[BUG] Requesting "additional-ca" and then requesting "network.harvesterhci.io.clusternetworks" will return a 503 error #2205
Comments
Just did some simple research. If we provide a valid CA certificate, it succeeds without any error. Otherwise it behaves as WuJun2016 described. I use the following commands to create a valid certificate.

```
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem
```

The current backend code (harvester-webhook) only adds additional-ca to the root CA for its HTTPS transport. Nothing seems weird to me so far. However, I observed some fun facts
I wonder if we can avoid the downtime if we leverage
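Added example, not code from this issue or from the Harvester project: how Go's standard library behaves when an extra CA is appended to the root pool of an HTTPS transport, given a valid PEM certificate versus arbitrary text. `newTestCA` and `transportWithAdditionalCA` are hypothetical names, and the CA is constructed in memory as sample input.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// newTestCA builds a throwaway self-signed CA in memory (constructed sample input).
func newTestCA() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0), IsCA: true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// transportWithAdditionalCA (hypothetical helper) appends extraPEM to the root pool
// and fails if no certificate could be parsed from it.
func transportWithAdditionalCA(extraPEM []byte) (*http.Transport, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool() // fall back to an empty pool
	}
	if !pool.AppendCertsFromPEM(extraPEM) {
		return nil, fmt.Errorf("additional CA: no valid PEM certificate found")
	}
	return &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}, nil
}

func main() {
	ca, _ := newTestCA()
	_, good := transportWithAdditionalCA(ca)
	_, bad := transportWithAdditionalCA([]byte("any value"))
	fmt.Println("valid CA error:", good, "| arbitrary value error:", bad)
}
```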
After a deeper investigation, I found that the root cause is that the harvester deployment is forced to restart when the additional CA cert changes [1]. The reason to restart is that podmutator in harvester-webhook would eject and mount a volume of the certain CA certificate onto The CA cert injection code path is used for three workloads: harvester, rancher, and longhorn's
As a side note, if a harvester cluster has 3 or more nodes, I guess it wouldn't have a downtime as such. This downtime issue might only occur in a non-HA cluster. Will verify my assumption later on.
Verified that in a 3-node cluster, high availability can prevent requests from failing with a 503 error.
Just FYI, Consul and Nomad also use a similar trick, which reloads/updates the
Close as this behavior is expected.
Describe the bug
To Reproduce
Steps to reproduce the behavior:
Setting page
backup-target
https://URL/v1/harvester/network.harvesterhci.io.clusternetworks (At this point the API is able to request successfully)
additional-ca edit page and enter any value, click save button (Immediately go to refresh the https://URL/v1/harvester/network.harvesterhci.io.clusternetworks page, the page does not respond for a long time)
Expected behavior
Support bundle
Environment:
Additional context