[BUG] tilejson.json API create http protocol link in tiles property #55

JinIgarashi opened this issue Feb 23, 2024 · 6 comments
@JinIgarashi
Contributor

Description

The protocol of the URL in the tiles property is http in the response of the tilejson.json endpoint. Because of this, the /cog/map page in titiler does not work.

  • /cog/map URL example

https://titiler-dev.undpgeohub.org/cog/map?tileMatrixSetId=WebMercatorQuad&tile_scale=1&url=https://undpgeohub.blob.core.windows.net/geo-nightlights/test/SVDNB_npp_merged_20231229_20240101.vrt&algorithm=rca&algorithm_params=%7B%22cloud_mask%22:true%7D&rescale=0,1&colormap_name=viridis&return_mask=true

Example

An example URL of tilejson.json:

https://titiler-dev.undpgeohub.org/cog/WebMercatorQuad/tilejson.json?tileMatrixSetId=WebMercatorQuad&tile_scale=1&url=https%3A%2F%2Fundpgeohub.blob.core.windows.net%2Fgeo-nightlights%2Ftest%2FSVDNB_npp_merged_20231229_20240101.vrt&algorithm=rca&algorithm_params=%7B%22cloud_mask%22%3Atrue%7D&rescale=0%2C1&colormap_name=viridis&return_mask=true

Response:

{
   "tilejson":"2.2.0",
   "version":"1.0.0",
   "scheme":"xyz",
   "tiles":[
      "http://titiler-dev.undpgeohub.org/cog/tiles/WebMercatorQuad/{z}/{x}/{y}@1x?url=https%3A%2F%2Fundpgeohub.blob.core.windows.net%2Fgeo-nightlights%2Ftest%2FSVDNB_npp_merged_20231229_20240101.vrt&algorithm=rca&algorithm_params=%7B%22cloud_mask%22%3Atrue%7D&rescale=0%2C1&colormap_name=viridis&return_mask=true"
   ],
   "minzoom":0,
   "maxzoom":8,
   "bounds":[
      -179.99999590682978,
      -65.00263540226379,
      179.9996872808643,
      75.00208333335
   ],
   "center":[
      -0.00015431298274393157,
      4.9997239655431045,
      0
   ]
}
@JinIgarashi JinIgarashi added the bug Something isn't working label Feb 23, 2024
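
A check for the symptom reported above, as an added example that is not part of the original issue or of titiler: it compares the scheme of the URL used to fetch a TileJSON document with the scheme of each entry in its `tiles` array. The function names and the shortened sample response are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the request URL and a shortened copy of the response
# shown in the issue (query string trimmed for readability).
SAMPLE_REQUEST_URL = "https://titiler-dev.undpgeohub.org/cog/WebMercatorQuad/tilejson.json"
SAMPLE_TILEJSON = {
    "tilejson": "2.2.0",
    "scheme": "xyz",
    "tiles": [
        "http://titiler-dev.undpgeohub.org/cog/tiles/WebMercatorQuad/{z}/{x}/{y}@1x?rescale=0%2C1"
    ],
}


def audit_tile_urls(request_url, tilejson):
    """Return one finding per tile template in tilejson["tiles"].

    status is one of:
      "scheme-downgrade": document fetched over https, template is http
                          (mixed content when used from an https page)
      "relative":         template has no scheme and inherits the page's
      "ok":               anything else
    """
    req = urlsplit(request_url)
    findings = []
    for template in tilejson.get("tiles", []):
        tile = urlsplit(template)  # {z}/{x}/{y} placeholders parse as plain path text
        if not tile.scheme:
            status = "relative"
        elif req.scheme == "https" and tile.scheme == "http":
            status = "scheme-downgrade"
        else:
            status = "ok"
        findings.append({
            "url": template,
            "status": status,
            # A template without a host resolves against the request host.
            "same_host": (tile.hostname or req.hostname) == req.hostname,
        })
    return findings


def has_scheme_downgrade(request_url, tilejson):
    """True if any tile template would be loaded over http from an https request."""
    return any(f["status"] == "scheme-downgrade"
               for f in audit_tile_urls(request_url, tilejson))
```

Run against a deployed endpoint after each ingress change, this gives a pass/fail signal that does not depend on opening the map page in a browser.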
@JinIgarashi
Contributor Author

JinIgarashi commented Jun 20, 2024

Currently, kubernetes.io/ingress.class: addon-http-application-routing is used for ingress. I found the article below on migrating it to the new one. It looks like the current add-on will be retired next year. Maybe we need to migrate all ingress to use the new one.

https://learn.microsoft.com/en-us/azure/aks/app-routing-migration

Also, we may need to enable ssl-passthrough; otherwise the load balancer terminates the SSL connection and does not pass SSL to the pods.

https://stackoverflow.com/questions/77485579/cant-enablie-https-and-http-to-a-clusterip-service-behind-a-ingress-controller

But I am not sure how to enable ssl-passthrough in addon-http-application-routing. The Stack Overflow question is for nginx-ingress.

@JinIgarashi
Contributor Author

Looks like ssl-passthrough is available for the addon, but the doc below says it is disabled by default.

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#ssl-passthrough

@JinIgarashi
Contributor Author

kubectl describe pod addon-http-application-routing-nginx-ingress-controller-569hwzr -n kube-system
Name:                 addon-http-application-routing-nginx-ingress-controller-569hwzr
Namespace:            kube-system
Priority:             2000001000
Priority Class Name:  system-node-critical
Service Account:      addon-http-application-routing-nginx-ingress-serviceaccount
Node:                 aks-agentpool-39493453-vmss000010/10.240.0.4
Start Time:           Thu, 09 May 2024 09:50:14 +0100
Labels:               app=addon-http-application-routing-nginx-ingress
                      kubernetes.azure.com/managedby=aks
                      pod-template-hash=564f6ccf8
Annotations:          <none>
Status:               Running
IP:                   10.244.5.11
IPs:
  IP:           10.244.5.11
Controlled By:  ReplicaSet/addon-http-application-routing-nginx-ingress-controller-564f6ccf8
Containers:
  addon-http-application-routing-nginx-ingress-controller:
    Container ID:  containerd://682c078e1f268ccf339fe6609a195102656fa98b98f2b6646d111066eef2a099
    Image:         mcr.microsoft.com/oss/kubernetes/ingress/nginx-ingress-controller:1.2.1
    Image ID:      mcr.microsoft.com/oss/kubernetes/ingress/nginx-ingress-controller@sha256:c5ab93eba814ac962c57e5db3c3481839e7ec57807eb98b13f04ed58e00a948e
    Ports:         80/TCP, 443/TCP
    Host Ports:    0/TCP, 0/TCP
    Args:
      /nginx-ingress-controller
      --ingress-class=addon-http-application-routing
      --configmap=$(POD_NAMESPACE)/addon-http-application-routing-nginx-configuration
      --tcp-services-configmap=$(POD_NAMESPACE)/addon-http-application-routing-tcp-services
      --udp-services-configmap=$(POD_NAMESPACE)/addon-http-application-routing-udp-services
      --annotations-prefix=nginx.ingress.kubernetes.io
      --publish-service=$(POD_NAMESPACE)/addon-http-application-routing-nginx-ingress
    State:          Running
      Started:      Thu, 09 May 2024 09:50:28 +0100
    Ready:          True
    Restart Count:  0
    Liveness:       http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
    Readiness:      http-get http://:10254/healthz delay=0s timeout=1s period=10s #success=1 #failure=3
    Environment:
      KUBERNETES_SERVICE_HOST:       geokube01-dns-fb947d7a.hcp.westeurope.azmk8s.io
      POD_NAME:                      addon-http-application-routing-nginx-ingress-controller-569hwzr (v1:metadata.name)
      POD_NAMESPACE:                 kube-system (v1:metadata.namespace)
      KUBERNETES_PORT_443_TCP_ADDR:  geokube01-dns-fb947d7a.hcp.westeurope.azmk8s.io
      KUBERNETES_PORT:               tcp://geokube01-dns-fb947d7a.hcp.westeurope.azmk8s.io:443
      KUBERNETES_PORT_443_TCP:       tcp://geokube01-dns-fb947d7a.hcp.westeurope.azmk8s.io:443
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-t6mvr (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:
  kube-api-access-t6mvr:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 CriticalAddonsOnly op=Exists
                             node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason  Age                  From                      Message
  ----    ------  ----                 ----                      -------
  Normal  RELOAD  3m5s (x24 over 41d)  nginx-ingress-controller  NGINX reload triggered due to a change in configuration

Looks like there is no --enable-ssl-passthrough arg in the current nginx-ingress controller deployment.

@JinIgarashi
Contributor Author

JinIgarashi commented Jun 20, 2024

kubectl edit deployment addon-http-application-routing-nginx-ingress-controller --namespace kube-system

# add --enable-ssl-passthrough in args section
    spec:
      containers:
      - name: addon-http-application-routing-nginx-ingress-controller
        image: mcr.microsoft.com/oss/kubernetes/ingress/nginx-ingress-controller:1.2.1
        args:
        - /nginx-ingress-controller
        - --enable-ssl-passthrough # << add this

# restart ingress controller
kubectl rollout restart deployment addon-http-application-routing-nginx-ingress-controller --namespace kube-system

After doing this, --enable-ssl-passthrough is still not enabled...

@JinIgarashi
Contributor Author

JinIgarashi commented Jun 20, 2024

  • change setting in configmap

get configmap name for ingress controller

kubectl describe pod -l app=addon-http-application-routing-nginx-ingress --namespace kube-system

    Args:
      /nginx-ingress-controller
      --ingress-class=addon-http-application-routing
      --configmap=$(POD_NAMESPACE)/addon-http-application-routing-nginx-configuration

  • get configmap

kubectl get configmap addon-http-application-routing-nginx-configuration -n kube-system -o yaml

apiVersion: v1
kind: ConfigMap
metadata:
  creationTimestamp: "2022-04-21T19:23:09Z"
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
    app: addon-http-application-routing-ingress-nginx
    kubernetes.io/cluster-service: "true"
  name: addon-http-application-routing-nginx-configuration
  namespace: kube-system
  resourceVersion: "322923562"
  uid: 691c8c47-d8b3-49bb-b543-9419ce83e706

  • edit configmap

kubectl edit configmap addon-http-application-routing-nginx-configuration -n kube-system

How can I enable ssl passthrough in the configmap? It looks like it is done by adding settings in the data section.

https://www.haproxy.com/documentation/kubernetes-ingress/community/configuration-reference/configmap/#ssl-passthrough

  • restart ingress controller

kubectl rollout restart deployment addon-http-application-routing-nginx-ingress-controller --namespace kube-system

  • check pod setting

kubectl describe pod -l app=addon-http-application-routing-nginx-ingress --namespace kube-system
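
A way to tell where the `--enable-ssl-passthrough` edit from the comments above stopped taking effect, as an added example that is not part of the original thread. It classifies the flag's state from the JSON printed by `kubectl get deployment addon-http-application-routing-nginx-ingress-controller -n kube-system -o json` and `kubectl get pods -l app=addon-http-application-routing-nginx-ingress -n kube-system -o json`; the function names and the sample objects are constructed for illustration.

```python
FLAG = "--enable-ssl-passthrough"


def _has_flag(pod_spec, flag=FLAG):
    """True if any container in the pod spec is started with the flag."""
    for container in pod_spec.get("containers", []):
        for arg in container.get("args") or []:
            if arg == flag or arg == flag + "=true":
                return True
    return False


def passthrough_state(deployment, pod_list, flag=FLAG):
    """Classify the flag's state from `kubectl ... -o json` output.

    "absent":  not in the Deployment template (edit not saved, or overwritten)
    "pending": in the template, but no pods yet or some pod still lacks it
    "active":  in the template and in every listed pod
    """
    in_template = _has_flag(deployment["spec"]["template"]["spec"], flag)
    if not in_template:
        return "absent"
    pods = pod_list.get("items", [])
    if not pods or not all(_has_flag(p["spec"], flag) for p in pods):
        return "pending"
    return "active"


# Constructed sample mirroring the args in the `kubectl describe pod` output
# above (trimmed to two arguments); the flag is not present.
_ARGS = ["/nginx-ingress-controller", "--ingress-class=addon-http-application-routing"]
SAMPLE_DEPLOYMENT = {
    "spec": {"template": {"spec": {"containers": [
        {"name": "addon-http-application-routing-nginx-ingress-controller", "args": _ARGS}
    ]}}}
}
SAMPLE_PODS = {
    "items": [{"spec": {"containers": [
        {"name": "addon-http-application-routing-nginx-ingress-controller", "args": _ARGS}
    ]}}]
}
```

Checking the Deployment template and the running pods separately distinguishes an edit that did not persist from a rollout that has not finished.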

@iferencik
Contributor

Alternatively, we might consider the native Kube routing API. This is an alternative to Ingress.

https://learn.microsoft.com/en-us/azure/application-gateway/for-containers/overview
