
AKS k8s dotnet gRPC api behind nginx-ingress


I have the following setup:

  • Web app
  • Grpc api

Both are deployed on k8s behind nginx-ingress with auto TLS provided by cert-manager. When the Web app is trying to reach the gRPC api I'm getting 404. The gRPC api is running on 80 without TLS so the ingress should terminate SSL. Here is my ingress configuration:

UPDATE:

Requests are coming through thanks to the help of Mr. Mason. Now I am getting a 403 PermissionDenied response. Any ideas how this can be resolved?

```yaml
apiVersion: v1
kind: Service
metadata:
    name: ${AUTH_API_IMAGE}
spec:
    type: ClusterIP
    ports:
    # Service port 80 forwards to container port 5300
    - port: 80
      targetPort: 5300
    selector:
        app: ${AUTH_API_IMAGE}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ${AUTH_API_IMAGE}-ingress
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - ${AUTH_API_HOST_NAME}
    secretName: ${AUTH_API_IMAGE}-tls-secret
  rules:
  - host: ${AUTH_API_HOST_NAME}
    http:
      paths:
      - path: /(.*)
        pathType: Prefix
        backend:
          service:
            name: ${AUTH_API_IMAGE}
            port:
              number: 80
```



Solution

  • I think you must use SSL if this is dotnet; however, the code below works for me.

    With the addition of `nginx.ingress.kubernetes.io/grpc-backend: 'true'` and changing PathType to ImplementationSpecific:

    ```yaml
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: ${AUTH_API_IMAGE}-ingress
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
        nginx.ingress.kubernetes.io/grpc-backend: 'true'
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
        kubernetes.io/ingress.class: nginx
        cert-manager.io/cluster-issuer: letsencrypt
    spec:
      ingressClassName: nginx
      tls:
      - hosts:
        - ${AUTH_API_HOST_NAME}
        secretName: ${AUTH_API_IMAGE}-tls-secret
      rules:
      - host: ${AUTH_API_HOST_NAME}
        http:
          paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: ${AUTH_API_IMAGE}
                port:
                  number: 80
    ```
    

    and the ConfigMap for the Ingress:

    ```yaml
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: nginx-ingress-controller
      namespace: ingress
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: >
          {"apiVersion":"v1","data":{"ssl-ciphers":"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"nginx-ingress-controller","namespace":"ingress"}}
      selfLink: /api/v1/namespaces/ingress/configmaps/nginx-ingress-controller
    data:
      client-body-buffer-size: 32k
      client-header-buffer-size: 32k
      hsts: 'true'
      hsts-max-age: '31536000'
      hsts-preload: 'true'
      http2-max-field-size: 32k
      http2-max-header-size: 32k
      large-client-header-buffers: 32 32k
      proxy-buffer-size: 128k
    ```
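
A pre-deploy check for the differences between the two Ingress manifests above, added here as an example and not taken from either post: it flags a missing GRPC backend protocol, a rule host not covered by `spec.tls`, and a regex-style path such as `/(.*)` used with a non-`ImplementationSpecific` pathType or without ingress-nginx's `use-regex` annotation. Assumptions: the manifest is already parsed into a dict, `lint_grpc_ingress` and `sample_ingress` are hypothetical names, and the host and secret name are constructed placeholders.

```python
import re

BACKEND_ANN = "nginx.ingress.kubernetes.io/backend-protocol"
REGEX_ANN = "nginx.ingress.kubernetes.io/use-regex"  # ingress-nginx annotation, not on the page
REGEX_CHARS = re.compile(r"[()*+?\[\]{}^$|\\]")

def lint_grpc_ingress(ingress):
    """Return findings for a parsed Ingress manifest that fronts a gRPC backend."""
    findings = []
    ann = ingress.get("metadata", {}).get("annotations", {})
    spec = ingress.get("spec", {})
    # Without this annotation ingress-nginx proxies to the backend as plain HTTP.
    if str(ann.get(BACKEND_ANN, "HTTP")).upper() not in ("GRPC", "GRPCS"):
        findings.append("backend-protocol annotation is not GRPC or GRPCS")
    tls_hosts = {h for entry in spec.get("tls", []) for h in entry.get("hosts", [])}
    for rule in spec.get("rules", []):
        host = rule.get("host", "")
        # The ingress is expected to terminate TLS for every gRPC host.
        if host not in tls_hosts:
            findings.append(f"host {host} is not covered by spec.tls")
        for item in rule.get("http", {}).get("paths", []):
            path, path_type = item.get("path", "/"), item.get("pathType")
            if not REGEX_CHARS.search(path):
                continue
            if path_type != "ImplementationSpecific":
                findings.append(f"regex path {path} used with pathType {path_type}")
            if ann.get(REGEX_ANN) != "true":
                findings.append(f"regex path {path} without the use-regex annotation")
    return findings

def sample_ingress(path, path_type):
    """Constructed sample mirroring the page's manifests; host and secret are placeholders."""
    host = "auth.example.test"
    return {
        "metadata": {"annotations": {BACKEND_ANN: "GRPC"}},
        "spec": {
            "tls": [{"hosts": [host], "secretName": "auth-api-tls-secret"}],
            "rules": [{"host": host, "http": {"paths": [
                {"path": path, "pathType": path_type}]}}],
        },
    }

QUESTION = sample_ingress("/(.*)", "Prefix")            # path and pathType from the question
ANSWER = sample_ingress("/", "ImplementationSpecific")  # path and pathType from the answer

if __name__ == "__main__":
    for name, manifest in (("question", QUESTION), ("answer", ANSWER)):
        print(name, lint_grpc_ingress(manifest) or "no findings")
```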