NGINX ingress as Reverse Proxy for a Teiid Wildfly Server on a Rancher provisioned Kubernetes cluster

Hello everyone,
I have a Rancher provisioned Kubernetes cluster running and I am now trying to write a helm chart to get my Teiid-Wildfly Server running. Currently I am a little bit lost with the Ingress configuration. I am not able to reach the administration console of the Wildfly server via the ingress. I can get to the login page, however after providing credentials on the console login, I always get the following error message:

Access Denied - Insufficient privileges to access this interface

When I use a kubectl port-forward 9990:9990 and try to login via http everything is working as expected. Hence, my problem has to do with the use of the nginx ingress as reverse proxy in front of the Wildfly server.
It does SSL termination, by the way. My configuration in the helm chart looks as given below. I think I am missing some annotations for the ingress to get the reverse proxying to work. I have now tried a lot of different configuration options like

nginx.ingress.kubernetes.io/location-snippet: |
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

but those seem to have no effect. Would be great if someone could provide directions. Thanks a lot for your help!

Best regards,

Christoph

the ingress definition:

{{- $fullName := include "chart.fullname" . -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: {{ $fullName }}
  labels:
  annotations:
    kubernetes.io/ingress.class: nginx  
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/server-snippet: |
        proxy_set_header Host $host;

spec:
  tls:
    - hosts:
        - staging.example.de
        - www.staging.example.de
      secretName: staging-example-crt
  rules:
    - host: staging.example.de 
      http:
        paths:
          - path: /console
            backend:
              serviceName: staging-teiid
              servicePort: mgmt-interface
    - host: www.staging.example.de
      http:
        paths:
          - path: /console
            backend:
              serviceName: staging-teiid
              servicePort: mgmt-interface
    - host: staging.example.de
      http:
        paths:
          - path: /management
            backend:
              serviceName: staging-teiid
              servicePort: mgmt-interface
    - host: www.staging.example.de
      http:
        paths:
          - path: /management
            backend:
              serviceName: staging-teiid
              servicePort: mgmt-interface
    - host: staging.example.de
      http:
        paths:
          - path: /odata4/svc
            backend:
              serviceName: staging-teiid
              servicePort: svc-endpoint
    - host: www.staging.example.de
      http:
        paths:
          - path: /odata4/svc
            backend:
              serviceName: staging-teiid
              servicePort: svc-endpoint

Hello,
does nobody have an idea what might go wrong here? I am still trying to solve the issue.

Best regards,
Christoph

“Access Denied - Insufficient privileges to access this interface” is a message coming from Wildfly, not Rancher. So it sounds like your problem has to do with RBAC permissions going through there and not really anything to do with actually getting to Rancher.

Hello Vincent, Wildfly provides a REST interface on a different port which I can access without issues. Therefore I think it is not related to RBAC but rather to the ingress annotations I am using.
I suspect that there is some header in the HTTP request missing.
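
One way to test the missing-header hypothesis from the last post, as an added example that is not part of the thread: capture the request headers once over the port-forward and once through the ingress, then diff them. The echo backend, port 8080, the function names and the sample captures are assumptions constructed for illustration.

```python
"""Added example, not from the thread: compare the request headers a backend
sees directly (kubectl port-forward) with those it sees through the ingress."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def diff_headers(direct, proxied):
    """Report headers that are missing, added or changed behind the proxy."""
    common = sorted(set(direct) & set(proxied))
    return {
        "missing": sorted(set(direct) - set(proxied)),
        "added": sorted(set(proxied) - set(direct)),
        "changed": {k: (direct[k], proxied[k]) for k in common if direct[k] != proxied[k]},
    }


class EchoHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in backend: answers with the headers it received."""
    def _echo(self):
        body = "".join(f"{k}: {v}\n" for k, v in self.headers.items()).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    do_GET = do_POST = _echo


# Constructed sample captures (not taken from the poster's cluster).
DIRECT = "Host: localhost:9990\nOrigin: http://localhost:9990\nX-Demo-Direct-Only: 1\n"
PROXIED = ("Host: staging.example.de\nOrigin: https://staging.example.de\n"
           "X-Forwarded-For: 10.0.0.1\nX-Forwarded-Proto: https\n")

if __name__ == "__main__":
    print(json.dumps(diff_headers(parse_headers(DIRECT), parse_headers(PROXIED)), indent=2))
    # To capture real headers, serve the echo backend on an assumed port 8080:
    # HTTPServer(("0.0.0.0", 8080), EchoHandler).serve_forever()
```

The echo backend replies in the same `Name: value` form that `parse_headers` reads, so two saved responses can be fed straight into `diff_headers`.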