TCPMapping not applying host/tls configuration on specific port
Describe the bug
Hi! I've been struggling with this issue for the past afternoon, and after a lot of research, I'm starting to suspect this is a bug. I can't apply a TCPMapping tls/host configuration. Without TLS I can connect to my RabbitMQ server, but I can't use TLS termination. It is also impossible to use SNI (seems logical, as TLS doesn't work). By the way, any webservice access works in HTTPS mode.
To Reproduce
Steps to reproduce the behavior:

1. Install Ambassador with an additional port on the LoadBalancer service:

```yaml
- name: rabbitmq
  port: 5671
  targetPort: 5671
  protocol: TCP
```

2. TLSContext configuration:

```yaml
apiVersion: ambassador/v1
kind: TLSContext
name: ocean-certs
secret: ocean-prod-certs
hosts: ["*.ocean.io"]
redirect_cleartext_from: 8080
alpn_protocols: h2,http/1.1
```

3. Apply a TCPMapping:

```yaml
apiVersion: getambassador.io/v1
kind: TCPMapping
metadata:
  name: core-production-rabbitmq
spec:
  port: 5671
  service: core-production-rabbitmq-rabbitmq-ha.namespace:5672
  host: rabbitmq.ocean.io
```
The TLSContext seems not to be applied to the 5671 listener. See my Envoy configuration:

```json
{
  "@type": "/envoy.config.bootstrap.v2.Bootstrap",
  "static_resources": {
    "clusters": [
      {
        "connect_timeout": "3.000s",
        "dns_lookup_family": "V4_ONLY",
        "lb_policy": "ROUND_ROBIN",
        "load_assignment": {
          "cluster_name": "cluster_127_0_0_1_8877",
          "endpoints": [
            {
              "lb_endpoints": [
                {
                  "endpoint": {
                    "address": {
                      "socket_address": {
                        "address": "127.0.0.1",
                        "port_value": 8877,
                        "protocol": "TCP"
                      }
                    }
                  }
                }
              ]
            }
          ]
        },
        "name": "cluster_127_0_0_1_8877",
        "type": "STRICT_DNS"
      },
      {
        "connect_timeout": "3.000s",
        "dns_lookup_family": "V4_ONLY",
        "lb_policy": "ROUND_ROBIN",
        "load_assignment": {
          "cluster_name": "cluster_core_production_rabbitmq_rabbitm-0",
          "endpoints": [
            {
              "lb_endpoints": [
                {
                  "endpoint": {
                    "address": {
                      "socket_address": {
                        "address": "core-production-rabbitmq-rabbitmq-ha.core-production",
                        "port_value": 5672,
                        "protocol": "TCP"
                      }
                    }
                  }
                }
              ]
            }
          ]
        },
        "name": "cluster_core_production_rabbitmq_rabbitm-0",
        "type": "STRICT_DNS"
      }
    ],
    "listeners": [
      {
        "address": {
          "socket_address": {
            "address": "0.0.0.0",
            "port_value": 8443,
            "protocol": "TCP"
          }
        },
        "filter_chains": [
          {
            "filters": [
              {
                "config": {
                  "access_log": [
                    {
                      "config": {
                        "format": "ACCESS [%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\"\n",
                        "path": "/dev/fd/1"
                      },
                      "name": "envoy.file_access_log"
                    }
                  ],
                  "http_filters": [
                    { "name": "envoy.cors" },
                    { "name": "envoy.router" }
                  ],
                  "http_protocol_options": { "accept_http_10": false },
                  "normalize_path": true,
                  "route_config": {
                    "virtual_hosts": [
                      {
                        "domains": [ "*" ],
                        "name": "backend",
                        "routes": [
                          {
                            "match": {
                              "case_sensitive": true,
                              "prefix": "/ambassador/v0/check_ready",
                              "runtime_fraction": {
                                "default_value": { "denominator": "HUNDRED", "numerator": 100 },
                                "runtime_key": "routing.traffic_shift.cluster_127_0_0_1_8877"
                              }
                            },
                            "route": {
                              "cluster": "cluster_127_0_0_1_8877",
                              "prefix_rewrite": "/ambassador/v0/check_ready",
                              "priority": null,
                              "timeout": "10.000s"
                            }
                          },
                          {
                            "match": {
                              "case_sensitive": true,
                              "prefix": "/ambassador/v0/check_alive",
                              "runtime_fraction": {
                                "default_value": { "denominator": "HUNDRED", "numerator": 100 },
                                "runtime_key": "routing.traffic_shift.cluster_127_0_0_1_8877"
                              }
                            },
                            "route": {
                              "cluster": "cluster_127_0_0_1_8877",
                              "prefix_rewrite": "/ambassador/v0/check_alive",
                              "priority": null,
                              "timeout": "10.000s"
                            }
                          },
                          {
                            "match": {
                              "case_sensitive": true,
                              "prefix": "/ambassador/v0/",
                              "runtime_fraction": {
                                "default_value": { "denominator": "HUNDRED", "numerator": 100 },
                                "runtime_key": "routing.traffic_shift.cluster_127_0_0_1_8877"
                              }
                            },
                            "route": {
                              "cluster": "cluster_127_0_0_1_8877",
                              "prefix_rewrite": "/ambassador/v0/",
                              "priority": null,
                              "timeout": "10.000s"
                            }
                          }
                        ]
                      }
                    ]
                  },
                  "server_name": "envoy",
                  "stat_prefix": "ingress_http",
                  "use_remote_address": true,
                  "xff_num_trusted_hops": 0
                },
                "name": "envoy.http_connection_manager"
              }
            ],
            "tls_context": {
              "common_tls_context": {
                "alpn_protocols": [ "h2,http/1.1" ],
                "tls_certificates": [
                  {
                    "certificate_chain": {
                      "filename": "/ambassador/snapshots/istio-system/secrets-decoded/ocean-prod-certs/XXXXX.crt"
                    },
                    "private_key": {
                      "filename": "/ambassador/snapshots/istio-system/secrets-decoded/ocean-prod-certs/XXXXX.key"
                    }
                  }
                ]
              }
            },
            "use_proxy_proto": false
          }
        ],
        "name": "ambassador-listener-8443"
      },
      {
        "address": {
          "socket_address": {
            "address": "0.0.0.0",
            "port_value": 8080,
            "protocol": "TCP"
          }
        },
        "filter_chains": [
          {
            "filters": [
              {
                "config": {
                  "access_log": null,
                  "http_filters": [
                    { "name": "envoy.router" }
                  ],
                  "http_protocol_options": { "accept_http_10": false },
                  "normalize_path": true,
                  "route_config": {
                    "virtual_hosts": [
                      {
                        "domains": [ "*" ],
                        "name": "backend",
                        "require_tls": "EXTERNAL_ONLY",
                        "routes": [
                          {
                            "match": { "prefix": "/" },
                            "redirect": { "https_redirect": true }
                          }
                        ]
                      }
                    ]
                  },
                  "server_name": "envoy",
                  "stat_prefix": "ingress_http",
                  "use_remote_address": true,
                  "xff_num_trusted_hops": 0
                },
                "name": "envoy.http_connection_manager"
              }
            ],
            "use_proxy_proto": false
          }
        ],
        "name": "redirect_listener"
      },
      {
        "address": {
          "socket_address": {
            "address": "0.0.0.0",
            "port_value": 5671,
            "protocol": "TCP"
          }
        },
        "filter_chains": [
          {
            "filters": [
              {
                "config": {
                  "stat_prefix": "ingress_tcp_5671",
                  "weighted_clusters": {
                    "clusters": [
                      {
                        "name": "cluster_core_production_rabbitmq_rabbitm-0",
                        "weight": 100
                      }
                    ]
                  }
                },
                "name": "envoy.tcp_proxy"
              }
            ]
          }
        ],
        "name": "listener-0.0.0.0-5671"
      }
    ]
  }
}
```
Versions (please complete the following information):
- Ambassador: 0.84.1
- Kubernetes environment: EKS
- Version: 1.14
Thanks for your help!
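Added example (not code from the issue, from Ambassador or from Envoy): a small Python script that reads an Envoy bootstrap dump like the one above and reports, per listener filter chain, whether TLS is terminated, which SNI `server_names` the chain matches, which certificate files it serves and which clusters a `tcp_proxy` forwards to. On the layout in this issue it flags `listener-0.0.0.0-5671` as a cleartext `tcp_proxy` with no `tls_context`, which is the configuration-level form of the reported symptom: a TLS ClientHello arriving on 5671 (for instance from `openssl s_client -connect <lb>:5671 -servername rabbitmq.ocean.io`) is forwarded byte-for-byte to RabbitMQ's plaintext port 5672, and any AMQP credentials a non-TLS client sends on that path cross the load balancer in the clear. The embedded sample config is constructed: it keeps the listener layout from the issue with shortened certificate paths, and adds a hand-written listener on 9443 in the Envoy v3 shape (`filter_chain_match` plus `transport_socket`) only to show what a chain that does terminate TLS and select on SNI looks like to the script; that extra listener, its cluster name and the file paths are assumptions, not Ambassador output. The script goes slightly beyond the issue in accepting both the v2 `tls_context` and the v3 `transport_socket` form.

```python
import json
import sys

# Constructed sample, trimmed from the dump in the issue: the TLS HTTP listener
# on 8443, the cleartext redirect listener on 8080, and the tcp_proxy listener on
# 5671 that carries no tls_context. The 9443 listener is hand-written in the
# Envoy v3 shape (filter_chain_match + transport_socket), not Ambassador output,
# to show what a chain that terminates TLS and selects on SNI looks like here.
SAMPLE_CONFIG = json.loads("""
{"static_resources": {"listeners": [
 {"name": "ambassador-listener-8443",
  "address": {"socket_address": {"address": "0.0.0.0", "port_value": 8443}},
  "filter_chains": [{"filters": [{"name": "envoy.http_connection_manager"}],
   "tls_context": {"common_tls_context": {"alpn_protocols": ["h2,http/1.1"],
    "tls_certificates": [{"certificate_chain": {"filename": "/secrets/ocean/tls.crt"},
                          "private_key": {"filename": "/secrets/ocean/tls.key"}}]}}}]},
 {"name": "redirect_listener",
  "address": {"socket_address": {"address": "0.0.0.0", "port_value": 8080}},
  "filter_chains": [{"filters": [{"name": "envoy.http_connection_manager"}]}]},
 {"name": "listener-0.0.0.0-5671",
  "address": {"socket_address": {"address": "0.0.0.0", "port_value": 5671}},
  "filter_chains": [{"filters": [{"name": "envoy.tcp_proxy", "config": {
   "weighted_clusters": {"clusters": [
    {"name": "cluster_core_production_rabbitmq_rabbitm-0", "weight": 100}]}}}]}]},
 {"name": "constructed-sni-tcp-9443",
  "address": {"socket_address": {"address": "0.0.0.0", "port_value": 9443}},
  "filter_chains": [{"filter_chain_match": {"server_names": ["rabbitmq.ocean.io"]},
   "transport_socket": {"name": "envoy.transport_sockets.tls", "typed_config": {
    "common_tls_context": {"tls_certificates": [{
     "certificate_chain": {"filename": "/secrets/ocean/tls.crt"},
     "private_key": {"filename": "/secrets/ocean/tls.key"}}]}}},
   "filters": [{"name": "envoy.filters.network.tcp_proxy",
                "typed_config": {"cluster": "cluster_rabbitmq_plain_5672"}}]}]}
]}}
""")

TCP_PROXY_NAMES = {"envoy.tcp_proxy", "envoy.filters.network.tcp_proxy"}

def chain_tls(chain):
    """TLS config of a filter chain, or None when the chain is cleartext.
    Accepts the v2 shape (filter_chains[].tls_context) and the v3 shape
    (filter_chains[].transport_socket using the TLS transport socket)."""
    if "tls_context" in chain:
        return chain["tls_context"]
    sock = chain.get("transport_socket") or {}
    if sock.get("name") == "envoy.transport_sockets.tls":
        return sock.get("typed_config") or {}
    return None

def tcp_proxy_upstreams(filt):
    """Clusters a tcp_proxy filter forwards to (single or weighted form)."""
    cfg = filt.get("config") or filt.get("typed_config") or {}
    if "cluster" in cfg:
        return [cfg["cluster"]]
    return [c["name"] for c in (cfg.get("weighted_clusters") or {}).get("clusters", [])]

def inspect_listeners(config):
    """One row per (listener, filter chain): does it terminate TLS, for which
    SNI names, with which certs, and where does raw TCP go."""
    rows = []
    for lst in config.get("static_resources", {}).get("listeners", []):
        port = lst.get("address", {}).get("socket_address", {}).get("port_value")
        for idx, chain in enumerate(lst.get("filter_chains", [])):
            tls = chain_tls(chain)
            certs = (tls or {}).get("common_tls_context", {}).get("tls_certificates", [])
            filters = chain.get("filters", [])
            rows.append({
                "listener": lst.get("name"), "port": port, "chain": idx,
                "tls": tls is not None,
                "sni": list(chain.get("filter_chain_match", {}).get("server_names", [])),
                "certs": [c.get("certificate_chain", {}).get("filename") for c in certs],
                "filters": [f.get("name") for f in filters],
                "upstreams": [u for f in filters if f.get("name") in TCP_PROXY_NAMES
                              for u in tcp_proxy_upstreams(f)],
            })
    return rows

def cleartext_tcp_proxies(config):
    """Listeners that hand raw TCP to an upstream without terminating TLS: the
    symptom in the issue, a TLSContext that never reached port 5671."""
    return sorted({r["listener"] for r in inspect_listeners(config)
                   if r["upstreams"] and not r["tls"]})

def sni_chains(config):
    """(listener, server_names) for every chain that selects on SNI."""
    return [(r["listener"], r["sni"]) for r in inspect_listeners(config) if r["sni"]]

if __name__ == "__main__":
    # Usage: python envoy_tls_audit.py [envoy.json]; with no argument, the sample.
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CONFIG
    for r in inspect_listeners(cfg):
        print(f"{r['listener']:26} :{r['port']:<5} {'TLS' if r['tls'] else 'PLAINTEXT':9} "
              f"sni={r['sni'] or '-'} upstream={r['upstreams'] or r['filters']}")
    print("cleartext tcp_proxy listeners:", cleartext_tcp_proxies(cfg))
```

Point it at the real dump with `python envoy_tls_audit.py envoy.json`. Had the TLSContext been applied to the mapped port, the 5671 chain would carry a `tls_context` with the `ocean-prod-certs` files, and SNI-based selection on `rabbitmq.ocean.io` would appear as `server_names` in that chain's `filter_chain_match`; the dump in the issue has neither, so the check is a quick way to confirm the gap on each upgrade before retesting from a client.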
Issue Analytics
- Created 4 years ago
- Reactions: 4
- Comments: 20 (3 by maintainers)
Top GitHub Comments
I am having this problem as well. Is anyone aware of a workaround?
Same issue with version 1.14.2. I defined just one `Host` object and a `TCPMapping` object. The correct certificate is returned but the HTTP response is 404 Not Found.

When the `Host` object is created this is added under spec:

However there is no label nor field named "hostname" in the `TCPMapping` object. How is it supposed to work?