Cannot connect to Admin UI (secure mode)

For some reason I cannot access the admin UI when I set EVENTSTORE_INSECURE to False; I get a 502 error. I’m currently running v21.2. When I set EVENTSTORE_INSECURE to true, the admin UI is available. Is this by design, or am I doing something wrong?
This is my deployment.yml

> apiVersion: apps/v1
> kind: StatefulSet
> metadata:
>   name: abq-estore
> spec:
>   selector:
>     matchLabels:
>       tier: eventstore
>   replicas: 1
>   serviceName: eventstore
>   template:
>     metadata:
>       labels:
>         tier: eventstore
>     spec:
>       volumes:
>         - name: estore-cert-vol
>           secret:
>             secretName: abq-event-store-tls
>       containers:
>         - name: eventstore
>           image: eventstore/eventstore:21.6.0-buster-slim
>           imagePullPolicy: Always
>           env:
>             - name: TZ
>               valueFrom:
>                 configMapKeyRef:
>                   name: abq-estore-config
>                   key: tz
>             - name: EVENTSTORE_INT_IP
>               valueFrom:
>                 fieldRef:
>                   fieldPath: status.podIP
>             - name: EVENTSTORE_EXT_IP
>               valueFrom:
>                 fieldRef:
>                   fieldPath: status.podIP
>             - name: EVENTSTORE_RUN_PROJECTIONS
>               value: All
>             - name: EVENTSTORE_START_STANDARD_PROJECTIONS
>               value: "true"
>             - name: EVENTSTORE_TRUSTED_ROOT_CERTIFICATES_PATH
>               value: /etc/estore-cert-vol/
>             - name: EVENTSTORE_CERTIFICATE_PRIVATE_KEY_FILE
>               value: /etc/estore-cert-vol/tls.key
>             - name: EVENTSTORE_CERTIFICATE_FILE
>               value: /etc/estore-cert-vol/tls.crt
>             - name: EVENTSTORE_CERTIFICATE_SUBJECT_NAME
>               value: "eventstore-stage.mycomany.com"
>             - name: EVENTSTORE_CLUSTER_DNS
>               value: "abq-estore"
>             - name: EVENTSTORE_CLUSTER_SIZE
>               value: "1"
>             - name: EVENTSTORE_RUN_PROJECTIONS
>               value: "All"
>             - name: EVENTSTORE_START_STANDARD_PROJECTIONS
>               value: "true"
>             - name: EVENTSTORE_LOG
>               value: "/var/log/eventstore"
>             - name: EVENTSTORE_DB
>               value: "/var/lib/eventstore/db"
>             - name: EVENTSTORE_INDEX
>               value: "/var/lib/eventstore/index"
>             - name: EVENTSTORE_DISABLE_ADMIN_UI
>               value: "false"
>             - name: EVENTSTORE_LOG_HTTP_REQUESTS
>               value: "false"
>             - name: EVENTSTORE_MAX_MEM_TABLE_SIZE
>               value: "32000000"
>             - name: EVENTSTORE_MAX_APPEND_SIZE
>               value: "16000000"
>             - name: EVENTSTORE_WRITE_TIMEOUT_MS
>               value: "120000"
>             - name: EVENTSTORE_COMMIT_TIMEOUT_MS
>               value: "120000"
>             - name: EVENTSTORE_PREPARE_TIMEOUT_MS
>               value: "120000"
>           volumeMounts:
>             - mountPath: "/etc/estore-cert-vol"
>               name: estore-cert-vol
>           ports:
>             - containerPort: 2113
>               name: http-port
>             - containerPort: 1113
>               name: tcp-port
>             - containerPort: 2112
>               name: gossip-port
>           livenessProbe:
>             httpGet:
>               path: /
>               port: 2113
>             initialDelaySeconds: 30
>             periodSeconds: 15
>           readinessProbe:
>             httpGet:
>               path: /
>               port: 2113
>             initialDelaySeconds: 5
>             periodSeconds: 5
>   volumeClaimTemplates:
>     - metadata:
>         name: eventstore-pv-storage
>       spec:
>         accessModes:
>           - ReadWriteOnce
>         resources:
>           requests:
>             storage: 10Gi

Could you send the exact URL that you’re using? Remember that for insecure you need to use http, and for secure https.

I’ve configured my service as a NodePort:

> kind: Service
> apiVersion: v1
> metadata:
>   name: dbestore-svc
> spec:
>   selector:
>     tier: eventstore
>   type: NodePort
>   ports:
>     - name: dbestore-port
>       port: 2113
>       targetPort: 2113

And I have an nginx ingress that is a proxy to the internal service and is exposed on a GKE load balancer with a static IP:

> apiVersion: networking.k8s.io/v1
> kind: Ingress
> metadata:
>   name: abq-ingress
>   annotations:
>     kubernetes.io/ingress.class: "nginx"
>     cert-manager.io/issuer: abq-ca
>     nginx.ingress.kubernetes.io/rewrite-target: /
>     nginx.ingress.kubernetes.io/ssl-redirect: "true"
>     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
>     nginx.ingress.kubernetes.io/ssl-passthrough: "true"
>     nginx.ingress.kubernetes.io/proxy-body-size: 100m
>     nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
>     nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
>     nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
> spec:
>   tls:
>     - hosts:
>         - dbstore.mydomain.com
>       secretName: dbstore-tls
>   rules:
>     - host: dbstore.mydomain.com
>       http:
>         paths:
>           - path: "/"
>             pathType: ImplementationSpecific
>             backend:
>               service:
>                 name: dbestore-svc
>                 port:
>                   name: dbestore-port

So to answer your question, I’m using this URL: https://dbstore.mydomain.com (it works when EventStore is running in insecure mode).

After days of hitting my head on the wall, I was able to solve it by adding this ingress annotation

nginx.ingress.kubernetes.io/backend-protocol: "https"

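Added example, not part of the thread and not the poster's actual configuration: an Ingress for the setup described above that terminates TLS at ingress-nginx and re-encrypts to the EventStoreDB node via the backend-protocol annotation, and that also verifies the node certificate, which that annotation alone does not do. The secret `default/estore-backend-ca` and the name `eventstore.example.internal` are assumptions.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: abq-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/issuer: abq-ca
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    # The node serves HTTPS on 2113 in secure mode, so nginx must speak TLS to it.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # Upstream certificate verification is off by default. Turn it on and point
    # nginx at a secret holding the CA (key ca.crt) that signed the node certificate.
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "default/estore-backend-ca"  # assumed secret
    # Name nginx expects in the node certificate's SAN (assumed value).
    nginx.ingress.kubernetes.io/proxy-ssl-name: "eventstore.example.internal"
    # ssl-passthrough is left out: passthrough hands the raw TLS stream to the
    # backend and makes the controller ignore the other annotations on this Ingress.
spec:
  tls:
    - hosts:
        - dbstore.mydomain.com
      secretName: dbstore-tls
  rules:
    - host: dbstore.mydomain.com
      http:
        paths:
          - path: "/"
            pathType: ImplementationSpecific
            backend:
              service:
                name: dbestore-svc
                port:
                  name: dbestore-port
```

The probes in the StatefulSet above use `httpGet` without a `scheme`, which defaults to HTTP; a node serving HTTPS on 2113 needs `scheme: HTTPS` on both probes.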

@frankly.ducky, thank you for sending the feedback, and how you solved it.

@frankly.ducky is there any chance I could ask for your final Ingress configuration? I’m facing the same issue, i.e. getting a 502. I’m scouring the logs but can’t see anything wrong. The issue definitely seems to occur somewhere between the Ingress controller and the service (or maybe container). I’ve tried various configurations but I always get a 502. The only difference I can see between my setup and yours is that my load balancer terminates with an AWS SSL and the ES container is using a self-signed certificate using the ES cert gen CLI tool. I’d be really grateful if you have any advice.