Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

grpc: set localhost Authority to unix client calls #112597

Merged
merged 1 commit into from Oct 31, 2022
Merged

grpc: set localhost Authority to unix client calls #112597

merged 1 commit into from Oct 31, 2022

Conversation

mythi
Copy link
Contributor

@mythi mythi commented Sep 20, 2022

What type of PR is this?

/kind bug

What this PR does / why we need it:

Several reports exist (both with device plugins and CSI) that kubelet w/ grpc-go sends invalid Authority header and some non grpc-go servers reject these unix domain socket client connections.

grpc-go sets the Authority header correct when the dial address is in a format where the its address scheme can be determined.

Instead of making changes to get the all server addresses to unix:// prefixed format, set grpc.WithAuthority("localhost") client connection override to get the same result.

Which issue(s) this PR fixes:

Fixes #107093
Fixes #109081
Fixes #108254
Closes #109559

Special notes for your reviewer:

The alternative approach could be to ensure all addresses are sanitized and set to use unix:// scheme: TrimPrefix() + Snprintf() .

Does this PR introduce a user-facing change?

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@mythi
grpc: set localhost Authority to unix client calls
fbcdf48 
Several reports exist (both with device plugins and CSI) that
kubelet w/ grpc-go sends invalid Authority header and some non
grpc-go servers reject these unix domain socket client connections.

grpc-go sets the Authority header correct when the dial address
is in a format where the its address scheme can be determined.

Instead of making changes to get the all server addresses to unix://
prefixed format, set grpc.WithAuthority("localhost") client connection
override to get the same result.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/bug Categorizes issue or PR as related to a bug. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 20, 2022
@k8s-ci-robot
Copy link
Contributor

Hi @mythi. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Sep 20, 2022
@k8s-ci-robot k8s-ci-robot added area/kubelet sig/node Categorizes an issue or PR as relevant to SIG Node. sig/storage Categorizes an issue or PR as relevant to SIG Storage. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Sep 20, 2022
@pacoxu
Copy link
Member

pacoxu commented Sep 21, 2022

/ok-to-test
/cc xing-yang @jingxu97

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 21, 2022
@pohly
Copy link
Contributor

pohly commented Sep 23, 2022

/lgtm

I agree that this approach is more sensible than trying to adapt all paths.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 23, 2022
@klueska
Copy link
Contributor

klueska commented Sep 23, 2022

/approve for kubelet

@SergeyKanzhelev
Copy link
Member

I wonder if we need to do the same for CRI as well. We do not set authority there either.

@SergeyKanzhelev
Copy link
Member

/priority important-longterm
/triage accepted

@k8s-ci-robot k8s-ci-robot added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Sep 29, 2022
@k8s-ci-robot k8s-ci-robot removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 29, 2022
@SergeyKanzhelev SergeyKanzhelev moved this from Triage to Waiting on Author in SIG Node PR Triage Sep 29, 2022
@mythi
Copy link
Contributor Author

mythi commented Sep 30, 2022

I wonder if we need to do the same for CRI as well. We do not set authority there either.

AFAIK the CRI endoints are forced to use unix:// scheme so grpc-go sets localhost authority automatically.

@pohly
Copy link
Contributor

pohly commented Sep 30, 2022

/assign @xing-yang

For approval.

@pacoxu pacoxu moved this from Waiting on Author to Needs Approver in SIG Node PR Triage Oct 24, 2022
bart0sh
bart0sh reviewed Oct 24, 2022
View reviewed changes
Copy link
Contributor

@bart0sh bart0sh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@mythi
Copy link
Contributor Author

mythi commented Oct 31, 2022

@xing-yang does this look OK to you?

@jsafrane
Copy link
Member

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsafrane, klueska, mythi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 31, 2022
@k8s-ci-robot k8s-ci-robot merged commit 9702161 into kubernetes:master Oct 31, 2022
SIG Node PR Triage automation moved this from Needs Approver to Done Oct 31, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.26 milestone Oct 31, 2022
@Forsworns Forsworns mentioned this pull request Nov 18, 2022
Open
@alexmc6 alexmc6 mentioned this pull request Nov 19, 2022
Closed
phoracek added a commit to phoracek/kubevirt that referenced this pull request Mar 31, 2023
@phoracek
grpc: Fix authority header sent to unix sockets
db83722 
Some non grpc-go servers fail with "protocol error" when contacted by
KubeVirt's gRPC client. The suspected cause is that grpc-go sends
invalid Authority headers when using unix domain sockets.

This issue prevents implementation of hook sidecars in other languages,
such as Go with its Tonic library.

A similar issue was encountered in Kubernetes [1], where it was solved
by explicitly setting the Authority header. This patch uses the same
approach.

[1] kubernetes/kubernetes#112597

Signed-off-by: Petr Horacek <hrck@protonmail.com>
@phoracek phoracek mentioned this pull request Mar 31, 2023
Merged
@LucaDev LucaDev mentioned this pull request Jun 16, 2023
Merged
victortoso pushed a commit to victortoso/kubevirt that referenced this pull request Jun 22, 2023
@phoracek @victortoso
grpc: Fix authority header sent to unix sockets
87a26b4 
Some non grpc-go servers fail with "protocol error" when contacted by
KubeVirt's gRPC client. The suspected cause is that grpc-go sends
invalid Authority headers when using unix domain sockets.

This issue prevents implementation of hook sidecars in other languages,
such as Go with its Tonic library.

A similar issue was encountered in Kubernetes [1], where it was solved
by explicitly setting the Authority header. This patch uses the same
approach.

[1] kubernetes/kubernetes#112597

Signed-off-by: Petr Horacek <hrck@protonmail.com>
victortoso pushed a commit to victortoso/kubevirt that referenced this pull request Jun 29, 2023
@phoracek @victortoso
grpc: Fix authority header sent to unix sockets
771d802 
Some non grpc-go servers fail with "protocol error" when contacted by
KubeVirt's gRPC client. The suspected cause is that grpc-go sends
invalid Authority headers when using unix domain sockets.

This issue prevents implementation of hook sidecars in other languages,
such as Go with its Tonic library.

A similar issue was encountered in Kubernetes [1], where it was solved
by explicitly setting the Authority header. This patch uses the same
approach.

[1] kubernetes/kubernetes#112597

Signed-off-by: Petr Horacek <hrck@protonmail.com>
@Billy99 Billy99 mentioned this pull request Nov 2, 2023
Closed
VirrageS pushed a commit to VirrageS/kubevirt that referenced this pull request Nov 17, 2023
@phoracek @VirrageS
grpc: Fix authority header sent to unix sockets
e81aa75 
Some non grpc-go servers fail with "protocol error" when contacted by
KubeVirt's gRPC client. The suspected cause is that grpc-go sends
invalid Authority headers when using unix domain sockets.

This issue prevents implementation of hook sidecars in other languages,
such as Go with its Tonic library.

A similar issue was encountered in Kubernetes [1], where it was solved
by explicitly setting the Authority header. This patch uses the same
approach.

[1] kubernetes/kubernetes#112597

Signed-off-by: Petr Horacek <hrck@protonmail.com>
@kriswuollett kriswuollett mentioned this pull request Jan 26, 2024
Closed
@k82cn k82cn mentioned this pull request Feb 23, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bart0sh bart0sh bart0sh left review comments

@humblec humblec Awaiting requested review from humblec

@klueska klueska Awaiting requested review from klueska

@jingxu97 jingxu97 Awaiting requested review from jingxu97

@xing-yang xing-yang Awaiting requested review from xing-yang

Assignees

@pohly pohly

@xing-yang xing-yang

@bart0sh bart0sh

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubelet cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. release-note-none Denotes a PR that doesn't merit a release note. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/storage Categorizes an issue or PR as relevant to SIG Storage. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Node PR Triage
Done
Milestone
v1.26
9 participants
@mythi @k8s-ci-robot @pacoxu @pohly @klueska @SergeyKanzhelev @jsafrane @bart0sh @xing-yang