Documentation: Health Checks failing after tls.mode=STRICT #664

Open
egkelly opened this issue Dec 9, 2022 · 0 comments
Labels
enhancement New feature or request

egkelly commented Dec 9, 2022

Is your feature request related to a problem?

Yes

The documentation in the troubleshooting guide mentions that in order to allow pod health checks to succeed when in strict TLS mode, exposing the liveness/readiness port on a separate port from the actual application port is necessary. However, it does not provide an example, and my attempt at making this work is not getting me anywhere.

I've set up my deployment as below:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-webapp
  namespace: my-app
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: my-webapp
  template:
    metadata:
      annotations:
        appmesh.k8s.aws/egressIgnoredPorts: '22,6379'
        appmesh.k8s.aws/mesh: my-service-mesh
        appmesh.k8s.aws/ports: '3000'
        appmesh.k8s.aws/virtualNode: my-webapp
      labels:
        app.kubernetes.io/name: my-webapp
    spec:
      containers:
        - livenessProbe:
            httpGet:
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
              path: /healthcheck
              port: 3001
          name: cmd-webapp
          ports:
            - containerPort: 3000
              hostPort: 3000
            - containerPort: 3000
              hostPort: 3001
          readinessProbe:
            httpGet:
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
              path: /healthcheck
              port: 3001

With this approach, however, I only get a crashloop deployment as the healthcheck says Readiness probe failed: Get "http://xx.xx.xx.xx:3001/healthcheck": dial tcp xx.xx.xx.xx:3001: connect: connection refused

Describe the solution you'd like
Adding documentation to the troubleshooting guide and/or the mTLS walkthrough for this workaround would be much appreciated. I'm not sure if I'm on the right path with this solution but I would like to continue having my deployment healthchecks as opposed to removing them as seemingly demonstrated in the mTLS walkthrough.

Describe alternatives you've considered
Moving to Istio -- Istio provides a more in-depth guide for this issue, though their solutions don't seem applicable to App Mesh functionality. https://istio.io/latest/docs/ops/configuration/mesh/app-health-check/

@egkelly egkelly added the enhancement New feature or request label Dec 9, 2022
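
An added example, not part of the issue or of the App Mesh documentation: a pod template fragment in which the health endpoint has its own listener, as the troubleshooting guide's workaround describes. The kubelet sends httpGet probes to the pod IP on the probe port, so a process in the container must actually listen on 3001; a hostPort only maps a port on the node to a containerPort. Assumptions: the application opens a second plain-HTTP listener on 3001 that serves /healthcheck, appmesh.k8s.aws/ports lists only the ports redirected through Envoy, and the image name is a placeholder.

```yaml
# Added example: pod template fragment only (merge into spec.template of the Deployment).
metadata:
  annotations:
    appmesh.k8s.aws/mesh: my-service-mesh
    appmesh.k8s.aws/virtualNode: my-webapp
    # Assumption: only ports listed here are redirected through Envoy,
    # so 3001 is left out and is not subject to the STRICT TLS listener.
    appmesh.k8s.aws/ports: '3000'
  labels:
    app.kubernetes.io/name: my-webapp
spec:
  containers:
    - name: cmd-webapp
      image: registry.example/my-webapp:TAG   # placeholder image
      ports:
        - name: app
          containerPort: 3000   # application traffic, behind Envoy with tls.mode=STRICT
        - name: health
          containerPort: 3001   # assumption: the app binds a second plain-HTTP listener here
      # No hostPort entries: probes target the pod IP, not a node port.
      # The health listener is unauthenticated plain HTTP, so it should serve
      # only /healthcheck and expose no application data.
      livenessProbe:
        httpGet:
          path: /healthcheck
          port: health
      readinessProbe:
        httpGet:
          path: /healthcheck
          port: health
```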