I have a problem with enabling CORS on Istio ingress. As the Istio Ingress documentation states, "ingress.kubernetes.io" annotations are ignored.
Is it possible to enable CORS on Istio ingress?
The ingress in my configuration uses a virtual host and the app is exposed on "api.my-domain.com". The web application fails with this error if it tries to request the app: "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin (...) is therefore not allowed access."
Could someone suggest a solution to this issue?
With the Nginx ingress controller, I could just use "ingress.kubernetes.io/enable-cors": "true" but now this annotation will not work.
In Istio, you can add a Virtual Service to specify corsPolicy of a destination service. In the case of Istio Ingress, the backend service of the Ingress must be specified as the destination service.
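An added example of the VirtualService the answer above describes (not from the original post); the host api.my-domain.com comes from the question, while the gateway name, the web app's origin and the backend service are assumptions:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: api
  namespace: default
spec:
  hosts:
  - api.my-domain.com
  gateways:
  - api-gateway          # assumed name of the Gateway that terminates the ingress
  http:
  - corsPolicy:
      # List the calling web app's origin exactly; a "*" origin combined with
      # allowCredentials would let any site send the user's cookies along.
      allowOrigins:
      - exact: https://app.my-domain.com   # assumed origin of the web application
      allowMethods:
      - GET
      - POST
      - OPTIONS
      allowHeaders:
      - authorization
      - content-type
      allowCredentials: true
      maxAge: 24h
    route:
    - destination:
        host: api-backend.default.svc.cluster.local   # assumed backend Service of the Ingress
        port:
          number: 8080
```

Preflight OPTIONS requests are answered by the sidecar/gateway proxy itself, so the backend never needs its own CORS handling.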
Related
I have a quick question on Kubernetes ingress. I have both the Nginx ingress controller and the AWS ALB ingress controller, and ingress resources for both Nginx and AWS ALB, in a single cluster. Both of these ingress resources are pointed to a single service and deployment file, meaning both the ingress resources are pointed to the same service. However, when I hit the Nginx ingress URL, I'm able to see the desired page, but with the AWS ALB ingress, I can only see the Apache default page. I know this doesn't sound practical, but I'm trying to test out something with both these ingress resources. Just wanted to understand where I am missing out on seeing the application for the AWS ALB ingress URL.
Posting this community wiki answer to point that the issue to this question was resolved in the comments.
Feel free to edit and expand.
The solution to the issue:
AWS ALB Ingress was pointing to the default apache document root in the pod. I modified the document root to the application data and was able to see my application page open up!
Additional resources that could be useful in this particular example:
Tecmint.com: Change root directory of an Apache web server - how to change the apache2 DocumentRoot
Github.com: Kubernetes SIGs: AWS load balancer controller: Docs: Examples - examples of an ALB that satisfies an Ingress resource.
I have a k8s service defined as type: LoadBalancer which sets up an external LB. Can I identify on the application level that an incoming request is routed from the LoadBalancer?
Are there any guaranteed http headers? Can I define custom headers for that service that would be added to all incoming requests?
If your internal ingress is using nginx as an ingress controller you can add a custom header that will indicate that.
ELB guide says that:
Application Load Balancers and Classic Load Balancers add X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port headers to the request.
Have you already tried using these?
I got a yaml file for specifying an SSL certificate (provided by AWS Certificate Manager) to the load balancer for a Kubernetes deployment. But we are running the Kubernetes cluster in an AWS China account where the Certificate Manager option is not available. Now if I have an SSL certificate provided by GoDaddy, how can I install it? Are there any other alternative ways to install the certificate rather than on the load balancer? Can I install it in my Tomcat container itself and build a new image with it?
As far as I know, you cannot set up an ELB deployed with a Kubernetes Service to use a certificate which is NOT an ACM certificate. In fact, if you take a look at the possible annotations here you'll see that the only annotation available to select a certificate is service.beta.kubernetes.io/aws-load-balancer-ssl-cert and the documentation for that annotation says the following:
ServiceAnnotationLoadBalancerCertificate is the annotation used on the
service to request a secure listener. Value is a valid certificate ARN.
For more, see http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-listener-config.html
CertARN is an IAM or CM certificate ARN, e.g. arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
As you ask, you can for sure terminate your SSL inside your Kubernetes Pod and make the ELB a simple TCP proxy.
In order to do so, you need to add the following annotation to your Service manifest:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'tcp'
Also, you will need to forward both your http and https ports in order to handle the http to https redirect correctly inside your Pod.
If you need more specific help, please post your current manifest.
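An added Service manifest illustrating the TCP-passthrough setup from the answer (an example, not the asker's manifest); the Tomcat container ports 8080/8443 and the selector label are assumptions:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  annotations:
    # The ELB forwards raw TCP, so TLS is terminated by the certificate
    # inside the Pod instead of by an ACM certificate on the ELB.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
spec:
  type: LoadBalancer
  selector:
    app: tomcat        # assumed label on the Tomcat Deployment
  ports:
  - name: http
    port: 80
    targetPort: 8080   # assumed Tomcat HTTP connector; should only redirect to https
  - name: https
    port: 443
    targetPort: 8443   # assumed Tomcat HTTPS connector loaded with the GoDaddy certificate
```

Because the ELB no longer sees the TLS handshake, the private key and chain live in the image or, preferably, a mounted Secret, and certificate rotation becomes a Pod rollout rather than an ELB change.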
Just wondering if anyone has had any luck/solution when using the AWS SDK to access an AWS resource such as S3 when the service is injected with an Istio sidecar.
As Istio's document points out:
traffic will go through the Istio sidecar, you will need to whitelist the DNS names or IPs.
https is not available. Can only do by changing the format to something like "http://www.google.com:443"
However, AWS SDK handles the https connection hence I can't rewrite the URL. Subsequently, I'll get an "http: server gave HTTP response to HTTPS client" error.
Many thanks.
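An added example (not from the post) of what the whitelisting quoted above looks like on current Istio releases, where a ServiceEntry replaces the older egress rules: with protocol TLS the sidecar routes on the SNI and passes the SDK's HTTPS session through unchanged, so no URL rewrite to port 443 over http is needed. The S3 hostnames are AWS's public endpoints; the region is an assumption:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: aws-s3
spec:
  hosts:
  - s3.amazonaws.com
  - s3.us-east-1.amazonaws.com        # assumed region; list each regional endpoint you use
  - "*.s3.us-east-1.amazonaws.com"    # virtual-hosted-style bucket URLs
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: tls
    protocol: TLS    # TLS passthrough: the sidecar never terminates or re-originates the session
  resolution: NONE   # wildcard hosts use NONE; the Pod's own DNS answer is kept
```

Keeping the mesh in REGISTRY_ONLY outbound mode and adding entries per endpoint is what gives the sidecar an allow-list; with the default ALLOW_ANY mode the entry only adds telemetry.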
I'm trying to set up IAP with an HTTPS load balancer as per the instructions here: https://cloud.google.com/iap/docs/load-balancer-howto
My backend is a GKE cluster that has an ingress on port 80 to access an HTTP web server.
Frontend is https with a valid certificate.
The traffic is routed without any issues from the LB to the web server through the HTTPS FE, but when I want to enable IAP using the command below:
gcloud beta compute backend-services update k8s-be-30324--34c500f0e91c741a --iap=enabled --global
It returns the following output:
WARNING: IAP only protects requests that go through the Cloud Load Balancer. See the IAP documentation for important security best practices: https://cloud.google.com/iap/
WARNING: IAP has been enabled for a backend service that does not use HTTPS. Data sent from the Load Balancer to your VM will not be encrypted.
ERROR: (gcloud.beta.compute.backend-services.update) There was a problem modifying the resource:
- Invalid value for field 'resource.iap': ''. Backend service with IAP enabled requires at least one HTTPS proxy.
Any advice is appreciated! Thanks
So I figured out a workaround is to use the same LB that is created with the ingress for the Kubernetes cluster instead of using a custom one. Of course, to avoid leaking unauthorized access, the FE for http must be removed from the LB.
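An added example (not from the post) of the GKE-native form of that workaround: a BackendConfig enables IAP on the backend service the Ingress creates, and the allow-http annotation drops the port-80 forwarding rule so only the HTTPS frontend remains. The Secret, Service and label names are assumptions:

```yaml
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: iap-backend
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: iap-oauth-client   # assumed Secret with client_id and client_secret keys
---
apiVersion: v1
kind: Service
metadata:
  name: web
  annotations:
    cloud.google.com/backend-config: '{"default": "iap-backend"}'
spec:
  type: NodePort          # GKE Ingress backends must be NodePort or NEG-backed
  selector:
    app: web              # assumed label on the web server Deployment
  ports:
  - port: 80
    targetPort: 8080      # assumed container port of the HTTP web server
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  annotations:
    kubernetes.io/ingress.allow-http: "false"   # no HTTP frontend, so nothing bypasses IAP
spec:
  tls:
  - secretName: web-tls   # assumed Secret holding the valid certificate from the question
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
```

The LB-to-backend hop is still plain HTTP, which is what the gcloud WARNING above refers to; the backend should additionally verify the signed x-goog-iap-jwt-assertion header so that direct access to the node port cannot bypass IAP.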