-
Notifications
You must be signed in to change notification settings - Fork 222
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Default chart values break outbound HTTPS in Istio clusters #500
Comments
Interesting... |
nvm |
@congzhegao you need to open a PR from your fork, so fork this repo, commit the change there to some branch and then open PR from the branch on your fork. |
btw, this should be also fixed on the core https://github.com/kedacore/keda/blob/main/config/webhooks/service.yaml |
Both PRs are merged, so I close the issue as solved. Changes will be released soon (we plan to cut a release these weeks) |
Discovered a weird one today. If you have the following setup:
...all outbound HTTPS traffic will be blocked with mysterious "SSL protocol failure" and similar errors. This is due to an unpleasant interaction between keda and Istio, and while the onus may be on Istio to fix, keda can also proactively avoid contributing to it.
Expected Behavior
HTTPS traffic is able to reach external endpoints without issue.
Actual Behavior
All HTTPS traffic on pods with Istio sidecars is blocked with TLS/SSL protocol errors.
Steps to Reproduce the Problem
Note that this blog is what informed me of the issue: https://fable.sh/blog/istio-port-443-and-ssl-errors./
That's not specific to keda, but it is apparent that the Istio fix did not account for every scenario: istio/istio#16458
This is being logged as a keda bug as changing the admission webhook service can easily avoid causing this problem:
The specific combination of the port
name
beinghttp
and theport
being443
causes this. Changing either of those values will avoid this. Calling ithttp-web
, for instance, will do the job just fine.Specifications
The text was updated successfully, but these errors were encountered: