Hello all,
on my Kubernetes cluster I have a Kuma mesh running with a delegated Kong Gateway.
First I had only one API with an ingress rule running. Everything worked like a charm. But when I added another ingress on the same port 80 (with a different path), neither of the two routes works anymore.
I am getting the following error in the Kong gateway pod:
```text
2022/10/11 12:24:52 [error] 1113#0: *16687 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 10.224.0.6, server: kong, request: "GET /inspector HTTP/2.0", upstream: "http://10.0.181.253:80/inspector", host: "testing.example.net"
```
EDIT: I think this has something to do with mTLS being enabled in the mesh. The Kong sidecar expects a client certificate to communicate with the sidecar proxy of the inspector pod.
Is there a way to disable this at the Kong sidecar?
EDIT2: Even with mTLS disabled this can't be resolved…
Both are running in the same namespace with the Kuma sidecar annotation.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: inspector-ingress
  namespace: testing
  annotations:
    cert-manager.io/cluster-issuer: acme-http01-cert-issuer
spec:
  ingressClassName: kong
  tls:
  - hosts:
    - testing.example.net
    secretName: acme-http01-cert-issued
  rules:
  # host and http belong to the same rule entry; a separate "- http:" item
  # would be a second rule with no host, which matches every host.
  - host: testing.example.net
    http:
      paths:
      # Both entries below use the same path and pathType; only the backend port differs.
      - path: /inspector
        pathType: ImplementationSpecific
        backend:
          service:
            name: inspector
            port:
              number: 80
      - path: /inspector
        pathType: ImplementationSpecific
        backend:
          service:
            name: inspector
            port:
              number: 443
```
```yaml
apiVersion: v1
kind: Service
metadata:
  name: inspector
  namespace: testing
  labels:
    app: inspector
spec:
  selector:
    app: inspector
  ports:
  - protocol: TCP
    port: 443
    targetPort: 443
    name: https
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http
```
These are the Helm values I use to configure the Kong gateway:
```yaml
# Basic values.yaml configuration for Kong for Kubernetes (with the ingress controller)
image:
  repository: kong
  tag: "3.0"
env:
  prefix: /kong_prefix/
  database: "off"
  log_level: "debug"
ingressController:
  enabled: true
  installCRDs: false
  image:
    tag: "2.7"
podAnnotations:
  kuma.io/gateway: enabled
  kuma.io/sidecar-injection: enabled
```
Here I added some TCP configuration to get access to an MQTT broker (a patch to the Kong proxy Deployment and to its Service):
```yaml
# Kong proxy Deployment: add a TCP stream listener for MQTT
spec:
  template:
    spec:
      containers:
      - name: proxy
        env:
        - name: KONG_STREAM_LISTEN
          value: 0.0.0.0:1883
        ports:
        - containerPort: 1883
          name: mqtt
          protocol: TCP
---
# Kong proxy Service: expose the MQTT port
spec:
  ports:
  - name: mqtt
    port: 1883
    protocol: TCP
    targetPort: 1883
```
And here is how I have Kuma configured:
```yaml
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
    - name: ca-1
      type: builtin
---
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  namespace: testing
  name: all-traffic-allowed
spec:
  sources:
  - match:
      kuma.io/service: '*'
  destinations:
  - match:
      kuma.io/service: '*'
```
A lot of information. Hopefully someone can help me with this one. Thanks in advance!
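The error quoted above is in the standard nginx error-log layout that Kong's proxy container writes: a timestamp, a level, `pid#tid`, a connection id, a free-text message, and then comma-separated `key: value` fields (`client`, `server`, `request`, `upstream`, `host`). When several routes start failing at once, it helps to parse those fields and count "Connection reset by peer while reading response header from upstream" events per upstream address, so you can see whether one backend (here the inspector pod's sidecar at 10.0.181.253:80) is closing every connection or whether the resets are spread across backends. The script below is an added example and not part of the original post or of Kong; the regexes are written against the line quoted in the post, and all log lines except the first are constructed.

```python
"""Parse Kong (nginx-style) proxy error-log lines and count upstream connection
resets per upstream address.  Added example, not part of the original post."""
import re
from collections import Counter
from urllib.parse import urlparse

# nginx error-log layout: "<date> <time> [<level>] <pid>#<tid>: *<conn> <message>, <key>: <value>, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) (?P<msg>.*?)"
    r"(?:, (?P<fields>client: .*))?$"
)
# Trailing "key: value" pairs; a value is either double-quoted or runs to the next comma.
FIELD_RE = re.compile(r'(\w+): (?:"([^"]*)"|([^,]*))(?:, |$)')

# Constructed sample: the first line is the one quoted in the post; the others are
# made up to show grouping by upstream and a line that is not an error-log record.
SAMPLE_LINES = [
    '2022/10/11 12:24:52 [error] 1113#0: *16687 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 10.224.0.6, server: kong, request: "GET /inspector HTTP/2.0", upstream: "http://10.0.181.253:80/inspector", host: "testing.example.net"',
    '2022/10/11 12:24:55 [error] 1113#0: *16690 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 10.224.0.6, server: kong, request: "GET /inspector/health HTTP/2.0", upstream: "http://10.0.181.253:80/inspector/health", host: "testing.example.net"',
    '2022/10/11 12:25:01 [error] 1113#0: *16702 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 10.224.0.9, server: kong, request: "GET /other HTTP/1.1", upstream: "http://10.0.181.77:80/other", host: "testing.example.net"',
    '2022/10/11 12:25:03 [notice] 1113#0: *16710 client closed connection while waiting for request, client: 10.224.0.6, server: 0.0.0.0:8000',
    'some unrelated stdout line from the container',
]


def parse_kong_error_line(line):
    """Return a dict of the line's fields, or None if it is not an nginx-style error-log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "level", "pid", "tid", "conn", "msg")}
    if m.group("fields"):
        for fm in FIELD_RE.finditer(m.group("fields")):
            key, quoted, bare = fm.groups()
            rec[key] = quoted if quoted is not None else bare.strip()
    return rec


def is_upstream_reset(rec):
    """True when the upstream closed the TCP connection before returning a response header."""
    return (
        rec is not None
        and rec["level"] == "error"
        and "Connection reset by peer" in rec["msg"]
        and "reading response header from upstream" in rec["msg"]
    )


def summarize_upstream_resets(lines):
    """Count upstream resets per upstream host:port over the given log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_kong_error_line(line)
        if is_upstream_reset(rec) and "upstream" in rec:
            # netloc of the upstream URL is the pod IP and port Kong connected to
            counts[urlparse(rec["upstream"]).netloc] += 1
    return dict(counts)


if __name__ == "__main__":
    summary = summarize_upstream_resets(SAMPLE_LINES)
    for upstream, n in sorted(summary.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} upstream resets from {upstream}")
```

Feed it the proxy container's log (for example the output of `kubectl logs` on the Kong pod, one line per list element) instead of `SAMPLE_LINES`; a single upstream accounting for all resets points at that backend's listener or its sidecar rather than at Kong's routing.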