Expected behavior:
After successfully adding a kube cluster via the Web UI guided steps, the "Verify that the Kubernetes is accessible" should succeed, even if IP pinning is enabled.
Current behavior:
After clicking the button to run the test, it fails with the message "pinned IP doesn't match observed client IP"
Running tsh kube login and then using kubectl normally works. This appears to be specific to the guided "enroll resources" flow that tests connectivity.
I think the test is being performed from the Proxy pod rather than originating in my web browser, which leads to the mismatch in origin IP.
Bug details:
Teleport version 16.4.12
Recreation steps
Set pin_source_ip: true on the default access role.
Enroll a Kubernetes cluster via the "enroll resources" workflow.
Debug logs
teleport-auth-6bdd64d556-wd9js teleport {"caller":"keygen/keygen.go:153","component":null,"level":"debug","message":"generated user key for [ubuntu jefferya jeff -teleport-internal-join] with expiry on (1736262255) 2025-01-07 15:04:15.020905906 +0000 UTC","timestamp":"2025-01-07T15:03:15Z"}
teleport-auth-6bdd64d556-wd9js teleport {"caller":"tlsca/ca.go:1246","common_name":"jeff","component":"ca","dns_names":null,"key_usage":5,"level":"debug","message":"Generating TLS certificate","not_after":"2025-01-07T15:04:15.02135771Z","timestamp":"2025-01-07T15:03:15Z"}
teleport-auth-6bdd64d556-wd9js teleport {"caller":"events/emitter.go:288","cert_type":"user","cluster_name":"teleport.example.com","code":"TC000I","component":"audit","ei":0,"event":"cert.create","identity":{"client_ip":"203.0.113.183","database_users":["jeff","testdbuser"],"expires":"2025-01-07T15:04:15.02135771Z","kubernetes_cluster":"cloudguru-lab00","kubernetes_groups":["op","system:masters"],"kubernetes_users":["jeff"],"logins":["ubuntu","jefferya","jeff","-teleport-internal-join"],"prev_identity_expires":"0001-01-01T00:00:00Z","private_key_policy":"none","roles":["occ","access","editor","auditor-custom","kube-prod-no-masters"],"route_to_cluster":"teleport.example.com","teleport_cluster":"teleport.example.com","traits":{"aws_role_arns":null,"awsaccount":["000000000000"],"azure_identities":null,"db_names":null,"db_users":["testdbuser","jeff"],"email":["[email protected]"],"gcp_service_accounts":null,"github_usernames":["programmerq"],"kubernetes_groups":["system:masters","op"],"kubernetes_users":["jeff"],"logins":["root","ubuntu","jefferya","jeff"],"product":["foo","AWSReservedSSO_AWSAdministratorAccess"],"windows_logins":["Administrator","jefferya","jeff"]},"user":"jeff"},"level":"info","message":"cert.create","time":"2025-01-07T15:03:15.038Z","timestamp":"2025-01-07T15:03:15Z","uid":"780c6477-5f79-b9c6-ba87-a2fa726c97c2","user_agent":"grpc-go/1.64.1"}
teleport-proxy-7fc86d4ff8-54dxv teleport {"caller":"authclient/tls.go:108","component":"proxy:proxy:kube","level":"debug","message":"Ignoring unsupported cluster name name \"kube-teleport-proxy-alpn.teleport.cluster.local\".","pid":"7.1","timestamp":"2025-01-07T15:03:15Z"}
teleport-proxy-7fc86d4ff8-54dxv teleport {"caller":"authz/permissions.go:663","client_ip":"::1","component":"proxy:server:1","level":"debug","message":"Pinned IP and client IP mismatch","pid":"7.1","pinned_ip":"203.0.113.183","timestamp":"2025-01-07T15:03:15Z"}
teleport-proxy-7fc86d4ff8-54dxv teleport {"caller":"authz/permissions.go:613","component":"proxy:server:1","level":"warning","message":"pinned IP doesn't match observed client IP","pid":"7.1","timestamp":"2025-01-07T15:03:15Z"}
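Added diagnostic, not part of this report and not Teleport's own code: a short Python script that parses the three relevant log lines above (abridged and embedded as constructed sample input), takes the address the certificate was pinned to from the cert.create audit event, takes the address the proxy actually observed from the "Pinned IP and client IP mismatch" line, and classifies the observed address. That identity.client_ip in cert.create equals pinned_ip in the proxy log is read off these logs; the JSON field names are assumed to be stable only for the purpose of the example. If the observed address is loopback, the connection that hit the pinned-IP check came from inside the proxy pod rather than from the browser, which is what the report suspects.

```python
import ipaddress
import json

# Constructed sample input: abridged copies of the debug lines in this issue.
SAMPLE_LOGS = [
    'teleport-auth-6bdd64d556-wd9js teleport {"caller":"events/emitter.go:288","cert_type":"user","code":"TC000I","component":"audit","event":"cert.create","identity":{"client_ip":"203.0.113.183","kubernetes_cluster":"cloudguru-lab00","user":"jeff"},"level":"info","message":"cert.create","timestamp":"2025-01-07T15:03:15Z"}',
    'teleport-proxy-7fc86d4ff8-54dxv teleport {"caller":"authz/permissions.go:663","client_ip":"::1","component":"proxy:server:1","level":"debug","message":"Pinned IP and client IP mismatch","pid":"7.1","pinned_ip":"203.0.113.183","timestamp":"2025-01-07T15:03:15Z"}',
    'teleport-proxy-7fc86d4ff8-54dxv teleport {"caller":"authz/permissions.go:613","component":"proxy:server:1","level":"warning","message":"pinned IP doesn\'t match observed client IP","pid":"7.1","timestamp":"2025-01-07T15:03:15Z"}',
]

MISMATCH_MESSAGE = "Pinned IP and client IP mismatch"


def parse_line(line):
    """Split '<pod> <container> {json}' into a dict; return None for non-JSON lines."""
    pod, _, rest = line.partition(" ")
    brace = rest.find("{")
    if brace < 0:
        return None
    try:
        event = json.loads(rest[brace:])
    except json.JSONDecodeError:
        return None
    event["_pod"] = pod  # keep the emitting pod so we know which side rejected
    return event


def classify_origin(ip_text):
    """Coarse origin class of an observed client address."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback"  # request originated inside the same process/pod
    if ip.is_private:
        return "private"
    return "public"


def diagnose(lines):
    """Correlate the pinned IP in the cert with the IP the proxy observed."""
    events = [e for e in map(parse_line, lines) if e]
    cert_client_ip = None
    for e in events:
        if e.get("event") == "cert.create":
            # With pin_source_ip set, this is the address the cert is pinned to
            # (assumed from the logs above, where it equals the proxy's pinned_ip).
            cert_client_ip = e.get("identity", {}).get("client_ip")
    mismatch = next((e for e in events if e.get("message") == MISMATCH_MESSAGE), None)
    if mismatch is None:
        return {"mismatch": False}
    observed = mismatch["client_ip"]
    return {
        "mismatch": True,
        "pinned_ip": mismatch["pinned_ip"],
        "observed_ip": observed,
        "cert_client_ip": cert_client_ip,
        "pinned_matches_cert": cert_client_ip == mismatch["pinned_ip"],
        "observed_origin": classify_origin(observed),
        "rejecting_pod": mismatch["_pod"],
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOGS)
    if not result["mismatch"]:
        print("no pinned-IP mismatch found in the supplied logs")
    else:
        print(f"cert pinned to {result['pinned_ip']} (cert.create client_ip: {result['cert_client_ip']})")
        print(f"{result['rejecting_pod']} observed {result['observed_ip']} -> {result['observed_origin']}")
        if result["observed_origin"] == "loopback":
            print("the checked connection came from inside the proxy pod, not from the browser")
```

Run against the full kubectl-style pod log dump: a normal tsh kube login from the workstation presents the pinned address and produces no mismatch line, so a "loopback" verdict isolates the web-UI connectivity test as the origin of the failure.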