
I have a gRPC server running perfectly on my local Mac with a self-signed certificate, and I'm able to connect from the NodeJS client code as well as from the Postman gRPC client (Beta). But when deploying the same service to Kubernetes with these annotations in the ingress -

```
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/backend-protocol: "GRPCS"
nginx.ingress.kubernetes.io/grpc-backend: "true"
```

Postman is able to connect to the endpoint, but my NodeJS client code is not even able to hit the service. Eventually, the NodeJS client throws an error -

```
Error: 14 UNAVAILABLE: failed to connect to all addresses
```

Is there any special trick to apply?

  • Can you show the Node.js code snippet where the server starts? Maybe it is listening on localhost only? – Adiii Aug 18 '22 at 05:08
  • Hi @Adiii, here is the code snippet - ``` server.bind(`${host}:${port}`, rpc.ServerCredentials.createSsl(Buffer.from(serverOptions.__SERVER_CA_ROOT__), [{ cert_chain: Buffer.from(serverOptions.__SERVER_CERT__), private_key: Buffer.from(serverOptions.__SERVER_KEY__) }])); server.start(); ``` Also, if I change the hostname from 0.0.0.0 to the host of the Ingress, the server throws an error - 30 server_secure_chttp2.cc:81] {"created":"@1660801568.466275887","description":"No address added out of total 2 resolved" – Shantanu Mitra Aug 18 '22 at 06:07
  • What's the value of host? – Adiii Aug 18 '22 at 07:56
  • It should be 0.0.0.0 – Adiii Aug 18 '22 at 07:56
  • And for which host is the certificate valid? Why not terminate SSL at the ingress? – Adiii Aug 18 '22 at 07:57
  • Yes @Adiii, you are right: the host is 0.0.0.0 and the cert is valid for the ingress host with name poc.my-cluster.ca-tor.containers.appdomain.cloud. Also, the business requirement is to provide the TLS cert at the pod level, so we can't use SSL termination on the Ingress. But I believe the self-signed cert won't work here, right? So to avoid multiple certs I'm trying to use the ingress-level secrets to run the server. Not fully sure where I am going wrong. – Shantanu Mitra Aug 18 '22 at 10:07
  • Yes, run the same certs that are used at the ingress and set the host to `0.0.0.0`; it should work. – Adiii Aug 18 '22 at 10:12
  • No @Adiii, actually I'm stuck right there, as I am running my gRPC server on 0.0.0.0 and the cert is valid for poc.my-cluster.ca-tor.containers.appdomain.cloud. So I am getting the error - 30 ssl_transport_security.cc:1245] Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number. when the server is starting up, and on the client side Error: 14 UNAVAILABLE: failed to connect to all addresses while placing the gRPC call. – Shantanu Mitra Aug 18 '22 at 11:01
  • Do you really need to specify the host? – Adiii Aug 18 '22 at 11:19
