couldn't connect to milvus k8s ingress via tls #71
If you use tlsMode 1 for milvus, the annotation see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#backend-protocol for more information.
Or you can also leave
Now I try noTLS config:
Ingress:
I get 404 in browser and
But in VSC when running script
Only way when script works, I make port-forward from service and connection is well
The annotation
I added it to my notls config (previous message), then I get 502 in browser and curl
@hive74 looks like the frontend TLS is necessary for nginx ingress to proxy GRPC. Update your ingress like below:
Yet, keep the backend milvus
Then connect with
Thanks for the reply, but I again get 502 in browser and via script
What I did in local minikube:
I also did it in a full k8s cluster with existing valid certs and the result is the same (502 in browser, cert error via script). Where is my fault? Is it OK to get 502 in browser?
Em, I'm gonna need more information to be sure what's going on. Could you try using the command
Oh, I know what's going on. You're using the private certificate signed by yourself. So you need to add the
Try this:
different tries
I want to note that the ingress TLS certs are generated by gen.sh and I try to connect with those *.pem files. But user.yaml uses the default certs generated by Milvus before start and tlsMode: 0. Can that affect it? Maybe some certs are needed?
curl -v -k https://milvus.example.com:443 getting 502
You don't need to enable TLS on milvus. TLS terminates at the nginx ingress, and nginx communicates with the backend milvus using plaintext GRPC. So no worries about this.
alter a bit:
@XuanYang-cn These configurations are indeed very confusing.... For now
run get i get these certs after
I keep server.pem and server.key as tls-secret and put it to ingress secret:
I GOT IT!! Problem was in missing of
In minikube will research it, maybe trouble with CA, minikube config certs is upper
Thank you so much @haorenfsa
Oh, good catch! The server_name thing is indeed a bug to me. We'll fix it soon. Happy hacking with Milvus!
So extra guide should be added using minikube. Most people don't have a real k8s-cluster to play with.
Fixed in minikube by this task
fixed in milvus-io/pymilvus#1962
I’m getting another error when trying to connect to Milvus when using nginx ingress on Minikube to handle the TLS. I’m trying to create a (http/grpc) proxy from nginx to the Milvus service. I have a valid TLS certificate to test as a secret: cert.
values.yml:
When I'm trying to connect via python:
E0325 11:26:37.585249639 133238 hpack_parser.cc:993] Error parsing 'content-type' metadata: invalid value
Hi @indyvanmol, please check if
returns: 404 page not found
@indyvanmol that means the ingress is not created correctly. What's the output of
No loadBalancer attached, which means your nginx-ingress-controller is not correctly set up. Please refer to this doc for the setup procedures https://milvus.io/docs/ingress.md
The docs you’re showing are for an Azure setup. I have an on-premise setup and my Nginx ingress controller is working for other HTTP services where I’m proxying to. What kind of protocol is used for Milvus? Is it HTTP, and does an HTTP proxy to Milvus work? Are the examples shown with Nginx just TCP forwarding and not HTTP? So, with the Nginx ingress examples, TLS encryption is done at the TCP level, but the proxy is using TCP and not HTTP. By proxy I mean the channel from nginx ingress to the service.
@indyvanmol It's a mistake to put https://milvus.io/docs/ingress.md under Azure section, it can be used anywhere, we'll update the doc soon.
We would need the output of
Milvus uses gRPC, and gRPC is built on top of HTTP2. Any HTTP proxy that supports HTTP2 would work for milvus.
Yes, in https://milvus.io/docs/azure.md.
No. If you use ingress, then the TLS encryption is done at the nginx proxy (the HTTP layer). The channel from nginx ingress to the milvus service is in plaintext gRPC (i.e. HTTP2 over raw TCP, not TLS). Usually HTTP2 is used together with TLS, but it's a special case. If you use a service, there's no TLS (unless you add some specific annotations to the service and provide TLS certificates & keys). The client communicates with milvus in plaintext gRPC, the same as the nginx proxy communicates with the backend in the ingress case.
Thank you very much for the feedback. I'm sorry for all the troubles caused by the docs, they should be better organized. I'll see to this done.
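Added example, not part of the original thread or the Milvus docs: an ingress-nginx manifest for the layout described in the comment above, with TLS terminated at the ingress and plaintext gRPC to the backend. The host, the secret name and the backend-protocol annotation are reused from the original post; the Ingress name, the ingress class and the Service name are assumptions, and 19530 is Milvus's default gRPC port.

```yaml
# Added example: TLS terminates at nginx, backend stays plaintext gRPC.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: milvus-grpc                       # assumed name
  annotations:
    # nginx proxies HTTP/2 without TLS to the Milvus pod, so Milvus
    # itself keeps tlsMode: 0.
    nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
    # "GRPCS" is the ingress-nginx value for a backend that itself
    # serves TLS; it does not apply to this layout.
spec:
  ingressClassName: nginx                 # assumed ingress class
  tls:
    # Frontend TLS: the certificate the client verifies is the one in
    # this secret, so its names must cover the host below.
    - hosts:
        - k8s-milvus.example.com
      secretName: milvus-tls              # kubernetes.io/tls secret (tls.crt, tls.key)
  rules:
    - host: k8s-milvus.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-release-milvus   # assumed Service name
                port:
                  number: 19530           # Milvus default gRPC port
```

With this layout the client connects to port 443 with secure=True, as in the connections.connect call from the original post.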
@haorenfsa thanks for helping me. I hope this helps to give you some more insight on how to help make the docs better.
@indyvanmol I'm quite sure your nginx ingress was not installed or configured correctly. Please try following this doc's instruction on installation https://milvus.io/docs/ingress.md
@haorenfsa I installed Nginx as described in the documentation and it indeed works, for which I am thankful. However, I suggest that a section be added to the documentation detailing the specific configuration required for Nginx. This is because I installed Nginx using the manifest files, not via Helm, so it’s primarily about configuration. However, it’s not clear to me what specific configuration is needed. Regardless, I appreciate the help and am pleased that it works. I find it interesting to know what kind of settings are expected of a proxy globally.
@indyvanmol We'll add a section about nginx later. Thank you very much for the suggestion!
Hello,
I'm using milvus db in k8s as standalone, have tls.crt and tls.key for my ingress dns and put it in standalone-pod via secretName: milvus-tls. CA-cert is also added to standalone-pod in /etc/ssl/certs. Certs are valid. Config milvus tls:
Python 3.10.12
protobuf 3.20.0
milvus-4.1.17
grpcio-tools 1.53.0
Milvus cli version: 0.4.2
Pymilvus version: 2.3.4
extraConfigFiles:
Ingress by default:
I get 502 in browser and Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED when trying to connect via a Python script like connections.connect("default", host="k8s-milvus.example.com", port="443", secure=True, server_pem_path="/home/testuser/milvus/ca.pem")
What I tried:
If I disable TLS on milvus, drop the ingress line nginx.ingress.kubernetes.io/backend-protocol: GRPC and keep TLS on ingress, I get 404 in browser (that's good) and CERTIFICATE_VERIFY_FAILED via script.
If I connect via port 80 without milvus-tls I get Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
Tried to mix params like server_pem_path, ca_pem_path, client_pem_path, etc.
Without milvus-tls in minikube and with port-forward to the standalone pod, it connects well. Through ingress it also doesn't work, even with simple\milvus-default ingress. Maybe it's the main problem.
All pods are running without errors in logs. How can I connect to milvus db via a Python script? How do I fix the SSL error? I can't disable ingress TLS, but can do it on milvus db, if the same (Ingress TLS, Milvus noTLS) config is possible.