New probe port for Gossip Router when TLS is enabled #1675
Conversation
| @@ -51,6 +51,8 @@ func GossipRouter(i *ispnv1.Infinispan, ctx pipeline.Context) { | |||
| } | |||
| mutateFn := func() error { | |||
| routerLabels := i.GossipRouterPodLabels() | |||
| var enableJgrpDiag bool = consts.JGroupsDiagnosticsFlag == "TRUE" | |||
There was a problem hiding this comment.
type declaration is redudant, this can just be enableJgrpDiag := ...
| @@ -67,6 +69,10 @@ func GossipRouter(i *ispnv1.Infinispan, ctx pipeline.Context) { | |||
|
|
|||
| var addKeystoreVolume, addTruststoreVolume bool | |||
| if i.IsSiteTLSEnabled() { | |||
| // enable diagnostic for k8s probes | |||
| enableJgrpDiag = true | |||
There was a problem hiding this comment.
Do we always want diagnostics enabled whenever XSIte TLS is enabled?
There was a problem hiding this comment.
yes, because I need the Gossip Router to open the port so probe can "ping" it.
There was a problem hiding this comment.
So we need to use the diagnostic port as it's a TCP probe and when TLS is enabled there's no other way for the health check to succeed on the router pod?
There was a problem hiding this comment.
The health check succeeds with TLS but the issue is the gossip router logging javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake because the probe does not do the TLS handshake (it looks like it only tries to ping it).
With this PR, I'm enabling the diagnostic port when TLS is enabled; the health check can probe that port and we avoided the exceptions in the log.
There was a problem hiding this comment.
The exception reported when using openssl is different until wildfly-security/wildfly-openssl#123 is merged
pruivo
force-pushed
the
t_gossip_router_diag_port
branch
from
41c2615 to
da47ced
Compare
|
Maybe it's worth investigating a micrometer-based endpoint for the GossipRouter so that it can be scraped by Prometheus |
|
Thanks @pruivo |
Closes #1602