feat(kuma-cp) Support probes with mTLS enabled #1036
Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
…l refactoring of Annotations Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
really nice job here 👍 can we have this tested in E2E test somehow? Can we add HTTP probe to some existing app?
} | ||
vport, err := strconv.ParseInt(segments[1], 10, 32) | ||
if err != nil { | ||
return KumaProbe{}, false | ||
return KumaProbe{}, errors.New("can't parse Pod's probe") |
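Review bot: On the strconv.ParseInt failure path, the new return of errors.New("can't parse Pod's probe") discards both err and the value of segments[1], so whoever reads the error cannot tell which path segment was rejected or why. Suggest wrapping the underlying error and including the offending segment in the message. Separately, ParseInt with bitSize 32 accepts negative numbers and values above 65535, and no port range check is visible in these lines; confirm one follows, or parse with strconv.ParseUint and bitSize 16 so an out-of-range port fails here.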
could be more descriptive why it cannot be parsed
Summary
Current PR fixes the known issue of Kuma - the ability to add Kubernetes probes with mTLS enabled.
Given HttpGet probe :8080/health will be automatically converted to virtual probe :9000/8080/health, where 9000 is an insecure port regardless of the state of mTLS. Traffic from this port is always forwarded by Envoy to localhost:8080/health.
Changes in kuma-cp config
injector section has new fields:
They allow us to set another value for the insecure port or disable virtual probes altogether.
New Pod annotations
Both values from the previous section could be overridden by Pod's annotations:
Annotation refactoring
We used to check annotation values only against "good" values, some "junk" was allowed, like:
was considered as not "enabled". Current PR makes annotations more strict.
Issues resolved
Fix #795
Documentation
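The probe rewrite described in the Summary, as an added Go example that is not part of this PR or of Kuma's code: it maps :8080/health onto the virtual port 9000 and parses the virtual path back, rejecting a first segment that is not a valid port with an error that names it. HTTPProbe, ToVirtual and ToReal are hypothetical names chosen for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// HTTPProbe is a hypothetical stand-in for the port and path of an HttpGet probe.
type HTTPProbe struct {
	Port uint32
	Path string
}

// ToVirtual rewrites an application probe so that it targets the insecure
// virtual port, carrying the application port as the first path segment.
func ToVirtual(app HTTPProbe, virtualPort uint32) HTTPProbe {
	return HTTPProbe{
		Port: virtualPort,
		Path: fmt.Sprintf("/%d/%s", app.Port, strings.TrimPrefix(app.Path, "/")),
	}
}

// ToReal recovers the application port and path from a virtual probe path.
// The first segment must be a port in 1-65535; anything else is an error.
func ToReal(virtual HTTPProbe) (HTTPProbe, error) {
	segments := strings.SplitN(strings.TrimPrefix(virtual.Path, "/"), "/", 2)
	port, err := strconv.ParseUint(segments[0], 10, 16) // 16 bits caps the value at 65535
	if err != nil || port == 0 {
		return HTTPProbe{}, fmt.Errorf(
			"virtual probe path %q: first segment %q is not a port in 1-65535",
			virtual.Path, segments[0])
	}
	path := "/"
	if len(segments) == 2 {
		path += segments[1]
	}
	return HTTPProbe{Port: uint32(port), Path: path}, nil
}

func main() {
	// Constructed sample input taken from the PR description's example.
	v := ToVirtual(HTTPProbe{Port: 8080, Path: "/health"}, 9000)
	fmt.Printf(":%d%s\n", v.Port, v.Path)
	r, err := ToReal(v)
	fmt.Println(r, err)
	_, err = ToReal(HTTPProbe{Port: 9000, Path: "/70000/health"})
	fmt.Println(err)
}
```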