ingress-nginx: Ingress controller created AFTER basic auth enabled results in 503

Hi, I have a strange problem where if i scale the ingress controller:

kn scale --replicas=2 deployment/nginx-ingress-controller

I get:

❯ kn get pods
NAME                                        READY     STATUS    RESTARTS   AGE
default-http-backend-65d8d5bb9d-7glj9       1/1       Running   0          16h
nginx-ingress-controller-744c655575-6c2sv   1/1       Running   0          16h
nginx-ingress-controller-744c655575-hwz5z   1/1       Running   0          2m

but requests going to the scaled pod 503:

-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:    0.9.0
  Build:      git-6816630
  Repository: https://github.com/kubernetes/ingress-nginx
-------------------------------------------------------------------------------

I0109 09:28:12.231605       8 main.go:227] Creating API client for https://10.168.0.1:443
I0109 09:28:12.243944       8 main.go:239] Running in Kubernetes Cluster version v1.8+ (v1.8.5-gke.0) - git (clean) commit 2c2a807131fa8708abc92f3513fe167126c8cce5 - platform linux/amd64
I0109 09:28:12.247979       8 main.go:83] validated ingress-nginx/default-http-backend as the default backend
I0109 09:28:12.251520       8 main.go:104] service ingress-nginx/ingress-nginx validated as source of Ingress status
I0109 09:28:12.576477       8 stat_collector.go:77] starting new nginx stats collector for Ingress controller running in namespace  (class nginx)
I0109 09:28:12.576549       8 stat_collector.go:78] collector extracting information from port 18080
I0109 09:28:12.595358       8 nginx.go:250] starting Ingress controller
E0109 09:28:12.607240       8 annotations.go:144] error reading BasicDigestAuth annotation in Ingress default/elasticsearch-ingress: unexpected error reading secret default/basic-auth: secret default/basic-auth was not found
I0109 09:28:12.608087       8 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"elasticsearch-ingress", UID:"62005b40-f482-11e7-8777-42010a9a00cd", APIVersion:"extensions", ResourceVersion:"68287", FieldPath:""}): type: 'Normal' reason: 'CREATE' Ingress default/elasticsearch-ingress
I0109 09:28:12.695866       8 nginx.go:255] running initial sync of secrets
I0109 09:28:12.697554       8 backend_ssl.go:64] adding secret default/ingress-tls to the local store
I0109 09:28:12.697656       8 nginx.go:288] starting NGINX process...
I0109 09:28:12.697790       8 leaderelection.go:174] attempting to acquire leader lease...
I0109 09:28:12.698967       8 controller.go:211] backend reload required
I0109 09:28:12.699146       8 stat_collector.go:34] changing prometheus collector from  to default
I0109 09:28:12.701563       8 status.go:196] new leader elected: nginx-ingress-controller-744c655575-nb2sj
I0109 09:28:12.814688       8 controller.go:220] ingress backend successfully reloaded...
I0109 09:28:13.348180       8 backend_ssl.go:160] updating local copy of ssl certificate default/ingress-tls with missing intermediate CA certs
I0109 09:28:15.910354       8 controller.go:211] backend reload required
I0109 09:28:16.124630       8 controller.go:220] ingress backend successfully reloaded...
I0109 09:28:46.531990       8 leaderelection.go:184] successfully acquired lease ingress-nginx/ingress-controller-leader-nginx
I0109 09:28:46.532006       8 status.go:196] new leader elected: nginx-ingress-controller-744c655575-hwz5z
193.243.130.243 - [193.243.130.243] - - [09/Jan/2018:09:29:09 +0000] "GET / HTTP/1.1" 503 213 "-" "curl/7.51.0" 92 0.000 [default-elasticsearch-client-9200] - - - -
193.243.130.243 - [193.243.130.243] - - [09/Jan/2018:09:29:10 +0000] "GET / HTTP/1.1" 503 213 "-" "curl/7.51.0" 92 0.000 [default-elasticsearch-client-9200] - - - -
193.243.130.243 - [193.243.130.243] - - [09/Jan/2018:09:29:10 +0000] "GET / HTTP/1.1" 503 213 "-" "curl/7.51.0" 92 0.000 [default-elasticsearch-client-9200] - - - -
193.243.130.243 - [193.243.130.243] - - [09/Jan/2018:09:29:11 +0000] "GET / HTTP/1.1" 503 213 "-" "curl/7.51.0" 92 0.000 [default-elasticsearch-client-9200] - - - -
193.243.130.243 - [193.243.130.243] - - [09/Jan/2018:09:29:12 +0000] "GET / HTTP/1.1" 503 213 "-" "curl/7.51.0" 92 0.000 [default-elasticsearch-client-9200] - - - -

requests that go to the other pod are fine:

193.243.130.243 - [193.243.130.243] - autotrader [09/Jan/2018:09:20:39 +0000] "GET /_cluster/state HTTP/2.0" 200 17766 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/63.0.3239.132 Safari/537.36" 27 0.028 [default-elasticsearch-client-9200] 10.167.4.7:9200 17766 0.028 200

About this issue

  • Original URL
  • State: closed
  • Created 6 years ago
  • Comments: 16 (11 by maintainers)

Most upvoted comments

Also make sure that the htpasswd auth file is actually named auth.

It’s important the file generated is named auth (actually - that the secret has a key data.auth), otherwise the ingress-controller returns a 503.

+7
dvdblk on Mar 4, 2020

For me the issue was - I’ve created the basic-auth key in the ‘default’ namespace, and my service was in another namespace, so it couldn’t fetch the basic-auth key. I had to create a key in my new namespace, and then it worked like a charm

+3
unfor19 on Jan 27, 2020
Read more comments on GitHub
← ingress-nginx: ingress controller becomes stale after being unable to decode events from watch stream
ingress-nginx: Ingress controller fails to reach a single Nginx service exposing 2 ports →