Open murphymagic opened 10 months ago
@murphymagic It seems you're using an HTTP proxy, and the transport between workers and router is a non-HTTP binary transport. If you're looking into this due to compliance reasons, you might want to consider the BYOC Cube Cloud option, as it has a transport encryption option.
I am deploying cubejs into a Kubernetes cluster, as described here.
In order to encrypt pod to pod traffic, I am deploying envoy proxy sidecars in each pod to enable TLS, as described here.
This approach works fine for cube-api to cubestore-router pod traffic and cube-refresh-worker to cubestore-router traffic. Additionally, this approach works for traffic from cube pods to non-cube pods, such as keycloak and ksqldb.
However, this approach fails for traffic between cubestore-router and cubestore-worker. The cubestore-router logs are full of the following errors:
The envoy logs show the following error:
HTTP/1.1 400 DPE 0 11 http1.codec_error HPE_INVALID_METHOD
(DPE = Downstream Protocol Error. Downstream = cubestore-router.)
Attached is a screenshot of a tcpdump of traffic, if it sheds any light on what is going on.
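An added example, not posted by anyone in this thread and not taken from the Cube or Envoy projects: `http1.codec_error HPE_INVALID_METHOD` is what Envoy's HTTP/1 parser reports when the bytes it receives are not an HTTP request, which matches the reply's point that router-to-worker traffic is a binary protocol. The sketch below shows an inbound sidecar listener on the worker pod that terminates mutual TLS and forwards the raw byte stream with `tcp_proxy` instead of the HTTP connection manager. The listener and cluster names, both port numbers and the certificate paths are placeholders, and it is an assumption that the failing listener currently uses `envoy.filters.network.http_connection_manager`.

```yaml
# Added example: inbound Envoy sidecar for a cubestore-worker pod.
# All names, ports and file paths are placeholders (assumptions).
static_resources:
  listeners:
  - name: cubestore_worker_inbound
    address:
      socket_address: { address: 0.0.0.0, port_value: 10443 }  # placeholder TLS port
    filter_chains:
    - filters:
      # An HTTP listener would use envoy.filters.network.http_connection_manager
      # here and reject non-HTTP bytes with a codec error.
      # tcp_proxy forwards the decrypted stream without parsing it.
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: cubestore_worker_inbound
          cluster: local_cubestore_worker
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # Only peers holding a certificate signed by the mesh CA may connect.
          require_client_certificate: true
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/tls/tls.crt }  # placeholder
              private_key: { filename: /etc/envoy/tls/tls.key }        # placeholder
            validation_context:
              trusted_ca: { filename: /etc/envoy/tls/ca.crt }          # placeholder
  clusters:
  - name: local_cubestore_worker
    type: STATIC
    connect_timeout: 1s
    load_assignment:
      cluster_name: local_cubestore_worker
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              # Placeholder: the port the worker process listens on inside the pod.
              socket_address: { address: 127.0.0.1, port_value: 10001 }
```

The router-side sidecar needs the matching outbound listener: `tcp_proxy` again, with an `UpstreamTlsContext` transport socket on the cluster that points at the worker's TLS port.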