Keep queue-proxy admin server on HTTP for PreStop hooks #16163
To simplify this I think we should just have the preStop hook on a non-TLS server. I'd expect it to only be hit by the kubelet.
Codecov Report: ❌ Patch coverage is

@@ Coverage Diff @@
##             main   #16163      +/-   ##
==========================================
- Coverage   80.09%   80.08%   -0.01%
==========================================
  Files         214      214
  Lines       16943    16940       -3
==========================================
- Hits        13570    13566       -4
- Misses       3013     3014       +1
  Partials      360      360
@Fedosin do we have a test that can catch this regression?
@dprotaso yes, sure. I created a new function. The patch became bigger though...

Yeah I was thinking less about a unit test and wondering if there's an easy way to see if preStop hook was invoked successfully. For example if there's a Kubernetes event that's emitted when it fails etc. Let me know what you think
The queue-proxy admin server now always serves HTTP on port 8022, even when system-internal-tls is enabled. This simplifies the PreStop hook configuration and fixes graceful shutdown issues.

Changes:
- Queue-proxy admin server always uses HTTP, only main server uses TLS
- PreStop hooks always use HTTP scheme (removed dynamic configuration)
- Updated tests to reflect that admin server is always HTTP

Why this approach:
- PreStop hooks are called by kubelet locally within the pod (localhost)
- No network traffic leaves the pod, so TLS isn't needed for security
- Simpler implementation with no dynamic scheme configuration
- Prevents TLS handshake errors during pod shutdown

This fixes the issue where pods would receive HTTP 502 errors during scale-down operations when system-internal-tls was enabled. The error occurred because the PreStop hook was trying to connect with HTTP to a TLS-enabled admin server, causing immediate SIGTERM and dropped requests.
/test ?
/test kourier-stable

/test contour-latest

/test kourier-stable

/test kourier-stable
/lgtm thanks for the e2e test, looks great
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: dprotaso, Fedosin
Fixes #16162
Proposed Changes
The queue-proxy admin server now always serves HTTP on port 8022, even when system-internal-tls is enabled. This simplifies the PreStop hook configuration and fixes graceful shutdown issues.
Why this approach:
- PreStop hooks are called by kubelet locally within the pod (localhost)
- No network traffic leaves the pod, so TLS isn't needed for security
- Simpler implementation with no dynamic scheme configuration
- Prevents TLS handshake errors during pod shutdown
This fixes the issue where pods would receive HTTP 502 errors during scale-down operations when system-internal-tls was enabled. The error occurred because the PreStop hook was trying to connect with HTTP to a TLS-enabled admin server, causing immediate SIGTERM and dropped requests.
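An added Go example (not code from this PR or from Knative) that reproduces the mismatch described above: a PreStop-style plain-HTTP GET against a TLS-only admin listener is rejected, while the same GET against the plain-HTTP admin listener the PR keeps succeeds. The drain path /wait-for-drain, the trivial handler, and the use of httptest in place of a real listener on port 8022 are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// drainHandler stands in for the queue-proxy drain endpoint that the kubelet
// PreStop hook calls; the path and handler are assumptions for this example.
func drainHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/wait-for-drain", func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	return mux
}

// adminTLS is the broken combination: a TLS-only admin listener.
func adminTLS() *httptest.Server { return httptest.NewTLSServer(drainHandler()) }

// adminHTTP is what the PR keeps: a plain-HTTP admin listener (port 8022 in Knative).
func adminHTTP() *httptest.Server { return httptest.NewServer(drainHandler()) }

// preStopGet mimics a kubelet httpGet lifecycle hook with scheme HTTP: it always
// speaks plain HTTP to host:port, whatever the listener expects. A non-2xx status
// or an error means the hook failed, and the kubelet then sends SIGTERM right away.
func preStopGet(serverURL string) (int, error) {
	u, err := url.Parse(serverURL)
	if err != nil {
		return 0, err
	}
	u.Scheme = "http" // fixed scheme, as in the PreStop hook
	u.Path = "/wait-for-drain"
	resp, err := http.Get(u.String())
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	tlsSrv, httpSrv := adminTLS(), adminHTTP()
	defer tlsSrv.Close()
	defer httpSrv.Close()
	// Go's net/http answers a plaintext request on a TLS listener with 400 and
	// logs a TLS handshake error; that is the failing hook the PR removes.
	code, err := preStopGet(tlsSrv.URL)
	fmt.Println("HTTP hook -> TLS admin:", code, err)
	code, err = preStopGet(httpSrv.URL)
	fmt.Println("HTTP hook -> HTTP admin:", code, err)
}
```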