serverless / event-gateway

React to any event with serverless functions across clouds
https://www.serverless.com/event-gateway
Apache License 2.0
1.65k stars, 97 forks

Event-gateway with minikube. "cannot validate certificate" #513

Closed lexxito closed 6 years ago

lexxito commented 6 years ago

Good day!

I am running event-gateway with minikube, following this tutorial but without helm. etcd and event gateway are started manually:

etcd.yaml:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: etcd-event-gateway
  labels:
    app: etcd-event-gateway
spec:
  serviceName: etcd-event-gateway
  selector:
    matchLabels:
      app: etcd-event-gateway
  replicas: 1
  template:
    metadata:
      labels:
        app: etcd-event-gateway
    spec:
      containers:
        - name: etcd-event-gateway
          image: gcr.io/etcd-development/etcd:v3.3.9
          command:
            - "/usr/local/bin/etcd"
          args:
            - "--advertise-client-urls=http://0.0.0.0:2379"
            - "--data-dir=/var/lib/etcd"
            - "--name=etcd0"
            - "--listen-client-urls=http://0.0.0.0:2379"
            - "--listen-peer-urls=http://0.0.0.0:2380"
            - "--initial-cluster-state=new"
            - "--initial-advertise-peer-urls=http://0.0.0.0:2380"
            - "--initial-cluster"
            - "etcd0=http://0.0.0.0:2380"
            - "--initial-cluster-token=events"
          volumeMounts:
            - name: etcd-data
              mountPath: /var/lib/etcd
  volumeClaimTemplates:
    - metadata:
        name: etcd-data
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
---
apiVersion: v1
kind: Service
metadata:
  name: etcd-event-gateway
spec:
  ports:
    - name: etcd
      port: 2379
  selector:
    app: etcd-event-gateway

event-gateway.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: serverless-event-gateway
  labels:
    app: serverless-event-gateway
spec:
  selector:
    matchLabels:
      app: serverless-event-gateway
  replicas: 1
  template:
    metadata:
      labels:
        app: serverless-event-gateway
    spec:
      containers:
        - name: serverless-event-gateway
          image: serverless/event-gateway:0.9.1
          args:
            - "-db-hosts=etcd-event-gateway:2379"
            - "-log-format=text"
            - "-log-level=debug"
          livenessProbe:
            httpGet:
              path: "/v1/status"
              port: 4001
          readinessProbe:
            httpGet:
              path: "/v1/status"
              port: 4001
---
apiVersion: v1
kind: Service
metadata:
  name: serverless-event-gateway
spec:
  type: ClusterIP
  ports:
    - name: events
      protocol: TCP
      port: 4000
    - name: config
      protocol: TCP
      port: 4001
  selector:
    app: serverless-event-gateway
---
apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    name: serverless-event-gateway-ingress
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/rewrite-target: /
  spec:
    rules:
    - 
      http:
        paths:
        - backend: 
            serviceName: serverless-event-gateway
            servicePort: 4000
          path: /serverless-event-gateway/events
        - backend: 

The function and the subscription are registered correctly and successfully.

But when I try to invoke the function, I get the following error:

curl -k --request POST \
  --url https://192.168.99.100/serverless-event-gateway/events/hello-serverless-kubeless \
  --data '{"message": "Hello world!"}'\
  --header 'host: eventgateway.minikube'
INFO    Function invocation failed. 
{
  "space": "default",
  "functionId": "hello-serverless-kubeless",
  "event": {
    "eventType": "http.request",
    "cloudEventsVersion": "0.1",
    "source": "https://serverless.com/event-gateway/#transformationVersion=0.1",
    "eventID": "b88cc5fd-a150-4bfa-bace-8aea5054e90c",
    "eventTime": "2018-09-03 09:40:50.928715338 +0000 UTC m=+1207.760115437",
    "contentType": "application/json",
    "extensions": {
      "eventgateway": "{\"transformation-version\":\"0.1\",\"transformed\":\"true\"}"
    },
    "data": "{\"headers\":{\"Accept\":\"*/*\",\"Connection\":\"close\",\"Content-Length\":\"27\",\"Content-Type\":\"application/x-www-form-urlencoded\",\"User-Agent\":\"curl/7.58.0\",\"X-Forwarded-For\":\"192.168.99.1\",\"X-Forwarded-Host\":\"eventgateway.minikube\",\"X-Forwarded-Port\":\"443\",\"X-Forwarded-Proto\":\"https\",\"X-Original-Uri\":\"/serverless-event-gateway/events/hello-serverless-kubeless\",\"X-Real-Ip\":\"192.168.99.1\",\"X-Request-Id\":\"be5334e694176826d60ae8344f18b0ab\",\"X-Scheme\":\"https\"},\"query\":{},\"body\":\"{\\\"message\\\": \\\"Hello world!\\\"}\",\"host\":\"eventgateway.minikube\",\"path\":\"/hello-serverless-kubeless\",\"method\":\"POST\",\"params\":{}}"
  },
  "error": "Function call failed. Error: Post https://192.168.99.100/hello-serverless-kubeless: x509: cannot validate certificate for 192.168.99.100 because it doesn't contain any IP SANs"
}

I would be super thankful if you have any idea why event-gateway has a problem with certificate validation.

best,

mthenw commented 6 years ago

Hey @lexxito,

The issue is not with minikube but with the function that you configured. Your function runs on HTTPS, but it's only an IP address (not an FQDN). Event Gateway supports HTTPS functions only with a valid SSL certificate.

Is your endpoint 192.168.99.100/hello-serverless-kubeless also exposed on http://?

lexxito commented 6 years ago

Yes, you are right. 192.168.99.100/hello-serverless-kubeless was also exposed over http://

I am using kubeless, and the function is deployed on minikube itself. To expose the function over the https port, I have added these lines to nginx:

...
        - backend:
            serviceName: hello-serverless-kubeless
            servicePort: 8080
          path: /func
...

the command:

curl -k --request POST \
      --data "magic example data" \
      --header "Content-Type: application/json" \
      https://192.168.99.100/func

returns magic example data successfully.

The Function and Subscription are as follows:

{
  "space": "default",
  "functionId": "hello-serverless-kubeless",
  "type": "http",
  "provider": {
    "url": "https://192.168.99.100/hello-serverless-kubeless"
  }
}
{
  "space": "default",
  "functionId": "hello-serverless-kubeless",
  "type": "http",
  "provider": {
    "url": "https://192.168.99.100/func"
  }
}

Nevertheless the error is the same: "error": "Function call failed. Error: Post https://192.168.99.100/func: x509: cannot validate certificate for 192.168.99.100 because it doesn't contain any IP SANs"

I am having trouble only with the kubeless use case. Other providers work fine for me.

sebito91 commented 6 years ago

Your curl command will absolutely return your function because you're specifying the -k command to curl (aka the --insecure flag). If you remove the -k does your function reply as you'd expect?

sebito91 commented 6 years ago

Another note about your minikube ingress is that you didn't specify a host name for the Ingress as we do here. You won't need to provide the --header 'eventgateway.minikube' value because it's not being used at all.

I would also try to query your endpoint using curl and the following...

curl -v --request POST \
      --data "magic example data" \
      --header "Content-Type: application/json" \
      --key /path/to/your/pubkey.key \
      --cert /path/to/your/signed.pem \
      --cacert /path/to/your/public_ca.pem \
      https://192.168.99.100/func

That should give you verbose, signed access to the endpoint and print out any errors in case they don't work for any reason.

sebito91 commented 6 years ago

@lexxito just checking in to see how this issue was going for you. Were you able to figure out the fix?