Jenkins is deployed on AWS EKS using this Helm chart. We also used the values.yaml below to customize the Jenkins deployment based on our needs.

```yaml
controller:
  jenkinsUrlProtocol: https
  jenkinsUrl: https://jenkins.mydomain.com
  ingress:
    enabled: true
    apiVersion: networking.k8s.io/v1
    ingressClassName: jenkins-nginx  # ingressClass
    hostName: jenkins.mydomain.com
```

After deploying this, it created the Ingress object below:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jenkins
  namespace: jenkins
spec:
  ingressClassName: jenkins-nginx
  rules:
  - host: jenkins.mydomain.com
    http:
      paths:
      - backend:
          service:
            name: jenkins
            port:
              number: 8080
        pathType: ImplementationSpecific
```

Apart from this, the ingress-nginx controller is running behind an AWS NLB with `aws-load-balancer-backend-protocol: http` (in other words, TLS termination at the AWS NLB load balancer). If we open the ingress-nginx configuration, we can easily notice that it uses the config below to handle (http/https) requests.

```yaml
http-snippet: |
  server {
    listen 2443;
    return 308 https://$host$request_uri;
  }
```

Problem statement:

While accessing the Jenkins UI at https://jenkins.mydomain.com, the login page opens smoothly at first. But on clicking the submit button after filling in the username/password, it redirects to the Jenkins URL followed by the nginx port (i.e., https://jenkins.mydomain.com:2443/loginError), which is not expected.

Note:

  1. If the same Jenkins service is port-forwarded locally, we do not experience even a single issue.
  2. We face no issues with the hundreds of services running behind the same ingress-nginx.

This is becoming something of a blocker for us; kindly help. Let me know if further information is required.

Ashish Kumar
  • Could you provide some logs from the `Jenkins` master instance when you execute those requests? – Michał Lewndowski Aug 24 '23 at 21:37
  • There are no logs in Jenkins as such. It's been observed that Jenkins does not honor the rule configured in nginx. Sharing logs of the nginx ingress pod: `10.91.124.123 - - [25/Aug/2023:09:58:34 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0 "https://jenkins.mydomain.com/login?from=%2F" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36" 1396 0.084 [jenkins-jenkins-8080] [] 10.91.76.151:8080 0 0.085 302 11741c4ece437ea023bbe9420fb01aa5` – Ashish Kumar Aug 25 '23 at 10:02
  • It seems it's breaking because of the path https://jenkins.mydomain.com/j_spring_security_check (with https). Its response header has malformed info "Location: http://jenkins.mydomain.com:2443/loginError" (with http). After that, every further request header has the same Location as a HOST header. Is there a way to disable /j_spring_security_check? (Note: check the hyperlinks of both URLs, as the protocol becomes hidden in comments.) – Ashish Kumar Aug 25 '23 at 13:54
  • It looks like there is some issue with passing the `X-Forwarded-Proto` header. After checking for possible solutions, I found that you can create an additional `ConfigMap` in the `ingress-nginx` namespace that will pass this header. Please refer to [this](https://marcolenzo.eu/enable-x-forwarded-headers-in-kubernetes-nginx-ingress-controller/) article and [this](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers) doc page. – Michał Lewndowski Aug 25 '23 at 21:09
  • Applied the recommended ConfigMap but no luck. Is this applicable for L7 load balancers? I am using L4 AWS network load balancers. – Ashish Kumar Sep 02 '23 at 18:46
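The check described in the comments above (comparing the `Location` header returned for `/j_spring_security_check` with the public Jenkins URL) can be scripted. This is an added Python example, not part of the original post: the function names are hypothetical, and the response heads are constructed from the status code and `Location` value quoted on this page.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_CODES = (301, 302, 303, 307, 308)

def parse_response_head(raw):
    """Return (status, headers) from a response head such as `curl -si` output."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit_redirect(public_url, request_path, raw_response):
    """List the ways a redirect's Location leaves the public origin."""
    status, headers = parse_response_head(raw_response)
    location = headers.get("location")
    if status not in REDIRECT_CODES or location is None:
        return []
    public = urlsplit(public_url)
    # A relative Location resolves against the request URL, so it stays on-origin.
    target = urlsplit(urljoin(urljoin(public_url, request_path), location))
    findings = []
    if target.scheme != public.scheme:
        findings.append(f"scheme {public.scheme} -> {target.scheme}")
    if target.hostname != public.hostname:
        findings.append(f"host {public.hostname} -> {target.hostname}")
    want = public.port or DEFAULT_PORTS[public.scheme]
    if target.port is not None and target.port != want:
        findings.append(f"port {want} -> {target.port}")
    return findings

PUBLIC_URL = "https://jenkins.mydomain.com"   # jenkinsUrl from values.yaml
LOGIN_PATH = "/j_spring_security_check"
# Constructed response heads; BROKEN uses the Location value quoted in the comments.
BROKEN = "HTTP/1.1 302 Found\r\nLocation: http://jenkins.mydomain.com:2443/loginError\r\n\r\n"
GOOD = "HTTP/1.1 302 Found\r\nLocation: https://jenkins.mydomain.com/\r\n\r\n"
RELATIVE = "HTTP/1.1 302 Found\r\nLocation: /loginError\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("broken", BROKEN), ("good", GOOD), ("relative", RELATIVE)):
        print(label, audit_redirect(PUBLIC_URL, LOGIN_PATH, raw) or "on-origin")
```

A scheme finding on the post-login redirect matters beyond the broken page: the browser is being sent to plain HTTP immediately after submitting credentials.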