What happened?

We have a Java Spring boot app deployed on AKS cluster that in response provides a json object. App works fine without Kuma but as soon as Kuma is enabled, urls throws an upstream error and reason being protocol error. I can say, Kuma in general is working as we have other apps on the cluster that are working as expected. Been trying to troubleshoot for a while but gone no where with it. Any insights on how to troubleshoot or if there is anything that needs to be fixed in Kuma. I see 502 Bad gateway error when I do a curl on the endpoint, at least from what I understood(could be wrong as well) Kuma is not liking the json response from the backend and throwing a 502.

Summary

If a DPP starts with a missing or invalid CA cert, both the DPP and CP get in an endless error loop. The DPP should fail and exit as a retry isn't going to ever succeed:

DPP:

[2021-05-21 17:19:18.477][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:334] StreamHealthCheck gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2021-05-21 17:19:18.477][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:71] HdsDelegate stream/connection failure, will retry in 535 ms.
[2021-05-21 17:19:19.015][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:334] StreamHealthCheck gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2021-05-21 17:19:19.015][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:71] HdsDelegate stream/connection failure, will retry in 226 ms.
[2021-05-21 17:19:19.246][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:334] StreamHealthCheck gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2021-05-21 17:19:19.246][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:71] HdsDelegate stream/connection failure, will retry in 427 ms.
[2021-05-21 17:19:19.671][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:334] StreamHealthCheck gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2021-05-21 17:19:19.671][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:71] HdsDelegate stream/connection failure, will retry in 918 ms.
[2021-05-21 17:19:20.594][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:334] StreamHealthCheck gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2021-05-21 17:19:20.594][1921][warning][upstream] [source/common/upstream/health_discovery_service.cc:71] HdsDelegate stream/connection failure, will retry in 628 ms.

CP:

2021/05/21 17:19:12 http: TLS handshake error from 172.31.4.238:40740: remote error: tls: unknown certificate authority
2021/05/21 17:19:13 http: TLS handshake error from 172.31.4.238:40742: remote error: tls: unknown certificate authority
2021/05/21 17:19:13 http: TLS handshake error from 172.31.4.238:40744: remote error: tls: unknown certificate authority
2021/05/21 17:19:13 http: TLS handshake error from 172.31.4.238:40746: remote error: tls: unknown certificate authority
2021/05/21 17:19:14 http: TLS handshake error from 172.31.4.238:40748: remote error: tls: unknown certificate authority
2021/05/21 17:19:14 http: TLS handshake error from 172.31.4.238:40750: remote error: tls: unknown certificate authority
2021/05/21 17:19:15 http: TLS handshake error from 172.31.4.238:40752: remote error: tls: unknown certificate authority
2021/05/21 17:19:15 http: TLS handshake error from 172.31.4.238:40754: remote error: tls: unknown certificate authority
2021/05/21 17:19:15 http: TLS handshake error from 172.31.4.238:40756: remote error: tls: unknown certificate authority
2021/05/21 17:19:16 http: TLS handshake error from 172.31.4.238:40758: remote error: tls: unknown certificate authority
2021/05/21 17:19:16 http: TLS handshake error from 172.31.4.238:40760: remote error: tls: unknown certificate authority
2021/05/21 17:19:17 http: TLS handshake error from 172.31.4.238:40762: remote error: tls: unknown certificate authority
2021/05/21 17:19:18 http: TLS handshake error from 172.31.4.238:40764: remote error: tls: unknown certificate authority
2021/05/21 17:19:18 http: TLS handshake error from 172.31.4.238:40766: remote error: tls: unknown certificate authority
2021/05/21 17:19:18 http: TLS handshake error from 172.31.4.238:40768: remote error: tls: unknown certificate authority
2021/05/21 17:19:19 http: TLS handshake error from 172.31.4.238:40770: remote error: tls: unknown certificate authority
2021/05/21 17:19:19 http: TLS handshake error from 172.31.4.238:40772: remote error: tls: unknown certificate authority
2021/05/21 17:19:19 http: TLS handshake error from 172.31.4.238:40774: remote error: tls: unknown certificate authority
2021/05/21 17:19:20 http: TLS handshake error from 172.31.4.238:40776: remote error: tls: unknown certificate authority

Steps To Reproduce

[root@ip-172-31-2-167 ~]# env | grep KUMA KUMA_GENERAL_TLS_KEY_FILE=/home/ec2-user/ip-172-31-2-167.us-east-2.compute.internal.key KUMA_DP_SERVER_TLS_KEY_FILE=/home/ec2-user/ip-172-31-2-167.us-east-2.compute.internal.key KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR=/home/ec2-user KUMA_GENERAL_TLS_CERT_FILE=/home/ec2-user/ip-172-31-2-167.us-east-2.compute.internal.crt KUMA_DP_SERVER_TLS_CERT_FILE=/home/ec2-user/ip-172-31-2-167.us-east-2.compute.internal.crt [root@ip-172-31-2-167 ~]# KUMA_MODE=remote KUMA_MULTIZONE_REMOTE_ZONE=universal-2 KUMA_MULTIZONE_REMOTE_GLOBAL_ADDRESS=grpcs://ip-172-31-7-0.us-east-2.compute.internal:5685 KUMA_DNS_SERVER_PORT=53 kuma-cp run --license-path=/home/ec2-user/license.json

2. ```
[ec2-user@ip-172-31-4-238 ~]$ env | grep KUMA
KUMA_GENERAL_TLS_KEY_FILE=/home/ec2-user/ip-172-31-4-238.us-east-2.compute.internal.key
KUMA_DNS_SERVER_PORT=53
KUMA_DNS_SERVER_CIDR=240.0.0.0/4
KUMA_DP_SERVER_TLS_KEY_FILE=/home/ec2-user/ip-172-31-4-238.us-east-2.compute.internal.key
KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR=/home/ec2-user
KUMA_DNS_SERVER_DOMAIN=mesh
KUMA_GENERAL_TLS_CERT_FILE=/home/ec2-user/ip-172-31-4-238.us-east-2.compute.internal.crt
KUMA_DP_SERVER_TLS_CERT_FILE=/home/ec2-user/ip-172-31-4-238.us-east-2.compute.internal.crt
[ec2-user@ip-172-31-4-238 ~]$ kuma-dp run --cp-address=https://ip-172-31-2-167.us-east-2.compute.internal:5678/ --dataplane-token-file=/home/ec2-user/universal-token --dataplane-file=/home/ec2-user/dataplane-universal.yaml  --dns-enabled

Summary

For alternate overlay networking(other than the basic CNI provided by EKS for example, like cilium), This is mandatory value that has to be set, otherwise it will have communication errors with the control plane. If you are using the default CNI component, it's running on the default network.

Full changelog

• Implement hostNetwork: true in cp-deployment.yaml file.

Documentation

• [ ] Link to the website documentation PR

Testing

• [ ] Unit tests
• [ ] E2E tests
• [ ] Manual testing on Universal
• [ X ] Manual testing on Kubernetes

Backwards compatibility

• [ ] Update UPGRADE.md with any steps users will need to take when upgrading.
• [ ] Add backport-to-stable label if the code follows our backporting policy

What happened?

1. Follow installation instructions (https://kuma.io/docs/1.2.x/installation/eks/)

	./kumactl install control-plane | kubectl apply -f - 

	kumactl install control-plane | kubectl apply -f -
	Error: Failed to render helm template files: Failed to render templates: template: kuma/templates/cp-webhooks-and-secrets.yaml:20:16: executing "kuma/templates/cp-webhooks-and-secrets.yaml" at <lookup "v1" "Secret" .Release.Namespace $secretName>: error calling lookup: unable to get apiresource from unstructured: /v1, Kind=Secret: exec plugin: invalid apiVersion "client.authentication.k8s.io/v1alpha1"
	error: error parsing STDIN: error converting YAML to JSON: yaml: line 2: mapping values are not allowed in this context

2. Install Kuma with helm

	helm install --create-namespace --namespace kuma-system kuma kuma/kuma

3. Launch UI to verify installation all looks well

	kubectl port-forward svc/kuma-control-plane -n kuma-system 5681:5681

4. Install demo app

	kubectl apply -f demo.yaml

5. Note that no demo pods are coming up, look at demo app replicaset and see the following error

	Warning  FailedCreate  8m30s (x20 over 49m)  replicaset-controller  Error creating: Internal error occurred: failed calling webhook "namespace-kuma-injector.kuma.io": failed to call webhook: Post "[https://kuma-control-plane.kuma-system.svc:443/inject-sidecar?timeout=10s](https://kuma-control-plane.kuma-system.svc/inject-sidecar?timeout=10s)": context deadline exceeded

6. Take a look at the control plane logs; no errors only this interesting message repeated over and over

	2022-06-25T11:38:10.363Z    INFO    defaults    trying to create default Mesh

7. Look in helm chart docs for debug flag and redeploy helm

	helm upgrade --install --set controlPlane.logLevel=debug --namespace kuma-system kuma kuma/kuma

8. Take a look at the control plane logs

	2022-06-25T11:40:55.488Z    INFO    defaults    trying to create default Mesh                                                                          │
	│ 2022-06-25T11:41:05.496Z    DEBUG    defaults    could not create default mesh    {"err": "failed to create k8s resource: Internal error occurred: fai │
	│ led calling webhook \"mesh.defaulter.kuma-admission.kuma.io\": failed to call webhook: Post \"https://kuma-control-plane.kuma-system.svc:443/default-k │
	│ uma-io-v1alpha1-mesh?timeout=10s\": context deadline exceeded", "errVerbose": "Internal error occurred: failed calling webhook \"mesh.defaulter.kuma-a │
	│ dmission.kuma.io\": failed to call webhook: Post \"https://kuma-control-plane.kuma-system.svc:443/default-kuma-io-v1alpha1-mesh?timeout=10s\": context │
	│  deadline exceeded\nfailed to create k8s resource\ngithub.com/kumahq/kuma/pkg/plugins/resources/k8s.(*KubernetesStore).Create\n\t/home/circleci/projec │
	│ t/pkg/plugins/resources/k8s/store.go:75\ngithub.com/kumahq/kuma/pkg/core/resources/store.(*paginationStore).Create\n\t/home/circleci/project/pkg/core/ │
	│ resources/store/pagination_store.go:30\ngithub.com/kumahq/kuma/pkg/metrics/store.(*MeteredStore).Create\n\t/home/circleci/project/pkg/metrics/store/st │
	│ ore.go:38\ngithub.com/kumahq/kuma/pkg/core/resources/store.(*customizableResourceStore).Create\n\t/home/circleci/project/pkg/core/resources/store/cust │
	│ omizable_store.go:30\ngithub.com/kumahq/kuma/pkg/core/managers/apis/mesh.(*meshManager).Create\n\t/home/circleci/project/pkg/core/managers/apis/mesh/m │
	│ esh_manager.go:82\ngithub.com/kumahq/kuma/pkg/core/resources/manager.(*customizableResourceManager).Create\n\t/home/circleci/project/pkg/core/resource │
	│ s/manager/customizable_manager.go:48\ngithub.com/kumahq/kuma/pkg/defaults.(*defaultsComponent).createMeshIfNotExist\n\t/home/circleci/project/pkg/defa │
	│ ults/mesh.go:26\ngithub.com/kumahq/kuma/pkg/defaults.(*defaultsComponent).Start.func1.1\n\t/home/circleci/project/pkg/defaults/components.go:90\ngithu │
	│ b.com/sethvargo/go-retry.Do\n\t/home/circleci/.go-kuma-go/pkg/mod/github.com/sethvargo/[email protected]/retry.go:60\ngithub.com/kumahq/kuma/pkg/default │
	│ s.(*defaultsComponent).Start.func1\n\t/home/circleci/project/pkg/defaults/components.go:89\nruntime.goexit\n\t/home/circleci/go/src/runtime/asm_amd64. │
	│ s:1571"}

9. Scratch head 😕

Summary

Facing error on terminal while hitting command zsh: too many levels of symbolic links: kumactl

Steps To Reproduce

1. echo "type: Mesh name: my-first-mesh" | kumactl apply -f - .

Additional Details & Logs

Following this

• Version
• Error logs -- zsh: too many levels of symbolic links: kumactl
• Configuration
• Platform and Operating System -- MAC OS
• Installation Method (Helm, kumactl, AWS CloudFormation, etc.) -- kumactl

Summary

kumactl and kuma-dp communicates to kuma-cp over http. In case kuma-cp is behind a https reverese proxy, kumactl cannot connect to it. Added support to upgrade connection to https and disable client security check for ssl.

this PR will enable https://github.com/Kong/kuma/issues/597

Summary

Currently, there is no place to specify the resource limits for control plane deployment. This PR provides the option to specify limits for control plane deployment

Full changelog

Helm - Provided resource limits option for kuma-cp deployment

Testing

• [ ] Unit tests
• [ ] E2E tests
• [ ] Manual testing on Universal
• [X] Manual testing on Kubernetes

Backwards compatibility

Does not effect backwards compatibility.

Signed-off-by: Gaurav Dasson [email protected]

Signed-off-by: Tharun [email protected]

Summary

Added support for udp protocol.

Issues resolved

Fix #239

Documentation

• [ ] Link to the website documentation PR

Checklist prior to review

• [x] Link to docs PR or issue -- https://github.com/kumahq/kuma/issues/3121
• [x] Link to UI issue or PR -- n/a
• [x] Is the issue worked on linked? --
• [x] The PR does not hardcode values that might break projects that depend on kuma (e.g. "kumahq" as a image registry) --
• [x] The PR will work for both Linux and Windows, system specific functions like syscall.Mkfifo have equivalent implementation on the other OS --
• [x] Unit Tests --
• [x] E2E Tests --
• [ ] Manual Universal Tests --
• [ ] Manual Kubernetes Tests --
• [x] Do you need to update UPGRADE.md? -- no
• [x] Does it need to be backported according to the backporting policy? -- no
• [ ] Do you need to explicitly set a > Changelog: entry here or add a ci/ label to run fewer/more tests?

Description

As discussed here: https://kuma-mesh.slack.com/archives/CN2GN4HE1/p1649873274317209 I would like to understand if the following use case - and related feature - would be interesting for the Kuma community.

The use case is based on security enforcement: let's say that microservice A wants to send a request to an authenticated API of microservice B. If the microservice A needs a JWT token from a IdP, the first solution would be to implement via application code the interaction with the IdP.

Since that Kuma provides mTLS and traffic policy, it would be great to offload this phase of getting the JWT token from an Idp to the Kuma sidecar instead of implementing it in the application.

I would like to get some feedbacks from the community!

Summary

This PR adds a validating webhook to validate the kuma.io scoped labels and annotations. A lot of the boilerplate was inspired from #611.

Full changelog

• Add a map in metadata.annotations to check for valid annotations/labels.
• Add webhook configuration in the relevant yaml manifests.
• Add pod_validator.go and pod_validator_test.go which contain the code for the webhook's Handle and validate methods.

Issues resolved

Fix #2331

Testing

• [x] Unit tests

What happened?

What happened?

Cannot see traffic traces on Jaeger

Mesh and Traffic Trace configurations

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: kuma-counter
spec:
  tracing:
    defaultBackend: jaeger-collector
    backends:
    - name: jaeger-collector
      type: zipkin
      sampling: 100.0
      conf:
        url: http://jaeger-collector.telemetry.svc:9411/api/v2/spans

apiVersion: kuma.io/v1alpha1
kind: TrafficTrace
mesh: kuma-counter
metadata:
  name: trace-all-traffic
spec:
  selectors:
  - match:
      kuma.io/service: '*'
  conf:
    backend: jaeger-collector

Kuma Envoy sidecar and Kuma Controlplane logs

k logs demo-app-68bc95bf6-6r8j2 -n demo-app -c kuma-sidecar |tee -a envoy.log k logs kuma-control-plane-6b5f78f944-pn78r -n kuma |tee -a kuma-cp.log

envoy.log kuma-cp.log

Jaeger metrics

curl -s http://jaeger-collector.telemetry.svc:14269/metrics |grep "jaeger_collector_spans_received"
# HELP jaeger_collector_spans_received_total received
# TYPE jaeger_collector_spans_received_total counter
jaeger_collector_spans_received_total{debug="false",format="jaeger",svc="other-services",transport="grpc"} 0
jaeger_collector_spans_received_total{debug="false",format="jaeger",svc="other-services",transport="http"} 0
jaeger_collector_spans_received_total{debug="false",format="jaeger",svc="other-services",transport="unknown"} 0
jaeger_collector_spans_received_total{debug="false",format="proto",svc="other-services",transport="grpc"} 0
jaeger_collector_spans_received_total{debug="false",format="proto",svc="other-services",transport="http"} 0
jaeger_collector_spans_received_total{debug="false",format="proto",svc="other-services",transport="unknown"} 0
jaeger_collector_spans_received_total{debug="false",format="unknown",svc="other-services",transport="grpc"} 0
jaeger_collector_spans_received_total{debug="false",format="unknown",svc="other-services",transport="http"} 0
jaeger_collector_spans_received_total{debug="false",format="unknown",svc="other-services",transport="unknown"} 0
jaeger_collector_spans_received_total{debug="false",format="zipkin",svc="other-services",transport="grpc"} 0
jaeger_collector_spans_received_total{debug="false",format="zipkin",svc="other-services",transport="http"} 0
jaeger_collector_spans_received_total{debug="false",format="zipkin",svc="other-services",transport="unknown"} 0
jaeger_collector_spans_received_total{debug="true",format="jaeger",svc="other-services",transport="grpc"} 0
jaeger_collector_spans_received_total{debug="true",format="jaeger",svc="other-services",transport="http"} 0
jaeger_collector_spans_received_total{debug="true",format="jaeger",svc="other-services",transport="unknown"} 0
jaeger_collector_spans_received_total{debug="true",format="proto",svc="other-services",transport="grpc"} 0
jaeger_collector_spans_received_total{debug="true",format="proto",svc="other-services",transport="http"} 0
jaeger_collector_spans_received_total{debug="true",format="proto",svc="other-services",transport="unknown"} 0
jaeger_collector_spans_received_total{debug="true",format="unknown",svc="other-services",transport="grpc"} 0
jaeger_collector_spans_received_total{debug="true",format="unknown",svc="other-services",transport="http"} 0
jaeger_collector_spans_received_total{debug="true",format="unknown",svc="other-services",transport="unknown"} 0
jaeger_collector_spans_received_total{debug="true",format="zipkin",svc="other-services",transport="grpc"} 0
jaeger_collector_spans_received_total{debug="true",format="zipkin",svc="other-services",transport="http"} 0
jaeger_collector_spans_received_total{debug="true",format="zipkin",svc="other-services",transport="unknown"} 0
root@temp:/# curl -s http://jaeger-collector.telemetry.svc:14269/metrics |grep "jaeger_collector_traces_received"
# HELP jaeger_collector_traces_received_total received
# TYPE jaeger_collector_traces_received_total counter
jaeger_collector_traces_received_total{debug="false",format="jaeger",sampler_type="const",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="jaeger",sampler_type="const",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="jaeger",sampler_type="const",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="jaeger",sampler_type="lowerbound",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="jaeger",sampler_type="lowerbound",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="jaeger",sampler_type="lowerbound",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="jaeger",sampler_type="probabilistic",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="jaeger",sampler_type="probabilistic",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="jaeger",sampler_type="probabilistic",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="jaeger",sampler_type="ratelimiting",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="jaeger",sampler_type="ratelimiting",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="jaeger",sampler_type="ratelimiting",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="jaeger",sampler_type="unknown",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="jaeger",sampler_type="unknown",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="jaeger",sampler_type="unknown",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="proto",sampler_type="const",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="proto",sampler_type="const",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="proto",sampler_type="const",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="proto",sampler_type="lowerbound",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="proto",sampler_type="lowerbound",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="proto",sampler_type="lowerbound",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="proto",sampler_type="probabilistic",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="proto",sampler_type="probabilistic",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="proto",sampler_type="probabilistic",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="proto",sampler_type="ratelimiting",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="proto",sampler_type="ratelimiting",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="proto",sampler_type="ratelimiting",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="proto",sampler_type="unknown",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="proto",sampler_type="unknown",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="proto",sampler_type="unknown",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="unknown",sampler_type="const",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="unknown",sampler_type="const",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="unknown",sampler_type="const",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="unknown",sampler_type="lowerbound",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="unknown",sampler_type="lowerbound",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="unknown",sampler_type="lowerbound",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="unknown",sampler_type="probabilistic",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="unknown",sampler_type="probabilistic",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="unknown",sampler_type="probabilistic",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="unknown",sampler_type="ratelimiting",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="unknown",sampler_type="ratelimiting",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="unknown",sampler_type="ratelimiting",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="unknown",sampler_type="unknown",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="unknown",sampler_type="unknown",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="unknown",sampler_type="unknown",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="zipkin",sampler_type="const",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="zipkin",sampler_type="const",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="zipkin",sampler_type="const",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="zipkin",sampler_type="lowerbound",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="zipkin",sampler_type="lowerbound",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="zipkin",sampler_type="lowerbound",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="zipkin",sampler_type="probabilistic",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="zipkin",sampler_type="probabilistic",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="zipkin",sampler_type="probabilistic",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="zipkin",sampler_type="ratelimiting",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="zipkin",sampler_type="ratelimiting",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="zipkin",sampler_type="ratelimiting",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="false",format="zipkin",sampler_type="unknown",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="false",format="zipkin",sampler_type="unknown",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="false",format="zipkin",sampler_type="unknown",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="jaeger",sampler_type="const",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="jaeger",sampler_type="const",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="jaeger",sampler_type="const",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="jaeger",sampler_type="lowerbound",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="jaeger",sampler_type="lowerbound",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="jaeger",sampler_type="lowerbound",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="jaeger",sampler_type="probabilistic",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="jaeger",sampler_type="probabilistic",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="jaeger",sampler_type="probabilistic",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="jaeger",sampler_type="ratelimiting",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="jaeger",sampler_type="ratelimiting",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="jaeger",sampler_type="ratelimiting",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="jaeger",sampler_type="unknown",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="jaeger",sampler_type="unknown",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="jaeger",sampler_type="unknown",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="proto",sampler_type="const",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="proto",sampler_type="const",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="proto",sampler_type="const",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="proto",sampler_type="lowerbound",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="proto",sampler_type="lowerbound",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="proto",sampler_type="lowerbound",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="proto",sampler_type="probabilistic",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="proto",sampler_type="probabilistic",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="proto",sampler_type="probabilistic",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="proto",sampler_type="ratelimiting",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="proto",sampler_type="ratelimiting",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="proto",sampler_type="ratelimiting",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="proto",sampler_type="unknown",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="proto",sampler_type="unknown",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="proto",sampler_type="unknown",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="unknown",sampler_type="const",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="unknown",sampler_type="const",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="unknown",sampler_type="const",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="unknown",sampler_type="lowerbound",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="unknown",sampler_type="lowerbound",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="unknown",sampler_type="lowerbound",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="unknown",sampler_type="probabilistic",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="unknown",sampler_type="probabilistic",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="unknown",sampler_type="probabilistic",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="unknown",sampler_type="ratelimiting",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="unknown",sampler_type="ratelimiting",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="unknown",sampler_type="ratelimiting",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="unknown",sampler_type="unknown",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="unknown",sampler_type="unknown",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="unknown",sampler_type="unknown",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="zipkin",sampler_type="const",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="zipkin",sampler_type="const",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="zipkin",sampler_type="const",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="zipkin",sampler_type="lowerbound",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="zipkin",sampler_type="lowerbound",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="zipkin",sampler_type="lowerbound",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="zipkin",sampler_type="probabilistic",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="zipkin",sampler_type="probabilistic",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="zipkin",sampler_type="probabilistic",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="zipkin",sampler_type="ratelimiting",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="zipkin",sampler_type="ratelimiting",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="zipkin",sampler_type="ratelimiting",svc="other-services",transport="unknown"} 0
jaeger_collector_traces_received_total{debug="true",format="zipkin",sampler_type="unknown",svc="other-services",transport="grpc"} 0
jaeger_collector_traces_received_total{debug="true",format="zipkin",sampler_type="unknown",svc="other-services",transport="http"} 0
jaeger_collector_traces_received_total{debug="true",format="zipkin",sampler_type="unknown",svc="other-services",transport="unknown"} 0

How do I setup de environment

helm install kuma kuma/kuma -n kuma

helm list -n kuma
NAME	NAMESPACE	REVISION	UPDATED                             	STATUS  	CHART     	APP VERSION
kuma	kuma     	1       	2022-12-29 10:47:04.340357 -0300 -03	deployed	kuma-2.0.1	2.0.1

jaeger-collector-service.txt jaeger-collector.txt jaeger-query-service.txt jaeger-query.txt

Bumps github.com/testcontainers/testcontainers-go from 0.15.0 to 0.17.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

What happened?

The policy:

kind: MeshTimeout
apiVersion: kuma.io/v1alpha1
metadata:
  namespace: kuma-system
  name: eg
spec:
  targetRef:
    kind: MeshService
    name: edge-gateway
  to:
    - targetRef:
        kind: MeshService
        name: frontend_kuma-demo_svc_8080
      default:
        http:
          streamIdleTimeout: 32s

sets streamIdleTimeout for the edge gateway listener. This listener is shared across all destination services so it's not correct to set it this way.

What happened?

When setting up a timeout the stat that's changed is: envoy_cluster_internal_upstream_rq_xx

The status code dashboards use: envoy_cluster_external_upstream_rq_xx

So we have a weird view like:

We should do something better here (either sum them together or just show them differently)

What happened?

Seems to be an error in the merge algorithm

panic: expected struct or pointer to a struct got ptr                                                                                                                                                   
                                                                                                                                                                                                       
goroutine 1663 [running]:                                                                                                                                                                               
github.com/kumahq/kuma/pkg/core/xds.mustUnwrapStruct({0x27adb20?, 0xc000bde468?, 0x8?})                                                                                                                 
    /home/circleci/project/pkg/core/xds/merge.go:115 +0xb4                                                                                                                                              
github.com/kumahq/kuma/pkg/core/xds.appendSlices({0x27adb20?, 0xc000bdedb0?, 0x0?}, {0x27adb20?, 0xc000bde468?, 0x27adb20?})                                                                            
    /home/circleci/project/pkg/core/xds/merge.go:87 +0x9b                                                                                                                                               
github.com/kumahq/kuma/pkg/core/xds.appendSlices({0x23bbc00?, 0xc000bdedb0?, 0xb0?}, {0x2311a60?, 0xc000e4d250?, 0x30?})                                                                                
    /home/circleci/project/pkg/core/xds/merge.go:103 +0x31f                                                                                                                                             
github.com/kumahq/kuma/pkg/core/xds.MergeConfs({0xc002038160, 0x2, 0x0?})                                                                                                                               
    /home/circleci/project/pkg/core/xds/merge.go:49 +0x4af                                                                                                                                              
github.com/kumahq/kuma/pkg/core/xds.BuildRules({0xc00206d940, 0x2, 0xc000ed4e70?})                                                                                                                      
    /home/circleci/project/pkg/core/xds/rules.go:162 +0x570                                                                                                                                             
github.com/kumahq/kuma/pkg/plugins/policies/matchers.fromRules(0xc00155b328?)                                                                                                                           
    /home/circleci/project/pkg/plugins/policies/matchers/match.go:98 +0xff                                                                                                                              
github.com/kumahq/kuma/pkg/plugins/policies/matchers.MatchedPolicies({0x282755a, 0xb}, 0xc001563710, {0xc001941fb0?, 0xc000f66180?})                                                                    │
    /home/circleci/project/pkg/plugins/policies/matchers/match.go:55 +0x2fd                                                                                                                             
github.com/kumahq/kuma/pkg/plugins/policies/meshtimeout/plugin/v1alpha1.plugin.MatchedPolicies(...)                                                                                                     
    /home/circleci/project/pkg/plugins/policies/meshtimeout/plugin/v1alpha1/plugin.go:34                                                                                                                
github.com/kumahq/kuma/pkg/xds/sync.(*DataplaneProxyBuilder).matchPolicies(0xc0003b3020?, {{0xc001662e40, 0x2c}, 0xc0016ed338, {0xc001941fb0, 0xc000f66180}, 0xc001738db0, 0xc001739410, 0xc001739560,  │
    /home/circleci/project/pkg/xds/sync/dataplane_proxy_builder.go:165 +0x791                                                                                                                           
github.com/kumahq/kuma/pkg/xds/sync.(*DataplaneProxyBuilder).Build(0xc0003b3020, {0x32096e0, 0xc000a730c0}, {{0xc0007abd70?, 0xc0007d9fc0?}, {0xc0007abd78?, 0xc0007abd70?}}, {{0xc001662e40, 0x2c}, 0x │
    /home/circleci/project/pkg/xds/sync/dataplane_proxy_builder.go:45 +0x14b                                                                                                                            
github.com/kumahq/kuma/pkg/xds/sync.(*DataplaneWatchdog).syncDataplane(0xc001aecd20, {0x32096e0, 0xc000a730c0}, 0xc00252c320)                                                                           
    /home/circleci/project/pkg/xds/sync/dataplane_watchdog.go:117 +0x42e                                                                                                                                
github.com/kumahq/kuma/pkg/xds/sync.(*DataplaneWatchdog).Sync(0xc001aecd20, {0x32096e0, 0xc000a730c0})                                                                                                  
    /home/circleci/project/pkg/xds/sync/dataplane_watchdog.go:66 +0x171                                                                                                                                 
github.com/kumahq/kuma/pkg/xds/sync.(*dataplaneWatchdogFactory).New.func2()                                                                                                                             
    /home/circleci/project/pkg/xds/sync/dataplane_watchdog_factory.go:46 +0xc7                                                                                                                          
github.com/kumahq/kuma/pkg/util/watchdog.(*SimpleWatchdog).Start(0xc000766820, 0xc001434660)                                                                                                            
    /home/circleci/project/pkg/util/watchdog/watchdog.go:25 +0xe2                                                                                                                                       
created by github.com/kumahq/kuma/pkg/xds/server/callbacks.(*dataplaneSyncTracker).OnProxyConnected                                                                                                     
    /home/circleci/project/pkg/xds/server/callbacks/dataplane_sync_tracker.go:55 +0x40a

echo 'kind: MeshTimeout
apiVersion: kuma.io/v1alpha1
metadata:
  namespace: kuma-system
  name: from-all
spec:
  targetRef:
    kind: Mesh
  from:
    - targetRef:
        kind: Mesh
      default:
        connectionTimeout: 15s
        idleTimeout: 1h
        http:
          requestTimeout: 15s
          streamIdleTimeout: 1s
          maxStreamDuration: 0s
          maxConnectionDuration: 0s' | kc apply -f-

echo 'kind: MeshTimeout
apiVersion: kuma.io/v1alpha1
metadata:
  namespace: kuma-system
  name: fronted-to-backend
spec:
  targetRef:
    kind: MeshService
    name: frontend_kuma-demo_svc_8080
  from:
    - targetRef:
        kind: Mesh
      default:
        http:
          streamIdleTimeout: 2s
  to:
    - targetRef:
        kind: MeshService
        name: backend_kuma-demo_svc_3001
      default:
        connectionTimeout: 15s
        idleTimeout: 1h
        http:
          requestTimeout: 15s
          streamIdleTimeout: 3s
          maxStreamDuration: 0s
          maxConnectionDuration: 0s' | kc apply -f-