terraform-provider-kubernetes

proxy_url value of https://localhost:<port> throws Unable to connect to the server: proxyconnect tcp: tls: first record does not look like a TLS handshake

Open romoy opened this issue 3 years ago • 4 comments

The following configuration throws a connect error.

provider "kubernetes" {
  host                   = "value"
  token                  = "value"
  cluster_ca_certificate = base64decode(value)
  client_certificate     = base64decode(value)
  client_key             = base64decode(value)
  proxy_url              = "https://127.0.0.1:8888"
}

Unable to connect to the server: proxyconnect tcp: tls: first record does not look like a TLS handshake

I can reproduce the same connect error with command HTTPS_PROXY=https://127.0.0.1:8888 kubectl

I can access kubernetes using HTTPS_PROXY=127.0.0.1:8888 kubectl

Terraform Version, Provider Version and Kubernetes Version

Terraform version: v1
Kubernetes provider version: v2.8.0
Kubernetes version: v1.22.5

Affected Resource(s)

Unable to connect to Kubernetes api through https proxy

Steps to Reproduce

  1. terraform apply

Expected Behavior

What should have happened?

  1. Successful connection to kubernetes api to resolve kubernetes_manifest

Actual Behavior

What actually happened?

  1. Failure to connect with the following message "Unable to connect to the server: proxyconnect tcp: tls: first record does not look like a TLS handshake"

References

  • This change added the functionality https://github.com/hashicorp/terraform-provider-kubernetes/pull/1441/files

romoy, Mar 21 '22 12:03

The value of this attribute simply gets passed to the official Kubernetes client library, which decides how to use it to establish the proxy connection. The provider does not alter the value. The environment variables you are referencing are also handled directly by the client library.

I would advise to first make sure that the proxy endpoint does indeed support TLS and try to set the value without a protocol prefix, like you did for the HTTPS_PROXY variable.

alexsomesan, Mar 23 '22 12:03

@romoy did you find a workaround?

matteocodogno, Apr 21 '22 15:04

@alexsomesan we had the same issue: with HTTPS_PROXY=127.0.0.1:8888 kubectl we can access Kubernetes, but with the Kubernetes provider and the proxy_url parameter we cannot. We tried removing the protocol prefix from the proxy_url parameter and got the following error:

...
invalid configuration: invalid 'proxy-url' "localhost:8888" for cluster "":
unsupported scheme "localhost", must be http, https, or socks5
...

matteocodogno, Apr 22 '22 07:04
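
The two errors quoted in this thread can be reproduced and told apart with a short Go program. This is an added example, not code from the provider or the Kubernetes client library; the function names `proxyScheme` and `speaksTLS` are hypothetical, and the probed address is the one given in the issue.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/url"
	"time"
)

// proxyScheme returns the scheme net/url extracts from a proxy URL value.
// Without "scheme://" the text before the colon is taken as the scheme, so
// "localhost:8888" yields "localhost", as in the error quoted above.
func proxyScheme(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return u.Scheme
}

// speaksTLS reports whether addr answers a TLS ClientHello with TLS records.
// Certificate checks are skipped on purpose: this probe only classifies the
// listener and sends no credentials or request data.
func speaksTLS(addr string) (bool, error) {
	d := &net.Dialer{Timeout: 3 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err == nil {
		conn.Close()
		return true, nil
	}
	var rhe tls.RecordHeaderError // type behind "first record does not look like a TLS handshake"
	if errors.As(err, &rhe) {
		return false, nil // plaintext listener: an https:// proxy URL cannot work
	}
	return false, err // refused, timed out, or failed inside TLS
}

func main() {
	for _, v := range []string{"https://127.0.0.1:8888", "localhost:8888"} {
		fmt.Printf("%-24s scheme=%q\n", v, proxyScheme(v))
	}
	ok, err := speaksTLS("127.0.0.1:8888") // proxy address from the issue
	fmt.Println("proxy speaks TLS:", ok, "error:", err)
}
```

A result of `false` with a nil error means the listener replied in plaintext, which is the condition behind the `proxyconnect tcp: tls: first record does not look like a TLS handshake` message.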

@romoy did you find a workaround?

  • No workaround for local execution
  • For ci execution, running within the same VPC removed the proxy from the flow :)

romoy, Aug 17 '22 17:08

Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!

github-actions[bot], Aug 18 '23 00:08