Dapr sidecar refuses connection to invoke method on the echoapp from middleware quickstart

[TenSt]

In what area(s)?

/area runtime

What version of Dapr?

1.4.x

Expected Behavior

Dapr sidecar allows connection to invoke a method on the echoapp.
Maybe I've missed something, but as I understand 1.4.x should work like 1.3.x in this scenario.

Actual Behavior

I was following the quickstart for middleware to verify that all works well before upgrade Dapr to 1.4.2 and noticed that Dapr sidecar refuses connection to the invoke of the echoapp. Verified on previous version - 1.3.1 - the issue is not reproducible there and all works well.

Steps to Reproduce the Problem

1. Install Dapr 1.4.x (all is working fine in 1.3.x)
2. Install Nginx as ingress controller:
   helm install my-release ingress-nginx/ingress-nginx
3. Apply echoapp from middleware quickstart, but without middleware (to make sure that it is not because of middleware):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: echoapp
  namespace: default
  labels:
    app: echo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echo
  template:
    metadata:
      labels:
        app: echo
      annotations:
        dapr.io/enabled: "true"
        dapr.io/app-id: echoapp
        dapr.io/app-port: "3000"
        dapr.io/log-level: debug
    spec:
      containers:
        - name: echo
          image: dapriosamples/middleware-echoapp:edge
          ports:
            - containerPort: 3000
          imagePullPolicy: Always

4. Apply ingress rule - same as in quickstart:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: echo-ingress
spec:
  rules:
    - http:
        paths:
          - backend:
              serviceName: echoapp-dapr
              servicePort: 80
            path: /

5. Curl the echo method via the ingress external IP:
   curl http://EXTERNAL_IP_ADDRESS/v1.0/invoke/echoapp/method/echo?text=hello
   Response from Nginx:

<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx</center>
</body>
</html>

6. Review the logs from the ingress controller:

2021/09/27 19:33:34 [error] 1077#1077: *191178 connect() failed (111: Connection refused) while connecting to upstream, client: 10.100.1.1, server: _, request: "GET /v1.0/invoke/echoapp/method/echo?text=hello HTTP/1.1", upstream: "http://10.100.1.49:3500/v1.0/invoke/echoapp/method/echo?text=hello", host: "185.226.43.76"
2021/09/27 19:33:34 [error] 1077#1077: *191178 connect() failed (111: Connection refused) while connecting to upstream, client: 10.100.1.1, server: _, request: "GET /v1.0/invoke/echoapp/method/echo?text=hello HTTP/1.1", upstream: "http://10.100.1.49:3500/v1.0/invoke/echoapp/method/echo?text=hello", host: "185.226.43.76"
2021/09/27 19:33:34 [error] 1077#1077: *191178 connect() failed (111: Connection refused) while connecting to upstream, client: 10.100.1.1, server: _, request: "GET /v1.0/invoke/echoapp/method/echo?text=hello HTTP/1.1", upstream: "http://10.100.1.49:3500/v1.0/invoke/echoapp/method/echo?text=hello", host: "185.226.43.76"
10.100.1.1 - - [27/Sep/2021:19:33:34 +0000] "GET /v1.0/invoke/echoapp/method/echo?text=hello HTTP/1.1" 502 150 "-" "curl/7.68.0" 119 0.000 [default-echoapp-dapr-80] [] 10.100.1.49:3500, 10.100.1.49:3500, 10.100.1.49:3500 0, 0, 0 0.000, 0.000, 0.000 502, 502, 502 d4f3218884f9087d3cb4e7dceeabf8a0

Note: verified on k8s v1.19 and v1.20.

Release Note

RELEASE NOTE:

[yaron2]

In 1.4 the daprd process was locked down to only accept connections from the pod boundary for a good security measure.

If you want to enable calling Dapr externally, please add the following annotation:

dapr.io/sidecar-listen-addresses: "0.0.0.0"

[TenSt]

Thanks, @yaron2. All worked well after adding the annotation. I will do a small PR to quickstarts repo to fix this too.