New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CAPI Failure When UAA Isn't Available on Internal Address Is Late and Obscure #43
Comments
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/138211943 The labels on this github issue will be updated when the story is started. |
Hey @anEXPer, Apologies for the delay in responding. I'm curious whether the CC property |
The Regardless, the particulars of how CC and UAA get mutually configured to talk to one another is secondary to the main issue. We'd like to see jobs that can't possibly work fail in post-start, so that the deploy won't proceed. If talking to UAA is impossible, CC should fail, to prevent that config change from rolling to other instances and taking down the API for the whole deployment. |
@anEXPer We made some commits to return a clearer error message when using the CC API (see the commits attached to the associated story). We'll close this issue based on the error message fix, and we'll ask @zrob to consider whether we want to or can make the bosh deploy fail if UAA is unavailable. If we end up tackling that, we'll make a separate tracker story or bug for it. Thanks, |
If UAA isn't set to have
uaa.service.cf.internal
inuaa.zones.internal.hostnames
, or is otherwise unavailable, CC emits 502s with no error message on all endpoints that attempt token validation.It should probably fail to start, instead. Failing that, it should emit a clear error message.
Steps to Reproduce
Override the
uaa.zones.internal.hostnames
to nil in your stub, deploy, then try to use CC. I've not tried this, so you could instead deploy with the minimal-aws example manifest prior to the fix here.Expected result
The CC should probably fail to come up if it can't talk to UAA after a deploy. This would allow the canary to prevent all of the CCs from becoming non-functional in a misconfigured upgrade scenario.
If not, the message should at least say "yo I can't get the key from UAA because 404s on this wack internal address" or something.
Current result
From the user's perspective:
From the logs:
And this is after the deploy is successful, so only post-deployment testing catches it.
The text was updated successfully, but these errors were encountered: