Conversation

@Fedosin Fedosin commented Oct 21, 2025

What this PR does / why we need it:

The queue-proxy admin server now always serves HTTP on port 8022, even when system-internal-tls is enabled. This simplifies the PreStop hook configuration and fixes graceful shutdown issues.

Changes:

  • Queue-proxy admin server always uses HTTP, only main server uses TLS
  • PreStop hooks always use HTTP scheme (removed dynamic configuration)
  • Updated tests to reflect that admin server is always HTTP

Why this approach:

  • PreStop hooks are called by kubelet locally within the pod (localhost)
  • No network traffic leaves the pod, so TLS isn't needed for security
  • Simpler implementation with no dynamic scheme configuration
  • Prevents TLS handshake errors during pod shutdown

This fixes the issue where pods would receive HTTP 502 errors during scale-down operations when system-internal-tls was enabled. The error occurred because the PreStop hook was trying to connect with HTTP to a TLS-enabled admin server, causing immediate SIGTERM and dropped requests.

Cherry-picked from knative#16163

Which issue(s) this PR fixes:

JIRA: https://issues.redhat.com/browse/SRVKS-1332

Is this PR needed for other branches:

Does this PR (patch) need to be updated/dropped in the future?:

JIRA:

The queue-proxy admin server now always serves HTTP on port 8022, even
when system-internal-tls is enabled. This simplifies the PreStop hook
configuration and fixes graceful shutdown issues.

Changes:
- Queue-proxy admin server always uses HTTP, only main server uses TLS
- PreStop hooks always use HTTP scheme (removed dynamic configuration)
- Updated tests to reflect that admin server is always HTTP

Why this approach:
- PreStop hooks are called by kubelet locally within the pod (localhost)
- No network traffic leaves the pod, so TLS isn't needed for security
- Simpler implementation with no dynamic scheme configuration
- Prevents TLS handshake errors during pod shutdown

This fixes the issue where pods would receive HTTP 502 errors during
scale-down operations when system-internal-tls was enabled. The error
occurred because the PreStop hook was trying to connect with HTTP to
a TLS-enabled admin server, causing immediate SIGTERM and dropped
requests.
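As an added illustration of the failure described above (not code from this PR or from Knative), the Go snippet below models the admin listener and a kubelet-style httpGet PreStop hook: a hook configured with the http scheme against a TLS listener never reaches the drain handler, which is the mismatch this change removes by keeping the admin server plaintext. The names newAdminServer and preStopHook and the /wait-for-drain path are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync/atomic"
)

// newAdminServer starts a stand-in for the queue-proxy admin listener, plaintext or
// TLS (httptest's self-signed cert); the returned flag records whether the drain
// handler ever ran. Names and path are assumptions for this example.
func newAdminServer(useTLS bool) (*httptest.Server, *atomic.Bool) {
	var drained atomic.Bool
	mux := http.NewServeMux()
	mux.HandleFunc("/wait-for-drain", func(w http.ResponseWriter, _ *http.Request) {
		drained.Store(true)
		w.WriteHeader(http.StatusOK)
	})
	if useTLS {
		return httptest.NewTLSServer(mux), &drained
	}
	return httptest.NewServer(mux), &drained
}

// preStopHook mimics kubelet's httpGet lifecycle hook: the scheme comes from the pod
// spec, not from what the listener actually speaks. It returns the status the hook
// saw and whether the drain handler ran.
func preStopHook(useTLS bool, scheme string) (status int, drained bool, err error) {
	srv, flag := newAdminServer(useTLS)
	defer srv.Close()
	u, _ := url.Parse(srv.URL)
	u.Scheme, u.Path = scheme, "/wait-for-drain"
	// srv.Client() trusts the test cert, so an https hook against TLS would succeed;
	// a plaintext request to the TLS listener is answered with a non-2xx instead.
	resp, err := srv.Client().Get(u.String())
	if err != nil {
		return 0, flag.Load(), err
	}
	resp.Body.Close()
	return resp.StatusCode, flag.Load(), nil
}

func main() {
	for _, tls := range []bool{true, false} {
		st, dr, err := preStopHook(tls, "http")
		fmt.Printf("admin tls=%v, hook scheme=http -> status=%d drained=%v err=%v\n", tls, st, dr, err)
	}
}
```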
@openshift-ci openshift-ci bot requested review from dsimansk and mvinkler October 21, 2025 19:22
@dsimansk

/approve
/lgtm


openshift-ci bot commented Oct 21, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dsimansk, Fedosin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 635a078 into openshift-knative:release-v1.17 Oct 21, 2025
35 checks passed
@openshift-cherrypick-robot

@Fedosin: cannot checkout release-vX.Y: error checking out "release-vX.Y": exit status 1 error: pathspec 'release-vX.Y' did not match any file(s) known to git


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
