Keyfactor/ejbca-community-helm

502 bad gateway with nginx ingress

Closed this issue · 1 comments

We deployed EJBCA with this helm chart into our k8s 1.27 cluster. Since AJP is deprecated in nginx 1.9, nginx.ingress.kubernetes.io/backend-protocol: AJP didn't work.

I ended up disabling the ingress in the chart and deployed the ingress separately:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-production
        nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
        nginx.ingress.kubernetes.io/auth-tls-verify-client: optional_no_ca
        nginx.ingress.kubernetes.io/backend-protocol: HTTPS
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
      name: keyfactor-ejbca-community-helm
      namespace: apps
    spec:
      ingressClassName: nginx
      rules:
      - host: "pki.example.tech"
        http:
          paths:
          - backend:
              service:
                name: keyfactor-ejbca-community-helm
                port:
                  number: 8082
            path: /ejbca
            pathType: Prefix
      tls:
        - hosts:
          - "pki.example.tech"
          secretName: pki-example-cert

The following values are configured in the chart:

    services:
       directHttp:
         enabled: false
       proxyAJP:
         enabled: false
         type: ClusterIP
         bindIP: 0.0.0.0
         port: 8009
       proxyHttp:
         enabled: true
         type: ClusterIP
         bindIP: 0.0.0.0
         httpPort: 8081
         httpsPort: 8082
    ingress:
       enabled: false

However, if the ingress path is configured like above, the ingress controller redirects to the 404 default backend. If I change the path to path: / I get a 502 bad gateway error, and these are the logs from the ingress controller:

    2024/03/19 18:24:51 [error] 5480#5480: *163463 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number) while SSL handshaking to upstream, client: 10.83.240.4, server: pki.example.tech, request: "GET /ejbca/ HTTP/2.0", upstream: "https://172.25.215.174:8082/ejbca/", host: "pki.example.tech"
    2024/03/19 18:24:51 [error] 5480#5480: *163463 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number) while SSL handshaking to upstream, client: 10.83.240.4, server: pki.example.tech, request: "GET /ejbca/ HTTP/2.0", upstream: "https://172.25.215.174:8082/ejbca/", host: "pki.example.tech"
    2024/03/19 18:24:51 [error] 5480#5480: *163463 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number) while SSL handshaking to upstream, client: 10.83.240.4, server: pki.exmple.tech, request: "GET /ejbca/ HTTP/2.0", upstream: "https://172.25.215.174:8082/ejbca/", host: "pki.example.tech

Am I missing something?

Turned out it was a misconfigured service on the cluster. Sorry for the fuss.
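
The `wrong version number` error in the controller log above is what OpenSSL reports when the first bytes received from the upstream do not parse as a TLS record, for instance when the port answers in plain HTTP. The following is an added diagnostic example, not part of the original issue or the chart: it shows how such bytes read as a record header and repeats the handshake an HTTPS-backend proxy would attempt. The function names are chosen here, and the sample bytes are constructed.

```python
import socket
import ssl
import struct

def parse_record_header(data: bytes):
    """Read 5 bytes as a TLS record header: (content_type, (major, minor), length)."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length

def looks_like_tls(data: bytes) -> bool:
    """True if the first bytes form a plausible TLS record header (type 20-23, major 3)."""
    if len(data) < 5:
        return False
    ctype, (major, _), _ = parse_record_header(data)
    return 20 <= ctype <= 23 and major == 3

def probe_upstream(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt the handshake an HTTPS-backend proxy would make; report the outcome.

    Certificate checks are off because only the protocol on the port is being
    identified; no application data is sent over this connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls:" + str(tls.version())
    except ssl.SSLError as exc:  # must precede OSError, its parent class
        return "handshake-failed:" + str(exc.reason)
    except OSError as exc:
        return "connect-failed:" + type(exc).__name__

if __name__ == "__main__":
    # Constructed sample: the start of a plain HTTP reply, read as a record header.
    # 'H' becomes the content type and 'TT' the version, hence "wrong version number".
    print(parse_record_header(b"HTTP/1.1 400 Bad Request\r\n"))
    # Constructed sample: the start of a TLS handshake record.
    print(looks_like_tls(b"\x16\x03\x03\x00\x7a\x02\x00"))
```

Running `probe_upstream` from a pod in the same namespace against the Service name and port used in the Ingress backend shows whether that port actually terminates TLS before `backend-protocol: HTTPS` is set.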