Internal Encryption on/off requires activator restart #13754

Open
davidhadas opened this issue Feb 27, 2023 · 6 comments
Labels
area/networking kind/bug Categorizes issue or PR as related to a bug. triage/accepted Issues which should be fixed (post-triage)

Comments

@davidhadas
Contributor

Switching internal-encryption to true results in a non-functioning service.
/area networking

What version of Knative?

1.9
Using Kourier

Expected Behavior

Service should continue to serve ingress traffic.

Actual Behavior

Service stopped serving ingress traffic.
Clients receive 503

Steps to Reproduce the Problem

---- Attempt 1:

kn quickstart kind  --install-serving
...

Use kubectl edit cm config-network -n knative-serving and set internal-encryption to "true"

kn service create hello --image gcr.io/knative-samples/helloworld-go --port 8080 --env TARGET=World
...
19.014s Ingress has not yet been reconciled.
19.101s Waiting for load balancer to be ready
 ...

---- Attempt 2:

kn quickstart kind  --install-serving
...

kn service create hello --image gcr.io/knative-samples/helloworld-go --port 8080 --env TARGET=World
...
Service 'hello' created to latest revision 'hello-00001' is available at URL:
http://hello.default.127.0.0.1.sslip.io

curl http://hello.default.127.0.0.1.sslip.io -v
*   Trying 127.0.0.1:80...
...
< HTTP/1.1 200 OK
...
Hello World!
...

Use kubectl edit cm config-network -n knative-serving and set internal-encryption to "true"

curl http://hello.default.127.0.0.1.sslip.io -v
...
< HTTP/1.1 503 Service Unavailable
< content-length: 145
< content-type: text/plain
< date: Mon, 27 Feb 2023 23:30:17 GMT
< server: envoy
<
* Connection #0 to host hello.default.127.0.0.1.sslip.io left intact
upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: delayed connect error: 111
@davidhadas davidhadas added the kind/bug Categorizes issue or PR as related to a bug. label Feb 27, 2023
@davidhadas
Contributor Author

davidhadas commented Feb 27, 2023

@ReToCode, @skonto FYI - not sure if this is Kourier specific or not.

@davidhadas
Contributor Author

Reproduced on a regular Kubernetes cluster outside of Kind (again with Kourier)

@ReToCode
Member

@davidhadas, does it work if you restart activator first? We are still working on that: #13694. Also alpha is not quite there yet, see: #11906 (comment).

@davidhadas
Contributor Author

It solved the issue on both systems tested.
I will keep this open and indicate in #13694 that it fixes this one.

@dprotaso
Member

dprotaso commented Mar 1, 2023

Closing dupe of #13694

@nak3
Contributor

nak3 commented Apr 6, 2023

I realized that this issue was linked to #13694 but this issue is for switching internal-encryption to true/false, right?

I think they should be handled separately. Actually, not only internal-encryption but also some flags like mesh-compatibility-mode and enable-mesh-pod-addressability also require a restart.

@nak3 nak3 reopened this Apr 6, 2023
@ReToCode ReToCode added the triage/accepted Issues which should be fixed (post-triage) label Apr 17, 2023
@nak3 nak3 changed the title Internal Encryption result in 503 from ingress Internal Encryption on/off requires activator restart Sep 11, 2023
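
The workaround confirmed in this thread (change internal-encryption, then restart the activator), written out as an added example that is not part of the original issue or the Knative project's own code. It assumes the activator runs as a Deployment named `activator` in the `knative-serving` namespace; the `KUBECTL` override and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flip internal-encryption in config-network, then restart the
# activator so it picks up the new value instead of serving 503s.
# Assumption: the activator is the Deployment "activator" in knative-serving.
# KUBECTL is a hypothetical override, e.g. KUBECTL=echo for a dry run.

KUBECTL="${KUBECTL:-kubectl}"
NS="knative-serving"

# Build the JSON merge patch. ConfigMap values are strings, so the
# boolean is quoted, matching the "true" set by hand in the issue.
merge_patch() {
    case "$1" in
        true|false) ;;
        *) echo "value must be true or false, got: $1" >&2; return 2 ;;
    esac
    printf '{"data":{"internal-encryption":"%s"}}' "$1"
}

# Patch the ConfigMap, restart the activator, and block until the new
# pods are ready, so traffic is only tested against restarted pods.
set_internal_encryption() {
    patch=$(merge_patch "$1") || return 2
    $KUBECTL patch configmap config-network -n "$NS" --type merge -p "$patch" || return 1
    $KUBECTL rollout restart deployment/activator -n "$NS" || return 1
    $KUBECTL rollout status deployment/activator -n "$NS" --timeout=120s
}

# Run only when a value is given on the command line: ./script.sh true
if [ "$#" -gt 0 ]; then
    set_internal_encryption "$1"
fi
```

After the rollout completes, repeat the `curl` from the reproduction steps to confirm the service answers with 200 again.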