Readiness and liveness fails after enabling TLS termination on ld-proxy.

[ansilh]

Describe the bug Readiness and liveness fails when enabling TLS termination on ld-proxy. Pods restarts because of Liveness failure

To reproduce

• Create a tls secret named "tls" with a certificate and key.
• Create values.yaml with below to enable TLS.

  relay:
  environment:
    TLS_ENABLED: "true"
    TLS_CERT: "/mnt/secrets/tls.crt"
    TLS_KEY: "/mnt/secrets/tls.key"
  secrets:
  - volumePath: tls.key
    volumeName: tlskey
    secretName: tls
    secretKey: tls.key
  - volumePath: tls.crt
    volumeName: tlscrt
    secretName: tls
    secretKey: tls.crt

• Use below helm command to install the chart

helm install relay --set relay.environment.LD_ENV_YourEnvironment=your-sdk-key -f values.yaml launchdarkly-ld-relay/ld-relay

Expected behavior The Liveness and Readiness check should be using scheme HTTPS instead of default HTTP when TLS termination is enabled on the ld-proxy side.

        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /status
            port: api
            scheme: HTTP <<---- in chart, there is no scheme set, so it sets to default HTTP instead of HTTPS
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /status
            port: api
            scheme: HTTP <<---- in chart, there is no scheme set, so it sets to default HTTP instead of HTTPS
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1

Logs

ld-proxy kubectl pod describe output

  Warning  Unhealthy  9s (x10 over 47s)  kubelet            Readiness probe failed: HTTP probe failed with statuscode: 400
  Warning  Unhealthy  9s (x4 over 39s)   kubelet            Liveness probe failed: HTTP probe failed with statuscode: 400

Helm chart version

NAME                            CHART VERSION   APP VERSION DESCRIPTION
launchdarkly-ld-relay/ld-relay  2.2.1           7.2.1       LaunchDarkly Relay Proxy

Relay proxy configuration, developer tools Helm : v3.11.2 LD Version : launchdarkly/ld-relay:7.2.1

Additional context This issue surfaced after fixing the issue https://github.com/launchdarkly/ld-relay-helm/issues/36

[ansilh]

When I edit the Deployment and sets the scheme to HTTPS, Pod starts fine.

[keelerm84]

Hi again 👋🏼 . Sorry to hear you are still running into some issues with the chart. I will take a look and try to get a fix out for you soon.

Internal: sc-202337

[ansilh]

Hi @keelerm84 :) Thanks for the quick response. Could you please test the SSL termination on ld-proxy in-house if possible ?

[keelerm84]

Could you please test the SSL termination on ld-proxy in-house if possible ?

I did generate a cert using acme.sh, installed the chart as you directed, and verified HTTPS routing worked as anticipated. So I think we should be good once I release the next fix.

[keelerm84]

I have released 2.2.2 which should allow you to update your values file to enable an HTTPS scheme.

relay.livenessProbe.httpGet.scheme = HTTPS relay.readinessProbe.httpGet.scheme = HTTPS