Closed bellamariz closed 11 months ago
Turns out I had to give ACL permission to the entire Slack DNS domain on Tsuru. Simply using the subdomain rule *.slack.com does not work:
Service: acl
Instance: gitlab-reminder-acl
Jobs: gitlab-reminder-job
Rules:
Rule ID: xxxxxxx - Destination: DNS: .slack.com, Ports: tcp:443
Rule ID: xxxxxxx - Destination: DNS: hooks.slack.com, Ports: tcp:443
Rule ID: xxxxxxx - Destination: DNS: api.slack.com, Ports: tcp:443
Once I did that, the app executed perfectly on the Tsuru framework:
4:13PM INF reminder/reminder.go:55 > reminder sent about merge requests!
4:13PM INF reminder/reminder.go:62 > reminder sent about recently failed jobs!
Also, while thinking about why it probably didn't work with Kubernetes, my pod had only pinged on two of MANY possible IP addresses the Slack API DNS could respond to. Therefore, I had only created the ACL permission for them:
- 18.230.171.141 443 tcp
- 54.94.183.148 443 tcp
But here's the full list of possible IPs the Slack API can respond to:
Issue resolved!
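The failure mode described in the comment above (an IP allowlist built from one lookup of a hostname that resolves to many addresses), as an added example that is not part of the original issue: a Go check that reports which resolved addresses an egress allowlist does not cover. The function name `uncovered` is hypothetical and the sample addresses are constructed from documentation ranges, not real Slack addresses.

```go
package main

import (
	"fmt"
	"net/netip"
)

// uncovered returns the resolved addresses that no allowlist entry permits.
// Allowlist entries may be single IPs ("192.0.2.10") or CIDR prefixes.
func uncovered(allow, resolved []string) ([]netip.Addr, error) {
	var prefixes []netip.Prefix
	for _, a := range allow {
		p, err := netip.ParsePrefix(a)
		if err != nil {
			// Not CIDR notation: treat the entry as a single host address.
			ip, ipErr := netip.ParseAddr(a)
			if ipErr != nil {
				return nil, fmt.Errorf("bad allowlist entry %q: %w", a, ipErr)
			}
			p = netip.PrefixFrom(ip.Unmap(), ip.Unmap().BitLen())
		}
		prefixes = append(prefixes, p.Masked())
	}
	var missing []netip.Addr
next:
	for _, r := range resolved {
		ip, err := netip.ParseAddr(r)
		if err != nil {
			return nil, fmt.Errorf("bad resolved address %q: %w", r, err)
		}
		ip = ip.Unmap() // compare IPv4-mapped IPv6 answers as plain IPv4
		for _, p := range prefixes {
			if p.Contains(ip) {
				continue next
			}
		}
		missing = append(missing, ip) // a connection to this address would time out
	}
	return missing, nil
}

func main() {
	// Constructed sample data: two allowlisted IPs, three DNS answers.
	allow := []string{"192.0.2.10", "192.0.2.11"}
	resolved := []string{"192.0.2.10", "198.51.100.7", "203.0.113.25"}
	missing, err := uncovered(allow, resolved)
	fmt.Println(missing, err)
}
```

In practice the `resolved` slice would come from repeated `net.LookupHost` calls for the webhook hostname, run from inside the pod, since a single lookup only shows some of the addresses.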
What happened
Hello! I built a Golang app that sends messages to a Slack channel using a Slack Bot I also created. I'm using the goslack.PostWebhook method and it keeps returning a Post \"https://hooks.slack.com/services/private-webhook-url\": dial tcp 54.163.235.119:443: i/o timeout error.
Expected behaviour
Whenever I run my code locally using Docker, there are no issues:
Real behaviour
But when I try to run my app using the Tsuru Service or a Kubernetes Job, I keep getting the timeout error:
Steps
My code is simple, as follows:
The Slack Bot - responsible for sending the message through the Webhook - is configured with the necessary authorizations:
Because my app runs in my company's internal network pool (for Tsuru) and cluster (for Kubernetes),
1) I added the Slack DNS *.slack.com on port 443 to my app's ACL service on the Tsuru pool:
2) And when I tried to use the Kubernetes Job service instead of Tsuru, I liberated the IPs used by the Slack API:
However, I still got the same timeout error for both cases.
What I find weird is that I gave the same ACL permission to another external API service my app uses (GitLab REST API - go-gitlab), and there was no timeout issue with them. The access was liberated as expected and no timeout issue occurred. This is just happening with the Slack API. Are the ACL permissions I gave not correct? Do I need to add another DNS or IP? Or is this timeout related to something else?
Thank you!
Versions