502 bad gateway with nginx ingress
Closed this issue · 1 comments
chuegel commented
We deployed EJBCA with this helm chart into our k8s 1.27 cluster. Since AJP is deprecated in nginx 1.9, nginx.ingress.kubernetes.io/backend-protocol: AJP didn't work.
I ended up disabling the ingress in the chart and deployed the ingress separately:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: optional_no_ca
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  name: keyfactor-ejbca-community-helm
  namespace: apps
spec:
  ingressClassName: nginx
  rules:
    - host: "pki.example.tech"
      http:
        paths:
          - backend:
              service:
                name: keyfactor-ejbca-community-helm
                port:
                  number: 8082
            path: /ejbca
            pathType: Prefix
  tls:
    - hosts:
        - "pki.example.tech"
      secretName: pki-example-cert
The following values are configured in the chart:
services:
  directHttp:
    enabled: false
  proxyAJP:
    enabled: false
    type: ClusterIP
    bindIP: 0.0.0.0
    port: 8009
  proxyHttp:
    enabled: true
    type: ClusterIP
    bindIP: 0.0.0.0
    httpPort: 8081
    httpsPort: 8082
ingress:
  enabled: false
However, if the ingress path is configured like above, the ingress controller redirects to the 404 default backend. If I change the path to path: / I get a 502 bad gateway error, and these are the logs from the ingress controller:
2024/03/19 18:24:51 [error] 5480#5480: *163463 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number) while SSL handshaking to upstream, client: 10.83.240.4, server: pki.example.tech, request: "GET /ejbca/ HTTP/2.0", upstream: "https://172.25.215.174:8082/ejbca/", host: "pki.example.tech"
2024/03/19 18:24:51 [error] 5480#5480: *163463 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number) while SSL handshaking to upstream, client: 10.83.240.4, server: pki.example.tech, request: "GET /ejbca/ HTTP/2.0", upstream: "https://172.25.215.174:8082/ejbca/", host: "pki.example.tech"
2024/03/19 18:24:51 [error] 5480#5480: *163463 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number) while SSL handshaking to upstream, client: 10.83.240.4, server: pki.exmple.tech, request: "GET /ejbca/ HTTP/2.0", upstream: "https://172.25.215.174:8082/ejbca/", host: "pki.example.tech
Am I missing something?
chuegel commented
Turned out it was a misconfigured service on the cluster. Sorry for the fuss
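Added example, not part of the original issue or of the EJBCA chart: a small triage script for ingress-nginx upstream errors like the ones quoted above, grouping them by upstream address and probable cause. The sample log lines are constructed from the format shown in the issue, and the cause hints are this example's own assumptions about common causes, not a diagnosis of this cluster.

```python
import re
from collections import Counter

# Constructed sample lines in the ingress-nginx error format quoted in the issue.
_TAIL = ('client: 10.83.240.4, server: pki.example.tech, '
         'request: "GET /ejbca/ HTTP/2.0", '
         'upstream: "https://172.25.215.174:8082/ejbca/", host: "pki.example.tech"')
_TLS = ("2024/03/19 18:24:51 [error] 5480#5480: *163463 SSL_do_handshake() failed "
        "(SSL: error:0A00010B:SSL routines::wrong version number) "
        "while SSL handshaking to upstream, " + _TAIL)
_REFUSED = ("2024/03/19 18:25:02 [error] 5480#5480: *163470 connect() failed "
            "(111: Connection refused) while connecting to upstream, " + _TAIL)
SAMPLE_LOG = "\n".join([_TLS, _TLS, _REFUSED, "2024/03/19 18:25:03 [notice] 1#1: reload"])

LINE_RE = re.compile(
    r'\[error\] \S+ \*\d+ (?P<msg>.+?) while (?P<phase>[^,]+), '
    r'client: [^,]+, server: [^,]+, request: "[^"]*", '
    r'upstream: "(?P<scheme>\w+)://(?P<addr>[^/"]+)'
)

# Common causes only (an assumption of this example, not a diagnosis of the issue).
HINTS = {
    "wrong version number": "upstream reply was not a TLS record; confirm the "
                            "Service port really serves HTTPS",
    "Connection refused": "nothing accepted the connection; check the Service "
                          "targetPort and pod readiness",
}

def triage(log_text):
    """Count upstream failures per (scheme, upstream address, cause)."""
    findings = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not an upstream error line
        cause = next((k for k in HINTS if k in m["msg"]), "other")
        findings[(m["scheme"], m["addr"], cause)] += 1
    return findings

def report(findings):
    """Render one line per finding, most frequent first."""
    return [f"{n}x {scheme}://{addr}: {cause} ({HINTS.get(cause, 'no hint')})"
            for (scheme, addr, cause), n in findings.most_common()]

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```
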