I am trying to use proxyinjector to protect the kubernetes-dashboard, but I can't figure out how to fix the 502 error I'm getting.

My kubernetes dashboard deployment (relevant bits):

```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
  annotations:
    authproxy.stakater.com/client-id: kubernetes
    authproxy.stakater.com/client-secret: <redacted>
    authproxy.stakater.com/discovery-url: 'https://keycloak.example.com/auth/realms/master'
    authproxy.stakater.com/enabled: 'true'
    authproxy.stakater.com/gatekeeper-image: 'keycloak/keycloak-gatekeeper:6.0.1'
    authproxy.stakater.com/listen: '0.0.0.0:3000'
    authproxy.stakater.com/redirection-url: 'https://k8s.example.com'
    authproxy.stakater.com/resources: uri=/*|roles=Kubernetes Admin
    authproxy.stakater.com/skip-upstream-tls-verify: 'true'
    authproxy.stakater.com/source-service-name: kubernetes-dashboard
    authproxy.stakater.com/target-port: '3000'
    authproxy.stakater.com/upstream-url: 'https://127.0.0.1:443'
```

When I try to go to the homepage of the dashboard, instead of redirecting me to the auth proxy, I get a 502. The nginx controller logs show the following:

```
2019/12/06 03:55:12 [error] 1941#1941: *125699 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET / HTTP/1.1", upstream: "https://10.42.0.189:3000/", host: "k8s.example.com"
2019/12/06 03:55:12 [error] 1941#1941: *125699 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET / HTTP/1.1", upstream: "https://10.42.0.189:3000/", host: "k8s.example.com"
2019/12/06 03:55:12 [error] 1941#1941: *125699 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET / HTTP/1.1", upstream: "https://10.42.0.189:3000/", host: "k8s.example.com"
10.0.0.20 - - [06/Dec/2019:03:55:12 +0000] "GET / HTTP/1.1" 502 556 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 682 0.006 [kube-system-kubernetes-dashboard-443] [] 10.42.0.189:3000, 10.42.0.189:3000, 10.42.0.189:3000 0, 0, 0 0.000, 0.004, 0.000 502, 502, 502 0b7f6ff1b42200f35afc8066538a8043
2019/12/06 03:55:12 [error] 1941#1941: *125699 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://10.42.0.189:3000/favicon.ico", host: "k8s.example.com", referrer: "https://k8s.example.com/"
2019/12/06 03:55:12 [error] 1941#1941: *125699 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://10.42.0.189:3000/favicon.ico", host: "k8s.example.com", referrer: "https://k8s.example.com/"
2019/12/06 03:55:12 [error] 1941#1941: *125699 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://10.42.0.189:3000/favicon.ico", host: "k8s.example.com", referrer: "https://k8s.example.com/"
10.0.0.20 - - [06/Dec/2019:03:55:12 +0000] "GET /favicon.ico HTTP/1.1" 502 556 "https://k8s.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 632 0.006 [kube-system-kubernetes-dashboard-443] [] 10.42.0.189:3000, 10.42.0.189:3000, 10.42.0.189:3000 0, 0, 0 0.000, 0.004, 0.004 502, 502, 502 6dd815a57a5fca80c3f271e7e0f038b2
```

It seems like it's failing because one of them is using the wrong SSL version. Though I thought it shouldn't be bothering to verify SSL anyway, as I have that disabled in the config for the deployment. How can I change either of those settings, or otherwise get proxyinjector working with kubernetes-dashboard?
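
A triage sketch for the log above, added here as an example and not part of the original issue or of ProxyInjector: it groups nginx upstream TLS handshake failures by upstream and flags the case where the ingress speaks `https` to the port named in the `authproxy.stakater.com/listen` annotation. The function names are hypothetical, the sample lines are constructed in the quoted log format, and reading `wrong version number` as "the upstream's reply was not a TLS record" is an interpretation the issue itself does not confirm.

```python
import re
from collections import Counter

# Constructed sample: three lines in the format of the error log quoted above,
# plus one unrelated (non-TLS) upstream error that the parser must ignore.
SAMPLE_LOG = '''\
2019/12/06 03:55:12 [error] 1941#1941: *125699 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET / HTTP/1.1", upstream: "https://10.42.0.189:3000/", host: "k8s.example.com"
2019/12/06 03:55:12 [error] 1941#1941: *125699 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET / HTTP/1.1", upstream: "https://10.42.0.189:3000/", host: "k8s.example.com"
2019/12/06 03:55:12 [error] 1941#1941: *125699 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://10.42.0.189:3000/favicon.ico", host: "k8s.example.com", referrer: "https://k8s.example.com/"
2019/12/06 03:55:13 [error] 1941#1941: *125700 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.0.20, server: k8s.example.com, request: "GET / HTTP/1.1", upstream: "https://10.42.0.190:3000/", host: "k8s.example.com"
'''

# Annotation value copied from the Deployment in the issue.
ANNOTATIONS = {"authproxy.stakater.com/listen": "0.0.0.0:3000"}

LINE_RE = re.compile(
    r'SSL_do_handshake\(\) failed \(SSL: error:[0-9A-F]+:[^)]*?:(?P<reason>[^:)]+)\)'
    r' while SSL handshaking to upstream.*?'
    r'upstream: "(?P<scheme>https?)://(?P<host>[^:/"]+):(?P<port>\d+)')

def upstream_tls_failures(log_text):
    """Count upstream TLS handshake failures per (reason, scheme, host, port)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits[(m["reason"], m["scheme"], m["host"], int(m["port"]))] += 1
    return hits

def diagnose(log_text, annotations):
    """Flag failures where nginx used https towards the injected proxy's listen port."""
    listen_port = int(annotations["authproxy.stakater.com/listen"].rsplit(":", 1)[1])
    findings = []
    for (reason, scheme, host, port), n in upstream_tls_failures(log_text).items():
        # Assumption: "wrong version number" means the reply did not parse as a
        # TLS record, which is typical of a plaintext HTTP listener.
        if reason == "wrong version number" and scheme == "https" and port == listen_port:
            findings.append(f"{n}x {host}:{port}: ingress used TLS towards the "
                            "proxy listen port; reply was not a TLS record")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, ANNOTATIONS):
        print(finding)
```
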