems to be quite a plausible cause of that issue. I will investigate that option.
Thank you very much for your help.
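Added example, not part of the thread and not Kong's own tooling: one way to measure the intermittent behaviour described in the question, by fingerprinting the certificate returned on repeated handshakes and comparing it with the fingerprint of tls.crt in the Secret. The function names, the argument order and the default of 40 handshakes are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. HOST, Secret name and namespace are supplied by the caller.

# SHA-256 fingerprint of the leaf certificate served for SNI $1 on port $2,
# or HANDSHAKE_FAILED if no certificate came back.
served_fp() {
  fp=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
       openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
  echo "${fp:-HANDSHAKE_FAILED}"
}

# SHA-256 fingerprint of tls.crt stored in Secret $1, namespace $2.
secret_fp() {
  kubectl get secret "$1" -n "$2" -o 'jsonpath={.data.tls\.crt}' |
    base64 -d | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Read one fingerprint per line on stdin and compare each with expected $1.
# Prints "match=N other=M total=T", then every unexpected value with its count.
# Returns 1 if any handshake served something other than the expected cert.
summarize() {
  awk -v want="$1" '
    { total++; if ($0 == want) ok++; else other[$0]++ }
    END {
      printf "match=%d other=%d total=%d\n", ok, total - ok, total
      for (fp in other) printf "unexpected x%d %s\n", other[fp], fp
      exit (total - ok > 0)
    }'
}

# probe HOST SECRET NAMESPACE [PORT] [COUNT]
probe() {
  want=$(secret_fp "$2" "$3") || return 2
  i=0
  while [ "$i" -lt "${5:-40}" ]; do
    served_fp "$1" "${4:-443}"
    i=$((i + 1))
  done | summarize "$want"
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -ge 3 ]; then probe "$@"; fi
```

An "unexpected" fingerprint that stays the same across runs points at a single fallback certificate being served, and the timestamps of those runs can be lined up with the controller and proxy container logs mentioned in the reply.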