haproxy-ingress 总是发送 404

haproxy-ingress always sends 404

我在 aws 托管的 kubernetes 集群 (v1.21.2-eks-06eac09) 和单个 service/deployment 中有一个 haproxy-ingress(v0.13.5,默认 helm 设置)。该服务已启动并且 运行 并且可以通过 curl 成功调用并且 haproxy 统计页面显示具有正确 ip 的绿色后端。对我来说一切看起来都不错,但是如果我调用 url 我会得到默认的 404 后端,除非我使用相同的服务配置默认后端。这让我得出结论,主机或路径映射一定有问题,对吧?。是我的配置有问题还是其他地方有问题?

这是我的入口资源:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-service
  namespace: my-service
  annotations:
    haproxy-ingress.github.io/affinity: "cookie"
    haproxy-ingress.github.io/backend-server-naming: "pod"
    haproxy-ingress.github.io/secure-backends: "true"
    haproxy-ingress.github.io/session-cookie-dynamic: "true"
    haproxy-ingress.github.io/session-cookie-keywords: "indirect nocache httponly maxidle 900"
    haproxy-ingress.github.io/session-cookie-preserve: "true"
    haproxy-ingress.github.io/session-cookie-same-site: "true"
    haproxy-ingress.github.io/slots-min-free: "0"
    haproxy-ingress.github.io/ssl-redirect: "false"
    haproxy-ingress.github.io/strict-host: "true"
spec:
  ingressClassName: haproxy-ingress
  tls:
    - secretName: my-service-tls
  rules:
    - http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: my-service
                port:
                  number: 443
      host: my-service.dev.aws.company.local
#  defaultBackend:
#    service:
#      name: my-service
#      port:
#        number: 443

入口类:

apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: haproxy-ingress
spec:
  controller: haproxy-ingress.github.io/controller

helm 安装命令:

helm install haproxy-ingress haproxy-ingress/haproxy-ingress --create-namespace --namespace ingress-controller --set controller.service.type=ClusterIP --version 0.13.5

从haproxy.conf

生成的后端
backend my-service_my-service_https
    mode http
    balance roundrobin
    acl https-request ssl_fc
    http-request set-header X-Original-Forwarded-For %[hdr(x-forwarded-for)] if { hdr(x-forwarded-for) -m found }
    http-request del-header x-forwarded-for
    option forwardfor
    cookie INGRESSCOOKIE insert preserve attr SameSite=None secure indirect nocache httponly maxidle 900 dynamic
    dynamic-cookie-key "Ingress"
    http-response set-header Strict-Transport-Security "max-age=15768000" if https-request
    server my-service-0 10.19.25.214:443 weight 1 ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets verify none check inter 2s

从 haproxy.conf

生成的前端
frontend _front_https
    mode http
    bind :443 ssl alpn h2,http/1.1 crt-list /etc/haproxy/maps/_front_bind_crt.list ca-ignore-err all crt-ignore-err all
    option httplog
    http-request set-var(req.path) path
    http-request set-var(req.host) hdr(host),field(1,:),lower
    http-request set-var(req.base) var(req.host),concat(\#,req.path)
    http-request set-var(req.hostbackend) var(req.base),map_dir(/etc/haproxy/maps/_front_https_host__prefix.map)
    http-request set-header X-Forwarded-Proto https
    http-request del-header X-SSL-Client-CN
    http-request del-header X-SSL-Client-DN
    http-request del-header X-SSL-Client-SHA1
    http-request del-header X-SSL-Client-Cert
    use_backend %[var(req.hostbackend)] if { var(req.hostbackend) -m found }
    use_backend %[var(req.defaultbackend)]
    default_backend _error404

生成maps/_front_https_host__prefix.map

my-service.dev.aws.company.local#/ my-service_my-service_https

我找到问题了!我的 tls 定义中的主机部分丢失了。这样就没有生成 /etc/haproxy/maps_front_https_host__begin.map 并且在我生成的前端部分 (http-request set-var(req.hostbackend) var(req.base),lower,map_beg(/etc/haproxy/maps/_front_https_host__begin.map)) 中没有映射配置。

我完全正常工作的 ingress 现在看起来像这样(我将注释移到了配置映射中):

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-service
  namespace: my-service
spec:
  ingressClassName: haproxy-ingress
  tls:
    - secretName: my-service-tls
      hosts:
       - my-service.dev.aws.company.local
  rules:
    - http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: my-service
                port:
                  number: 443
      host: my-service.dev.aws.company.local