
I have a Kong ingress on GKE as follows, whose default path "/" forwards to a web application written in Next.js that has Keycloak integration.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myprojqlfingress
  namespace: qlf
  annotations:
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: letsencrypt-qlf
    kubernetes.io/ingress.class: kong
    konghq.com/request-buffering: "true"
    konghq.com/response-buffering: "true"
spec:
  tls:
  - secretName: myproject-qlf
    hosts:
    - myproject-qlf.mydomain.net
  rules:
  - host: myproject-qlf.mydomain.net
    http:
      paths:
      - path: /rfm
        pathType: ImplementationSpecific
        backend:
          service:
            name: rfmapi
            port:
              number: 8091
      - path: /mb
        pathType: ImplementationSpecific
        backend:
          service:
            name: mbapi
            port:
              number: 8094
      - path: /custseg
        pathType: ImplementationSpecific
        backend:
          service:
            name: custapi
            port:
              number: 8093
      - path: /energy
        pathType: ImplementationSpecific
        backend:
          service:
            name: energyapi
            port:
              number: 8097
      - path: /airline
        pathType: ImplementationSpecific
        backend:
          service:
            name: airlineapi
            port:
              number: 8096
      - path: /hotel
        pathType: ImplementationSpecific
        backend:
          service:
            name: hotelapi
            port:
              number: 8095
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: datainsightfrontwebapp
            port:
              number: 3000

Here I have changed the domain name for confidentiality reasons.

So after authentication it is throwing this error:

An invalid response was received from the upstream server

The same problem was there in the dev environment also, which I fixed using the annotation konghq.com/request-buffering: "true", but in this case it is not working.

The certificate and all configurations are working fine.

Any idea?

ARINDAM BANERJEE
  • Does the upstream server see a request incoming? Can you reach the upstream server from the kong host? Can you do a network capture to check what is answered by the upstream server? – Ôrel Mar 07 '22 at 17:05
  • Not really, it is blocked by kong-ingress deployment in kong namespace. Logs: 1098#0: *53809 upstream sent too big header while reading response header from upstream, client: 172.17.6.20, server: kong, request: "GET /api/auth/callback/keycloak?state=&session_state=&code=c76b51.78082a58-4aaa-4468-a9c0-6c7f6e63f4ba.e2e6660a-9567-49e9-8f1f-72091a3b78ee HTTP/2.0", upstream: "http://10.60.5.4:3000/api/auth/callback/keycloak?state=&session_state=78082a58-4aaa-4468-a9c0-6c7f6e63f4ba&code=", host: "myproject-qlf.mydomain.net" - from kong ingress. So it is not blocked by kong. – ARINDAM BANERJEE Mar 07 '22 at 21:25
  • Error states there are problems with response header from keycloak. Could you take a look into keycloak response, and possibly add it to your question? –  Mar 08 '22 at 09:04

1 Answer


I fixed the issue using the following manifest file:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ingress-kong
  name: ingress-kong
  namespace: kong
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ingress-kong
  template:
    metadata:
      annotations:
        kuma.io/gateway: enabled
        traffic.sidecar.istio.io/includeInboundPorts: ""
      labels:
        app: ingress-kong
    spec:
      containers:
      - env:
        - name: KONG_PROXY_LISTEN
          value: 0.0.0.0:8000, 0.0.0.0:8443 ssl http2
        - name: KONG_PORT_MAPS
          value: 80:8000, 443:8443
        - name: KONG_ADMIN_LISTEN
          value: 127.0.0.1:8444 ssl
        - name: KONG_STATUS_LISTEN
          value: 0.0.0.0:8100
        - name: KONG_DATABASE
          value: "off"
        - name: KONG_NGINX_WORKER_PROCESSES
          value: "2"
        - name: KONG_KIC
          value: "on"
        - name: KONG_ADMIN_ACCESS_LOG
          value: /dev/stdout
        - name: KONG_ADMIN_ERROR_LOG
          value: /dev/stderr
        - name: KONG_PROXY_ERROR_LOG
          value: /dev/stderr
        - name: KONG_CLIENT_BODY_BUFFER_SIZE
          value: 124m
        - name: KONG_CLIENT_MAX_BODY_SIZE
          value: "0"
        - name: KONG_NGINX_PROXY_PROXY_BUFFER_SIZE
          value: 160k
        - name: KONG_NGINX_PROXY_PROXY_BUFFERS
          value: 64 160k
        image: kong:2.7
        lifecycle:
          preStop:
            exec:
              command:
              - /bin/sh
              - -c
              - kong quit
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /status
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: proxy
        ports:
        - containerPort: 8000
          name: proxy
          protocol: TCP
        - containerPort: 8443
          name: proxy-ssl
          protocol: TCP
        - containerPort: 8100
          name: metrics
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /status
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
      - env:
        - name: CONTROLLER_KONG_ADMIN_URL
          value: https://127.0.0.1:8444
        - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
          value: "true"
        - name: CONTROLLER_PUBLISH_SERVICE
          value: kong/kong-proxy
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        image: kong/kubernetes-ingress-controller:2.2.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: ingress-controller
        ports:
        - containerPort: 8080
          name: webhook
          protocol: TCP
        - containerPort: 10255
          name: cmetrics
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /readyz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
      serviceAccountName: kong-serviceaccount

Which means the below parameters were essential:

- name: KONG_CLIENT_BODY_BUFFER_SIZE
  value: 124m
- name: KONG_CLIENT_MAX_BODY_SIZE
  value: "0"
- name: KONG_NGINX_PROXY_PROXY_BUFFER_SIZE
  value: 160k
- name: KONG_NGINX_PROXY_PROXY_BUFFERS
  value: 64 160k
ARINDAM BANERJEE
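The log line in the question's comments ("upstream sent too big header while reading response header from upstream") and the buffer settings in the answer are two ends of the same check: nginx, which Kong runs on, reads the upstream status line and all response headers into a single buffer of proxy_buffer_size bytes (KONG_NGINX_PROXY_PROXY_BUFFER_SIZE), and if they do not fit it logs that error and answers 502. The script below is an added example, not code from the question, the answer or the Kong project. It parses nginx size strings, measures a response's header block, and reports which proxy_buffer_size values it would fit in. The sample callback response is constructed here, with the assumption that the login callback sets several large Set-Cookie headers (the usual reason an OIDC callback has an oversized header block); the cookie names, sizes and count are not taken from the poster's cluster.

```python
"""Check whether an upstream response's headers fit in nginx's proxy_buffer_size.

Added example for this thread, not code from the question or the answer.
nginx (and therefore Kong) reads the upstream status line and headers into
one buffer of proxy_buffer_size bytes; if they do not fit it logs
"upstream sent too big header" and returns 502. The sample response
below is constructed, not captured from the poster's cluster.
"""
import re

_UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}


def parse_nginx_size(value: str) -> int:
    """Convert a single nginx size string ('4k', '160k', '124m', '0') to bytes.

    Two-part values such as the proxy_buffers setting '64 160k' are a count
    plus a size and are deliberately rejected here.
    """
    m = re.fullmatch(r"\s*(\d+)\s*([kKmM]?)\s*", value)
    if not m:
        raise ValueError(f"not an nginx size: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def header_block_size(raw_response: bytes) -> int:
    """Bytes of status line + headers + the blank line that ends them."""
    end = raw_response.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("response has no end-of-headers marker")
    return end + 4


def header_fits(raw_response: bytes, proxy_buffer_size: str) -> bool:
    """True if the whole header block would fit in one proxy_buffer_size buffer."""
    return header_block_size(raw_response) <= parse_nginx_size(proxy_buffer_size)


def sample_callback_response(cookie_value_bytes: int, cookie_chunks: int) -> bytes:
    """Constructed stand-in for the redirect an OIDC callback sends after login.

    Libraries that keep the session in the cookie split a large token over
    several Set-Cookie headers; the cookie name, chunk count and size are
    assumptions here, chosen so the header block is large.
    """
    lines = [
        b"HTTP/1.1 302 Found",
        b"Location: https://myproject-qlf.mydomain.net/",
        b"Cache-Control: no-store",
    ]
    for i in range(cookie_chunks):
        lines.append(
            b"Set-Cookie: session-token." + str(i).encode() + b"="
            + b"A" * cookie_value_bytes
            + b"; Path=/; HttpOnly; Secure; SameSite=Lax"
        )
    return b"\r\n".join(lines) + b"\r\n\r\n"


def report(raw_response: bytes, sizes=("4k", "8k", "160k")) -> dict:
    """Map each candidate proxy_buffer_size to whether the headers fit.

    4k and 8k are nginx's platform-dependent defaults; 160k is the answer's value.
    """
    return {s: header_fits(raw_response, s) for s in sizes}


if __name__ == "__main__":
    resp = sample_callback_response(cookie_value_bytes=4000, cookie_chunks=4)
    print(f"header block: {header_block_size(resp)} bytes")
    for size, ok in report(resp).items():
        print(f"proxy_buffer_size {size:>5}: {'fits' if ok else 'too big, nginx would return 502'}")
```

To run it against the real service rather than the constructed sample, take a header dump from the upstream directly (for example `kubectl port-forward svc/datainsightfrontwebapp 3000` in the qlf namespace, then `curl -sS -D headers.txt -o /dev/null http://localhost:3000/...` for a request that reproduces the callback) and feed the bytes of headers.txt to header_block_size. Two caveats on the settings in the answer: proxy_buffer_size and proxy_buffers are allocated per proxied connection, so large values multiply memory use under load, and a smaller session cookie (for example a server-side session store instead of a token carried in cookies) removes the cause rather than raising the ceiling; and KONG_CLIENT_MAX_BODY_SIZE "0" disables nginx's request body size limit entirely, which is unrelated to a response-header error and removes a guard against oversized uploads, so it is worth confirming it was actually needed.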