Opaqueness not applied to off-cluster destination with enable-external-profiles annotation #10354
Comments
Hey folks 👋🏼 I saw this was labelled for 2.13, but just wanted to know if you think this is an issue in stable-2.12? or possibly something we have misconfigured?
@dkulchinsky We suspect this is a problem with stable-2.12 but need to spend more time debugging before we know for certain.
Thanks @jeremychase 👍🏼 let me know if you need additional information from me.
Hey @jeremychase, @risingspiral 👋🏼 Just saw Linkerd 2.13.0 was released, congrats! 🥳 Wanted to check in to see if this issue is something already covered/fixed in 2.13? or would that be in a future path release?
@dkulchinsky It will be in the future path. In 2.13 we've begun to change the discovery system away from ServiceProfiles. I think we're unlikely to invest more in "external service profiles", but we're still keenly interested in solving the underlying problem of being able to disable protocol detection for out-of-cluster traffic.
Thanks @olix0r, I think decoupling these concerns makes total sense. Will be watching this space for updates as this is one of those issues that we constantly trip over with our users 😓 I'm guessing there's no ETA you can share at this point?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
Still an issue AFAIK, hoping there's some news about this? @olix0r
Have the same issue in the latest 2.14.0; still can see the protocol detection for one of the opaquePorts. I have also tried to set with skipSubnets (--subnets-to-ignore), but protocol detection is still running for the request...
Only
For the record, we hear y'all on this one: being able to do egress traffic without protocol detection delays would be a good thing. We want to separate the solution of that problem from the mechanism of ServiceProfiles, though, especially as we've been moving more toward Gateway API. Any thoughts on what kind of mechanisms would fit your use cases particularly well?
What is the issue?
We're running Linkerd stable-2.12.2
Linkerd is configured with:
We set the config.linkerd.io/enable-external-profiles: "true" annotation on application Pods that connect to a MySQL server off-cluster on port 3306 (following the instructions from https://linkerd.io/2.12/features/protocol-detection/#setting-the-enable-external-profiles-annotation)
However, the application is failing to connect to the MySQL server and we see the following errors in linkerd proxy logs:
the address 10.14.0.218 is outside the cluster networks ranges (defined as: clusterNetworks: 172.20.0.0/17,172.20.128.0/17)
Here's the manifest metadata of the running Pod:
I was reviewing a related issue #8273, which seems to suggest that this was fixed by linkerd/linkerd2-proxy#1617 and from what I can tell should be included in stable-2.12.2; unfortunately we are not able to get this to work as expected.
For now we're using config.linkerd.io/skip-outbound-ports: "3306" as a workaround, but we are hoping to not need this and use the external profiles method instead.
How can it be reproduced?
config.linkerd.io/enable-external-profiles: "true" annotation connecting to a MySQL server on port 3306 running off-cluster (not in the clusterNetworks range(s))
protocol detection timed out after 10s
Logs, error output, etc
output of linkerd check -o short
Environment
Possible solution
As a workaround, we are currently using the config.linkerd.io/skip-outbound-ports annotation to skip port 3306 on Pods that need to connect to MySQL database off-cluster.
Additional context
Opaqueness for port 3306 works just fine for MySQL database running in-cluster, so this is only affecting connections to MySQL servers running off-cluster.
Would you like to work on fixing this bug?
None