dapr / docs

Dapr user documentation, used to build docs.dapr.io
https://docs.dapr.io
Creative Commons Attribution 4.0 International

="Fatal error from runtime: failed to retrieve the initial identity certificate: error establishing connection to sentry: context canceled: connection error: desc = \"transport: authentication handshake failed: remote error: tls: no application protocol\"" #4137

Closed chawleejay closed 4 months ago

chawleejay commented 4 months ago

Hello

I'm running into issues when trying to install Dapr to a Kubernetes cluster using Argo CD.

    source:
      repoURL: https://dapr.github.io/helm-charts/
      targetRevision: "1.13"
      chart: dapr
      helm:
        values: |-
          global:
            registry: ghcr.io/dapr
            tag: 'edge'
            dnsSuffix: "cluster.local"
            logAsJson: false
            imagePullPolicy: Always
          mtls:
            enabled: false
            #workloadCertTTL: 24h
            #allowedClockSkew: 15m
          sentry:
            replicaCount: 0

From your docs: https://docs.dapr.io/reference/arguments-annotations-overview/

I'm using Kubernetes annotations attached to the above values.yaml file. I'm obtaining a TLS certificate error but have mtls disabled and replicaCount for the dapr-sentry config = 0.

Error received:

="Fatal error from runtime: failed to retrieve the initial identity certificate: error establishing connection to sentry: context canceled: connection error: desc = \"transport: authentication handshake failed: remote error: tls: no application protocol\""

Where is this initial certificate config read from on initial dapr installation?

yaron2 commented 4 months ago

Sentry must not be scaled to 0 replicas. You need to have at least 1 replica running.

chawleejay commented 4 months ago

Isn't Sentry only used for mTLS? I'm not sure I quite understand its purpose from the docs @yaron2

yaron2 commented 4 months ago

> Isn't Sentry only used for mTLS? I'm not sure I quite understand its purpose from the docs @yaron2

Yes, but even if you disable mTLS it's only disabled for service-to-service calls between sidecars. All communication between the sidecar and the control plane still uses mTLS and this cannot be disabled.

chawleejay commented 4 months ago

Okay, thank you for your quick response. I will work on getting it configured.

Any docs on the mTLS configuration between the sidecar/control plane using Helm?

chawleejay commented 4 months ago

From my understanding, Dapr will take care of mTLS via the token bundle that gets installed on the k8 cluster @yaron2. Does internal app code need to be set up properly for the daprd sidecar to spin up properly?

yaron2 commented 4 months ago

> From my understanding, Dapr will take care of mTLS via the token bundle that gets installed on the k8 cluster @yaron2. Does internal app code need to be set up properly for the daprd sidecar to spin up properly?

No, your app's code shouldn't have anything special to run alongside Dapr.

chawleejay commented 4 months ago

@yaron2 are you able to help me understand the original error from my question, "Fatal error from runtime: failed to retrieve the initial identity certificate:"?

chawleejay commented 4 months ago

@yaron2 hey, just wanted to check to see if you or your team had any update on this? If not, can we close this case?

chawleejay commented 4 months ago

@yaron2 Not quite sure where to go with this. I've exhausted all efforts to get Dapr running via Kubernetes and it's not working. The sidecar-injector is showing it's mounting the certs. The daprd sidecar running along my app is showing a cert in the following env var: DAPR_TRUST_ANCHORS. Everything is out of the box following the K8 deployments guide and the daprd sidecar is still throwing the following error:

level=fatal msg="Fatal error from runtime: failed to retrieve the initial identity certificate: error establishing connection to sentry: context canceled: connection error: desc = \"transport: authentication handshake failed: remote error: tls: no application protocol\""

I've tried opening support tickets on the website and I'm not getting anywhere.

yaron2 commented 4 months ago

> @yaron2 Not quite sure where to go with this. I've exhausted all efforts to get Dapr running via Kubernetes and it's not working. The sidecar-injector is showing it's mounting the certs. The daprd sidecar running along my app is showing a cert in the following env var: DAPR_TRUST_ANCHORS. Everything is out of the box following the K8 deployments guide and the daprd sidecar is still throwing the following error:
>
> level=fatal msg="Fatal error from runtime: failed to retrieve the initial identity certificate: error establishing connection to sentry: context canceled: connection error: desc = \"transport: authentication handshake failed: remote error: tls: no application protocol\""
>
> I've tried opening support tickets on the website and I'm not getting anywhere.

Can you join our Discord server and add me as a friend? My handle is yaron2

yaron2 commented 4 months ago

Try this invite: https://discord.com/invite/dapr-778680217417809931

chawleejay commented 4 months ago

Just added you @yaron2. Thanks.

chawleejay commented 4 months ago

This issue is occurring because of the Istio injection failing to communicate with the sentry. You can close this ticket and we can chat internally, thanks.
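
The two conditions named in this thread (Sentry scaled to zero, and Istio injection sitting in front of Sentry) can be checked before a sidecar ever fails with this error. The following is an added example, not code from the issue or from the Dapr project; it assumes Dapr's default `dapr-system` namespace and input shaped like `kubectl get ... -o json`, and the sample objects, pod name and finding names are constructed for illustration.

```python
import json

# Constructed samples shaped like `kubectl get <kind> -o json` output.
SENTRY_DEPLOYMENT = json.loads("""{
  "kind": "Deployment",
  "metadata": {"name": "dapr-sentry", "namespace": "dapr-system"},
  "spec": {"replicas": 0},
  "status": {}
}""")
NAMESPACE = json.loads("""{
  "kind": "Namespace",
  "metadata": {"name": "dapr-system", "labels": {"istio-injection": "enabled"}}
}""")
SENTRY_POD = json.loads("""{
  "kind": "Pod",
  "metadata": {"name": "dapr-sentry-example", "namespace": "dapr-system"},
  "spec": {"containers": [{"name": "dapr-sentry"}, {"name": "istio-proxy"}]}
}""")


def check_sentry(deployment, namespace, pods):
    """Return findings (hypothetical names) for the causes raised in this thread."""
    findings = []
    replicas = deployment.get("spec", {}).get("replicas", 1)  # Kubernetes default is 1
    ready = deployment.get("status", {}).get("readyReplicas", 0)
    if replicas < 1:
        # Sidecars always fetch their identity certificate from Sentry,
        # even with mtls.enabled=false, so zero replicas is fatal for daprd.
        findings.append("sentry-scaled-to-zero")
    elif ready < 1:
        findings.append("sentry-not-ready")
    # Istio injects its proxy into namespaces carrying either of these labels.
    labels = namespace.get("metadata", {}).get("labels") or {}
    if labels.get("istio-injection") == "enabled" or "istio.io/rev" in labels:
        findings.append("istio-injection-on-namespace")
    for pod in pods:
        spec = pod.get("spec", {})
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        if any(c.get("name") == "istio-proxy" for c in containers):
            findings.append("istio-proxy-in-pod:" + pod["metadata"]["name"])
    return findings


if __name__ == "__main__":
    for finding in check_sentry(SENTRY_DEPLOYMENT, NAMESPACE, [SENTRY_POD]):
        print(finding)
```

An Istio finding only marks a place to look: the thread attributes the handshake failure to Istio injection but does not record the configuration change that resolved it.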