Not sure if this is an installation issue or a "general" Neuvector issue (or maybe even a Rancher issue). Trying here. If not, I'll create a new issue...
I'm installing Neuvector from Rancher's app menu (2.6.11).
It is using the Helm-Chart neuvector:100.0.3+up2.2.4. The cluster is running K3S 1.24.11 with Traefik Ingress (2.9.4).
I'm trying to access Neuvector via the generated Ingress and via the Rancher integration (with credential forwarding).
Because Traefik does not correctly forward to a TLS service with a self-signed certificate in the generated Ingress (it always returns "Bad Gateway"), I'm trying to disable SSL on the manager service. I'm doing this with the helm value manager.env.ssl=false. I'm also using manager.svc.type=ClusterIP. This is working fine, I'm getting a working Ingress with that, but after the change, the Neuvector link in Rancher is not working anymore. The link seems to point always to the https service, even if this service is not created (or better: it's created as http):
https://rancher-link/api/v1/namespaces/cattle-neuvector-system/services/https:neuvector-service-webui:8443/proxy/index.html?v=7618fefeba#/app/dashboard
It's failing with
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "error trying to reach service: tls: first record does not look like a TLS handshake",
  "reason": "ServiceUnavailable",
  "code": 503
}
which is perfectly fine since there is no TLS anymore for the manager service.
When I change the link in the browser manually to
https://rancher-link/api/v1/namespaces/cattle-neuvector-system/services/http:neuvector-service-webui:8443/proxy/index.html?v=7618fefeba#/app/dashboard
things work again and I can access Neuvector with my Rancher admin credentials forwarded to Neuvector.
I couldn't find the location where the link in Rancher is generated.
I suspect that it is generated with the helm chart. If not, please suggest where to place this issue instead?
I'm also having this issue. NeuVector has become unreachable because of this.
I too have a hard time figuring out exactly how the link in Rancher UI is registered. Rancher SSO seems to be set using environment variables, perhaps the link is created via an API call from the container, rather than via some native Kubernetes resource…
Inspired by #409 I found that a change was recently introduced to set the appProtocol field in services. But as of 6aa2a55 the condition for setting it has changed. Notably, it now requires .Capabilities.KubeVersion.GitVersion to contain -eks or -gke, which I suspect will not work for RKE2 clusters and/or Rancher. I have not yet figured out the exact issue, but these feel like clues.
Oh, I didn't realize this issue was a year and a half old. Clearly those changes I mentioned have no relevance for the original issue here (but perhaps for the issues I'm having).
In my case, turns out it was an issue with Network Policies. I hadn't assigned the cattle-neuvector-system namespace to the System project in Rancher. So with Project Network Isolation enabled, traffic from other system components to NeuVector was blocked.
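The scheme mismatch reported in the original post can be checked mechanically: the Kubernetes API server service-proxy path names its backend as [scheme:]name[:port], and that scheme has to match what the manager actually serves. The following is an added example, not code from Rancher, NeuVector or anyone in this thread; parse_proxy_link and check_link are hypothetical helper names, and the sample URLs are the two quoted in the post.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Kubernetes API server service-proxy path:
#   .../api/v1/namespaces/<ns>/services/[<scheme>:]<name>[:<port>]/proxy/...
PROXY_PATH = re.compile(
    r"^(?P<head>.*?/api/v1/namespaces/(?P<ns>[^/]+)/services/)"
    r"(?P<target>[^/]+)(?P<tail>/proxy(?:/.*)?)$"
)

def parse_proxy_link(url):
    """Split a service-proxy URL into namespace, backend scheme, service and port."""
    m = PROXY_PATH.match(urlsplit(url).path)
    if m is None:
        raise ValueError("not a service-proxy URL: " + url)
    fields = m.group("target").split(":")
    if len(fields) == 3:                      # scheme:name:port
        scheme, name, port = fields
    elif len(fields) <= 2:                    # name or name:port
        scheme, name, port = "", fields[0], "".join(fields[1:])
    else:
        raise ValueError("unexpected service segment: " + m.group("target"))
    scheme = scheme or "http"                 # no prefix means plain HTTP to the backend
    if scheme not in ("http", "https"):
        raise ValueError("unsupported backend scheme: " + scheme)
    return {"namespace": m.group("ns"), "scheme": scheme, "service": name, "port": port}

def check_link(url, manager_ssl):
    """Return (ok, expected_url) for the backend scheme implied by manager.env.ssl."""
    info = parse_proxy_link(url)
    want = "https" if manager_ssl else "http"
    parts = urlsplit(url)
    m = PROXY_PATH.match(parts.path)
    target = ":".join([want, info["service"], info["port"]])
    expected = urlunsplit(parts._replace(path=m.group("head") + target + m.group("tail")))
    return info["scheme"] == want, expected

# The two links quoted in the issue (host name as written in the post).
BASE = "https://rancher-link/api/v1/namespaces/cattle-neuvector-system/services/"
TAIL = ":neuvector-service-webui:8443/proxy/index.html?v=7618fefeba#/app/dashboard"
GENERATED_LINK = BASE + "https" + TAIL   # what Rancher links to
WORKING_LINK = BASE + "http" + TAIL      # what the reporter typed by hand

if __name__ == "__main__":
    # Chart deployed with manager.env.ssl=false, as in the report.
    ok, expected = check_link(GENERATED_LINK, manager_ssl=False)
    print("generated link matches backend:", ok)
    print("expected link:", expected)
```
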