Ambassador isn't loading a secret in a separate namespace #2202

Closed
djsly opened this issue Jan 15, 2020 · 0 comments
djsly commented Jan 15, 2020

Describe the bug

We are running multiple Ambassadors in different namespaces with the Single namespace flag set to true. We created a shared certificate (secret) namespace to host all the secrets that our Ambassador can use.

To Reproduce
Steps to reproduce the behavior:

  1. Install Ambassador 0.86.1 with a secret in a different namespace
  2. Use TLSContext

      apiVersion: ambassador/v1
      kind: TLSContext
      name: tls
      secret: my-secret.shared-certs
      secret_namespacing: true
      hosts: ["*"]
      alpn_protocols: h2[, http/1.1]
      min_tls_version: v1.2
      redirect_cleartext_from: 8080

  3. Watch the error in the logs and UI; the resolve_secret does it three times

2020/01/15 05:12:32 aggregator: watch hook stderr: 2020-01-15 05:12:32 watch-hook INFO: Found Ambassador service: ambassador-mix-stage
2020/01/15 05:12:32 aggregator: watch hook stderr: 2020-01-15 05:12:32 watch-hook INFO: YAML: using C parser
2020/01/15 05:12:32 aggregator: watch hook stderr: 2020-01-15 05:12:32 watch-hook INFO: YAML: using C dumper
2020/01/15 05:12:32 aggregator: watch hook stderr: 2020-01-15 05:12:32 watch-hook INFO: resolve_secret cd4-crt-nuance-com-cert.shared-certs, namespace mix-stage: namespacing is True
2020/01/15 05:12:32 aggregator: watch hook stderr: 2020-01-15 05:12:32 watch-hook INFO: resolve_secret cd4-crt-nuance-com-cert.shared-certs: asking handler to load
2020/01/15 05:12:32 aggregator: watch hook stderr: 2020-01-15 05:12:32 watch-hook INFO: SecretRecorder: Trying to load secret cd4-crt-nuance-com-cert in namespace shared-certs from TLSContext <IRTLSContext ambassador-mix-stage.mix-stage.2>
2020/01/15 05:12:32 aggregator: watch hook stderr: 2020-01-15 05:12:32 watch-hook INFO: resolve_secret cd4-crt-nuance-com-cert.shared-certs: asking handler to cache
2020/01/15 05:12:32 aggregator: watch hook stderr: 
2020/01/15 05:12:33 aggregator: watch hook stderr: 2020-01-15 05:12:33 watch-hook INFO: Found Ambassador service: ambassador-mix-stage
2020/01/15 05:12:33 aggregator: watch hook stderr: 2020-01-15 05:12:33 watch-hook INFO: YAML: using C parser
2020/01/15 05:12:33 aggregator: watch hook stderr: 2020-01-15 05:12:33 watch-hook INFO: YAML: using C dumper
2020/01/15 05:12:33 aggregator: watch hook stderr: 2020-01-15 05:12:33 watch-hook INFO: resolve_secret cd4-crt-nuance-com-cert.shared-certs, namespace mix-stage: namespacing is True
2020/01/15 05:12:33 aggregator: watch hook stderr: 2020-01-15 05:12:33 watch-hook INFO: resolve_secret cd4-crt-nuance-com-cert.shared-certs: asking handler to load
2020/01/15 05:12:33 aggregator: watch hook stderr: 2020-01-15 05:12:33 watch-hook INFO: SecretRecorder: Trying to load secret cd4-crt-nuance-com-cert in namespace shared-certs from TLSContext <IRTLSContext ambassador-mix-stage.mix-stage.2>
2020/01/15 05:12:33 aggregator: watch hook stderr: 2020-01-15 05:12:33 watch-hook INFO: resolve_secret cd4-crt-nuance-com-cert.shared-certs: asking handler to cache
2020/01/15 05:12:33 aggregator: watch hook stderr: 

The third time it's the AmbassadorEventWatcher who is performing the check

2020/01/15 05:12:33 notify: python /ambassador/post_update.py --watt  http://localhost:8002/snapshots/1
2020-01-15 05:12:33 diagd 0.86.1 [P492TThreadPoolExecutor-0_0] INFO: Update requested: watt, http://localhost:8002/snapshots/1
2020-01-15 05:12:33 diagd 0.86.1 [P492TAmbassadorEventWatcher] INFO: copying configuration: watt, http://localhost:8002/snapshots/1 to /ambassador/snapshots/snapshot-tmp.yaml
2020-01-15 05:12:33 diagd 0.86.1 [P492TAmbassadorEventWatcher] INFO: Found pod labels: ['app.kubernetes.io/instance="ambassador"\n', 'app.kubernetes.io/name="ambassador"\n', 'app.kubernetes.io/part-of="ambassador"\n', 'harness.io/release-name="ambassador"\n', 'pod-template-hash="69977998bc"']
2020-01-15 05:12:33 diagd 0.86.1 [P492TAmbassadorEventWatcher] INFO: Found Ambassador service: ambassador-mix-stage
2020-01-15 05:12:33 diagd 0.86.1 [P492TAmbassadorEventWatcher] INFO: YAML: using C parser
2020-01-15 05:12:33 diagd 0.86.1 [P492TAmbassadorEventWatcher] INFO: YAML: using C dumper
2020-01-15 05:12:33 diagd 0.86.1 [P492TAmbassadorEventWatcher] INFO: resolve_secret cd4-crt-nuance-com-cert.shared-certs, namespace mix-stage: namespacing is True
2020-01-15 05:12:33 diagd 0.86.1 [P492TAmbassadorEventWatcher] INFO: resolve_secret cd4-crt-nuance-com-cert.shared-certs: asking handler to load
2020-01-15 05:12:33 diagd 0.86.1 [P492TAmbassadorEventWatcher] ERROR: Secret cd4-crt-nuance-com-cert.shared-certs unknown
2020-01-15 05:12:33 diagd 0.86.1 [P492TAmbassadorEventWatcher] ERROR: ambassador-mix-stage.mix-stage.2: <RichStatus BAD error=TLSContext tls found no certificate in secret cd4-crt-nuance-com-cert in namespace shared-certs, ignoring... hostname=ambassador-mix-stage-69977998bc-w5vzn version=0.86.1>
2020-01-15 05:12:33 diagd 0.86.1 [P492TAmbassadorEventWatcher] INFO: re_type safe
2020-01-15 05:12:33 diagd 0.86.1 [P492TAmbassadorEventWatcher] INFO: V2Listener: Using log_format 'ACCESS [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"

Expected behavior
CERT / Secret should be loaded

Versions (please complete the following information):

  • Ambassador: 0.86.1
  • Kubernetes environment: AKS
  • Version 1.14.8
@khussey khussey added the t:bug Something isn't working label Jan 15, 2020
titilambert added a commit to titilambert/ambassador that referenced this issue Jan 15, 2020
@titilambert titilambert mentioned this issue Jan 15, 2020
2 tasks
@khussey khussey added this to the 1.0 Cool-down milestone Jan 15, 2020
@kflynn kflynn self-assigned this Jan 18, 2020
@khussey khussey modified the milestones: 1.0 Cool-down, 1.y Cycle 1 Jan 24, 2020
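
A triage helper for logs like the ones in the report, added here as an example (not code from the issue or from the Ambassador project): it pairs each `resolve_secret` line with a later `Secret … unknown` error from the same component and flags references that point outside Ambassador's own namespace. Splitting the reference on its last dot is an assumption; how Ambassador splits names with more than one dot is not shown on the page.

```python
import re

# Three lines copied from the logs in the report: one watch-hook pass, one diagd pass.
SAMPLE_LOG = """\
2020/01/15 05:12:32 aggregator: watch hook stderr: 2020-01-15 05:12:32 watch-hook INFO: resolve_secret cd4-crt-nuance-com-cert.shared-certs, namespace mix-stage: namespacing is True
2020-01-15 05:12:33 diagd 0.86.1 [P492TAmbassadorEventWatcher] INFO: resolve_secret cd4-crt-nuance-com-cert.shared-certs, namespace mix-stage: namespacing is True
2020-01-15 05:12:33 diagd 0.86.1 [P492TAmbassadorEventWatcher] ERROR: Secret cd4-crt-nuance-com-cert.shared-certs unknown
"""

RESOLVE = re.compile(r"resolve_secret (\S+), namespace (\S+): namespacing is (True|False)")
UNKNOWN = re.compile(r"ERROR: Secret (\S+) unknown")
THREAD = re.compile(r"\[P\d+T([^\]]+)\]")  # diagd tag, e.g. [P492TAmbassadorEventWatcher]


def component(line):
    """Name the log source: the watch hook, or the diagd thread."""
    if "watch-hook" in line:
        return "watch-hook"
    m = THREAD.search(line)
    return m.group(1) if m else "unknown"


def triage(log):
    """Return one record per (component, secret reference) resolved in the log."""
    records = {}
    for line in log.splitlines():
        comp = component(line)
        m = RESOLVE.search(line)
        if m:
            ref, own_ns, flag = m.groups()
            # Assumption: with namespacing on, the text after the last dot is
            # the namespace (a Kubernetes namespace cannot contain a dot).
            name, dot, ns = ref.rpartition(".")
            if not (flag == "True" and dot):
                name, ns = ref, own_ns
            records[(comp, ref)] = {"component": comp, "secret": name,
                                    "secret_ns": ns, "own_ns": own_ns,
                                    "cross_namespace": ns != own_ns, "failed": False}
            continue
        m = UNKNOWN.search(line)
        if m and (comp, m.group(1)) in records:
            records[(comp, m.group(1))]["failed"] = True
    return list(records.values())


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

On the sample, both components resolve the same cross-namespace reference, and only the AmbassadorEventWatcher record is marked as failed.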