Skip to content

Web UI displays incorrect instructions for connecting to Kubernetes clusters when using ALPN websocket upgrades #27044

New issue
New issue
Open
Open
Web UI displays incorrect instructions for connecting to Kubernetes clusters when using ALPN websocket upgrades#27044

Description

@webvictim

webvictim
openedon May 26, 2023

Expected behavior: Clicking the "Connect" button next to a Kubernetes cluster in the Teleport 13 web UI should generate instructions telling the user to run tsh login, tsh kube login, then tsh proxy kube with the generated temporary kubeconfig file that hits the authenticated tunnel.

image

Current behavior: Instructions telling the user to run kubectl directly only work for Teleport clusters that aren't behind layer 7 LBs and using ALPN websocket upgrades.

image

$ kubectl version --short
Flag --short has been deprecated, and will be removed in the future. The --short output will become the default.
Client Version: v1.27.2
Kustomize Version: v5.0.1
Unable to connect to the server: tls: failed to verify certificate: x509: certificate is valid for ingress.local, not kube-teleport-proxy-alpn.example.com

$ kubectl get pod
E0526 18:58:29.360400   42484 memcache.go:265] couldn't get current server API group list: Get "[https://example.com:443/api?timeout=32s](https://example.com/api?timeout=32s)": tls: failed to verify certificate: x509: certificate is valid for ingress.local, not kube-teleport-proxy-alpn.example.com
E0526 18:58:29.644509   42484 memcache.go:265] couldn't get current server API group list: Get "[https://example.com:443/api?timeout=32s](https://example.com/api?timeout=32s)": tls: failed to verify certificate: x509: certificate is valid for ingress.local, not kube-teleport-proxy-alpn.example.com
E0526 18:58:29.933242   42484 memcache.go:265] couldn't get current server API group list: Get "[https://example.com:443/api?timeout=32s](https://example.com/api?timeout=32s)": tls: failed to verify certificate: x509: certificate is valid for ingress.local, not kube-teleport-proxy-alpn.example.com
E0526 18:58:30.216416   42484 memcache.go:265] couldn't get current server API group list: Get "[https://example.com:443/api?timeout=32s](https://example.com/api?timeout=32s)": tls: failed to verify certificate: x509: certificate is valid for ingress.local, not kube-teleport-proxy-alpn.example.com
E0526 18:58:30.503049   42484 memcache.go:265] couldn't get current server API group list: Get "[https://example.com:443/api?timeout=32s](https://example.com/api?timeout=32s)": tls: failed to verify certificate: x509: certificate is valid for ingress.local, not kube-teleport-proxy-alpn.example.com
Unable to connect to the server: tls: failed to verify certificate: x509: certificate is valid for ingress.local, not kube-teleport-proxy-alpn.example.com

Bug details:

  • Teleport version: 13.0.2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

Labels

bugkubernetes-accesstls-routingIssues related to TLS routinguiux

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions