redpanda-data / helm-charts

Redpanda Helm Chart
http://redpanda.com
Apache License 2.0

When disabling TLS for the admin listener the url for the request has a trailing dot #1497

Open corang opened 1 month ago

corang commented 1 month ago

What happened?

When disabling TLS for the admin listener, the URL for the request has a trailing dot. While this may be fine in vanilla Kubernetes, it causes a failure when using a service mesh like Istio.

Job log:

```
unable to query config schema: request GET http://redpanda-0.redpanda.redpanda.svc.cluster.local.:9644/v1/cluster_config/schema failed: Service Unavailable, body: "upstream connect error or disconnect/reset before headers. reset reason: connection termination"
```

Main Redpanda Istio sidecar log:

```
[2024-08-21T19:41:20.561Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 0 - "-" "-" "-" "-" "-" - - 10.42.0.109:9644 10.42.0.113:60346 - -
```

What did you expect to happen?

The URL should not have a trailing dot, so that service meshes can resolve the endpoint correctly.

How can we reproduce it (as minimally and precisely as possible)?. Please include values file.

```yaml
listeners:
  admin:
    appProtocol: http
    tls:
      enabled: false
monitoring:
  enabled: true
  enableHttp2: false
```

Deploy Redpanda with that config on top of Istio with istio-injection enabled and mTLS set to strict.

Anything else we need to know?

This can be worked around with istio via a set of destination rules and service entries.

If there wasn't a trailing dot this would work:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: redpanda-headless
  namespace: redpanda
spec:
  hosts:
  - redpanda-0.redpanda.redpanda.svc.cluster.local
  ports:
  - number: 9644
    name: admin
    protocol: HTTP
  resolution: NONE
  location: MESH_INTERNAL
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: redpanda-headless
  namespace: redpanda
spec:
  host: redpanda-0.redpanda.redpanda.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      sni: redpanda-0.redpanda.redpanda.svc.cluster.local
```

However, since there is, we have to add this set as well:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: redpanda-headless-dot
  namespace: redpanda
spec:
  hosts:
  - redpanda-0.redpanda.redpanda.svc.cluster.local.
  ports:
  - number: 9644
    name: admin
    protocol: HTTP
  resolution: NONE
  location: MESH_INTERNAL
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: redpanda-headless-dot
  namespace: redpanda
spec:
  host: redpanda-0.redpanda.redpanda.svc.cluster.local.
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      sni: redpanda-0.redpanda.redpanda.svc.cluster.local.
```

Which are the affected charts?

Redpanda

Chart Version(s)

```console
$ helm -n redpanda list
NAME      NAMESPACE  REVISION  UPDATED                                  STATUS    CHART           APP VERSION
redpanda  redpanda   1         2024-08-21 19:45:48.328080392 +0000 UTC  deployed  redpanda-5.9.1  v24.2.2
```

Cloud provider

Local k3d cluster

JIRA Link: K8S-326
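The mismatch reported above, as an added Go example that is not code from the chart or from the issue author: it checks whether a request URL's host matches a mesh host entry and rewrites an absolute FQDN (trailing root dot) to the form used in the first ServiceEntry. `MeshMatch` and `StripRootDot` are hypothetical names, and exact string comparison of hosts is an assumption drawn from the need for the separate `-dot` resources.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// MeshMatch reports whether the host in rawURL appears verbatim in meshHosts.
// Assumption: hosts are compared as exact strings, so "name." != "name".
func MeshMatch(rawURL string, meshHosts []string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	for _, h := range meshHosts {
		if h == u.Hostname() {
			return true, nil
		}
	}
	return false, nil
}

// StripRootDot rewrites an absolute FQDN host ("name.") to "name", keeping
// scheme, port and path. URLs without a trailing dot are returned unchanged.
func StripRootDot(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	host := u.Hostname()
	if !strings.HasSuffix(host, ".") {
		return rawURL, nil
	}
	host = strings.TrimSuffix(host, ".")
	if port := u.Port(); port != "" {
		host = net.JoinHostPort(host, port)
	}
	u.Host = host
	return u.String(), nil
}

func main() {
	raw := "http://redpanda-0.redpanda.redpanda.svc.cluster.local.:9644/v1/cluster_config/schema" // URL from the job log
	fixed, _ := StripRootDot(raw)
	ok, _ := MeshMatch(fixed, []string{"redpanda-0.redpanda.redpanda.svc.cluster.local"})
	fmt.Println(fixed, ok)
}
```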