Bug Description
Using the charm in PS7 with integrator mode, it is not able to establish routes to IPs created with a LoadBalancer service. The IP exists in the same subnet and can be reached from the ingress-configurator unit directly, but it does not create a working route. Access through the hostname results in a 502 error. See this jira ticket for more context.
Integrator mode works completely fine when pointed to an exposed port on another charm, such as port 80 on the kubernetes-worker.
Impact
High (major functionality broken, no workaround)
Impact Rationale
It is not possible to route ingress to non-charmed workloads.
To Reproduce
- Deploy the following bundle:
default-base: ubuntu@24.04/stable
saas:
ingress-ps7-support:
url: jaas-ps7:795798e4-922f-49c7-9169-004ffc17df90@serviceaccount/prod-cloud-ingress-ps7.ingress-ps7-support
applications:
cinder-csi:
charm: cinder-csi
channel: 1.33/stable
revision: 38
base: ubuntu@22.04/stable
options:
storage-class-default: true
web-proxy-enable: true
haproxy:
charm: haproxy
channel: latest/stable
revision: 147
num_units: 1
to:
- "50"
expose: true
constraints: arch=amd64
ingress-configurator:
charm: ingress-configurator
channel: latest/stable
revision: 78
num_units: 1
to:
- "43"
expose: true
constraints: arch=amd64
k8s:
charm: k8s
channel: 1.32/stable
revision: 1921
resources:
snap-installation: 2
num_units: 3
to:
- "43"
- "44"
- "45"
expose: true
options:
local-storage-enabled: false
constraints: arch=amd64 cpu-cores=4 mem=12
k8s-worker:
charm: k8s-worker
channel: 1.32/stable
revision: 1915
resources:
snap-installation: 6
num_units: 3
to:
- "47"
- "48"
- "46"
expose: true
constraints: arch=amd64 cpu-cores=6 mem=24
openstack-cloud-controller:
charm: openstack-cloud-controller
channel: 1.33/stable
revision: 40
base: ubuntu@22.04/stable
options:
web-proxy-enable: true
openstack-integrator:
charm: openstack-integrator
channel: 1.33/stable
revision: 115
base: ubuntu@22.04/stable
resources:
openstackclients: 1
num_units: 1
to:
- "49"
options:
internal-lb: true
web-proxy-enable: true
constraints: arch=amd64
trust: true
machines:
"43":
constraints: arch=amd64 cpu-cores=4 mem=12 root-disk-source=volume
"44":
constraints: arch=amd64 cpu-cores=4 mem=12 root-disk-source=volume
"45":
constraints: arch=amd64 cpu-cores=4 mem=12 root-disk-source=volume
"46":
constraints: cpu-cores=4 root-disk-source=volume
"47":
constraints: cpu-cores=4 root-disk-source=volume
"48":
constraints: cpu-cores=4 root-disk-source=volume
"49":
constraints: arch=amd64 root-disk-source=volume
base: ubuntu@22.04/stable
"50":
constraints: arch=amd64 root-disk-source=volume
relations:
- - k8s:k8s-cluster
- k8s-worker:cluster
- - k8s:containerd
- k8s-worker:containerd
- - k8s:cos-worker-tokens
- k8s-worker:cos-tokens
- - cinder-csi:kube-control
- k8s:kube-control
- - cinder-csi:openstack
- openstack-integrator:clients
- - openstack-cloud-controller:kube-control
- k8s:kube-control
- - openstack-cloud-controller:external-cloud-provider
- k8s:external-cloud-provider
- - openstack-cloud-controller:openstack
- openstack-integrator:clients
- - openstack-integrator:lb-consumers
- k8s:external-load-balancer
- - ingress-ps7-support:haproxy-route
- ingress-configurator:haproxy-route
- Log into a k8s unit, create a loadbalancer service pointing to a web server, and make note of the LB IP:
juju ssh k8s/leader
sudo k8s kubectl create deployment --image=nginx --replicas=1 nginx
sudo k8s kubectl create svc LoadBalancer nginx --tcp=80
sudo k8s kubectl get svc
- Configure the ingress-configurator charm:
juju config ingress-configurator backend-addresses=<IP> backend-protocol=http backend-ports=80 paths=/ hostname=<HOST>
- Try to visit the hostname. It will hang for a while then timeout with a 502.
Environment
Canonical K8s charm 1.32/stable
Juju 3.6
ingress-configurator charm latest/stable
Relevant log output
$ curl https://se-devops.canonical.com/ -v
* Host se-devops.canonical.com:443 was resolved.
* IPv6: (none)
* IPv4: 91.189.92.163
* Trying 91.189.92.163:443...
* Connected to se-devops.canonical.com (91.189.92.163) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: CN=se-devops.canonical.com
* start date: Apr 23 18:10:43 2026 GMT
* expire date: Jul 22 18:10:42 2026 GMT
* subjectAltName: host "se-devops.canonical.com" matched cert's "se-devops.canonical.com"
* issuer: C=US; O=Let's Encrypt; CN=R12
* SSL certificate verify ok.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://se-devops.canonical.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: se-devops.canonical.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: se-devops.canonical.com
> User-Agent: curl/8.5.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 502
< content-length: 107
< cache-control: no-cache
< content-type: text/html
<
<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>
* Connection #0 to host se-devops.canonical.com left intact
Additional context
No response
Bug Description
Using the charm in PS7 with integrator mode, it is not able to establish routes to IPs created with a LoadBalancer service. The IP exists in the same subnet and can be reached from the ingress-configurator unit directly, but it does not create a working route. Access through the hostname results in a 502 error. See this jira ticket for more context.
Integrator mode works completely fine when pointed to an exposed port on another charm, such as port 80 on the kubernetes-worker.
Impact
High (major functionality broken, no workaround)
Impact Rationale
It is not possible to route ingress to non-charmed workloads.
To Reproduce
Environment
Canonical K8s charm 1.32/stable
Juju 3.6
ingress-configurator charm latest/stable
Relevant log output
Additional context
No response