Skip to content

integrator mode doesn't work with LoadBalancer IPs (PS7) #159

Description

@slapcat

Bug Description

Using the charm in PS7 with integrator mode, it is not able to establish routes to IPs created with a LoadBalancer service. The IP exists in the same subnet and can be reached from the ingress-configurator unit directly, but it does not create a working route. Access through the hostname results in a 502 error. See this jira ticket for more context.

Integrator mode works completely fine when pointed to an exposed port on another charm, such as port 80 on the kubernetes-worker.

Impact

High (major functionality broken, no workaround)

Impact Rationale

It is not possible to route ingress to non-charmed workloads.

To Reproduce

  1. Deploy the following bundle:
default-base: ubuntu@24.04/stable
saas:
  ingress-ps7-support:
    url: jaas-ps7:795798e4-922f-49c7-9169-004ffc17df90@serviceaccount/prod-cloud-ingress-ps7.ingress-ps7-support
applications:
  cinder-csi:
    charm: cinder-csi
    channel: 1.33/stable
    revision: 38
    base: ubuntu@22.04/stable
    options:
      storage-class-default: true
      web-proxy-enable: true
  haproxy:
    charm: haproxy
    channel: latest/stable
    revision: 147
    num_units: 1
    to:
    - "50"
    expose: true
    constraints: arch=amd64
  ingress-configurator:
    charm: ingress-configurator
    channel: latest/stable
    revision: 78
    num_units: 1
    to:
    - "43"
    expose: true
    constraints: arch=amd64
  k8s:
    charm: k8s
    channel: 1.32/stable
    revision: 1921
    resources:
      snap-installation: 2
    num_units: 3
    to:
    - "43"
    - "44"
    - "45"
    expose: true
    options:
      local-storage-enabled: false
    constraints: arch=amd64 cpu-cores=4 mem=12
  k8s-worker:
    charm: k8s-worker
    channel: 1.32/stable
    revision: 1915
    resources:
      snap-installation: 6
    num_units: 3
    to:
    - "47"
    - "48"
    - "46"
    expose: true
    constraints: arch=amd64 cpu-cores=6 mem=24
  openstack-cloud-controller:
    charm: openstack-cloud-controller
    channel: 1.33/stable
    revision: 40
    base: ubuntu@22.04/stable
    options:
      web-proxy-enable: true
  openstack-integrator:
    charm: openstack-integrator
    channel: 1.33/stable
    revision: 115
    base: ubuntu@22.04/stable
    resources:
      openstackclients: 1
    num_units: 1
    to:
    - "49"
    options:
      internal-lb: true
      web-proxy-enable: true
    constraints: arch=amd64
    trust: true
machines:
  "43":
    constraints: arch=amd64 cpu-cores=4 mem=12 root-disk-source=volume
  "44":
    constraints: arch=amd64 cpu-cores=4 mem=12 root-disk-source=volume
  "45":
    constraints: arch=amd64 cpu-cores=4 mem=12 root-disk-source=volume
  "46":
    constraints: cpu-cores=4 root-disk-source=volume
  "47":
    constraints: cpu-cores=4 root-disk-source=volume
  "48":
    constraints: cpu-cores=4 root-disk-source=volume
  "49":
    constraints: arch=amd64 root-disk-source=volume
    base: ubuntu@22.04/stable
  "50":
    constraints: arch=amd64 root-disk-source=volume
relations:
- - k8s:k8s-cluster
  - k8s-worker:cluster
- - k8s:containerd
  - k8s-worker:containerd
- - k8s:cos-worker-tokens
  - k8s-worker:cos-tokens
- - cinder-csi:kube-control
  - k8s:kube-control
- - cinder-csi:openstack
  - openstack-integrator:clients
- - openstack-cloud-controller:kube-control
  - k8s:kube-control
- - openstack-cloud-controller:external-cloud-provider
  - k8s:external-cloud-provider
- - openstack-cloud-controller:openstack
  - openstack-integrator:clients
- - openstack-integrator:lb-consumers
  - k8s:external-load-balancer
- - ingress-ps7-support:haproxy-route
  - ingress-configurator:haproxy-route

  1. Log into a k8s unit, create a loadbalancer service pointing to a web server, and make note of the LB IP:
juju ssh k8s/leader
sudo k8s kubectl create deployment --image=nginx --replicas=1 nginx
sudo k8s kubectl create svc LoadBalancer nginx --tcp=80
sudo k8s kubectl get svc
  1. Configure the ingress-configurator charm:
juju config ingress-configurator backend-addresses=<IP> backend-protocol=http backend-ports=80 paths=/ hostname=<HOST>
  1. Try to visit the hostname. It will hang for a while then timeout with a 502.

Environment

Canonical K8s charm 1.32/stable
Juju 3.6
ingress-configurator charm latest/stable

Relevant log output

$ curl https://se-devops.canonical.com/  -v
* Host se-devops.canonical.com:443 was resolved.
* IPv6: (none)
* IPv4: 91.189.92.163
*   Trying 91.189.92.163:443...
* Connected to se-devops.canonical.com (91.189.92.163) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=se-devops.canonical.com
*  start date: Apr 23 18:10:43 2026 GMT
*  expire date: Jul 22 18:10:42 2026 GMT
*  subjectAltName: host "se-devops.canonical.com" matched cert's "se-devops.canonical.com"
*  issuer: C=US; O=Let's Encrypt; CN=R12
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://se-devops.canonical.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: se-devops.canonical.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: se-devops.canonical.com
> User-Agent: curl/8.5.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 502 
< content-length: 107
< cache-control: no-cache
< content-type: text/html
< 
<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>
* Connection #0 to host se-devops.canonical.com left intact

Additional context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions