3

So I am trying to configure postgresql with pgadmin access. I have managed to get postgresql and pgadmin deployed, but issues appear when I try to log in to the pgadmin UI.

My k8s cluster is on google cloud platform.

Cluster info.

Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.4", GitCommit:"c96aede7b5205121079932896c4ad89bb93260af", GitTreeState:"clean", BuildDate:"2020-06-18T17:02:08Z", GoVersion:"go1.13.12", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.10-gke.36", GitCommit:"34a615f32e9a0c9e97cdb9f749adb392758349a6", GitTreeState:"clean", BuildDate:"2020-04-06T16:33:17Z", GoVersion:"go1.12.12b4", Compiler:"gc", Platform:"linux/amd64"}

This is pgadmin-deployment.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: pgadmin
spec:
  selector:
    matchLabels:
      frontend: pgadmin
  replicas: 1
  template:
    metadata:
      labels:
        frontend: pgadmin
    spec:
     containers:
     - name: pgadmin
       image: dpage/pgadmin4
       imagePullPolicy: "IfNotPresent"
       env:
       - name: PGADMIN_DEFAULT_EMAIL
         value: "[email protected]"
       - name: PGADMIN_DEFAULT_PASSWORD
         value: "test!"
       - name: PGADMIN_LISTEN_PORT
         value: "443"
       ports:
       - containerPort: 443

Here is my pgadmin-service.yaml:

apiVersion: v1
kind: Service
metadata:
  name: pgadmin-service
spec:
  type: ClusterIP
  selector:
    frontend: pgadmin
  ports:
    - port: 9210
      targetPort: 443
      protocol: TCP

Also I have certmanager and nginx ingress installed on the cluster.

Nginx installation steps:

helm repo add stable https://kubernetes-charts.storage.googleapis.com/
helm install my-ingress stable/nginx-ingress --set rbac.create=true

Cert-Manager install steps:

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.1/cert-manager-legacy.crds.yaml
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v0.15.1 \
  # --set installCRDs=true

My issuer.yaml

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: "[email protected]"
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx

My certificate.yaml

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: mydomain.com
spec:
  secretName: cert
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: mydomain.com
  dnsNames:
    - pgadmin.mydomain.com
  acme:
    config:
      - http01:
          ingressClass: nginx
        domains:
          - pgadmin.mydomain.com

And finally ingress-service.yaml

 apiVersion: networking.k8s.io/v1beta1 #networking.k8s.io/v1beta1 # for versions before 1.14 use extensions/v1beta1
 kind: Ingress
 metadata:
   name: example-ingress
   namespace: default
   annotations:
     kubernetes.io/ingress.class: nginx
     nginx.ingress.kubernetes.io/rewrite-target: /
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     nginx.ingress.kubernetes.io/ssl-redirect: 'true'
     nginx.ingress.kubernetes.io/use-regex: 'true'
 spec:
   tls:
    - hosts:
        - pgadmin.mydomain.com
      secretName: cert
   rules:
     - host: pgadmin.mydomain.com
       http:
         paths:
         - path: /
           backend:
             serviceName: pgadmin-service
             servicePort: 9210

Currently my issue is that when I try to log in to my pgadmin UI, I get the following error: error

Container logs: logs

My domain is located behind CloudFlare. tls settings

If anything else is needed please let me know.

2 Answers

1

Don't use port 443, use 80, and don't use SSL in the pod. Terminate pls on ingress.

1
  • I've tried with it but no luck. Same error appears.
    – Vuzimir
    Commented Jul 1, 2020 at 10:07
0

It is because you aren't passing the TLS certificate to the pgadmin pods.

As mentioned in documentation, you need to provide the certificate and key:

PGADMIN_ENABLE_TLS

Default:

If left un-set, the container will listen on port 80 for connections in plain text. If set to any value, the container will listen on port 443 for TLS connections.

When TLS is enabled, a certificate and key must be provided. Typically these should be stored on the host file system and mounted from the container. The expected paths are /certs/server.crt and /certs/server.key

You have 2 options:

  1. Provide the key using the volumes on your deployment as mentioned here
  2. Use port 80 on deployment and configure the SSL in the Ingress.

From the specs you have provided, you should change the deployment file to:

..
      env:
       - name: PGADMIN_DEFAULT_EMAIL
         value: "[email protected]"
       - name: PGADMIN_DEFAULT_PASSWORD
         value: "test!"
       ports:
       - containerPort: 80

Change the service spec to point to the correct port:

apiVersion: v1
kind: Service
metadata:
  name: pgadmin-service
spec:
  selector:
    frontend: pgadmin
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP

And then, change the ingress to the correct port:

 spec:
   tls:
    - hosts:
        - pgadmin.mydomain.com
      secretName: cert
   rules:
     - host: pgadmin.mydomain.com
       http:
         paths:
         - path: /
           backend:
             serviceName: pgadmin-service
             servicePort: 80

The ingress will redirect all requests from port 80 to 443, since you are using the nginx.ingress.kubernetes.io/ssl-redirect annotation.

6
  • Hi, so I have tried that method but result is same. Console logs: https://imgur.com/a/6zvDnRE Cookie: https://imgur.com/a/Sy0CSIC Payload: next=%2Fbrowser%2F&csrf_token=Ijk0NDU3ZjQ3ODYwNDEzMmIxODIwYTk4OGFmZjJkZjg3M2M3M2VjMTMi.XvxbGg.habrY5SqFPWmvBS99BEvLei_aLg&email=test%test.com&password=mypass%21&language=en Response is error code 400 BAD REQUEST @KoopaKiller
    – Vuzimir
    Commented Jul 1, 2020 at 10:06
  • 1
    You can make sure the service is working properly using kubectl port-forward svc/pgadmin-service 8080:80. This command will map port 8080 from your machine to the service port, then you can access it using localhost:8080. Just to eliminate the Ingress misconfiguration. Could you confirm if everything is ok? Commented Jul 1, 2020 at 10:14
  • Hi, I have tried it and it's working as intended. I was able to log in without any issues.
    – Vuzimir
    Commented Jul 1, 2020 at 10:26
  • Ok, after making sure the application is working, let's put our efforts on the ingress. Can you test the domain ingress without Cloudflare? Also, make sure the certificate was issued with the command kubectl describe certificate. Please share the results. Commented Jul 2, 2020 at 8:39
  • 1
    Ok, I don't have much experience with how Cloudflare works with TLS mode, maybe you can open a ticket with Cloudflare support. But now you are sure the problem is not in your kubernetes deployment. =) Commented Jul 3, 2020 at 8:09
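
Option 1 from the second answer (pgAdmin serving TLS itself), written out as an added example that is not part of the original answer or the pgAdmin documentation. It assumes the Secret `cert` from certificate.yaml is a standard `kubernetes.io/tls` Secret in the same namespace as the Deployment, and it reads the login from a hypothetical Secret named `pgadmin-credentials` instead of literal env values.

```yaml
# Added example: mount the issued certificate where the pgAdmin container expects it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pgadmin
spec:
  replicas: 1
  selector:
    matchLabels:
      frontend: pgadmin
  template:
    metadata:
      labels:
        frontend: pgadmin
    spec:
      containers:
      - name: pgadmin
        image: dpage/pgadmin4
        env:
        - name: PGADMIN_ENABLE_TLS        # any value makes the container listen on 443 with TLS
          value: "True"
        - name: PGADMIN_DEFAULT_EMAIL
          valueFrom:
            secretKeyRef:
              name: pgadmin-credentials   # hypothetical Secret, not defined on this page
              key: email
        - name: PGADMIN_DEFAULT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: pgadmin-credentials   # hypothetical Secret, not defined on this page
              key: password
        ports:
        - containerPort: 443
        volumeMounts:
        - name: tls
          mountPath: /certs               # expected paths: /certs/server.crt and /certs/server.key
          readOnly: true
      volumes:
      - name: tls
        secret:
          secretName: cert                # secretName from certificate.yaml (assumed same namespace)
          items:                          # TLS Secrets store tls.crt / tls.key; rename on mount
          - key: tls.crt
            path: server.crt
          - key: tls.key
            path: server.key
```

With this variant the Service keeps `targetPort: 443`, and the Ingress needs the annotation `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` so that NGINX speaks TLS to the pod instead of plain HTTP.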
