-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move to use okhttp4 for Kubernetes cluster using IPV6 #4002
Comments
ppatierno
changed the title
Move to use okhttp4 for handling cluster using IPV6
Move to use okhttp4 for Kubernetes cluster using IPV6
Nov 25, 2020
I just opened a corresponding issue in fabric8 as well. It would be great having that library updating to the okhttp4 version directly. |
This needs to be fixed in Fabric8 Kubernetes client => closing this issue. |
8 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If you are running a Kubernetes cluster with IPV6 based infrastructure, the current cluster operator raises the following exception:
The problem seems to be related to a bug in the okhttp3 library that is used by the fabric8 Kubernetes client used by Strimzi. The okhttp3 library seems not able to handle IPV6 address correctly when verifying hostname during TLS certificate verification.
For that bug, the okhttp project seems to have the following fix square/okhttp#5889. It was already merged into the master but anyway it's planned to be delivered in okhttp4 library (milestone set to 4.5). While we should evaluate the impact of okhttp moving from 3 to 4 (which anyway means to test fabric8 as well), there is a really easy workaround that doesn't need any kind of update.
The fabric8 client reaches the Kubernetes master API through the
KUBERNETES_MASTER
env var which is, by default, defined ashttps://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT
where, in an IPV6 cluster, we haveKUBERNETES_SERVICE_HOST: fd02::1
. This is causing the issue in okhttp3 library not able to handle that IPV6 address for reaching the master URL.The workaround I used and verified is setting the
KUBERNETES_MASTER
to the actual Kubernetes master on the got through thekubectl cluster-info
command.It could even be one of the IPV4 addresses listed in the subjectAltNames of the logged exception above (i.e. kubernetes.default.svc).
The
KUBERNETES_MASTER
has to be set in the Deployment YAML file of the cluster operator in thespec.template.spec.containers
as env for the pod template.Another way to work around this is just disabling the hostname verification so setting the
KUBERNETES_DISABLE_HOSTNAME_VERIFICATION
env var to false (in the cluster operator Deployment YAML file)Even if a workaround exists we should track okhttp4 release together with fabric8 and if it's going to use this new version, in order to avoid the need of the workaround just described.
The text was updated successfully, but these errors were encountered: