Kubernetes nginx ingress returning 400
What I did:
- Install Docker Desktop for Windows
- Enabled Kubernetes (throught "Settings" -> "Kubernetes" -> "Enable Kubernetes")
- Installed Nginx Ingress via YAML manifest: https://kubernetes.github.io/ingress-nginx/deploy/
- Installed kubernetes-dashboard via YAML manifest: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#deploying-the-dashboard-ui
- Checked that dashboard services and pods working fine:
- Took a minimal Ingress example (https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource) and created ingress manifest on it:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: root-ingress
namespace: kubernetes-dashboard
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx
rules:
- http:
paths:
- path: /dashboard
pathType: Prefix
backend:
service:
name: kubernetes-dashboard
port:
number: 443
Ingress was succefuly started.
I am keep getting 400 response from that path.
curl -k -v https://localhost response on localhost:
PS C:\Windows\system32> curl.exe -k -v https://localhost
* Trying [::1]:443...
* Connected to localhost (::1) port 443
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/8.4.0
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 404 Not Found
< Date: Mon, 22 Jan 2024 20:20:40 GMT
< Content-Type: text/html
< Content-Length: 146
< Connection: keep-alive
< Strict-Transport-Security: max-age=15724800; includeSubDomains
<
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host localhost left intact
- curl -k -v https://localhost response on localhost/dashboard:
PS C:\Windows\system32> curl.exe -k -v https://localhost/dashboard
* Trying [::1]:443...
* Connected to localhost (::1) port 443
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET /dashboard HTTP/1.1
> Host: localhost
> User-Agent: curl/8.4.0
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 400 Bad Request
< Date: Mon, 22 Jan 2024 20:23:04 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Strict-Transport-Security: max-age=15724800; includeSubDomains
<
Client sent an HTTP request to an HTTPS server.
* Connection #0 to host localhost left intact
Quick fix
Just use NodePort
apiVersion: v1
kind: Service
metadata:
name: kubernetes-dashboard-service
namespace: kubernetes-dashboard
spec:
selector:
k8s-app: kubernetes-dashboard
type: NodePort
ports:
- protocol: TCP
port: 8443
targetPort: 8443
nodePort: 31000
Dashboard will be available at https://localhost:31000
Root cause
What you are sending looks like this
Browser ==HTTPS==> ingress ==HTTP==> k8s-dashboard
But expected is
Browser ==HTTPS==> ingress ==HTTPS==> k8s-dashboard
The issues it that k8s-dashboard service expects HTTPS request, this is the reason why you get Client sent an HTTP request to an HTTPS server.
It was decrypted by ingress and later on forward by using plain HTTP
Solution
1 Export TCP port without using ingress
Instead of using ingress you can use NodePort (I gave it in Quick fix) or LoadBalancer. Idea is to work on ISO Layer 4(IP) instead of routing it using Layer 7(HTTP)
2 Use ssl-passthrough from nginx-ingress
To make it work it needs two changes
- Modify nginx ingress controller using
kubectl edit
kubectl -n ingress-nginx edit deployment ingress-nginx-controller
You have to add - --enable-ssl-passthrough(just one line) to the args
After change it should look like
...
containers:
- args:
- /nginx-ingress-controller
- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- --election-id=ingress-nginx-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
- --enable-ssl-passthrough
...
- Add proper ingress route
When route is created you can't specify path like /dashboard because k8s dashboard doesn't know it's working in some subpath, so using rewrite will not resolve it as links generated by dashboard will be wrong(I wrote more about it here)
So we need ingress route like this (with ssl-passthrough and backend-protocol)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: root-ingress
namespace: kubernetes-dashboard
annotations:
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
ingressClassName: nginx
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kubernetes-dashboard
port:
number: 443
3 Disable https in kubernetes dashboard (I didn't try)
When you disable HTTPS in kubernetes dashboard your flow will look like this
Browser ==HTTPS==> ingress ==HTTP==> k8s-dashboard
It will perfectly match what you have right now and should work without issues
As I didn't try it I will leave this article how to do it.
There is also raw manifest but maybe a little old
- Ansible playbook wait until all pods running
- How to move a pod from one node to another in kubernetes
- How to get FQDN DNS name of a kubernetes service?
- How do I get logs from all pods of a Kubernetes replication controller?
- Watch CustomResourceDefinitions (CRD) with client-go
- Rancher - controlplane node got into worker pool
- GPU-enabled Kubernetes container is not scheduled
- HELM chart for Apache degraded in argocd
- Ingress vs Load Balancer
- Install two traefik ingress controller on same kubernetes Cluster
- Passing separate env variables to statefulset pods
- How to get a PDF/print version of kubernetes' docs?
- Kubernetes CronJob with a sidecar container
- Add application users to DataGrid 8.4 via Secrets automagically deployed
- My worker node status is Ready,SchedulingDisabled
- Elasticsearch 7.2.0: master not discovered or elected yet, an election requires at least X nodes
- Kubernetes Unable to mount volumes for pod
- Is there any way to save the current state of kubernetes pod?
- Change in Grafana helm chart to install as kind Statefulset instead of Deployment
- How to stop & exit jenkins from Kubernetes cluster
- Readiness fails in the Eclipse Hono pods of the Cloud2Edge package
- Helm Chart - Process File result with multiple lines
- Helm ignore alias property in dependencies
- Environment variables concatenation issue with Vault agent-jnject in Kubernetes deployment
- How to generate YAML template with kubectl command?
- Issuing certificate as Secret does not exist
- Flatten Dictionary with Helm
- How to delete completed kubernetes pod?
- What are "Current Replicas" in the Kubernetes HPA Calculation?
- Kubernetes pod gets recreated when deleted