Closed corey-aloia closed 1 month ago
@corey-aloia, Thanks for the PR, can you elaborate what was the issue before? I can also try to reproduce it on my end?
Hi @alperdedeoglu, My namespaces in kyma by default do not have a label of "name":
k get ns --show-labels | grep istio-system
istio-system .... kubernetes.io/metadata.name=istio-system,namespaces.warden.kyma-project.io/validate=enabled
And this resulted in a failure when trying to subscribe from a consumer account. Curling the endpoints directly resulted in a
upstream connect error or disconnect/reset before headers.
Text from screenshot:
Subscribe failed. Error: Subscribe failed. Parameters: rootSubscription: 12,046,473. Error description: CorrelationId: f542469f-1816-4177-606b-e9ed0b3bee76, Error build subscription tree : Error parse get dependencies of application with appName: susaas-susaas-b230f5c. Error: CorrelationId: f542469f-1816-4177-606b-e9ed0b3bee76, Error build subscription tree : Error invoke get dependencies callback of application with appName: susaas-susaas-b230f5c. Error: Please open a ticket for application/service with appName: susaas-susaas-b230f5c. Failed to call callback. URL: GET https://susaas-srv-susaas.b230f5c.kyma.ondemand.com/-/cds/saas-provisioning/dependencies?tenantId=51f4f02c-2d87-4475-8a9b-d1090ce7e252. Consumer tenant: 51f4f02c-2d87-4475-8a9b-d1090ce7e252. Callback response: upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection timeout. status code: 503 SERVICE_UNAVAILABLE
Looking at the networkpolicy, and it looks like it is not properly giving the ingress gateway access due to the namespace not having a name
label, but a kubernetes.io/metadata.name
label. AFAIK kubernetes.io/metadata.name
is the standard one, so maybe you guys added a name
label to your namespace in your test cluster? So potentially it does work for you if your namespace has a name
label :) But it should also work with the standard kubernetes.io/metadata.name
label
Making the change to the networkpolicy now allows me to get a step further. It still fails, but for a different reasons, and I can see the logs and the request now reaching the srv pod (potentially the different reason is due to something I did wrong... still looking) :)
Thanks for your support and enthusiasm! I will just try to also test this and merge the PR. Also for any other problems you face, keep going to create issues or PR's it is appreciated!
When going through this guide, I ran into an issue when subscribing. After debugging, it looks like it is due to the networkpolicy. This PR adjusts the chart to use the standard kubernetes namespace label in the network policy. For reference: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#automatic-labelling It looks like this feature is available since August 4, 2021