Use naive TCP instead of SSL for ELB health checks #1657

Closed
jayunit100 opened this issue Mar 24, 2020 · 10 comments · Fixed by #3124
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

Comments

@jayunit100
Contributor

jayunit100 commented Mar 24, 2020

/kind bug

What steps did you take and what happened:

I ran ELBs with apiserver arguments which include a small set of ciphers not in the AWS 2016 defaults.

What happened --- the ELBs never send traffic to apiservers, which means kubelets never register their static pods, and scheduler/kcm never get to start doing anything - so you just have an orphan API Server talking to ETCD, and the cluster is effectively dead.

What did you expect to happen:

ELBs to happily handshake with my apiserver and forward traffic along.

Environment:

  • Cluster-api-provider-aws version: v1alpha3 (.4)
  • Kubernetes version: (use kubectl version): 1.17
  • OS (e.g. from /etc/os-release): any
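
The failure mode reported above, reproduced locally as an added example (not code from this issue or from cluster-api-provider-aws): a TLS 1.2 server restricted to one cipher suite passes a plain TCP check but fails an SSL-style check from a prober whose suites do not overlap. The function names and both cipher lists are constructed for illustration; the ELB's actual cipher set is not given on this page.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// startAPIServerStandIn: local TLS 1.2 server limited to the given suites (hypothetical).
func startAPIServerStandIn(suites []uint16) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, CipherSuites: suites}
	srv.StartTLS() // uses httptest's built-in RSA test certificate
	return srv
}

// tcpCheck is healthy as soon as the TCP connection is established.
func tcpCheck(addr string) error {
	conn, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err != nil {
		return err
	}
	return conn.Close()
}

// sslCheck is healthy only if a TLS handshake completes with the checker's suites.
func sslCheck(addr string, suites []uint16) error {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 2 * time.Second}, "tcp", addr, &tls.Config{
		InsecureSkipVerify: true, // constructed probe: tests the handshake, not identity
		MaxVersion:         tls.VersionTLS12, CipherSuites: suites,
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	restricted := []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}
	checkerOnly := []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256} // constructed, disjoint set
	srv := startAPIServerStandIn(restricted)
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	fmt.Println("TCP check:", tcpCheck(addr))
	fmt.Println("SSL check, disjoint suites:", sslCheck(addr, checkerOnly))
	fmt.Println("SSL check, shared suite:", sslCheck(addr, restricted))
}
```

A TCP check only confirms that the port accepts connections, so it stays green regardless of the server's cipher configuration.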
@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Mar 24, 2020
@jayunit100 jayunit100 changed the title Use SSL instead of TCP for ELB health checks Use naive TCP instead of SSL for ELB health checks Mar 24, 2020
@detiber
Member

detiber commented Mar 24, 2020

/close
Closing, since this would cause log spamming related to the health checks. Longer term we want to explore migrating over to using an NLB for the load balancer, but there are other challenges that we need to solve related to handling in hairpinning before we can make that switch.

@k8s-ci-robot
Contributor

@detiber: Closing this issue.


@seh

seh commented May 24, 2020

Longer term we want to explore migrating over to using an NLB for the load balancer, but there are other challenges that we need to solve related to handling in hairpinning before we can make that switch.

@detiber, is there an issue tracking this potential move to using an NLB?

@detiber
Member

detiber commented May 26, 2020

@seh #1484 is probably the closest issue we have for supporting NLBs

@sedefsavas
Contributor

sedefsavas commented Jan 31, 2022

/reopen

Following this slack thread.

@k8s-ci-robot k8s-ci-robot reopened this Jan 31, 2022
@k8s-ci-robot
Contributor

@sedefsavas: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 31, 2022
@k8s-ci-robot
Contributor

@jayunit100: This issue is currently awaiting triage.

If CAPA/CAPI contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.


@sedefsavas sedefsavas added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Jan 31, 2022
@sedefsavas sedefsavas added this to the v1.3.0 milestone Jan 31, 2022
@Ankitasw
Member

/assign

@Ankitasw
Member

Ankitasw commented Feb 1, 2022

@sedefsavas just to clarify, we have not changed the scope of this issue right, we want classic ELB health check to use TCP instead of SSL, that's all, right?

@Ankitasw
Member

/lifecycle active

@k8s-ci-robot k8s-ci-robot added the lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. label Feb 24, 2022