Comments (13)
This issue is currently awaiting triage.
If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
from ingress-nginx.
- The project does not test upgrade dualstack on AWS so we could use more data
- The message in error is about releasing and recreating
Service "ingress-nginx-controller" is invalid: spec.ipFamilyPolicy: Invalid value: "RequireDualStack": must be 'SingleStack' to release the secondary IP family
This hints that a very clear targeted test is needed to be done by a developer to triage this
from ingress-nginx.
/remove-kind bug
/triage needs-information
/kind feature
cc @Gacko
from ingress-nginx.
That's not AWS, that's Oracle Cloud. I cannot test this, but I rather feel like that's an error produced by the according load balancer / cloud controller, so nothing caused by the chart or us.
from ingress-nginx.
Yup, that error is coming from Kubernetes itself: https://github.com/kubernetes/kubernetes/blob/dc3f5ec6ccb9855dfa99f4c1078625df5fdfab6a/pkg/registry/core/service/storage/alloc.go#L184
from ingress-nginx.
To make things clear, I do not use oracle load balancers but metallb ^^
from ingress-nginx.
According to the code, this error message happens when you're handing in an ipFamilyPolicy other than SingleStack (that's the case) and the updated service has fewer clusterIPs and/or ipFamilies than the old service. Can you try omitting the ipFamilyPolicy from your values? As the service already exists, I don't think the assigned IPs are getting dropped. Anyway, please do so in a testing environment.
from ingress-nginx.
What's the deal then if the error comes from Kubernetes? Shouldn't the helm template render exactly the same values for the yaml files that get sent to the kubernetes api? In this case, kubernetes shouldn't do anything but rather reply with "ok", desired state already reached.
To verify, I dumped the current service as a yaml file and tried to push it straight as it is again with "kubectl apply -f":
kubectl -n ingress-nginx apply -f svc.yaml
Error from server (Conflict): error when applying patch:
{"metadata":{"resourceVersion":"10892"}}
to:
Resource: "/v1, Resource=services", GroupVersionKind: "/v1, Kind=Service"
Name: "ingress-nginx-controller", Namespace: "ingress-nginx"
for: "svc.yaml": error when patching "svc.yaml": Operation cannot be fulfilled on services "ingress-nginx-controller": the object has been modified; please apply your changes to the latest version and try again
Does the nginx helm-chart admission controller permanently update the resource? Because I needed maybe 5 seconds between getting the yaml output and sending it again.
Or is it a missing kubernetes feature/bug? If yes, I can close this issue and raise one on kubernetes side :)
from ingress-nginx.
The Service resource is not checked or manipulated by the Ingress NGINX chart. We do not deploy any webhooks for Service resources. Also you probably cannot kubectl apply those resources if they have been created by doing so. Again, that's nothing specific to Ingress NGINX, that's a Kubernetes in general topic.
from ingress-nginx.
Thanks! I will try to ask why this behaviour is desired on the kubernetes side :)
from ingress-nginx.
@Gacko I will reopen this issue, as I am pretty sure that the error message is misleading, because I ran helm with --dry-run=server to see the actual patch templates:
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.10.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  ipFamilyPolicy: RequireDualStack
  ipFamilies:
    - IPv4
  ports:
  (...)
The problem might be that the ipFamilies does not contain IPv6, therefore Kubernetes detects a change and runs into an issue that it does not allow RequireDualStack in combination with only one ipFamily set.
I am not 100% sure, but I also mentioned this on the kubernetes ticket itself: kubernetes/kubernetes#123761
And I am unsure whose behaviour here is not working as expected. Might even be helm itself 🤔
from ingress-nginx.
The check in the code compares the old ipFamilies to the new ones and complains if you're reducing them, so from IPv4 & IPv6 to only IPv4 e.g., while still using RequireDualStack.
The Ingress NGINX chart has a property controller.service.ipFamilies which defaults to just IPv4. So if you change controller.service.ipFamilyPolicy while not changing controller.service.ipFamilies, you might run into that issue.
Unfortunately Kubernetes is maybe not complaining about that on creation and just adds IPv6 after creation to comply to your ipFamilyPolicy, but without changing ipFamilies to a matching value, it's quite clear why it is no longer working on updates.
Sorry that I didn't figure that earlier! I guess you're expecting to just set controller.service.ipFamilyPolicy and not care about controller.service.ipFamilies, right? I'm not sure if we can really have a good default behavior here as other users might eventually want to default to ipFamilyPolicy SingleStack with ipFamilies IPv6.
Of course setting ipFamilyPolicy to RequireDualStack might make one think "yeah, just set IPv4 and IPv6 in ipFamilies then, I don't wanna care", but actually order matters here. Kubernetes is acting differently depending on what's mentioned first in the ipFamilies.
So in the end I don't think there is a one-fits-all default behavior we can implement and one always needs to configure both, ipFamilyPolicy and ipFamilies.
cc @strongjz @rikatz in case you are more into the whole "Kubernetes on Dual Stack" topic. 🙂
from ingress-nginx.
Just tested it. Indeed, setting the ipFamilies resolves my problem. I guess there is no need to catch this edge case, since it was a user error. But at least it is now documented here in an issue so others can find it 😄 Thanks a lot for your help!
from ingress-nginx.
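A pre-upgrade check for the pitfall resolved in this thread, as an added example that is not code from ingress-nginx or Kubernetes: it compares the live Service's ipFamilies with what the chart would render, modelling the rejection condition as the comments above describe it. The function name, finding codes and sample specs are assumptions made for illustration; a rendered spec that omits ipFamilies is not evaluated.

```python
# Added example: models the check as described in the thread, not Kubernetes' code.
# Specs are plain dicts shaped like Service .spec; all sample values are constructed.

def dual_stack_findings(live_spec, rendered_spec):
    """Compare the live Service spec with the spec the chart would send.

    Returns a list of (code, message) tuples; an empty list means no finding.
    """
    findings = []
    policy = rendered_spec.get("ipFamilyPolicy", "SingleStack")
    live = live_spec.get("ipFamilies") or []
    new = rendered_spec.get("ipFamilies") or []

    # Case from the thread: policy other than SingleStack while the update
    # lists fewer ipFamilies than the existing Service has.
    if policy != "SingleStack" and new and len(new) < len(live):
        dropped = [fam for fam in live if fam not in new]
        findings.append(("REDUCED_FAMILIES",
                         f"{policy} with ipFamilies {new} drops {dropped} from live {live}"))

    # Order matters: the first entry is the primary family.
    if live and new and live[0] != new[0]:
        findings.append(("PRIMARY_CHANGED",
                         f"primary family would change from {live[0]} to {new[0]}"))

    # RequireDualStack with one listed family: the cluster may add the second
    # one on creation, so the chart values no longer match the live object.
    if policy == "RequireDualStack" and len(new) == 1:
        findings.append(("POLICY_FAMILY_MISMATCH",
                         "RequireDualStack set but only one ipFamily listed"))
    return findings


# Constructed samples: the live Service after creation, and two chart renderings.
LIVE = {"ipFamilyPolicy": "RequireDualStack", "ipFamilies": ["IPv4", "IPv6"]}
RENDERED_DEFAULT = {"ipFamilyPolicy": "RequireDualStack", "ipFamilies": ["IPv4"]}
RENDERED_FIXED = {"ipFamilyPolicy": "RequireDualStack", "ipFamilies": ["IPv4", "IPv6"]}

if __name__ == "__main__":
    for name, spec in (("default", RENDERED_DEFAULT), ("fixed", RENDERED_FIXED)):
        print(name, dual_stack_findings(LIVE, spec) or "ok")
```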