
[ysql] [k8s] Transactional writes in a cluster with DNS addressing and TLS certs fail #6845

Closed
iSignal opened this issue Jan 12, 2021 · 1 comment
Labels
area/kubernetes Kubernetes support and deployments. area/ysql Yugabyte SQL (YSQL)

Comments

@iSignal
Contributor

iSignal commented Jan 12, 2021

In a (k8s) cluster that is using DNS addresses (--server_broadcast_addresses and --rpc_bind_addresses set to DNS names) and that has TLS enabled, SQL inserts are failing as seen below. However, create table, select queries, single inserts work.

Repro steps:

Bring up a k8s cluster with tls enabled

$ kubectl create namespace sanketh-tmp-2; helm3 install yb-demo  ~/code/charts/stable/yugabyte/ --set tls.enabled=true --set resource.master.requests.cpu=0.25,resource.master.requests.memory=0.5Gi,resource.tserver.requests.cpu=0.25,resource.tserver.requests.memory=0.5Gi --namespace sanketh-tmp-2 --wait
$ kubectl exec -it yb-tserver-0 -n sanketh-tmp-2 -- bash

Run ysqlsh

[root@yb-tserver-0 cores]# /home/yugabyte/bin/ysqlsh -h yb-tserver-0.yb-tservers.sanketh-tmp-2.svc.cluster.local
ysqlsh (11.2-YB-2.3.2.0-b0)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
yugabyte=# create table foo(id int primary key);
CREATE TABLE
yugabyte=# select * from foo;
 id
----
(0 rows)
[root@yb-tserver-0 yugabyte]# bin/ysqlsh -h yb-tserver-1.yb-tservers.sanketh-tmp-2.svc.cluster.local
ysqlsh (11.2-YB-2.3.2.0-b0)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
yugabyte=# insert into foo (select * from generate_series(1,10));
ERROR:  Network error: Handshake failed: certificate verify failed, address: 10.32.2.90, hostname: 10.32.2.90
yugabyte=#

This error means that postgres is attempting to connect to a tserver by IP address instead of DNS. Only conns that use DNS addresses work in this cluster because TLS has been set up to use DNS addresses.

The root cause of this appears to be a conn to the local tserver from postgres in the write txn code path -

LOG(INFO) << "Using TServer endpoint: " << (**tserver_shared_object_).endpoint();
which is set from
shared_object_->SetEndpoint(bound_addresses.front());
to the actual bound IP address of the server instead of its rpc_bind/server_broadcast address.

@tsmull-11 @m-iancu @psudheer21
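The failure above is ordinary TLS hostname verification: the node certificates carry DNS Subject Alternative Names, so a connection dialed to the bound pod IP has nothing in the certificate to match against, while the same certificate verifies fine when dialed by the DNS name. The following is an added example, not code from this issue or from YugabyteDB, written in Go only because its standard library can mint and verify certificates offline. It builds a throwaway CA and a DNS-only node certificate, verifies it against the DNS name and against the bound IP, and then shows the other way out (issuing the certificate with an IP SAN as well). The hostname and IP are the values from the report and are used here purely as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Names taken from the issue report; constructed test data, not a live cluster.
const (
	tserverDNS = "yb-tserver-0.yb-tservers.sanketh-tmp-2.svc.cluster.local"
	tserverIP  = "10.32.2.90" // the bound address postgres was dialing
)

// mintCA creates a throwaway self-signed CA standing in for the cluster CA.
func mintCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-cluster-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// mintNodeCert issues a server certificate whose Subject Alternative Names are
// exactly dnsNames and ipAddrs. A DNS-only cert is the configuration in the issue.
func mintNodeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string, ipAddrs []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ipAddrs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyPeer is the check a TLS client runs after the handshake: chain the leaf
// to the CA, then match the address it dialed against the SANs. Go accepts a DNS
// name or an IP literal in DNSName and compares it only to SANs of that type.
func verifyPeer(ca, leaf *x509.Certificate, dialedAddr string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dialedAddr,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isHostnameMismatch separates a SAN mismatch (the "hostname: 10.32.2.90"
// failure) from chain, expiry or key-usage problems.
func isHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	ca, caKey, err := mintCA()
	if err != nil {
		panic(err)
	}
	dnsOnly, err := mintNodeCert(ca, caKey, []string{tserverDNS}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("dial by DNS name:", verifyPeer(ca, dnsOnly, tserverDNS))
	fmt.Println("dial by bound IP:", verifyPeer(ca, dnsOnly, tserverIP))
	// Alternative to dialing by name: issue the node cert with an IP SAN as well.
	withIP, err := mintNodeCert(ca, caKey, []string{tserverDNS}, []net.IP{net.ParseIP(tserverIP)})
	if err != nil {
		panic(err)
	}
	fmt.Println("dial by bound IP, cert with IP SAN:", verifyPeer(ca, withIP, tserverIP))
}
```

Dialing by the DNS name verifies; dialing the DNS-only certificate by the bound IP fails with a hostname error and no other chain problem, which is the symptom in the transcript. Either side of the mismatch can be changed: the client dials the name the certificate was issued for (what the gflag described later in this thread does for the local tserver connection), or the certificate is issued with the bound IP in its SANs. The first keeps certificates independent of pod IPs, which change on reschedule in Kubernetes.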

@iSignal iSignal added area/ysql Yugabyte SQL (YSQL) area/kubernetes Kubernetes support and deployments. labels Jan 12, 2021
d-uspenskiy added a commit that referenced this issue Apr 12, 2021
…g to use DNS name instead of IP for local tserver connection

Summary:
In case of using DNS names for cluster starting (`--server_broadcast_addresses` and `--rpc_bind_addresses`), SSL certificates must be configured using DNS names as well. In this case connections to the local `tserver` must use DNS names instead of IP to establish secure connections.

Having SSL encryption for local connections is excessive. A long term solution is to disable SSL for local connections by using Unix sockets.
As a result, the ability to use DNS names for the local tserver is kind of a workaround and it is guarded by a gflag which is `false` by default.

Test Plan: Jenkins

Reviewers: sanketh, sergei

Reviewed By: sergei

Subscribers: yql, bogdan

Differential Revision: https://phabricator.dev.yugabyte.com/D10389
@d-uspenskiy
Contributor

New use_node_hostname_for_local_tserver gflag can be used to overcome the issue.

YintongMa pushed a commit to YintongMa/yugabyte-db that referenced this issue May 26, 2021
…er' gflag to use DNS name instead of IP for local tserver connection
jvigil-yugabyte added a commit to yugabyte/charts that referenced this issue Aug 5, 2021
Summary:
This flag should be set by default for k8s universes in order to allow
TLS-enabled universes to successfully perform transactional writes.

See: yugabyte/yugabyte-db#6845

Test Plan:
See original issue:
yugabyte/yugabyte-db#6845
for steps to reproduce the problem.

1. Create universe using helm chart that does not contain this fix.
2. Run commands specified in original issue. Verify it fails.
3. Create universe using helm chart that contains this fix.
4. Run commands specified in original issue. Verify it now works.

Reviewers: sanketh

Reviewed By: sanketh

Subscribers: hsu, yugaware

Differential Revision: https://phabricator.dev.yugabyte.com/D12493