bug: apisix with kubernetes discovery will fail after token file expires #11779

Open
jaysonsantos opened this issue Nov 22, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@jaysonsantos
Contributor

Current Behavior

APISIX uses a singleton to load the service account file, and Kubernetes rotates it roughly every 90 days. After that time, the discovery will fail to get new pods, with Unauthorized returned from Kubernetes' API, leading to stale pods in memory and nginx making calls to pods that do not exist anymore (in case deployments were rolled out).

Expected Behavior

apisix should re-read the token file every X days

Error Logs

apisix-57c57fd48b-hqzq9 apisix 2024/11/22 13:34:23 [error] 57#57: *509002587 [lua] informer_factory.lua:295: list failed, kind: Endpoints, reason: Unauthorized, message : {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
apisix-57c57fd48b-xgcjv apisix 2024/11/22 13:34:24 [error] 57#57: *508864131 [lua] informer_factory.lua:295: list failed, kind: Endpoints, reason: Unauthorized, message : {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
apisix-57c57fd48b-zgp7b apisix 2024/11/22 13:34:25 [error] 56#56: *508946548 [lua] informer_factory.lua:295: list failed, kind: Endpoints, reason: Unauthorized, message : {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}

Steps to Reproduce

If there is a way to rotate the service account, this would reproduce it, but I am not sure it is possible.

Environment

  • APISIX version (run apisix version):
    /usr/local/openresty//luajit/bin/luajit ./apisix/cli/apisix.lua version
    3.5.0
  • Operating system (run uname -a):
    Linux apisix-7bd7684cdf-2k524 5.10.220-209.869.amzn2.x86_64 #1 SMP Wed Jul 17 15:10:20 UTC 2024 x86_64 GNU/Linux
  • OpenResty / Nginx version (run openresty -V or nginx -V):
nginx version: openresty/1.21.4.2
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1s  1 Nov 2022
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_BASE_VER=1.21.4.2.0 -DNGX_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_HTTP_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so -DNGX_LUA_ABORT_AT_PA
NIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.2 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2
 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.25 --add-module=../ngx_lua_upstream-0.07 --add-modu
le=../headers-more-nginx-module-0.34 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.13 --with-ld-opt='-Wl,-rpa
th,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr
/local/openresty/openssl111/lib' --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../mod_dubbo-1.0.2 --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../ngx_multi_upstream_module-1.1.1 --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../apisix-nginx-modu
le-1.14.0 --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../apisix-nginx-module-1.14.0/src/stream --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../apisix-nginx-module-1.14.0/src/meta --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../wasm-nginx-mod
ule-0.6.5 --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../lua-var-nginx-module-v0.5.3 --add-module=/tmp/tmp.0EeoYgSz2t/openresty-1.21.4.2/../grpc-client-nginx-module-v0.4.3 --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-st
ream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_
link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
@dosubot dosubot bot added the bug Something isn't working label Nov 22, 2024
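
The failure mode reported above and the requested fix, as an added example in plain Lua (not APISIX's code and not written by the issue author): the token is cached, re-read from disk after a maximum age, and re-read immediately when the API answers 401. The function names, the temp file standing in for the mounted token, and `fake_api` standing in for the Kubernetes API server are all assumptions made for the demonstration.

```lua
-- Added illustration; not APISIX code. All function names are hypothetical.
local function read_token(path)
    local f, err = io.open(path, "r")
    if not f then return nil, err end
    local data = f:read("*a")
    f:close()
    data = data:gsub("%s+$", "")           -- strip the trailing newline
    if data == "" then return nil, "empty token file" end
    return data
end

-- Cache the token; re-read once max_age seconds have passed or when forced.
local function new_token_source(path, max_age)
    local cached, loaded_at
    return function(force)
        if force or not cached or os.time() - loaded_at >= max_age then
            local token, err = read_token(path)
            if token then
                cached, loaded_at = token, os.time()
            elseif not cached then
                return nil, err
            end                             -- read failed: keep the old token
        end
        return cached
    end
end

-- Run one API call; on 401 reload the token from disk and retry once.
local function call_with_refresh(get_token, do_request)
    local token, err = get_token()
    if not token then return nil, err end
    local status = do_request(token)
    if status == 401 then
        status = do_request(get_token(true))
    end
    return status
end

-- Constructed demo: temp file = mounted token, fake_api = API server.
local path = os.tmpname()
local function write(s) local f = assert(io.open(path, "w")); f:write(s, "\n"); f:close() end
local valid = "token-v1"
local function fake_api(token) return token == valid and 200 or 401 end
write("token-v1")
local get_token = new_token_source(path, 3600)
assert(call_with_refresh(get_token, fake_api) == 200)
write("token-v2"); valid = "token-v2"       -- rotation: old token now rejected
assert(fake_api(get_token()) == 401)         -- cached value alone is stale
assert(call_with_refresh(get_token, fake_api) == 200)
assert(get_token() == "token-v2")            -- cache now holds the new token
os.remove(path)
```

The second-to-last pair of assertions is the point: a cache that never re-reads keeps returning the rejected token, while a single forced re-read on 401 recovers without a restart.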