-
Notifications
You must be signed in to change notification settings - Fork 770
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Helm updates can lose dual HTTP3 port #982
Comments
@mloiseleur The issue is entirely unrelated to either of those links. The problem here is that the Kubernetes API server munges the Helm-generated patch request (as described in the linked issue), merging the port definitions in the deployment for websecure/websecure-http3 into a single one - which causes either the websecure or websecure-http3 port definition to disappear. The result on that is the the Service object can't route any HTTPS/HTTP3 traffic anymore, since it ends up referring to a port by a name that doesn't exist on the container definition in the Pod. Edit: As a side note; due to when/how the issue happens, it'll likely only appear if you perform certain helm upgrades which change the list of ports. Edit 2: To try to better explain what's going on, here's an example of how the update fails - here with the TCP port disappearing into the ether after the merge; $ kubectl --namespace traefik get deploy traefik-2 -o jsonpath='{.spec.template.spec.containers[0].ports}' | jq
[
{
"containerPort": 8000,
"name": "web",
"protocol": "TCP"
},
{
"containerPort": 8443,
"name": "websecure",
"protocol": "TCP"
}
]
$ cat /tmp/example-patch.yaml
spec:
template:
spec:
containers:
- name: traefik-2
ports:
- containerPort: 8000
name: web
protocol: TCP
- containerPort: 8443
name: websecure
protocol: TCP
- containerPort: 8443
name: websecure-http3
protocol: UDP
$ kubectl --namespace traefik patch deploy traefik-2 --patch-file /tmp/example-patch.yaml
deployment.apps/traefik-2 patched
$ kubectl --namespace traefik get deploy traefik-2 -o jsonpath='{.spec.template.spec.containers[0].ports}' | jq
[
{
"containerPort": 8000,
"name": "web",
"protocol": "TCP"
},
{
"containerPort": 8443,
"name": "websecure-http3",
"protocol": "UDP"
}
] |
\o I get it. The one on the |
It seems to be somewhat related to the Kubernetes environment, Helm, and probably configuration as well. My thought is that just offering the option to render the |
Ah yeah, this seems likes exactly the kind of problems I encountered while working on #656 and tried to avoid there by not introducing any additional named ports with the same numbers. Basically this only happens when using patch (i.e. (There is some kind of choice to be made here, as it is possible to go back to ensuring each number is used in a single pors only in all places, to avoid these kind of bugs. Altough this looks a bit ugly, as the UDP version is not declared, it does work as the container port list declaration is considered to be primarily informational; i.e. if a service on the container listens to a port, it is exposed regardless if it is listed or not. However this is quite confusing to users. However, I do agree this is semantically weird and not preferable.) As for how to work around this particular issue in practice, I do the following:
Also worth mentioning: there is an open proposal for Helm to add Server Side Apply support (see helm/community#312). If that is ever implemented, this issue would be solved by Helm itself. |
The |
Welcome!
What version of the Traefik's Helm Chart are you using?
26.0.0
What version of Traefik are you using?
2.10.6
What did you do?
Installed the Helm chart with;
This results in a Deployment configured as;
And a service like;
What did you see instead?
This configuration unfortunately seems to run into kubernetes/kubernetes#105610 on
helm upgrade
s, causing the two ports to merge into one - with the first websecure winning and removing the UDP port from existence.The resulting deployment looks like;
And the service ends up as;
This causes the incoming service traffic to fail as there's no
websecure-http3
port to referenceWhat is your environment & configuration?
Bare-metal Kubernetes.
Traefik installed from Helm chart using FluxCD.
Additional Information
To keep the deployment working for now, I've added a post-renderer which replaces the service definition for the HTTP3 port to point directly to the port number instead of referring to it by name.
As a note, the template that the Helm Chart renders is correct.
The issue is that Kubernetes API server unfortunately messes up the port list when applying upgrades - for at least certain setups, and since the service object the Helm chart renders refers to the ports by name this means that one of the HTTPS/HTTP3 ports ends up unable to be routed to. (Depending on which one gets lost by the API server merge)
The text was updated successfully, but these errors were encountered: