[ysql] [k8s] Transactional writes in a cluster with DNS addressing and TLS certs fail #6845
d-uspenskiy added a commit that referenced this issue Apr 12, 2021
…g to use DNS name instead of IP for local tserver connection
Summary: In case of using DNS names for cluster starting (`--server_broadcast_addresses` and `--rpc_bind_addresses`), SSL certificates must be configured using DNS names as well. In this case connections to the local `tserver` must use DNS names instead of IP to establish secure connections. Having SSL encryption for local connections is excessive, and a long-term solution is to disable SSL for local connections by using Unix sockets. As a result, the ability to use DNS names for the local tserver is kind of a workaround, and it is guarded by the gflag, which is `false` by default.
Test Plan: Jenkins
Reviewers: sanketh, sergei
Reviewed By: sergei
Subscribers: yql, bogdan
Differential Revision: https://phabricator.dev.yugabyte.com/D10389
YintongMa pushed a commit to YintongMa/yugabyte-db that referenced this issue May 26, 2021
…er' gflag to use DNS name instead of IP for local tserver connection
Summary: In case of using DNS names for cluster starting (`--server_broadcast_addresses` and `--rpc_bind_addresses`), SSL certificates must be configured using DNS names as well. In this case connections to the local `tserver` must use DNS names instead of IP to establish secure connections. Having SSL encryption for local connections is excessive, and a long-term solution is to disable SSL for local connections by using Unix sockets. As a result, the ability to use DNS names for the local tserver is kind of a workaround, and it is guarded by the gflag, which is `false` by default.
Test Plan: Jenkins
Reviewers: sanketh, sergei
Reviewed By: sergei
Subscribers: yql, bogdan
Differential Revision: https://phabricator.dev.yugabyte.com/D10389
jvigil-yugabyte added a commit to yugabyte/charts that referenced this issue Aug 5, 2021
Summary: This flag should be set by default for k8s universes in order to allow TLS-enabled universes to successfully perform transactional writes. See: yugabyte/yugabyte-db#6845
Test Plan: See original issue: yugabyte/yugabyte-db#6845 for steps to reproduce the problem.
1. Create universe using helm chart that does not contain this fix.
2. Run commands specified in original issue. Verify it fails.
3. Create universe using helm chart that contains this fix.
2. Run commands specified in original issue. Verify it now works.
Reviewers: sanketh
Reviewed By: sanketh
Subscribers: hsu, yugaware
Differential Revision: https://phabricator.dev.yugabyte.com/D12493
In a (k8s) cluster that is using DNS addresses (`--server_broadcast_addresses` and `--rpc_bind_addresses` set to DNS names) and that has TLS enabled, SQL inserts are failing as seen below. However, create table, select queries, and single inserts work.
Repro steps:
- Bring up a k8s cluster with TLS enabled
- Run ysqlsh
This error means that postgres is attempting to connect to a tserver by IP address instead of DNS. Only conns that use DNS addresses work in this cluster because TLS has been set up to use DNS addresses.
The root cause of this appears to be a conn to the local tserver from postgres in the write txn code path:
- yugabyte-db/src/yb/yql/pggate/pg_txn_manager.cc, line 193 in 88e9d59
- yugabyte-db/src/yb/tserver/tablet_server.cc, line 257 in e6e1b52
@tsmull-11 @m-iancu @psudheer21
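Added example (not from the issue or the YugabyteDB code base): a small Python check of the standard TLS name-matching rule behind the failure described above, where an endpoint dialed as an IP literal is compared only against iPAddress SANs and so never matches a certificate issued for DNS names. The hostnames, IPs and helper names are constructed for illustration, and it is an assumption that the cluster's certificate verification follows this standard rule.

```python
import ipaddress


def _is_ip(value):
    """True if the endpoint is an IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    """Match one dNSName SAN; '*' may only stand for the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(h_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def endpoint_matches_cert(endpoint, dns_sans, ip_sans=()):
    """True if a TLS client dialing `endpoint` would accept a cert with these SANs."""
    if _is_ip(endpoint):
        # An IP literal is compared only against iPAddress SANs, never dNSName.
        target = ipaddress.ip_address(endpoint)
        return any(ipaddress.ip_address(s) == target for s in ip_sans)
    return any(_dns_match(s, endpoint) for s in dns_sans)


def audit(endpoints, dns_sans, ip_sans=()):
    """Return the endpoints whose certificate check would be rejected."""
    return [e for e in endpoints if not endpoint_matches_cert(e, dns_sans, ip_sans)]


# Constructed sample values (hypothetical namespace, service and pod IP).
SANS = ["*.yb-tservers.yb-demo.svc.cluster.local"]
ENDPOINTS = [
    "yb-tserver-0.yb-tservers.yb-demo.svc.cluster.local",  # tserver dialed by DNS name
    "10.1.2.3",   # same tserver dialed by pod IP
    "127.0.0.1",  # loopback
]

if __name__ == "__main__":
    for e in ENDPOINTS:
        print(e, "OK" if endpoint_matches_cert(e, SANS) else "REJECTED")
```

Running the same audit over the addresses a node actually dials shows which connections need either a DNS-name endpoint or an IP SAN on the certificate.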