
Pomerium Ingress Controller with pomerium-cli in proxy mode for TCP connections produces "route_not_found" error #1122

Open
@mizoGurtam


What happened?

I have the Pomerium ingress controller in my Kubernetes cluster, and it works flawlessly as an HTTP authentication proxy and for TCP tunneling using pomerium-cli. However, when I try to use pomerium-cli in proxy mode, I get a "route not found" error whatever I do.

What did you expect to happen?

Expected to be able to log in to my identity provider and access the service.

How'd it happen?

  1. Ran `pomerium-cli proxy --proxy-domain 127.0.0.1 --pomerium-url https://<my pomerium domain>`
  2. Ran `HTTPS_PROXY='http://127.0.0.1:3128' curl -L <domain of service behind pomerium>`
  3. Saw error `{"page":"Error","requestId":"1f2ee8b0-f6b3-4f15-8e9c-9d47edb77e7f","responseFlags":"NR","status":"404","statusText":"route_not_found"}`

What's your environment like?

  • Pomerium version (v0.28.0):
  • Operating in kubernetes cluster on baremetal servers:

What's your config.yaml?

```yaml
apiVersion: ingress.pomerium.io/v1
kind: Pomerium
metadata:
  name: global
spec:
  secrets: pomerium/bootstrap
  authenticate:
    url: https://<my pomerium domain>
  certificates:
  - security-pomerium/tls
  identityProvider:
    provider: oidc
    url: <my keycloak realm URL>
    secret: security-pomerium/oidc
  secrets: security-pomerium/bootstrap
  cookie:
    sameSite: none
```

What did you see in the logs?

`{"level":"info","server_name":"all","service":"envoy","upstream-cluster":"","method":"GET","authority":"<my service domain>","path":"/","user-agent":"curl/8.7.1","referer":"","forwarded-for":"10.233.69.86","request-id":"b9f2b6ef-3362-45ab-9a65-fc38cf6db1ae","duration":0.610049,"size":1116,"response-code":404,"response-code-details":"route_not_found","time":"2025-03-18T18:23:59Z","message":"http-request"}`

Additional context:

Pomerium and my service are both in the same domain zone and resolve to the same IP address.
My ingress looks like this:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.pomerium.io/tcp_upstream: 'true'
    ingress.pomerium.io/allow_any_authenticated_user: 'true'
  name: <ingress name>
  namespace: <namespace>
spec:
  ingressClassName: pomerium
  rules:
  - host: <service domain>
    http:
      paths:
      - backend:
          service:
            name: <service name>
            port:
              number: 80
        pathType: ImplementationSpecific
```
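
One way to triage access-log entries like the one quoted in this issue, as an added example that is not part of the original report or of Pomerium's code: it collects `route_not_found` entries, groups them by method and authority so they can be compared with the Ingress host, and looks up the entry behind a given error body. The sample lines, hostnames and IDs are constructed, and treating the error body's `requestId` as the log's `request-id` is an assumption.

```python
import json
from collections import Counter

# Constructed sample: lines shaped like the access-log entry quoted in the issue.
# Hostnames, cluster names and request IDs are placeholders, not values from the report.
SAMPLE_LOG = [
    '{"service":"envoy","upstream-cluster":"","method":"GET","authority":"svc.example.test",'
    '"request-id":"req-0001","response-code":404,"response-code-details":"route_not_found",'
    '"message":"http-request"}',
    '{"service":"envoy","upstream-cluster":"route-abc","method":"GET","authority":"app.example.test",'
    '"request-id":"req-0002","response-code":200,"response-code-details":"via_upstream",'
    '"message":"http-request"}',
    'envoy starting (constructed non-JSON line)',
]
# Constructed error body in the shape of the one shown in step 3.
SAMPLE_ERROR = '{"page":"Error","requestId":"req-0001","responseFlags":"NR","status":"404","statusText":"route_not_found"}'


def route_misses(lines):
    """Return the access-log entries that were answered with route_not_found."""
    misses = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines mixed into the log stream
        if isinstance(entry, dict) and entry.get("response-code-details") == "route_not_found":
            misses.append(entry)
    return misses


def summarize(misses):
    """Count misses per (method, authority) for comparison with the route's host."""
    return Counter((m.get("method"), m.get("authority")) for m in misses)


def find_for_error(error_body, misses):
    """Find the log entry for a client-side error body (assumes requestId == request-id)."""
    wanted = json.loads(error_body).get("requestId")
    return next((m for m in misses if m.get("request-id") == wanted), None)


if __name__ == "__main__":
    misses = route_misses(SAMPLE_LOG)
    for (method, authority), count in summarize(misses).items():
        print(f"{count}x {method} {authority}")
    print(find_for_error(SAMPLE_ERROR, misses))
```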
