Installing a teleport in k8s with a steering wheel and ingress, get 502 #32747

Closed
IlyaPvd opened this issue Sep 28, 2023 · 7 comments

IlyaPvd commented Sep 28, 2023

Hello!
I get the same error when installing teleport from helm chart:

values.yml:

```yaml
proxyListenerMode: multiplex
acme: false

proxy:
  service:
    type: ClusterIP

annotations:
  ingress:
    cert-manager.io/cluster-issuer: letsencrypt

proxy_service:
  enabled: true
  listen_addr: 0.0.0.0:3080
  public_addr: <public address>:443

ingress:
  enabled: true
  suppressAutomaticWildcards: true
  spec:
    ingressClassName: nginx
```

CHART VERSIONS - 14.0.0.

After installing the chart, it becomes necessary to manually set spec.tls.secretName. The certificate was issued, but nginx gives an error 502.

```
kubectl get all -n teleport-cluster
NAME                                          READY   STATUS    RESTARTS   AGE
pod/teleport-cluster-auth-8f8b87f5-gjkj8      1/1     Running   0          5m14s
pod/teleport-cluster-proxy-6978c84bb8-mwr6b   1/1     Running   0          5m14s

NAME                                TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)             AGE
service/teleport-cluster            ClusterIP   10.43.24.85   <none>        443/TCP             5m14s
service/teleport-cluster-auth       ClusterIP   10.43.55.7    <none>        3025/TCP,3026/TCP   5m14s
service/teleport-cluster-auth-v13   ClusterIP   None          <none>        <none>              5m14s
service/teleport-cluster-auth-v14   ClusterIP   None          <none>        <none>              5m14s

NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/teleport-cluster-auth    1/1     1            1           5m14s
deployment.apps/teleport-cluster-proxy   1/1     1            1           5m14s

NAME                                                DESIRED   CURRENT   READY   AGE
replicaset.apps/teleport-cluster-auth-8f8b87f5      1         1         1       5m14s
replicaset.apps/teleport-cluster-proxy-6978c84bb8   1         1         1       5m14s
```

@IlyaPvd IlyaPvd added the bug label Sep 28, 2023
Contributor

webvictim commented Oct 3, 2023

How are you getting the certificate? #30789 should have addressed this, but it looks like you're not setting highAvailability.certManager.enabled: true or tls.existingSecretName which would cause the secret to automatically be propagated through to the Ingress.


devopswannabe712 commented Nov 4, 2023

> How are you getting the certificate? #30789 should have addressed this, but it looks like you're not setting highAvailability.certManager.enabled: true or tls.existingSecretName which would cause the secret to automatically be propagated through to the Ingress.

```yaml
acme: false
clusterName: <cname-pointing-to-public-ip>
proxyListenerMode: multiplex

tls:
  existingSecretName: <existing-secret-created-from-cert>

ingress:
  enabled: true
  suppressAutomaticWildcards: true
  spec:
    ingressClassName: nginx

proxy_service:
  enabled: true
  listen_addr: 0.0.0.0:3080
  public_addr: <cname-pointing-to-public-ip>:443

proxy:
  service:
    type: ClusterIP
```

The above is my configuration. The only difference between my config and the OP's is that I had manually created a certificate via cert-manager. The cert is a wildcard cert for my domain.

Rather than bad gateway, I get a 308 permanent redirect.

Collaborator

zmb3 commented Feb 5, 2024

Closing due to inactivity

@zmb3 zmb3 closed this as not planned Feb 5, 2024
@dustinrue

@IlyaPvd try adding this annotation to the ingress: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

In the values file you add it as annotations.ingress
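
The annotation suggested above, placed in the chart values together with the TLS secret setting mentioned earlier in the thread. This is an added example, not part of the original comment or the Teleport project's own documentation; `<public address>` and the secret name are placeholders reused from this thread.

```yaml
# Added example: values for the teleport-cluster chart behind ingress-nginx.
# <public address> and the secret name are placeholders, as used in this thread.
clusterName: <public address>
proxyListenerMode: multiplex   # as in the values posted in this thread
acme: false

proxy:
  service:
    type: ClusterIP            # the Ingress, not a LoadBalancer, fronts the proxy

tls:
  # Secret holding the certificate; per the maintainer's reply, setting this
  # propagates the secret to the Ingress instead of editing
  # spec.tls.secretName by hand.
  existingSecretName: <existing-secret-created-from-cert>

ingress:
  enabled: true
  suppressAutomaticWildcards: true
  spec:
    ingressClassName: nginx

annotations:
  ingress:
    # ingress-nginx talks plain HTTP to backends by default, while the Teleport
    # proxy serves TLS on its listener, so the upstream request fails (502).
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
```

With this annotation ingress-nginx re-encrypts traffic to the proxy, but it does not verify the upstream certificate by default (`nginx.ingress.kubernetes.io/proxy-ssl-verify` defaults to off).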

@lcotonea
Contributor

> @IlyaPvd try adding this annotation to the ingress: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
>
> In the values file you add it as annotations.ingress

In my case (ingress nginx), this annotation was needed (Thanks!).
Unless I am mistaken, in the documentation (https://goteleport.com/docs/management/admin/troubleshooting/) it is indicated that ingress works badly with nginx. I think the doc should move on that to add the annotation in case of nginx usage.

Author

IlyaPvd commented May 3, 2024

> @IlyaPvd try adding this annotation to the ingress: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
>
> In the values file you add it as annotations.ingress

Thank you very much, it really helped

@cgarcia-l

> @IlyaPvd try adding this annotation to the ingress: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
>
> In the values file you add it as annotations.ingress

You saved my life! thanks for the help!! 😄
