emissary-ingress / emissary

open source Kubernetes-native API gateway for microservices built on the Envoy Proxy
https://www.getambassador.io
Apache License 2.0

Dev Portal - fetching process - error: server gave HTTP response to HTTPS client #5047

Open MalibuKoKo opened 1 year ago

MalibuKoKo commented 1 year ago

Describe the bug

The docs cannot be fetched; errors can be seen in the Pods:

kubectl logs deployment.apps/edge-stack -c emissary-ingress --namespace=ambassador -

time="2023-05-15 01:44:09.9294" level=error msg="Get \"https://127.0.0.1:8443/api/v3/openapi.json\": http: server gave HTTP response to HTTPS client" func="github.com/datawire/apro/v3/cmd/amb-sidecar/devportal/server.(*DevPortalHTTPClient).Get" file="github.com/datawire/apro/v3/cmd/amb-sidecar/devportal/server/http.go:82" CMD=amb-sidecar PID=24 THREAD=/devportal_fetcher URL="https://127.0.0.1:8443/api/v3/openapi.json" clusterName=cluster_petstore3_swagger_swagger component=devportal mapping=petstore3.swagger mhost="*" subsystem=fetcher url="https://127.0.0.1:8443/api/v3/openapi.json"
time="2023-05-15 01:44:09.9294" level=error msg="GET failed https://127.0.0.1:8443/api/v3/openapi.json" func="github.com/datawire/apro/v3/cmd/amb-sidecar/devportal/server.(*Fetcher).retrieve.func2" file="github.com/datawire/apro/v3/cmd/amb-sidecar/devportal/server/fetcher.go:387" CMD=amb-sidecar PID=24 THREAD=/devportal_fetcher URL="https://127.0.0.1:8443/api/v3/openapi.json" clusterName=cluster_petstore3_swagger_swagger mapping=petstore3.swagger subsystem=fetcher

To Reproduce

Steps to reproduce the behavior:

  1. download edge-stack.sh and run it
  2. respond yes to question Dev Portal - fetching process - error: server gave HTTP response to HTTPS client? 5047

Expected behavior

Documentation should be fetched and shown on the /docs/ endpoint.

Versions:

cindymullins-dw commented 1 year ago

Adding some context here. In the Slack channel I suggested adding a wildcard host based on this previous issue. Attaching the user's config here… I added a "wildcard Host" just like you mentioned:

apiVersion: getambassador.io/v3alpha1
hostname: '*'
kind: Host
metadata:
  name: wildcard-host
requestPolicy:
  insecure:
    action: Route

The user said "The error is still there and another error generates a looping crash of POD edge-stack (see screenshot)"

cindymullins-dw commented 1 year ago

In our testing the wildcard host with a self-signed cert works. There's a known issue with Edge Stack 2.x+ where Edge Stack does not have a Filter Chain setup with TLS and the domain as "localhost". Therefore, the DevPortal fetcher service is unable to fetch and index the OpenAPI document. The wildcard host lets the DevPortal fetcher communicate with envoy and ultimately with the backend service. The fetcher is able to talk to envoy since it can connect with the wildcard FilterChain which is configured with TLS. Second, the fetcher code base configures the http.Client to skip verifying the server certs and on each request the http.Request.Host is faked by setting it to the hostname from the mapping which allows Envoy to route it to the upstream service. This is the most straightforward workaround for now until we create a longer term fix.
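
The logged error and the fetch pattern described in the comment above can be reproduced with Go's standard library. This is an added example, not code from the apro fetcher or the Emissary project: `fetch`, `demo` and the hostname `petstore3.example` are constructed for illustration, and the two `httptest` servers stand in for an Envoy listener without and with a TLS filter chain.

```go
// Added example, not the apro/devportal source; names and hostname are constructed.
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// fetch mimics the described fetcher: server certificates are not verified and
// req.Host carries the mapping hostname so the proxy can route on it.
func fetch(url, mappingHost string) (string, error) {
	client := &http.Client{Transport: &http.Transport{
		// No peer authentication; the page's fetcher does this against 127.0.0.1.
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return "", err
	}
	req.Host = mappingHost // sent as the Host header; the connection still goes to url
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// demo returns the error from a plaintext listener and the Host seen by a TLS one.
func demo() (plainErr error, seenHost string, tlsErr error) {
	echoHost := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.Host)
	})
	plain := httptest.NewServer(echoHost) // stands in for a listener with no TLS filter chain
	defer plain.Close()
	_, plainErr = fetch(strings.Replace(plain.URL, "http://", "https://", 1), "petstore3.example")
	secure := httptest.NewTLSServer(echoHost) // self-signed cert, as with the wildcard Host
	defer secure.Close()
	seenHost, tlsErr = fetch(secure.URL, "petstore3.example")
	return
}

func main() { fmt.Println(demo()) }
```

The first fetch fails with the same message as the pod logs because the listener answers the TLS ClientHello in cleartext HTTP; the second succeeds and the server sees the faked Host value rather than the loopback address.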