
Setup: DigitalOcean K8S Cluster w/ 2 nodes and 1 Ingress-NGINX LoadBalancer (no special configuration)

I was wondering why certificate requests fail, and found in the logs of the Challenge that the self check GET request runs into a timeout:

 Waiting for http-01 challenge propagation: failed to perform self check GET request 'http...'
 ... dial tcp PUBLIC_LOADBALANCE_IP:80 connect: connection timed out

After looking closer, the issue seems to be that when I try to make curl requests to my LoadBalancer public IP from inside running pods, only the pods running on the node that the LoadBalancer currently does not point to can make successful requests. All other requests from pods running on the other node time out.

Any advice?

Edit:

After digging further I found that setting 'externalTrafficPolicy' in the ingress-nginx Service from

externalTrafficPolicy: Local

to

externalTrafficPolicy: Cluster

seems to resolve the issue. Now all pods, no matter which node they are running on, can successfully make requests. Which leads me to another question:

Did I miss something setting this up? I think so, otherwise I don't understand why neither the documentation nor any tutorials give a hint about this potential issue.

1 Answer


You haven't missed anything during your setup.

There is an issue reporting this behavior and it seems very similar to what you described. Unfortunately, the issue is still open, so there is no solution to this problem yet.

The only possibility is to use your workaround of changing externalTrafficPolicy from Local to Cluster.

Mark Watney
  • I had the same issue, and (for another reason) I had to recreate the cluster in Europe (Frankfurt); using the exact same yaml configuration, it worked. Go figure.. –  Dec 12 '19 at 15:00
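
To repeat the per-node curl check from the question before and after changing externalTrafficPolicy, this added example (not part of the original posts) runs a short-lived curl pod pinned to each node against the LoadBalancer IP and reports the result per node. The namespace and Service name `ingress-nginx`, the `curlimages/curl` image and the script name `lbcheck.sh` are assumptions.

```shell
#!/usr/bin/env bash
# Added example. NS and SVC are assumed names; set them for your cluster.
NS="${NS:-ingress-nginx}"
SVC="${SVC:-ingress-nginx}"

# JSON for `kubectl run --overrides` that pins the probe pod to one node.
node_override() {
  printf '{"apiVersion":"v1","spec":{"nodeName":"%s"}}' "$1"
}

# Translate curl's exit status into a verdict (28 = timed out, 7 = connect failed).
verdict() {
  case "$1" in
    0)  echo "reachable" ;;
    28) echo "timeout" ;;
    7)  echo "connect-failed" ;;
    *)  echo "error($1)" ;;
  esac
}

# Run a throwaway curl pod on node $1 against LoadBalancer IP $2 ($3 = counter).
# With --restart=Never and an attached session, kubectl run exits with the
# container's exit status, which here is curl's.
probe_node() {
  kubectl run "lbcheck-$$-$3" --rm -i --quiet --restart=Never \
    --image=curlimages/curl --overrides="$(node_override "$1")" \
    --command -- curl -s -o /dev/null --connect-timeout 5 "http://$2/" \
    >/dev/null 2>&1
  verdict "$?"
}

main() {
  policy=$(kubectl -n "$NS" get svc "$SVC" -o jsonpath='{.spec.externalTrafficPolicy}')
  lb_ip=$(kubectl -n "$NS" get svc "$SVC" -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  echo "externalTrafficPolicy=$policy loadBalancerIP=$lb_ip"
  i=0
  for node in $(kubectl get nodes -o jsonpath='{.items[*].metadata.name}'); do
    i=$((i + 1))
    echo "$node: $(probe_node "$node" "$lb_ip" "$i")"
  done
}

# Only touch the cluster when called as: ./lbcheck.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

A `timeout` verdict on some nodes and `reachable` on others matches the symptom in the question; an `error(...)` verdict usually means the probe pod itself could not start.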