kong: gke ingress: An invalid response was received from the upstream server

I have the following Kong ingress on GKE. It has a default path "/" that forwards to a web application written in Next.js with Keycloak integration.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myprojqlfingress
  namespace: qlf
  annotations:
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: letsencrypt-qlf
    kubernetes.io/ingress.class: kong
    konghq.com/request-buffering: "true"
    konghq.com/response-buffering: "true"
spec:
  tls:
  - secretName: myproject-qlf
    hosts:
    - myproject-qlf.mydomain.net
  rules:
  - host: myproject-qlf.mydomain.net
    http:
      paths:
      - path: /rfm
        pathType: ImplementationSpecific
        backend:
          service:
            name: rfmapi
            port:
              number: 8091
      - path: /mb
        pathType: ImplementationSpecific
        backend:
          service:
            name: mbapi
            port:
              number: 8094
      - path: /custseg
        pathType: ImplementationSpecific
        backend:
          service:
            name: custapi
            port:
              number: 8093
      - path: /energy
        pathType: ImplementationSpecific
        backend:
          service:
            name: energyapi
            port:
              number: 8097
      - path: /airline
        pathType: ImplementationSpecific
        backend:
          service:
            name: airlineapi
            port:
              number: 8096
      - path: /hotel
        pathType: ImplementationSpecific
        backend:
          service:
            name: hotelapi
            port:
              number: 8095
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: datainsightfrontwebapp
            port:
              number: 3000

I changed the domain name here for confidentiality reasons.

So after authentication it throws the error:

An invalid response was received from the upstream server

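The same problem existed in the dev environment, and I fixed it using the annotation konghq.com/request-buffering: "true", but in this case it does not work.

The certificate and all the configuration work fine.

Any ideas?

I solved this problem using the following manifest file: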

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ingress-kong
  name: ingress-kong
  namespace: kong
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ingress-kong
  template:
    metadata:
      annotations:
        kuma.io/gateway: enabled
        traffic.sidecar.istio.io/includeInboundPorts: ""
      labels:
        app: ingress-kong
    spec:
      containers:
      - env:
        - name: KONG_PROXY_LISTEN
          value: 0.0.0.0:8000, 0.0.0.0:8443 ssl http2
        - name: KONG_PORT_MAPS
          value: 80:8000, 443:8443
        - name: KONG_ADMIN_LISTEN
          value: 127.0.0.1:8444 ssl
        - name: KONG_STATUS_LISTEN
          value: 0.0.0.0:8100
        - name: KONG_DATABASE
          value: "off"
        - name: KONG_NGINX_WORKER_PROCESSES
          value: "2"
        - name: KONG_KIC
          value: "on"
        - name: KONG_ADMIN_ACCESS_LOG
          value: /dev/stdout
        - name: KONG_ADMIN_ERROR_LOG
          value: /dev/stderr
        - name: KONG_PROXY_ERROR_LOG
          value: /dev/stderr
        - name: KONG_CLIENT_BODY_BUFFER_SIZE
          value: 124m
        - name: KONG_CLIENT_MAX_BODY_SIZE
          value: "0"
        - name: KONG_NGINX_PROXY_PROXY_BUFFER_SIZE
          value: 160k
        - name: KONG_NGINX_PROXY_PROXY_BUFFERS
          value: 64 160k
        image: kong:2.7
        lifecycle:
          preStop:
            exec:
              command:
              - /bin/sh
              - -c
              - kong quit
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /status
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: proxy
        ports:
        - containerPort: 8000
          name: proxy
          protocol: TCP
        - containerPort: 8443
          name: proxy-ssl
          protocol: TCP
        - containerPort: 8100
          name: metrics
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /status
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
      - env:
        - name: CONTROLLER_KONG_ADMIN_URL
          value: https://127.0.0.1:8444
        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
          value: "true"
        - name: CONTROLLER_PUBLISH_SERVICE
          value: kong/kong-proxy
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        image: kong/kubernetes-ingress-controller:2.2.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: ingress-controller
        ports:
        - containerPort: 8080
          name: webhook
          protocol: TCP
        - containerPort: 10255
          name: cmetrics
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /readyz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
      serviceAccountName: kong-serviceaccount

This means the following parameters are required:

- name: KONG_CLIENT_BODY_BUFFER_SIZE
  value: 124m
- name: KONG_CLIENT_MAX_BODY_SIZE
  value: "0"
- name: KONG_NGINX_PROXY_PROXY_BUFFER_SIZE
  value: 160k
- name: KONG_NGINX_PROXY_PROXY_BUFFERS
  value: 64 160k
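
An added example (not part of the original answer) showing what the two KONG_NGINX_PROXY_* values change. It assumes the failure came from an upstream response header larger than nginx's default proxy_buffer_size, which the page does not state; the cookie names and sizes are constructed for illustration.

```python
import re

# Kong turns KONG_NGINX_PROXY_<DIRECTIVE> env vars into nginx directives in
# its proxy server block; these two values are copied from the answer.
ANSWER_ENV = {
    "KONG_NGINX_PROXY_PROXY_BUFFER_SIZE": "160k",
    "KONG_NGINX_PROXY_PROXY_BUFFERS": "64 160k",
}
UNITS = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}

def parse_size(text):
    """Convert an nginx size such as '160k' or '124m' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", text.strip())
    if not m:
        raise ValueError(f"not an nginx size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]

def header_block_size(status_line, headers):
    """Approximate bytes nginx must read for the status line and headers."""
    lines = [status_line] + [f"{k}: {v}" for k, v in headers]
    return sum(len(l.encode()) + 2 for l in lines) + 2  # CRLFs + blank line

def fits(header_bytes, proxy_buffer_size):
    """The first part of the response must fit in one proxy_buffer_size buffer."""
    return header_bytes <= parse_size(proxy_buffer_size)

def worst_case_response_buffers(env):
    """Approximate upper bound of response-buffer memory per connection."""
    count, size = env["KONG_NGINX_PROXY_PROXY_BUFFERS"].split()
    header_buf = parse_size(env["KONG_NGINX_PROXY_PROXY_BUFFER_SIZE"])
    return header_buf + int(count) * parse_size(size)

# Constructed sample: a post-login redirect whose session is split into
# three 3900-byte cookie chunks (hypothetical names and sizes).
SAMPLE_HEADERS = [("Location", "/"), ("Content-Length", "0")] + [
    ("Set-Cookie", f"session.{i}=" + "A" * 3900 + "; Path=/; HttpOnly; Secure")
    for i in range(3)
]
SAMPLE_SIZE = header_block_size("HTTP/1.1 302 Found", SAMPLE_HEADERS)

if __name__ == "__main__":
    print("upstream header block:", SAMPLE_SIZE, "bytes")
    for size in ("4k", "8k", ANSWER_ENV["KONG_NGINX_PROXY_PROXY_BUFFER_SIZE"]):
        print(f"fits proxy_buffer_size {size}:", fits(SAMPLE_SIZE, size))
    print("worst-case response buffers per connection:",
          worst_case_response_buffers(ANSWER_ENV), "bytes")
```

The 4k and 8k cases are nginx's platform-dependent default for proxy_buffer_size (one memory page). The last figure is what each proxied connection may allocate with the answer's settings, which is worth weighing against the pod's memory limit.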