This repository has been archived by the owner on Apr 10, 2024. It is now read-only.

Use HTTP/1.1 to perform readiness check (#156)
This change re-enables the readiness check, using HTTP/1.1 instead of
HTTP/2 to invoke it. The readiness checks are unauthenticated and are
throttled when the feature gate UnauthenticatedHTTP2DOSMitigation is set
to true, which is the default starting in Kubernetes 1.29 (see
https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates).
This was the cause of the "GOAWAY received" errors that have been
observed on Kubernetes 1.29.

This change also decouples starting of the servers from waiting until
they become ready, so that if the readiness check fails due to some
error that propagates out of the polling loop (e.g. IOException), the
caller is free to catch it and continue waiting.
adriansuarez authored Jan 18, 2024
1 parent 9518531 commit 8137188
Showing 2 changed files with 6 additions and 3 deletions.
Expand Up @@ -89,9 +89,7 @@ public void waitUntilReady() {
var readinessChecker = new ProcessReadinessChecker();
var timeout = config.getStartupTimeout();
var startTime = System.currentTimeMillis();
// the 1.29.0 binary has issue with this. Will temporarily comment out and further investigate.
// But with this now all the executions are failing
// readinessChecker.waitUntilReady(apiServerPort, "readyz", KUBE_API_SERVER, true, timeout);
readinessChecker.waitUntilReady(apiServerPort, "readyz", KUBE_API_SERVER, true, timeout);
int newTimout = (int) (timeout - (System.currentTimeMillis() - startTime));
readinessChecker.waitUntilDefaultNamespaceAvailable(apiServerPort, binaryManager, certManager,
config, newTimout);
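Review bot: With the readyz wait restored, the remaining-budget calculation on the `int newTimout = (int) (timeout - (System.currentTimeMillis() - startTime));` line can come out zero or negative when the readyz poll uses up most or all of `timeout`, and that value is passed straight to `waitUntilDefaultNamespaceAvailable`. How that method treats a non-positive timeout is not visible in this hunk, so consider clamping the value or failing with an explicit startup-timeout error before the second wait. The variable name is also misspelled (`newTimout`); renaming it to something like `remainingTimeout` would fix the typo and say what it holds.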
Expand Up @@ -177,8 +177,13 @@ public void checkServerTrusted(
}
},
null);
// Set protocol to HTTP/1.1 for unauthenticated invocations of "GET /readyz". Sending
// unauthenticated requests using HTTP/2 is problematic on Kubernetes >=1.29, which enables
// denial-of-service mitigation for authenticated HTTP/2 by default with the
// UnauthenticatedHTTP2DOSMitigation feature gate.
return HttpClient.newBuilder()
.sslContext(sslContext)
.version(HttpClient.Version.HTTP_1_1)
.build();
} catch (NoSuchAlgorithmException | KeyManagementException e) {
throw new JenvtestException(e);
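Review bot: The new comment says the mitigation applies to "authenticated HTTP/2", which contradicts both the feature gate name `UnauthenticatedHTTP2DOSMitigation` and the comment's own preceding sentence; it should read "unauthenticated HTTP/2". Also, `.version(HttpClient.Version.HTTP_1_1)` pins every request sent through this client, not only `GET /readyz`, so the comment (or the method name) should state that this client is meant for the unauthenticated readiness probe only, particularly since it is built on the `sslContext` that carries the custom `checkServerTrusted` override shown above.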