My issue:
We have been using the default RKE2 ingress controller. We recently uninstalled it and deployed the F5 NGINX Ingress Controller.
Since making this change:
- HTTP and HTTPS requests to applications exposed through TransportServer resources as we are doing SSL passthrough.
- Requests to the node IPs on port 443 return “connection refused”.
- Another application is reporting “host not found” errors for one of the ingress URLs it depends on.
We are using ClusterIP services because we do not have a LoadBalancer available.
Could anyone advise whether there are additional configuration steps required when deploying the F5 NGINX Ingress Controller in RKE2? Are there any common misconfigurations that could cause these symptoms?
Any guidance on what to verify would be appreciated.
Kubernetes version:
Client Version: v1.28.10+rke2r1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.10+rke2r1
rke2 version:
rke2 version v1.28.10+rke2r1
go version go1.21.9 X
How I encountered the problem:
When deploying the F5 NGINX Ingress Controller
Solutions I’ve tried:
I have deleted the default RKE2 ingress controller and deployed only the F5 NGINX Ingress Controller.
Version of NIC and/or NGINX:
nginx-ingress:5.4.1-alpine
Deployment environment:
Helm Values:
f5-nginx-ingress:
  controller:
    hostPort:
      enable: true
      http: 80
      https: 443
    enableCertManager: false
    enableSSLPassthrough: true
    enableCustomResources: true
    enableTLSPassthrough: true
    enableCRDs: true
    disableIPV6: true
    imagePullSecrets:
      - name: docker-registry-secret
    volumeMounts:
      - name: tls-ca-019b-bcdr
        readOnly: true
        mountPath: /etc/ssl/certs/ca.crt
        subPath: ca.crt
    volumes:
      - name: tls-ca-019b-bcdr
        configMap:
          name: localstack-certs
          items:
            - key: ca.crt
              path: ca.crt
          defaultMode: 420
    enableSnippets: true
    extraArgs:
      enable-ssl-passthrough: "true"
    ingressClassResource:
      enabled: true
      default: false
    image:
      ## The image repository of the Ingress Controller.
      repository: docker.digital.homeoffice.gov.uk/nginx/nginx-ingress
      imagePullSecrets: docker-registry-secret
      tag: 5.4.1-alpine
    service:
      # allocateLoadBalancerNodePorts: false
      type: ClusterIP
      enabled: true
    serviceAccount:
      imagePullSecretName: docker-registry-secret
    defaultTLS:
      secret: kube-system/f5-nginx-ingress-certificate
Errors:
Error 1:
curl -v https://keycloak.<redacted>.uk
Could not resolve host: keycloak.<redacted>.uk
shutting down connection #0
curl: (6) Could not resolve host: keycloak.<redacted>.uk
Error 2:
* using HTTP/1.x
> GET / HTTP/1.1
> Host: keycloak..uk
> User-Agent: curl/8.14.1
> Accept: */*
* Request completely sent off
< HTTP/1.1 404 Not Found
< Server: nginx/1.29.7
< Date: Tue, 09 Jun 2026 09:52:55 GMT
< Content-Type: text/html
< Content-Length: 153
< Connection: keep-alive
<
404 Not Found
nginx/1.29.7
Error 3:
IPv6: (none)
IPv4: <ip1>, <ip2> <ip3>, <ip4>, <ip5>
Trying <ip1>:443…
connect to <ip1> port 443 from <pod ip> port 33536 failed: Connection refused
* IPv6: (none)
* IPv4: , , ,
* Trying :80…
* connect to port 80 from port 33536 failed: Connection refused
Transport server config:
apiVersion: k8s.nginx.org/v1
kind: TransportServer
metadata:
  labels:
    app.kubernetes.io/managed-by: Helm
  name: app-manager-env-test-0
  namespace: test-localstack-env
status:
  reason: AddedOrUpdated
  state: Valid
spec:
  action:
    pass: test-manager-env-bcdr
  host: app.
  ingressClassName: f5-nginx
  listener:
    name: tls-passthrough
    protocol: TLS_PASSTHROUGH
  upstreams:
    - name:
      port: 3000
      service: