AJP not supported by ingress-nginx

[grzleadams]

AJP is not supported by ingress-nginx as of 1.9. Most of the documentation (at least, for the Helm chart) uses proxyAJP.enabled: true so if that's the preferred backend protocol, it's not going to work for a lot of people.

[grzleadams]

Related to Keyfactor/signserver-community-helm#2.

[grzleadams]

Looks like this was raised in Keyfactor/ejbca-community-helm#5 but it doesn't look like that issue was brought over...

[AdityaKoranga]

Hi @grzleadams ,

You're correct - this is a known issue. Here's the quick fix that works with modern nginx-ingress:

Solution: Use Apache HTTPD as HTTP-to-AJP translator
The official Keyfactor documentation (Step 11 of MicroK8s tutorial) already provides this solution:

# Deploy Apache HTTPD with AJP proxy
apiVersion: v1
kind: ConfigMap
metadata:
  name: httpd-config
data:
  httpd.conf: |
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    <VirtualHost *:80>
        ProxyPass /ejbca/ ajp://ejbca-service:8009/ejbca/
    </VirtualHost>
---
# Then use HTTP ingress instead of AJP
nginx.ingress.kubernetes.io/backend-protocol: HTTP  # Not AJP
backend:
  service:
    name: apache-httpd-service
    port:
      number: 80
Traffic Flow:
text
Browser → nginx-ingress (HTTP) → Apache HTTPD → EJBCA (AJP)
For Helm Chart users:
text
# Disable broken AJP ingress
proxyAJP:
  enabled: false

Deploy Apache HTTPD separately as shown above

This approach follows Keyfactor's own documentation. The Apache HTTPD solution also enables internal Kubernetes services (cert-manager, monitoring) to access EJBCA via standard HTTP.

Hope this helps!

@Keyfactor: Please update the Helm chart defaults(if not done) and main documentation to reflect that AJP ingress is no longer supported in modern nginx-ingress versions. I am happy to help if you want!

[grzleadams]

Thanks but the HTTP-to-AJP translation shouldn't be necessary if proxyAJP.enabled: false and proxyHTTP is enabled and configured as a load balancer since ingress passes traffic directly to the EJBCA service, right? It feels like the chart and docs should just say to do that. Then you don't need a separate (i.e., non-chart) deployment of Apache to accomplish the same thing.

[primetomas]

See this discussion about new helm charts and tutorial how to set up with LoadBalancer or Ingress.