kiali / kiali

Kiali project, observability for the Istio service mesh
https://www.kiali.io
Apache License 2.0

Kiali fails to watch Gateway due to `spec.servers[*].tls.mode: OPTIONAL_MUTUAL` setting #7315

Closed ngearhart closed 6 months ago

ngearhart commented 6 months ago

Describe the bug

When an Istio gateway has spec.servers[*].tls.mode: OPTIONAL_MUTUAL, Kiali will output the following then crash:

W0426 19:43:42.905227       1 reflector.go:535] pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: failed to list *v1beta1.Gateway: unknown value "\"OPTIONAL_MUTUAL\"" for enum istio.networking.v1beta1.ServerTLSSettings.TLSmode
E0426 19:43:42.905254       1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.28.3/tools/cache/reflector.go:229: Failed to watch *v1beta1.Gateway: failed to list *v1beta1.Gateway: unknown value "\"OPTIONAL_MUTUAL\"" for enum istio.networking.v1beta1.ServerTLSSettings.TLSmode

Expected Behavior

What are the steps to reproduce this bug?

  1. Create an Istio Gateway with spec.servers[*].tls.mode: OPTIONAL_MUTUAL enabled. For example:

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: public
      namespace: istio-system
    spec:
      selector:
        app: public-ingressgateway
      servers:
      - hosts:
        - example.com
        port:
          name: https
          number: 8443
          protocol: HTTPS
        tls:
          caCertificates: /etc/certs/ca.crt
          mode: OPTIONAL_MUTUAL
          privateKey: /etc/certs/tls.key
          serverCertificate: /etc/certs/tls.crt

  2. Run Kiali.

Environment


ngearhart commented 6 months ago

This error also exists in Kiali version 1.78.0 and Istio version 1.19.6. I encountered the issue in these older versions and upgraded as far as I possibly can in my environment and saw no change.

ngearhart commented 6 months ago

This feature was added in Istio 1.19.0: https://istio.io/latest/news/releases/1.19.x/announcing-1.19/

We also added enhancements to security configurations. For example, you can configure OPTIONAL_MUTUAL for your Istio ingress gateway’s TLS settings, which allows optional use and validation of a client certificate.

So this should be supported by Kiali.

nrfox commented 6 months ago

I'm fairly sure this is caused by Kiali not bumping the istio client libraries appropriately. When new fields get added to the istio APIs and Kiali doesn't bump the client version, it can lead to unmarshaling issues when you use those new fields. The versions were updated recently and the next release (1.84) should work with the new fields although we should confirm that and possibly backport the client bump to whatever version(s) of Kiali need to support 1.19.
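As an added illustration of the version-skew problem described above (example code, not Kiali's or Istio's own): a small pre-flight check that decodes a Gateway and reports any server whose tls.mode is outside the enum set a given client build knows, which is exactly the condition that makes a strict decoder fail the list call. The pre-1.19 mode set and the JSON rendering of the reporter's Gateway are constructed assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal Gateway shape; encoding/json matches field names case-insensitively,
// so "tls" fills TLS and "metadata" fills Metadata without struct tags.
type server struct {
	Port struct{ Name string }
	TLS  *struct{ Mode string } // nil for plaintext servers
}
type gateway struct {
	Metadata struct{ Name, Namespace string }
	Spec     struct{ Servers []server }
}

// KnownModesPre119 is the TLSmode enum set assumed for a client built against
// Istio APIs older than 1.19 (assumption; OPTIONAL_MUTUAL was added in 1.19).
var KnownModesPre119 = map[string]bool{
	"PASSTHROUGH": true, "SIMPLE": true, "MUTUAL": true,
	"AUTO_PASSTHROUGH": true, "ISTIO_MUTUAL": true,
}

// UnknownTLSModes decodes a Gateway (JSON) and returns one entry per server whose
// tls.mode is not in the given enum set, i.e. a value a strict client would reject.
func UnknownTLSModes(doc []byte, known map[string]bool) ([]string, error) {
	var gw gateway
	if err := json.Unmarshal(doc, &gw); err != nil {
		return nil, err
	}
	var bad []string
	for _, s := range gw.Spec.Servers {
		if s.TLS != nil && s.TLS.Mode != "" && !known[s.TLS.Mode] {
			bad = append(bad, fmt.Sprintf("%s/%s server=%s mode=%s",
				gw.Metadata.Namespace, gw.Metadata.Name, s.Port.Name, s.TLS.Mode))
		}
	}
	return bad, nil
}

// SampleGateway is a constructed JSON rendering of the Gateway from the report.
const SampleGateway = `{"metadata":{"name":"public","namespace":"istio-system"},
"spec":{"servers":[{"hosts":["example.com"],"port":{"name":"https","number":8443,"protocol":"HTTPS"},
"tls":{"mode":"OPTIONAL_MUTUAL","caCertificates":"/etc/certs/ca.crt"}}]}}`

func main() {
	fmt.Println(UnknownTLSModes([]byte(SampleGateway), KnownModesPre119))
}
```

Running the same check with a mode set that includes OPTIONAL_MUTUAL returns nothing, which is the state a client bumped to the 1.19 APIs is in.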

hhovsepy commented 6 months ago

@ngearhart thank you for logging the issue. As Nick confirmed, the issue is gone with the upcoming Kiali release v1.84. In case of errors or issues, feel free to open a discussion or log an issue here; I see you were facing this issue for a long time.

However, I have added the missing tls option into our wizards: https://github.com/kiali/kiali/pull/7318

ngearhart commented 6 months ago

Thank you @hhovsepy @nrfox for your help here! I will test Kiali 1.84 in my environment when it's released.