ingress configuration for dashboard

Jevgenij Alterman picture Jevgenij Alterman · Jan 18, 2018 · Viewed 28k times · Source

I did nginx ingress controller tutorial from github and exposed kubernetes dashboard

kubernetes-dashboard   NodePort    10.233.53.77    <none>        443:31925/TCP   20d

created ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.org/ssl-backends: "kubernetes-dashboard"
    kubernetes.io/ingress.allow-http: "false"
  name: dashboard-ingress
  namespace: kube-system
spec:
  tls:
  - hosts:
    - serverdnsname
    secretName: kubernetes-dashboard-certs
  rules:
  - host: serverdnsname
    http:
      paths:
      - path: /dashboard
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443

ingress-nginx   ingress-nginx          NodePort    10.233.21.200   <none>        80:30827/TCP,443:32536/TCP   5h

https://serverdnsname:32536/dashboard but dashboard throws error

2018/01/18 14:42:51 http: TLS handshake error from ipWhichEndsWith.77:52686: tls: first record does not look like a TLS handshake

and ingress controller logs

2018/01/18 14:42:51 [error] 864#864: *37 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 10.233.82.1, server: serverdnsname, request: "GET /dashboard HTTP/2.0", upstream: "http://ipWhichEndsWith.249:8443/dashboard", host: "serverdnsname:32536"
10.233.82.1 - [10.233.82.1] - - [18/Jan/2018:14:42:51 +0000] "GET /dashboard HTTP/2.0" 009 7 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 OPR/49.0.2725.64" 25 0.001 [kube-system-kubernetes-dashboard-443] ipWhichEndsWith.249:8443 7 0.001 200

On my mind it is related with nginx redirection to upstream: "http://ipWhichEndsWith.249:8443/dashboard" . tried to update controller image version to 0.9.0-beta.19 - didnt help

Thank you for any help.

Answer

whites11 picture whites11 · Jan 18, 2018

As you pointed out, looks like nginx is proxying your https request to ipWhichEndsWith.249:8443, which is an HTTPS endpoint, using http as protocol.

You should add the following annotation to your PodSpec:

LATEST

This annotation was added to replace the deprecated annotation since 0.18.0

#2871 Add support for AJP protocol

nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

DEPRECATED

This annotation was deprecated in 0.18.0 and removed after the release of 0.20.0

#3203 Remove annotations grpc-backend and secure-backend already deprecated

nginx.ingress.kubernetes.io/secure-backends: "true"

This should make nginx forward your request to the pods with https.

Source: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#backend-protocol

Docs: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#backend-protocol