SAP-samples / btp-cap-multitenant-saas

Sample project that demonstrates how to setup a multitenant application for a Software-as-a-Service scenario, leveraging the Kyma and Cloud Foundry Runtimes of the SAP Business Technology Platform. Developers learn how to implement their own CAP (mtxs) based SaaS app including an SaaS API and integration with various essential SAP BTP service of...
Apache License 2.0

Network policy: Use standard label #45

Closed corey-aloia closed 1 month ago

corey-aloia commented 2 months ago

When going through this guide, I ran into an issue when subscribing. After debugging, it looks like it is due to the networkpolicy. This PR adjusts the chart to use the standard Kubernetes namespace label in the network policy.

For reference: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#automatic-labelling

It looks like this feature has been available since August 4, 2021.

alperdedeoglu commented 2 months ago

@corey-aloia, thanks for the PR. Can you elaborate on what the issue was before? I can also try to reproduce it on my end.

corey-aloia commented 2 months ago

Hi @alperdedeoglu, my namespaces in Kyma by default do not have a label of "name":

    k get ns --show-labels | grep istio-system
    istio-system .... kubernetes.io/metadata.name=istio-system,namespaces.warden.kyma-project.io/validate=enabled

And this resulted in a failure when trying to subscribe from a consumer account. Curling the endpoints directly resulted in an "upstream connect error or disconnect/reset before headers".


Text from screenshot: Subscribe failed. Error: Subscribe failed. Parameters: rootSubscription: 12,046,473. Error description: CorrelationId: f542469f-1816-4177-606b-e9ed0b3bee76, Error build subscription tree : Error parse get dependencies of application with appName: susaas-susaas-b230f5c. Error: CorrelationId: f542469f-1816-4177-606b-e9ed0b3bee76, Error build subscription tree : Error invoke get dependencies callback of application with appName: susaas-susaas-b230f5c. Error: Please open a ticket for application/service with appName: susaas-susaas-b230f5c. Failed to call callback. URL: GET https://susaas-srv-susaas.b230f5c.kyma.ondemand.com/-/cds/saas-provisioning/dependencies?tenantId=51f4f02c-2d87-4475-8a9b-d1090ce7e252. Consumer tenant: 51f4f02c-2d87-4475-8a9b-d1090ce7e252. Callback response: upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection timeout. status code: 503 SERVICE_UNAVAILABLE

Looking at the networkpolicy, it looks like it is not properly giving the ingress gateway access due to the namespace not having a name label, but a kubernetes.io/metadata.name label. AFAIK kubernetes.io/metadata.name is the standard one, so maybe you guys added a name label to your namespace in your test cluster? So potentially it does work for you if your namespace has a name label :) But it should also work with the standard kubernetes.io/metadata.name label.

Making the change to the networkpolicy now allows me to get a step further. It still fails, but for a different reason, and I can see the logs and the request now reaching the srv pod (potentially the different reason is due to something I did wrong... still looking) :)
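An added example, not part of the thread or of the project's chart: a check for the failure mode described in the comment above, where a NetworkPolicy ingress peer has a namespaceSelector that no namespace's labels satisfy, so the intended allow rule never applies. The policy objects, the `susaas` namespace entry and all function names are constructed for illustration; the istio-system labels are the ones shown in the comment.

```python
# Added example: flag NetworkPolicy ingress peers whose namespaceSelector
# matches no namespace, i.e. an allow rule that silently allows nothing.

def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector against one namespace's labels."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True  # an empty selector ({}) matches every namespace

def dead_peers(policy, namespaces):
    """Return (rule_index, peer_index) for ingress peers selecting zero namespaces."""
    dead = []
    for r, rule in enumerate(policy["spec"].get("ingress", [])):
        for p, peer in enumerate(rule.get("from", [])):
            sel = peer.get("namespaceSelector")
            if sel is None:  # podSelector- or ipBlock-only peer, not namespace-scoped
                continue
            if not any(selector_matches(sel, lbls) for lbls in namespaces.values()):
                dead.append((r, p))
    return dead

def make_policy(ns_labels):
    """Constructed minimal policy with one ingress peer (not the chart's template)."""
    return {"spec": {"podSelector": {}, "policyTypes": ["Ingress"],
                     "ingress": [{"from": [{"namespaceSelector": {"matchLabels": ns_labels}}]}]}}

# Namespace labels as `kubectl get ns --show-labels` would report them.
NAMESPACES = {
    "istio-system": {"kubernetes.io/metadata.name": "istio-system",
                     "namespaces.warden.kyma-project.io/validate": "enabled"},
    "susaas": {"kubernetes.io/metadata.name": "susaas"},  # constructed entry
}
BEFORE = make_policy({"name": "istio-system"})                        # custom label
AFTER = make_policy({"kubernetes.io/metadata.name": "istio-system"})  # automatic label

if __name__ == "__main__":
    print("before:", dead_peers(BEFORE, NAMESPACES))
    print("after: ", dead_peers(AFTER, NAMESPACES))
```

Run against real cluster data, a non-empty result points at a peer that should be rewritten to use a label the namespaces actually carry.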

alperdedeoglu commented 2 months ago

Thanks for your support and enthusiasm! I will just try to also test this and merge the PR. Also, for any other problems you face, keep creating issues or PRs; it is appreciated!