
When disabling TLS for the admin listener the url for the request has a trailing dot #1497

Open
corang opened this issue Aug 21, 2024 · 0 comments

Comments

@corang

corang commented Aug 21, 2024

What happened?

When disabling TLS for the admin listener, the URL for the request has a trailing dot. While this may be fine in vanilla Kubernetes, it causes a failure when using a service mesh like Istio:
job log:

unable to query config schema: request GET http://redpanda-0.redpanda.redpanda.svc.cluster.local.:9644/v1/cluster_config/schema failed: Service Unavailable, body: "upstream connect error or disconnect/reset before headers. reset reason: connection termination"

main redpanda istio sidecar log:

[2024-08-21T19:41:20.561Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 0 - "-" "-" "-" "-" "-" - - 10.42.0.109:9644 10.42.0.113:60346 - -

What did you expect to happen?

The URL should not have a trailing dot so that service meshes can resolve the endpoint correctly

How can we reproduce it (as minimally and precisely as possible)? Please include the values file.

listeners:
  admin:
    appProtocol: http
    tls:
      enabled: false

monitoring:
  enabled: true
  enableHttp2: false

Deploy Redpanda with that config on top of Istio with istio-injection enabled and mTLS set to strict.

Anything else we need to know?

This can be worked around with Istio via a set of destination rules and service entries.

If there wasn't a trailing dot this would work:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: redpanda-headless
  namespace: redpanda
spec:
  hosts:
  - redpanda-0.redpanda.redpanda.svc.cluster.local
  ports:
  - number: 9644
    name: admin
    protocol: HTTP
  resolution: NONE
  location: MESH_INTERNAL
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: redpanda-headless
  namespace: redpanda
spec:
  host: redpanda-0.redpanda.redpanda.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      sni: redpanda-0.redpanda.redpanda.svc.cluster.local

However, since there is, we have to add this set as well:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: redpanda-headless-dot
  namespace: redpanda
spec:
  hosts:
  - redpanda-0.redpanda.redpanda.svc.cluster.local.
  ports:
  - number: 9644
    name: admin
    protocol: HTTP
  resolution: NONE
  location: MESH_INTERNAL
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: redpanda-headless-dot
  namespace: redpanda
spec:
  host: redpanda-0.redpanda.redpanda.svc.cluster.local.
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      sni: redpanda-0.redpanda.redpanda.svc.cluster.local.

Which are the affected charts?

Redpanda

Chart Version(s)

$ helm -n redpanda list 
NAME                    NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                           APP VERSION
redpanda                redpanda        1               2024-08-21 19:45:48.328080392 +0000 UTC deployed        redpanda-5.9.1                  v24.2.2

Cloud provider

Local k3d cluster

JIRA Link: K8S-326
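The rewrite this report asks for, shown as an added Go example that is not code from the Redpanda chart or its job binary: it takes the failing request URL from the log above and converts the absolute DNS name (trailing dot) in its host part to the relative form, leaving scheme, port and path untouched. Resolvers treat both spellings as the same name, but a sidecar that matches the Host header or SNI as a plain string (as the `filter_chain_not_found` entry shows) does not. Function names here are my own.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// stripTrailingDot turns "host.svc.cluster.local." into "host.svc.cluster.local".
// The root name "." and IPv6 literals (which contain ':') are returned unchanged.
func stripTrailingDot(host string) string {
	if host == "." || strings.Contains(host, ":") {
		return host
	}
	return strings.TrimSuffix(host, ".")
}

// normalizeHost rewrites only the host part of a URL so the request, and
// therefore the Host header / SNI a mesh sees, carries the relative name.
func normalizeHost(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Host == "" {
		return "", errors.New("url has no host component")
	}
	host, port, err := net.SplitHostPort(u.Host)
	if err != nil { // no port present: the whole authority is the host
		host, port = u.Host, ""
	}
	host = stripTrailingDot(host)
	if port != "" {
		u.Host = net.JoinHostPort(host, port) // re-brackets IPv6 literals
	} else {
		u.Host = host
	}
	return u.String(), nil
}

func main() {
	// The request URL quoted in the job log of this report.
	failing := "http://redpanda-0.redpanda.redpanda.svc.cluster.local.:9644/v1/cluster_config/schema"
	fixed, err := normalizeHost(failing)
	if err != nil {
		panic(err)
	}
	fmt.Println(fixed)
}
```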
