
nginx readiness probe doesn't work under istio

Open R0GG opened this issue 5 years ago • 3 comments

Hello,

It seems that the readiness probe of nginx does not work under istio because nginx proxy forwards the Host header (proxy_set_header Host $host;) of curl which is 127.0.0.1 (or the pod IP).

As this is an HTTP request, it goes through the Envoy router, which routes requests based on the HOST http header (in our case it is 127.0.0.1). Envoy then fails to match any routes with 127.0.0.1 as HOST header.

A possible fix could be to remove proxy_set_header Host $host; and use something like below in the nginx conf so that the URL matches the name of the k8s service.

upstream {{ template "harbor.portal" . }} {
  server {{ template "harbor.portal" . }};
}

location / {
  proxy_pass http://{{ template "harbor.portal" . }}/;
}

related: #406

R0GG avatar Apr 19 '20 14:04 R0GG

Update: I got it working without the changes to the NGINX conf.

Mainly after fixing the NGINX conf with the changes above, you won't be able to issue a docker login because the core-server also redirects the HOST http header.

So I had to create EnvoyFilters (not optimal I think):

---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: harbor-portal
  namespace: harbor
spec:
  workloadSelector:
    labels:
      app: harbor
  configPatches:
  - applyTo: VIRTUAL_HOST
    context: ANY
    match:
      routeConfiguration:
        name: "harbor-harbor-portal.harbor.svc.cluster.local:80"
    patch:
      operation: MERGE
      value:
        domains:
          - "*"

---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: harbor-core-registry-5000
  namespace: harbor
spec:
  workloadSelector:
    labels:
      app: harbor
  configPatches:
  - applyTo: VIRTUAL_HOST
    context: ANY
    match:
      routeConfiguration:
        name: "harbor-harbor-registry.harbor.svc.cluster.local:5000"
    patch:
      operation: MERGE
      value:
        domains:
          - "*"

---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: harbor-core
  namespace: harbor
spec:
  workloadSelector:
    labels:
      app: harbor
  configPatches:
  - applyTo: VIRTUAL_HOST
    context: ANY
    match:
      routeConfiguration:
        name: "harbor-harbor-core.harbor.svc.cluster.local:80"
    patch:
      operation: MERGE
      value:
        domains:
          - "*"

R0GG avatar May 27 '20 08:05 R0GG
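
The Host-based matching described in the two comments above, as an added example that is not part of the original thread and is not Envoy's or the chart's code: a simplified Python model of Envoy's virtual-host domain search, run against a constructed domain list. The domain list, the `portal` label and the helper names are assumptions for illustration.

```python
# Added example: simplified model of how Envoy picks a virtual host from the Host header.
# Search order (Envoy docs): exact name, suffix wildcard "*.x", prefix wildcard "x.*", then "*".

def select_virtual_host(virtual_hosts, host_header):
    """Return the matching virtual host name, or None (Envoy then answers 404)."""
    host = host_header.lower()  # hostnames are case-insensitive
    exact, catch_all, suffix, prefix = None, None, [], []
    for name, domains in virtual_hosts.items():
        for domain in (d.lower() for d in domains):
            if domain == "*":
                catch_all = catch_all or name
            elif domain.startswith("*"):
                # A wildcard never matches the empty string, hence the length check.
                if len(host) >= len(domain) and host.endswith(domain[1:]):
                    suffix.append((len(domain), name))
            elif domain.endswith("*"):
                if len(host) >= len(domain) and host.startswith(domain[:-1]):
                    prefix.append((len(domain), name))
            elif domain == host:
                exact = exact or name
    if exact:
        return exact
    for candidates in (suffix, prefix):
        if candidates:
            return max(candidates, key=lambda c: c[0])[1]  # longest wildcard wins
    return catch_all

# Constructed domain list in the shape Istio generates for a Service (assumption,
# not dumped from a real proxy); the service name is taken from the issue.
SVC = "harbor-harbor-portal"
BEFORE = {"portal": [SVC, f"{SVC}:80", f"{SVC}.harbor.svc.cluster.local",
                     f"{SVC}.harbor.svc.cluster.local:80"]}

def apply_wildcard_patch(virtual_hosts):
    """Model the EnvoyFilter MERGE of domains: ["*"] as appending "*" to each list."""
    return {name: domains + ["*"] for name, domains in virtual_hosts.items()}

AFTER = apply_wildcard_patch(BEFORE)

if __name__ == "__main__":
    for host in ("127.0.0.1", SVC, "unrelated.example"):
        print(host, "->", select_virtual_host(BEFORE, host), "/", select_virtual_host(AFTER, host))
```

With the `"*"` domain in place the virtual host accepts every Host value, not only the probe's 127.0.0.1.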

I personally don't have experience using Istio, and I don't think this chart has been verified on Istio.

Let me keep this open for reference and comment by other istio users.

reasonerjt avatar Jun 24 '20 09:06 reasonerjt

A better solution would be to just exclude the nginx deployment and use the workaround in https://github.com/goharbor/harbor/issues/11906.

jabbors avatar Jan 03 '22 12:01 jabbors

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Feb 08 '24 09:02 github-actions[bot]

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.

github-actions[bot] avatar Mar 10 '24 09:03 github-actions[bot]