-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
otel-collector requires HTTP/2 TLS passthrough from Envoy / Contour: should it? #1916
Comments
Thanks, by the way, to @pjanotti and @flands who helped me in the Gitter channel, and to this Contour ticket that pointed me at yages! |
My spidey sense tells me this cmux issue may be related... 🤷♀️ |
Hi folks. Just a quick check to see if there is a timeline with this fix since we are running into this as well. |
Hey @kevincantu As I'm not a Countour expert, I tested against 'vanilla' Envoy and I got it working:
I'm wondering if there's something Contour specific or I'm missing something. Let me know ;) |
Oh that's encouraging: perhaps something in Envoy 1.16 fixes this? (The version of Contour I last tested with was using an earlier Envoy.) |
Hey @kevincantu Any update on this? ;) |
Any update on this, How can i disable the tls ? |
I'm no longer actively working on the same system which used this, so I haven't spun up a cluster to try any of this out again lately. What I'd try, though, is setting up something like my example above, with a newer version of Contour (and its corresponding newer version of Envoy), and see whether the workaround I showed is still necessary! Specifically:
|
…etry#1916) Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.39.0 to 1.40.0. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](golangci/golangci-lint@v1.39.0...v1.40.0) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Anthony Mirabella <a9@aneurysm9.com>
How to enable the mTLS for receiver? |
…y#1916) Bumps [boto3](https://github.com/boto/boto3) from 1.24.61 to 1.24.62. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](boto/boto3@1.24.61...1.24.62) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Closing as inactive, please reopen if this is still being worked on. |
I manage to run into this, seems like despite following https://projectcontour.io/docs/main/guides/grpc/ the envoy instance is sending HTTP/1 request to the otel collector instance. |
I got it working when I switched from using the ingress object to using the contour specific httpproxy object, I'll try to figure out if there's a difference between the configuration they generate. |
I've just gotten started setting up otel-collector for some Kubernetes clusters where we use Envoy (configured via Contour) for routing, and discovered a detail that gave me fits, so I think it's worth laying it all out here. I suspect it may be a gRPC server issue in the collector: some gnarly interaction with Envoy, perhaps?
Expected
What I hoped was that otel-collector could be set up much like this demo with YAGES (a gRPC echo server), where:
I set this up using a Contour HTTPProxy in TCP proxying mode, which relies on SNI to route traffic by domain name:
You can exercise that yages app (to send a ping and receive a pong) with the following grpcurl command:
I expected routing just like that to work for otel-collector:
opentelemetry-exporter-otlp
sends gRPC TLS traffic,Actual
But that didn't work.
Instead, when configuring Envoy (via Contour) like that, I saw TCP events in the Envoy access logs like so, but no success:
My sample app (sending traffic to
otel-grpc.staging.test:443
) only receivedStatusCode.UNAVAILABLE
error responses! (I extended this part of the opentelemetry-exporter-otlp Python library to log those codes.)Workaround
To make things work, I had to configure Envoy to pass HTTP/2 TLS traffic to the upstream.
Like so:
opentelemetry-exporter-otlp
sends gRPC TLS traffic,That is, in addition to the TLS cert setup for otel-collector, this Contour HTTPProxy config change:
Bug?
Specifically, I found that when routing OTLP (gRPC) traffic wrapped in HTTP/2 TLS:
I think that means that there's something we could do here to make otel-collector's gRPC server play nicely with Envoy!
The text was updated successfully, but these errors were encountered: