On browser not able to access cluster application

I’m using HA-Proxy LB (Independent server - Outside of my cluster) and Kubernetes v1.24.9 cluster (One master and three workers) bare metal based.

HAProxy Environment:

OS: Ubuntu 18.04.6 LTS
HAProxy version 2.4.20-1ppa1~bionic 2022/12/09

My Application access workflow:-

Users → HAproxy (Front End → Back End) → Kubernetes Cluster (Nginx Ingress → Service → Jenkins POD)

I have deployed the Jenkins application as a pod inside my cluster. When I access my Jenkins URL - http://jenkins.company.com/jenkins in a browser, I should see my Jenkins page. But the browser shows the errors below.

This site can’t be reached

jenkins.company.com refused to connect.

Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

However, the curl command works on the Master, Worker and HAProxy (LB) terminals. I could see the log in the Kubernetes nginx-ingress controller as well.

$ curl -L -D- http://jenkins.company.com/jenkins
HTTP/1.1 302 Found
server: nginx/1.23.3
date: Fri, 27 Jan 2023 03:09:16 GMT
transfer-encoding: chunked
location: http://jenkins.company.com/jenkins/

HTTP/1.1 403 Forbidden
server: nginx/1.23.3
date: Fri, 27 Jan 2023 03:09:16 GMT
content-type: text/html;charset=utf-8
content-length: 577
x-content-type-options: nosniff
set-cookie: JSESSIONID.4c905946=node01rf6pgi17m6zrmfr1lt0e2sjf11.node0; Path=/jenkins; HttpOnly
expires: Thu, 01 Jan 1970 00:00:00 GMT
x-hudson: 1.395
x-jenkins: 2.361.2
x-jenkins-session: 3e8dd8d9

<html><head><meta http-equiv='refresh' content='1;url=/jenkins/login?from=%2Fjenkins%2F'/><script>window.location.replace('/jenkins/login?from=%2Fjenkins%2F');</script></head><body style='background-color:white; color:white;'>

Authentication required

Whereas when I tried to access the URL from a browser, I couldn’t see the log information in the nginx-ingress controller pod. I have tried with Firefox, Chrome and Edge browsers.

My HAproxy /etc/haproxy/haproxy.cfg configurations as follows,

$ sudo cat /etc/haproxy/haproxy.cfg

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend http_front
  bind *:80
  mode http
  default_backend http_back

backend http_back
  balance roundrobin
  mode http
  server Kmaster 163.12.13.21:80 check
  server Kworker-1 163.12.13.22:80 check
  server Kworker-2 163.12.13.23:80 check
  server Kworker-3 163.12.13.24:80 check

$ ps -ef | grep haproxy
root     16205     1  0 09:51 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock
haproxy  16207 16205  0 09:51 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock

On my HAProxy(LB) server port 80 is listening

$ sudo netstat -pnltu | grep 80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7529/haproxy
$ sudo ss -4 -tlnp | grep 80
LISTEN   0         2005                0.0.0.0:80               0.0.0.0:*        users:(("haproxy",pid=13517,fd=8))

My ingress-resource.yaml file content as follows

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: jenkins-ingress
  namespace: jenkins
spec:
  ingressClassName: nginx
  rules:
  - host: jenkins.company.com
    http:
      paths:
      - path: /jenkins
        pathType: Prefix
        backend:
          service:
            name: jenkins-svc
            port: 
              number: 80

$ kubectl get all -n nginx-ingress
NAME                      READY   STATUS    RESTARTS      AGE
pod/nginx-ingress-kv88r   1/1     Running   1 (45h ago)   2d20h
pod/nginx-ingress-ns5ff   1/1     Running   1 (45h ago)   2d20h
pod/nginx-ingress-pzkt4   1/1     Running   1 (45h ago)   2d20h
pod/nginx-ingress-v7cgx   1/1     Running   1 (45h ago)   2d20h

NAME                           DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/nginx-ingress   4         4         4       4            4           <none>          2d20h

$ kubectl get svc  --all-namespaces
NAMESPACE     NAME              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                  AGE
default       kubernetes        ClusterIP   10.96.0.1       <none>        443/TCP                  17d
jenkins       jenkins-svc       ClusterIP   10.99.106.220   <none>        80/TCP                   3d15h
kube-system   kube-dns          ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP,9153/TCP   17d

Please let me know why I can’t access the URL in the browser.

My request is not processed and forwarded to the Kubernetes nginx-controller.
What’s wrong on my configuration side?

Any guidance to solve this issue would be helpful.

Thank you!

When HAProxy checks a backend server, it expects a 200’s or 300’s response. Do the HAProxy logs show Jenkins as up? The logs probably say it’s down because 403 is a bad status. I run a Jenkins in a docker, and I had to add this to my backend:

    http-check expect ! status 404-500

This tells HAProxy that any status outside of this range is okay on a health check. This is useful when Jenkins is restarting and it returns a 503 to the browser as a normal response during the reboot.

Edit: specifying this only applies on health checks.

@stormrover, the curl HTTP/1.1 403 Forbidden is expected, because I have not passed the credentials.

Also, my Jenkins pod inside my cluster is running fine; it is not rebooting automatically. The log is as follows,

$ kubectl logs pod/jenkins-75cbc954b6-z2fll -n jenkins

2023-01-26 05:54:47.925+0000 [id=42]    INFO    hudson.util.Retrier#start: Attempt #1 to do the action check updates server
2023-01-26 05:54:47.994+0000 [id=29]    INFO    jenkins.install.SetupWizard#init:

*************************************************************
*************************************************************
*************************************************************

Jenkins initial setup is required. An admin user has been created and a password generated.
Please use the following password to proceed to installation:

8edaf904088743d3843e112c3fee1c90

This may also be found at: /var/jenkins_home/secrets/initialAdminPassword

*************************************************************
*************************************************************
*************************************************************

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.vmplugin.v7.Java7$1 (file:/var/jenkins_home/war/WEB-INF/lib/groovy-all-2.4.21.jar)                                                 to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class,int)
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.vmplugin.v7.Java7$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
2023-01-26 05:55:02.185+0000 [id=29]    INFO    jenkins.InitReactorRunner$1#onAttained: Completed initialization
2023-01-26 05:55:02.258+0000 [id=22]    INFO    hudson.lifecycle.Lifecycle#onReady: Jenkins is fully up and running

Currently, when I try to access the Jenkins URL from the browser, I can’t see any request in my nginx-ingress pod, but when I try with curl I can see the log information.

  server Kmaster 163.12.13.21:80 check
  server Kworker-1 163.12.13.22:80 check
  server Kworker-2 163.12.13.23:80 check
  server Kworker-3 163.12.13.24:80 check

You’ve instructed HAProxy to check each endpoint. HAProxy is polling each server for an HTTP response, and it’s expecting a response either in the 200’s or 300’s. If it’s getting a 403, it thinks that is bad and will not route traffic to any servers that return this status. Check the logs from HAProxy, not from Jenkins.

I’m using an NFS-based persistent volume and the volume has been mounted on the master and worker servers.

Currently the Jenkins service is running on the Kworker-1 node.

$ kubectl get all -n jenkins
NAME                           READY   STATUS    RESTARTS       AGE
pod/jenkins-75cbc954b6-z2fll   1/1     Running   1 (4d2h ago)   5d20h

NAME                      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/jenkins-service   ClusterIP   10.99.106.220   <none>        80/TCP    5d20h

NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/jenkins   1/1     1            1           5d20h

NAME                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/jenkins-75cbc954b6   1         1         1       5d20h

So in the HAProxy file /etc/haproxy/haproxy.cfg, for the backend I have only the line below.

server Kworker-1 163.12.13.22:80 check

But still I can’t access my Jenkins through HAProxy.

Please provide logs from HAProxy.

Here it is.

tail -100 /var/log/haproxy.log
Jan 30 13:34:08 HAProxy-LB haproxy[15548]: [WARNING]  (15548) : Exiting Master process...
Jan 30 13:34:08 HAProxy-LB haproxy[15548]: [NOTICE]   (15548) : haproxy version is 2.4.21-1ppa1~bionic
Jan 30 13:34:08 HAProxy-LB haproxy[15548]: [NOTICE]   (15548) : path to executable is /usr/sbin/haproxy
Jan 30 13:34:08 HAProxy-LB haproxy[15548]: [ALERT]    (15548) : Current worker #1 (15550) exited with code 143 (Terminated)
Jan 30 13:34:08 HAProxy-LB haproxy[15548]: [WARNING]  (15548) : All workers exited. Exiting... (0)
Jan 30 13:34:08 HAProxy-LB haproxy[18157]: [NOTICE]   (18157) : New worker #1 (18159) forked
Jan 30 13:40:23 HAProxy-LB haproxy[18157]: [WARNING]  (18157) : Exiting Master process...
Jan 30 13:40:23 HAProxy-LB haproxy[18157]: [NOTICE]   (18157) : haproxy version is 2.4.21-1ppa1~bionic
Jan 30 13:40:23 HAProxy-LB haproxy[18157]: [NOTICE]   (18157) : path to executable is /usr/sbin/haproxy
Jan 30 13:40:23 HAProxy-LB haproxy[18157]: [ALERT]    (18157) : Current worker #1 (18159) exited with code 143 (Terminated)
Jan 30 13:40:23 HAProxy-LB haproxy[18157]: [WARNING]  (18157) : All workers exited. Exiting... (0)
Jan 30 13:40:23 HAProxy-LB haproxy[19476]: [NOTICE]   (19476) : New worker #1 (19478) forked
Jan 30 13:41:20 HAProxy-LB haproxy[19476]: [WARNING]  (19476) : Exiting Master process...
Jan 30 13:41:20 HAProxy-LB haproxy[19476]: [NOTICE]   (19476) : haproxy version is 2.4.21-1ppa1~bionic
Jan 30 13:41:20 HAProxy-LB haproxy[19476]: [NOTICE]   (19476) : path to executable is /usr/sbin/haproxy
Jan 30 13:41:20 HAProxy-LB haproxy[19476]: [ALERT]    (19476) : Current worker #1 (19478) exited with code 143 (Terminated)
Jan 30 13:41:20 HAProxy-LB haproxy[19476]: [WARNING]  (19476) : All workers exited. Exiting... (0)
Jan 30 13:41:20 HAProxy-LB haproxy[19690]: [NOTICE]   (19690) : New worker #1 (19692) forked

HAProxy doesn’t show any traffic in the logs. Are you putting HAProxy’s address in your browser?

No. In the browser I’m trying my Jenkins URL - http://jenkins.company.com/jenkins

But in the /etc/hosts file of the master, worker and HAProxy VMs I have already added the entry below.

163.12.13.18 jenkins.company.com

When I access the URL with the HAProxy IP - http://163.12.13.18/jenkins, I can see the log entries below in my HAProxy log file.

Jan 30 13:58:58 HAProxy-LB haproxy[21552]: 160.12.13.77:59192 [30/Jan/2023:13:58:58.651] http_front http_back/jenkins.company.com 0/0/1/0/1 404 685 - - ---- 2/2/0/0/0 0/0 "GET /jenkins HTTP/1.1"
Jan 30 13:58:58 HAProxy-LB haproxy[21552]: 160.12.13.77:59192 [30/Jan/2023:13:58:58.960] http_front http_back/jenkins.company.com 0/0/0/1/1 404 685 - - ---- 2/2/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"

But it shows errors.

404 Not Found
nginx/1.23.3

Those logs show HAProxy is working. My guess is Nginx is expecting visitors for jenkins.company.com instead of an IP, but I can only guess. I would suggest fixing your DNS problem if that’s the case. If not, Nginx logs can probably give you more info.
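An added example, not part of the thread: one way to read the two log lines above and see why they indicate that HAProxy forwarded the request and the 404 came from the server behind it. It assumes the default `option httplog` line layout used in the posted config; the function names are hypothetical and the `<NOSRV>` 503 line is constructed for contrast.

```python
import re

# Layout of an HAProxy "option httplog" line; search() skips the syslog prefix.
HTTPLOG = re.compile(
    r'(?P<client>[\d.]+):\d+ \[(?P<accepted>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>(?:[+-]?\d+/){4}[+-]?\d+) (?P<status>\d{3}) \+?\d+ '
    r'\S+ \S+ (?P<term>\S{4}) \S+ \S+ "(?P<request>[^"]*)"'
)

def parse_httplog(line):
    """Return the traffic fields of one line, or None for non-traffic lines."""
    m = HTTPLOG.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def answered_by(entry):
    """'haproxy' if no server produced the response, else 'backend'."""
    tr = int(entry["timers"].split("/")[3])  # Tr: server response time, -1 if none
    if entry["server"] == "<NOSRV>" or tr < 0:
        return "haproxy"
    return "backend"

def triage(log_text):
    """Summarise traffic lines as (request, status, termination state, source)."""
    rows = []
    for line in log_text.splitlines():
        entry = parse_httplog(line)
        if entry:
            rows.append((entry["request"], entry["status"],
                         entry["term"], answered_by(entry)))
    return rows

# First two lines are copied from the thread; the last one is constructed.
SAMPLE = """\
Jan 30 13:41:20 HAProxy-LB haproxy[19690]: [NOTICE]   (19690) : New worker #1 (19692) forked
Jan 30 13:58:58 HAProxy-LB haproxy[21552]: 160.12.13.77:59192 [30/Jan/2023:13:58:58.651] http_front http_back/jenkins.company.com 0/0/1/0/1 404 685 - - ---- 2/2/0/0/0 0/0 "GET /jenkins HTTP/1.1"
Jan 30 14:00:00 HAProxy-LB haproxy[21552]: 160.12.13.77:59200 [30/Jan/2023:14:00:00.000] http_front http_back/<NOSRV> 0/-1/-1/-1/0 503 217 - - SC-- 1/1/0/0/0 0/0 "GET /jenkins HTTP/1.1"
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A log that contains only master/worker notices, as in the earlier `tail` output, yields no rows at all, which means the browser's request never reached this HAProxy instance.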

@stormrover - On all host machines (Master, worker & HAProxy VMs), ping jenkins.company.com is able to resolve my HA-Proxy IP.

Also, I have validated against this link, Kubernetes DNS resolution, and it didn’t show any problem.

$ kubectl exec -i -t dnsutils -- nslookup kubernetes.default
Server:         10.96.0.10
Address:        10.96.0.10#53

Name:   kubernetes.default.svc.cluster.local
Address: 10.96.0.1

$ kubectl exec -ti dnsutils -- cat /etc/resolv.conf
nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5

$ kubectl get pods --namespace=kube-system -l k8s-app=kube-dns
NAME                      READY   STATUS    RESTARTS   AGE
coredns-bd6b6df9f-4gc8m   1/1     Running   0          44m
coredns-bd6b6df9f-9kh94   1/1     Running   0          44m


$ kubectl logs --namespace=kube-system -l k8s-app=kube-dns
.:53
[INFO] plugin/reload: Running configuration MD5 = db32ca3650231d74073ff4cf814959a7
CoreDNS-1.8.6
linux/amd64, go1.17.1, 13a9191
.:53
[INFO] plugin/reload: Running configuration MD5 = db32ca3650231d74073ff4cf814959a7
CoreDNS-1.8.6
linux/amd64, go1.17.1, 13a9191

$ kubectl get svc --namespace=kube-system
NAME       TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE
kube-dns   ClusterIP   10.96.0.10   <none>        53/UDP,53/TCP,9153/TCP   45m

$ kubectl get endpoints kube-dns --namespace=kube-system
NAME       ENDPOINTS                                               AGE
kube-dns   10.244.0.2:53,10.244.0.3:53,10.244.0.2:53 + 3 more...   45m

Please let me know what further I can check.

Since curl -L -D- http://jenkins.company.com/jenkins works.

But the URL is not working in the browser. Do any specific settings need to be enabled on the HAProxy side?

Your logs show that HAProxy is working. Your problem is outside of HAProxy and could be any number of things. I suspect it’s the client’s DNS.

Yes, indeed it was a local client-side DNS issue. I had changed the DNS name to a new name, then everything started working fine.

Sorry for making noise here.
