kumahq / kuma

🐻 The multi-zone service mesh for containers, Kubernetes and VMs. Built with Envoy. CNCF Sandbox Project.
https://kuma.io/install
Apache License 2.0

Application not working after applying default mTLS #3394

Closed hiteshp39 closed 2 years ago

hiteshp39 commented 2 years ago

What happened?

Hello Team,

Environment Details:

- Kubernetes: GKE version 1.21.3-gke.2003
- Kuma version: v1.4.0
- Kong version: v2.4

I have installed Kuma and deployed the demo application following the document below: https://github.com/kumahq/kuma-demo/tree/master/kubernetes. After the installation, the default mesh was created and the sidecar was also created in the kuma-demo namespace. Further, I applied the sidecar-injection and gateway annotations on the kong namespace (i.e. kong).

Until this point the application was reachable, but when I applied the default mTLS policy my application does not come up, even though traffic permission is allowed to all services. Below is the applied mTLS:

```yaml
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
```

NOTE: In my case the namespaces are different, as below:

- Kuma installed in the kuma-system namespace
- Kong installed in the kong namespace
- demo application installed in the kuma-demo namespace
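A complete Mesh resource with mTLS enabled, paired with the mesh-wide allow-all TrafficPermission the reporter says is in place, as an added example (not the reporter's own manifest): the builtin CA backend and the policy name are assumptions, because the quoted Mesh spec is cut off after `backends:`.

```yaml
# Added example, not from the issue: Mesh with mTLS on a builtin CA backend.
# The backend entry is an assumption; the reporter's snippet ends at "backends:".
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: builtin
---
# TrafficPermission is only enforced once mTLS is enabled on the mesh, so a
# permission must exist or every service-to-service request is denied.
# Policy name and match values are assumptions for this example.
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  name: allow-all-traffic
spec:
  sources:
    - match:
        kuma.io/service: '*'
  destinations:
    - match:
        kuma.io/service: '*'
```

After applying both, `kumactl inspect dataplanes` shows whether each pod's sidecar is online before any app-level connectivity is debugged.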

lahabana commented 2 years ago

@hiteshp39 can you let us know if the sidecar starts on both the gateway pods and the demo app pods? If they don't can you let us know about the logs?

hiteshp39 commented 2 years ago

Hello @lahabana, yes, the sidecar container started in both places, and I have applied the annotation for the gateway, which was not enabled on the kong pod. After that it is working fine, but I am still facing some issue after applying the mTLS policy, only on a specific pod:

I have applied Kuma using the Kong gateway. All my apps are working fine: the sidecar container is created and the app was reachable (after applying mTLS and traffic permission). But I am facing an issue specifically on the Keycloak pods (which connect to a Google Cloud DB) after applying the mTLS policy. Below is the error from the Keycloak logs:

```
[1/100] keycloak-http:80 is available. Status code received - 000
Though the keycloak url is accessible, APIs are not fully up(received non 200 status code).
Trial number - 2 for fetch of access token
```

github-actions[bot] commented 2 years ago

This issue was inactive for 30 days; it will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it promptly or attend the next triage meeting.