projectcalico / calico

Cloud native networking and network security
https://docs.tigera.io/calico/latest/about/
Apache License 2.0

Running calico-apiserver in insecure mode #9210

Open lohrbini opened 1 week ago

lohrbini commented 1 week ago

If you deploy the calico apiserver as a manifest with the option --secure-port=0, the pod gets stuck in CrashLoopBackOff with panic: runtime error: invalid memory address or nil pointer dereference

Expected Behavior

Running the calico-apiserver on plain http instead of https

Current Behavior

As described above, the pod is stuck in a crash loop

NAME                                READY   STATUS             RESTARTS         AGE
calico-apiserver-7b85499949-x5f8b   0/1     CrashLoopBackOff   14 (3m36s ago)   50m

Steps to Reproduce (for bugs)

  1. Download the manifests
  2. Update the deployment
...
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    apiserver: "true"
    k8s-app: calico-apiserver
  name: calico-apiserver
  namespace: calico-apiserver
spec:
  replicas: 1
  selector:
    matchLabels:
      apiserver: "true"
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        apiserver: "true"
        k8s-app: calico-apiserver
      name: calico-apiserver
      namespace: calico-apiserver
    spec:
      containers:
      - args:
        - -v=5
        - --secure-port=0
        env:
        - name: DATASTORE_TYPE
          value: kubernetes
        image: calico/apiserver:v3.28.1
        name: calico-apiserver
        readinessProbe:
          httpGet:
            path: /readyz
            port: 80
            scheme: HTTP
          timeoutSeconds: 5
          periodSeconds: 60
        securityContext:
          privileged: false
          runAsUser: 0
        # volumeMounts:
        # - mountPath: /code/apiserver.local.config/certificates
        #   name: calico-apiserver-certs
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: Always
      serviceAccount: calico-apiserver
      serviceAccountName: calico-apiserver
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane
      # volumes:
      # - name: calico-apiserver-certs
      #   secret:
      #     secretName: calico-apiserver-certs
...
  3. Apply the manifest with the updated values
  4. Receive Pod in CrashLoopBackOff
Version:      v3.28.1
Build date:   2024-07-30T22:50:38+0000
Git tag ref:  v3.28.1
Git commit:   601856343
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x58 pc=0x2135eb4]

goroutine 1 [running]:
github.com/projectcalico/calico/apiserver/cmd/apiserver/server.(*CalicoServerOptions).Config(0xc00052bef0)
    /go/src/github.com/projectcalico/calico/apiserver/cmd/apiserver/server/options.go:131 +0x5f4
github.com/projectcalico/calico/apiserver/cmd/apiserver/server.PrepareServer(0xc000720be8?)
    /go/src/github.com/projectcalico/calico/apiserver/cmd/apiserver/server/run_server.go:42 +0x65
github.com/projectcalico/calico/apiserver/cmd/apiserver/server.NewCommandStartCalicoServer.func1.2()
    /go/src/github.com/projectcalico/calico/apiserver/cmd/apiserver/server/server.go:87 +0x1c
k8s.io/kubernetes/pkg/util/interrupt.(*Handler).Run(0xc0003735f0, 0xc000677b30)
    /go/pkg/mod/k8s.io/kubernetes@v1.28.12/pkg/util/interrupt/interrupt.go:92 +0x122
github.com/projectcalico/calico/apiserver/cmd/apiserver/server.NewCommandStartCalicoServer.func1(0xc0001c3b00?, {0x27eed83?, 0x4?, 0x27eed3f?})
    /go/src/github.com/projectcalico/calico/apiserver/cmd/apiserver/server/server.go:86 +0x10b
github.com/spf13/cobra.(*Command).execute(0xc000340308, {0xc0001161c0, 0x2, 0x2})
    /go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:987 +0xab1
github.com/spf13/cobra.(*Command).ExecuteC(0xc000340308)
    /go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1115 +0x3ff
github.com/spf13/cobra.(*Command).Execute(...)
    /go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1039
k8s.io/component-base/cli.run(0xc000340308)
    /go/pkg/mod/k8s.io/component-base@v0.28.12/cli/run.go:146 +0x290
k8s.io/component-base/cli.Run(0x4?)
    /go/pkg/mod/k8s.io/component-base@v0.28.12/cli/run.go:46 +0x17
main.main()
    /go/src/github.com/projectcalico/calico/apiserver/cmd/apiserver/apiserver.go:66 +0x30f

Your Environment

caseydavenport commented 1 week ago

> Running the calico-apiserver on plain http instead of https

Could you share why you want to do this?