goharbor/harbor-helm

400 Bad Request The plain HTTP request was sent to HTTPS port when deploying Harbor behind NLB

Sandy7894 opened this issue · 3 comments

Sandy7894 commented

We are planning to deploy NLB to access Harbor deployed on EKS.. We have deployed AWS load balancer controller on the cluster.
Below is my values file

harbor:
  expose:
    type: loadBalancer
    tls:
      enabled: true
      auto:
        commonName: "xxx"
    loadBalancer:
      name: harbor-dev
      annotations:
        "service.beta.kubernetes.io/aws-load-balancer-type": "nlb-ip"
        "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type": "instance"
        "service.beta.kubernetes.io/aws-load-balancer-subnets": "xxx"
        "service.beta.kubernetes.io/aws-load-balancer-healthcheck-port": "traffic-port"
        "service.beta.kubernetes.io/aws-load-balancer-healthcheck-success-codes": "200-399"
        "service.beta.kubernetes.io/aws-load-balancer-target-group-attributes": "preserve_client_ip.enabled=true"
        "service.beta.kubernetes.io/aws-load-balancer-internal": "true"
        "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "xxx"
        "external-dns.alpha.kubernetes.io/hostname": "https://harbor-dev.xxx"
        "external-dns.alpha.kubernetes.io/ttl": "300"
  externalURL: https://harbor-dev.xxx
  persistence:
    enabled: true
    resourcePolicy: keep
  nginx:
    tls:
      enabled: true

Deployment seems successful but when i am trying to access Harbor, i am getting the below error :

400 Bad Request
The plain HTTP request was sent to HTTPS port

Few mentioned it is because of the HTTPS targetPort configured to 443 and need to update to 8080 as the SSL termination is happening at NLB level, but do i need to update the helm chart such a way or do we have anyway to update the config ??

One thing is, if i keep TLS disabled, HTTPS port is not getting enabled for nginx and my nlb target groups health checks are failing

KarlJJonsson commented

The chart does not expect SSL termination on the loadbalancer as far as I can tell.
The template specifies that the LB will forward traffic from the LBs https-port to 8443.

In templates/nginx/service.yaml:

spec:
  type: LoadBalancer
  ...
  ports:
    - name: http
      port: {{ $loadBalancer.ports.httpPort }}
      targetPort: 8080
    {{- if .Values.expose.tls.enabled }}
    - name: https
      port: {{ $loadBalancer.ports.httpsPort }}
      targetPort: 8443
    {{- end }}
github-actions commented

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions commented

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.