Connection failures following control plane upgrade to 1.6

[Stono]

Bug description
Another set of apps that doesn't work. We upgrade the control plane to 1.6, but don't touch the apps (so still running 1.5 sidecar) and we start getting the old upstream connect error or disconnect/reset before headers. reset reason: connection failure when making requests from within the mesh (from another app to this one).

Looking at the istio-proxy debug logs for the destination service we see:

[Envoy (Epoch 0)] [2020-10-16 07:46:36.184][31][debug][filter] [external/envoy/source/extensions/filters/listener/original_dst/original_dst.cc:18] original_dst: New connection accepted
[Envoy (Epoch 0)] [2020-10-16 07:46:36.184][31][debug][conn_handler] [external/envoy/source/server/connection_handler_impl.cc:361] [C83] new connection
[Envoy (Epoch 0)] [2020-10-16 07:46:36.184][31][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:279] [C83] dispatch error: http/1.1 protocol error: HPE_INVALID_METHOD
[Envoy (Epoch 0)] [2020-10-16 07:46:36.184][31][debug][connection] [external/envoy/source/common/network/connection_impl.cc:101] [C83] closing data_to_write=66 type=2
[Envoy (Epoch 0)] [2020-10-16 07:46:36.184][31][debug][connection] [external/envoy/source/common/network/connection_impl_base.cc:30] [C83] setting delayed close timer with timeout 1000 ms
[Envoy (Epoch 0)] [2020-10-16 07:46:36.184][31][debug][connection] [external/envoy/source/common/network/connection_impl.cc:600] [C83] write flush complete

Here are config dumps from istio-proxy on the destination service from 1.5 and 1.6 control planes:
config-dumps.tar.gz

The pod exposes three ports:

      ports:
      - containerPort: 9080
        name: http-web-admin
        protocol: TCP
      - containerPort: 8317
        name: http-web
        protocol: TCP
      - containerPort: 8318
        name: tcp-tcp-sftp
        protocol: TCP

❯ k -n vds-acceptor get ep
NAME    ENDPOINTS           AGE
admin   10.198.10.11:9080   338d
app     10.198.10.11:8317   435d
sftp    10.198.10.11:8318   356d

The cluster is configured with strict mtls:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT

The only difference I could draw was that this app (and the other broken services) also has a non-mesh service (stfp):

However that is excluded from istio with a Sidecar:

  ingress:
  - defaultEndpoint: 127.0.0.1:8317
    port:
      name: http-app
      number: 8317
      protocol: HTTP
  - defaultEndpoint: 127.0.0.1:9080
    port:
      name: http-admin
      number: 9080
      protocol: HTTP

and

traffic.sidecar.istio.io/includeInboundPorts: 8317,9080

We tried adding an explicit PeerAuthentication policy (even though it shouldn't actually make any difference):

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    8318:
      mode: DISABLE
  selector:
    matchLabels:
      app: vds-acceptor
      group: delivery-platform

And as expected it didn't change anything.

Restarting the app to pull in a 1.6 sidecar fixed the issue, therefore it seems to only be an issue with a 1.5 sidecar & 1.6 control plane.

[ ] Docs
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[x] Test and Release
[x] User Experience
[ ] Developer Infrastructure

Expected behavior
Upgrades to not break services

Steps to reproduce the bug
🤷 happy to live debug my cluster with you

Version (include the output of istioctl version --remote and kubectl version --short and helm version if you used Helm)
1.6.11

How was Istio installed?
helm

Environment where bug was observed (cloud vendor, OS, etc)
gke

[Stono]

cc. @howardjohn @mandarjog @rshriram any help would be appreciated. Happy to give you access to the test cluster (or screen share if it helps).

[mandarjog]

A couple of things I can think of are h2upgrade differences or TLS mismatch.

@PiotrSikora hpe_invalid_method indicates that it chose the http1 codec.

[Stono]

@mandarjog : no http2 in our deployment, we still have it disabled following the last incident and remember this issue is incredibly nuanced to applications that are specifically:

• 1.5 proxy
• 1.6 control plane
• expose 3 ports, only two of which are included in the mesh

and restarting the app to a 1.6 proxy resolves it, which is why i've provided config dumps from both 1.5 and 1.6.

Another correlation of the broken workloads on a 1.5 proxy and 1.6 control plane have a traffic.sidecar.istio.io/includeInboundPorts annotation which is why I think this issue is inherently linked to #27995 and #27941 - I believe this annotation to be the cause.

[Stono]

@mandarjog @howardjohn sorry to keep tagging you but i'm really keen to get rid of this 1.6 migration (and then start 1.7 testing). This is the last remaining "blocking" issue for us as it causes a service outage until the pods are restarted.

I can recreate it easily, so will work with anyone (at any hour) to get to the bottom of it.

We've intentionally left a test cluster in this broken state for investigation purposes.

[Stono]

So we continued to try and narrow this down. We did the following:

1. Deploy a 1.5 cluster
2. Deploy a 1.5 workload with mTLS enabled, single port (8080) with traffic.sidecar.istio.io/includeInboundPorts: 8080
3. Upgrade control plane to 1.6
4. Make a request from a source app (1.5) to target app (1.5)

= Broken

5. Restart target app (so it goes to 1.6)
6. Make request from 1.5 -> 1.6 app:

= OK

The errors in the target app were slightly different on this one:

[Envoy (Epoch 0)] [2020-10-19 12:59:38.818][28][debug][filter] [external/envoy/source/extensions/filters/listener/original_dst/original_dst.cc:18] original_dst: New connection accepted
[Envoy (Epoch 0)] [2020-10-19 12:59:38.818][28][debug][filter] [external/envoy/source/common/tcp_proxy/tcp_proxy.cc:232] [C1527] new tcp proxy session
[Envoy (Epoch 0)] [2020-10-19 12:59:38.818][28][debug][filter] [external/envoy/source/common/tcp_proxy/tcp_proxy.cc:381] [C1527] Creating connection to cluster BlackHoleCluster
[Envoy (Epoch 0)] [2020-10-19 12:59:38.818][28][debug][upstream] [external/envoy/source/common/upstream/cluster_manager_impl.cc:1283] no healthy host for TCP connection pool
[Envoy (Epoch 0)] [2020-10-19 12:59:38.818][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:101] [C1527] closing data_to_write=0 type=1
[Envoy (Epoch 0)] [2020-10-19 12:59:38.818][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:192] [C1527] closing socket: 1
[Envoy (Epoch 0)] [2020-10-19 12:59:38.821][28][debug][filter] [external/envoy/source/extensions/filters/listener/original_dst/original_dst.cc:18] original_dst: New connection accepted
[Envoy (Epoch 0)] [2020-10-19 12:59:38.822][28][debug][filter] [external/envoy/source/common/tcp_proxy/tcp_proxy.cc:232] [C1528] new tcp proxy session
[Envoy (Epoch 0)] [2020-10-19 12:59:38.822][28][debug][filter] [external/envoy/source/common/tcp_proxy/tcp_proxy.cc:381] [C1528] Creating connection to cluster BlackHoleCluster
[Envoy (Epoch 0)] [2020-10-19 12:59:38.822][28][debug][upstream] [external/envoy/source/common/upstream/cluster_manager_impl.cc:1283] no healthy host for TCP connection pool
[Envoy (Epoch 0)] [2020-10-19 12:59:38.822][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:101] [C1528] closing data_to_write=0 type=1
[Envoy (Epoch 0)] [2020-10-19 12:59:38.822][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:192] [C1528] closing socket: 1
[Envoy (Epoch 0)] [2020-10-19 12:59:38.873][28][debug][filter] [external/envoy/source/extensions/filters/listener/original_dst/original_dst.cc:18] original_dst: New connection accepted
[Envoy (Epoch 0)] [2020-10-19 12:59:38.873][28][debug][filter] [external/envoy/source/common/tcp_proxy/tcp_proxy.cc:232] [C1529] new tcp proxy session
[Envoy (Epoch 0)] [2020-10-19 12:59:38.873][28][debug][filter] [external/envoy/source/common/tcp_proxy/tcp_proxy.cc:381] [C1529] Creating connection to cluster BlackHoleCluster
[Envoy (Epoch 0)] [2020-10-19 12:59:38.873][28][debug][upstream] [external/envoy/source/common/upstream/cluster_manager_impl.cc:1283] no healthy host for TCP connection pool
[Envoy (Epoch 0)] [2020-10-19 12:59:38.873][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:101] [C1529] closing data_to_write=0 type=1
[Envoy (Epoch 0)] [2020-10-19 12:59:38.873][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:192] [C1529] closing socket: 1
[Envoy (Epoch 0)] [2020-10-19 12:59:38.907][28][debug][filter] [external/envoy/source/extensions/filters/listener/original_dst/original_dst.cc:18] original_dst: New connection accepted
[Envoy (Epoch 0)] [2020-10-19 12:59:38.907][28][debug][filter] [external/envoy/source/common/tcp_proxy/tcp_proxy.cc:232] [C1530] new tcp proxy session
[Envoy (Epoch 0)] [2020-10-19 12:59:38.907][28][debug][filter] [external/envoy/source/common/tcp_proxy/tcp_proxy.cc:381] [C1530] Creating connection to cluster BlackHoleCluster
[Envoy (Epoch 0)] [2020-10-19 12:59:38.907][28][debug][upstream] [external/envoy/source/common/upstream/cluster_manager_impl.cc:1283] no healthy host for TCP connection pool
[Envoy (Epoch 0)] [2020-10-19 12:59:38.907][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:101] [C1530] closing data_to_write=0 type=1
[Envoy (Epoch 0)] [2020-10-19 12:59:38.907][28][debug][connection] [external/envoy/source/common/network/connection_impl.cc:192] [C1530] closing socket: 1
[Envoy (Epoch 0)] [2020-10-19 12:59:40.096][20][debug][main] [external/envoy/source/server/server.cc:177] flushing stats
[Envoy (Epoch 0)] [2020-10-19 12:59:42.677][20][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:263] [C0] new stream
[Envoy (Epoch 0)] [2020-10-19 12:59:42.677][20][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:732] [C0][S5899294795249759883] request headers complete (end_stream=true):

And here are source app logs:

2020-10-19T13:49:08.070810Z     debug   envoy router    [external/envoy/source/common/router/router.cc:634] [C332][S10621310020160347181] router decoding headers:
':authority', 'app.istio-test-app-2'
':path', '/instant'
':method', 'GET'
':scheme', 'https'
'user-agent', 'curl/7.61.1'
'accept', '*/*'
'x-forwarded-proto', 'http'
'x-request-id', 'bab4037c-48c5-455c-b1ba-ce7160b1e413'
'x-envoy-decorator-operation', 'app.istio-test-app-2.svc.cluster.local:80/*'
'x-envoy-peer-metadata', 'ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwoeCgxJTlNUQU5DRV9JUFMSDhoMMTAuMjA2LjQuMjQ5CqwCCgZMQUJFTFMSoQIqngIKGQoDYXBwEhIaEGlzdGlvLXRlc3QtYXBwLTMKHAoFZ3JvdXASExoRZGVsaXZlcnktcGxhdGZvcm0KGQoMaXN0aW8uaW8vcmV2EgkaB
2RlZmF1bHQKIAoRcG9kLXRlbXBsYXRlLWhhc2gSCxoJNTdjNzY5OWNiChgKCHJldmlzaW9uEgwaCmEwMmI2NTUyMmUKJAoZc2VjdXJpdHkuaXN0aW8uaW8vdGxzTW9kZRIHGgVpc3Rpbwo1Ch9zZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1uYW1lEhIaEGlzdGlvLXRlc3QtYXBwLTMKLwojc2VydmljZS5p
c3Rpby5pby9jYW5vbmljYWwtcmV2aXNpb24SCBoGbGF0ZXN0ChoKB01FU0hfSUQSDxoNY2x1c3Rlci5sb2NhbAoqCgROQU1FEiIaIGlzdGlvLXRlc3QtYXBwLTMtNTdjNzY5OWNiLWNnbXF3Ch8KCU5BTUVTUEFDRRISGhBpc3Rpby10ZXN0LWFwcC0zCl0KBU9XTkVSElQaUmt1YmVybmV0ZXM6Ly9hcGlzL2F
wcHMvdjEvbmFtZXNwYWNlcy9pc3Rpby10ZXN0LWFwcC0zL2RlcGxveW1lbnRzL2lzdGlvLXRlc3QtYXBwLTMKgAQKEVBMQVRGT1JNX01FVEFEQVRBEuoDKucDCpQBChtnY3BfZ2NlX2luc3RhbmNlX2NyZWF0ZWRfYnkSdRpzcHJvamVjdHMvMTk4MTY0MTc1MzI5L3pvbmVzL2V1cm9wZS13ZXN0NC1hL2luc3
RhbmNlR3JvdXBNYW5hZ2Vycy9na2UtZGVsaXZlcnktcGxhdGZvcm0tbm9ybWFsLTIwMTkxMTE0LWI0NzNhNzdjLWdycAosChNnY3BfZ2NlX2luc3RhbmNlX2lkEhUaEzE1MjkyODQ0MDU2ODA2ODM1NjcKfAoZZ2NwX2djZV9pbnN0YW5jZV90ZW1wbGF0ZRJfGl1wcm9qZWN0cy8xOTgxNjQxNzUzMjkvZ2xvY
mFsL2luc3RhbmNlVGVtcGxhdGVzL2drZS1kZWxpdmVyeS1wbGF0Zm9ybS1ub3JtYWwtMjAxOTExMTQtM2QxNGNkODYKKwoUZ2NwX2drZV9jbHVzdGVyX25hbWUSExoRZGVsaXZlcnktcGxhdGZvcm0KIAoMZ2NwX2xvY2F0aW9uEhAaDmV1cm9wZS13ZXN0NC1hCi0KC2djcF9wcm9qZWN0Eh4aHGF0LWRlbGl2
ZXJ5LXBsYXRmb3JtLXRlc3RpbmcKJAoSZ2NwX3Byb2plY3RfbnVtYmVyEg4aDDE5ODE2NDE3NTMyOQocCg9TRVJWSUNFX0FDQ09VTlQSCRoHZGVmYXVsdAojCg1XT1JLTE9BRF9OQU1FEhIaEGlzdGlvLXRlc3QtYXBwLTM='
'x-envoy-peer-metadata-id', 'sidecar~10.206.4.249~istio-test-app-3-57c7699cb-cgmqw.istio-test-app-3~istio-test-app-3.svc.cluster.local'
'x-envoy-expected-rq-timeout-ms', '300000'
'x-envoy-attempt-count', '1'
'x-b3-traceid', '7dea5d1ab8426f26b59edd23fc739153'
'x-b3-spanid', 'b59edd23fc739153'
'x-b3-sampled', '0'

2020-10-19T13:49:08.070828Z     debug   envoy pool      [external/envoy/source/common/http/conn_pool_base.cc:337] queueing request due to no available connections
2020-10-19T13:49:08.070832Z     debug   envoy pool      [external/envoy/source/common/http/conn_pool_base.cc:47] creating a new connection
2020-10-19T13:49:08.070885Z     debug   envoy client    [external/envoy/source/common/http/codec_client.cc:34] [C333] connecting
2020-10-19T13:49:08.070895Z     debug   envoy connection        [external/envoy/source/common/network/connection_impl.cc:727] [C333] connecting to 10.206.4.5:8080
2020-10-19T13:49:08.071036Z     debug   envoy connection        [external/envoy/source/common/network/connection_impl.cc:736] [C333] connection in progress
2020-10-19T13:49:08.071097Z     debug   envoy connection        [external/envoy/source/common/network/connection_impl.cc:592] [C333] connected
2020-10-19T13:49:08.071159Z     debug   envoy connection        [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:191] [C333] handshake expecting read
2020-10-19T13:49:08.071240Z     debug   envoy connection        [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:198] [C333] handshake error: 5
2020-10-19T13:49:08.071247Z     debug   envoy connection        [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:226] [C333]
2020-10-19T13:49:08.071251Z     debug   envoy connection        [external/envoy/source/common/network/connection_impl.cc:200] [C333] closing socket: 0
2020-10-19T13:49:08.071267Z     debug   envoy client    [external/envoy/source/common/http/codec_client.cc:91] [C333] disconnect. resetting 0 pending requests
2020-10-19T13:49:08.071274Z     debug   envoy pool      [external/envoy/source/common/http/conn_pool_base.cc:265] [C333] client disconnected, failure reason:
2020-10-19T13:49:08.071286Z     debug   envoy router    [external/envoy/source/common/router/router.cc:1018] [C332][S10621310020160347181] upstream reset: reset reason connection failure
2020-10-19T13:49:08.071304Z     debug   envoy router    [external/envoy/source/common/router/router.cc:1390] [C332][S10621310020160347181] performing retry
2020-10-19T13:49:08.078453Z     debug   envoy pool      [external/envoy/source/common/http/conn_pool_base.cc:337] queueing request due to no available connections
2020-10-19T13:49:08.078477Z     debug   envoy pool      [external/envoy/source/common/http/conn_pool_base.cc:47] creating a new connection
2020-10-19T13:49:08.078524Z     debug   envoy client    [external/envoy/source/common/http/codec_client.cc:34] [C334] connecting
2020-10-19T13:49:08.078531Z     debug   envoy connection        [external/envoy/source/common/network/connection_impl.cc:727] [C334] connecting to 10.206.4.5:8080
2020-10-19T13:49:08.078635Z     debug   envoy connection        [external/envoy/source/common/network/connection_impl.cc:736] [C334] connection in progress
2020-10-19T13:49:08.078678Z     debug   envoy connection        [external/envoy/source/common/network/connection_impl.cc:592] [C334] connected
2020-10-19T13:49:08.078726Z     debug   envoy connection        [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:191] [C334] handshake expecting read
2020-10-19T13:49:08.078821Z     debug   envoy connection        [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:198] [C334] handshake error: 5
2020-10-19T13:49:08.078837Z     debug   envoy connection        [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:226] [C334]
2020-10-19T13:49:08.078842Z     debug   envoy connection        [external/envoy/source/common/network/connection_impl.cc:200] [C334] closing socket: 0
2020-10-19T13:49:08.078861Z     debug   envoy client    [external/envoy/source/common/http/codec_client.cc:91] [C334] disconnect. resetting 0 pending requests
2020-10-19T13:49:08.078869Z     debug   envoy pool      [external/envoy/source/common/http/conn_pool_base.cc:265] [C334] client disconnected, failure reason:
2020-10-19T13:49:08.078879Z     debug   envoy router    [external/envoy/source/common/router/router.cc:1018] [C332][S10621310020160347181] upstream reset: reset reason connection failure
2020-10-19T13:49:08.078898Z     debug   envoy router    [external/envoy/source/common/router/router.cc:1390] [C332][S10621310020160347181] performing retry
2020-10-19T13:49:08.108056Z     debug   envoy pool      [external/envoy/source/common/http/conn_pool_base.cc:337] queueing request due to no available connections
2020-10-19T13:49:08.108088Z     debug   envoy pool      [external/envoy/source/common/http/conn_pool_base.cc:47] creating a new connection
2020-10-19T13:49:08.108155Z     debug   envoy client    [external/envoy/source/common/http/codec_client.cc:34] [C335] connecting
2020-10-19T13:49:08.108164Z     debug   envoy connection        [external/envoy/source/common/network/connection_impl.cc:727] [C335] connecting to 10.206.4.5:8080
2020-10-19T13:49:08.108284Z     debug   envoy connection        [external/envoy/source/common/network/connection_impl.cc:736] [C335] connection in progress
2020-10-19T13:49:08.108360Z     debug   envoy connection        [external/envoy/source/common/network/connection_impl.cc:592] [C335] connected
2020-10-19T13:49:08.108491Z     debug   envoy connection        [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:198] [C335] handshake error: 5
2020-10-19T13:49:08.108503Z     debug   envoy connection        [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:226] [C335]
2020-10-19T13:49:08.108508Z     debug   envoy connection        [external/envoy/source/common/network/connection_impl.cc:200] [C335] closing socket: 0

[Stono]

To update further, we tried again with two workloads:

• workload1: port 8080, traffic.sidecar.istio.io/includeInboundPorts: 8080
• workload2: port 8080, no annotation

Updated control plane to 1.6

• workload1: broken
• workload2: working

Restart workload 1 = fixed.

Therefore i'm 100% confident the annotation is the cause during the upgrade process. The reason this is so impacting for us it we have this annotation on almost every workload.

We've diff'd source and destination proxy configs and aren't able to identify and difference in config being pushed so just looks like the proxy is getting itself into a very funky state until its restarted.

[howardjohn]

Good pod:

-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006

      - istio-iptables
      - -p
      - "15001"
      - -z
      - "15006"
      - -u
      - "1337"
      - -m
      - REDIRECT
      - -i
      - ...
      - -x
      - ...
      - -b
      - -d
      - "15020"
      - -o
      - ...

Bad pod:

-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15001

    - command:
      - istio-iptables
      - -p
      - "15001"
      - -z
      - "15006"
      - -u
      - "1337"
      - -m
      - REDIRECT
      - -i
      - ....
      - -x
      - foo,bar
      - -b
      - "8080"
      - -d
      - "15020"
      - -o
      - x,y,z,not-relevant

The interesting thing is the arguments actually show -z 15006 - but not used. I think this was some migration thing that is going wrong here

[howardjohn]

On 1.5:

$ istio-iptables -n -p 15001 -z 15006 -b 8080
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15001

On 1.6:

$ istio-iptables -n -p 15001 -z 15006 -b 8080
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15001

[howardjohn]

Missing #22686?

[howardjohn]

Works in 1.5 pilot because ab88b62 is not in 1.5

[howardjohn]

I am not sure I am seeing a workaround for this (aside from removing the annotation) other than cherrypicking #22686 or reverting ab88b62 unfortunately... There is just a mismatch between these two, the latter assumes the former was always present when its not during the upgrade case

[Stono]

I've tested @howardjohn fix in #28111 and can confirm it works as expected

[howardjohn]

Thanks @Stono ! For anyone else that runs into this, please use the latest 1.6 and PILOT_ENABLE_LEGACY_INBOUND_LISTENERS, or 1.7+ is fixed natively. Thanks!