Bug 1571133 - Ingress backend should use service port instead of service targetPort
Summary: Ingress backend should use service port instead of service targetPort
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.9.z
Assignee: Rajat Chopra
QA Contact: zhaozhanqi
Depends On:
TreeView+ depends on / blocked
Reported: 2018-04-24 07:26 UTC by Hongan Li
Modified: 2018-04-30 19:20 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-04-30 19:20:18 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Hongan Li 2018-04-24 07:26:43 UTC
Description of problem:
The Ingress doesn't work if its backend.servicePort use service port, but it works if use service targetPort.

Version-Release number of selected component (if applicable):
openshift v3.9.24
kubernetes v1.9.1+a0ce1bc657

How reproducible:

Steps to Reproduce:
1. enable Ingress and add related cluster role to router
    #oc adm policy add-cluster-role-to-user system:openshift:controller:service-serving-cert-controller system:serviceaccount:default:router
    #oc env dc/router -e ROUTER_ENABLE_INGRESS=true

2. create your project, pod and svc
   #oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json
   #oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/unsecure/service_unsecure.json

3. ensure the service port is 27017 and targetPort is 8080.
# oc get svc -o yaml
    - name: http
      port: 27017
      protocol: TCP
      targetPort: 8080
      name: caddy-docker
    sessionAffinity: None
    type: ClusterIP
    loadBalancer: {}

4. create ingress and its backend.servicePort use service port 27017, then curl the host "foo.bar.com".
# oc create -f test-ingress.json 
# cat test-ingress.json
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {
        "name": "test-ingress"
    "spec": {
        "rules": [
                "host": "foo.bar.com",
                "http": {
                    "paths": [
                            "backend": {
                                "serviceName": "service-unsecure",
                                "servicePort": 27017
5. edit the ingress and change the backend.servicePort to use 8080, then curl the host.

Actual results:
In step 4, Ingress doesn't work, execute "curl --resolve foo.bar.com:80:$router_ip http://foo.bar.com" will get "503 Service Unavailable".
In step 5, Ingress works and can curl the host successfully. 

Expected results:
Ingress backend should use service port instead of targetPort.

Additional info:
1. in OCP 3.10, Ingress works well if backend use service port and cannot work if use targetPort.
2. this issue exists in 3.9 and previous release.

Comment 2 Ben Bennett 2018-04-30 19:20:18 UTC
This works in 3.10, and ingress support was in tech preview in 3.9.  There is a  work-around (use the same target port for the service and endpoints) for 3.9.

Note You need to log in before you can comment on or make changes to this bug.