Communication between pods should happen through SSL on Openshift/K8S when I set "secured"service annotation to true

[fgapito]

Hi,

I'm facing with this possible issue when I try to establish a https/ssl connection from A->B (B has secured annotation on k8s service annotation). It seems that the annotation it is loaded but it is not used to set secure = true inside the KubernetesServiceInstance object. I checked in the KubernetesInformerDiscoveryClient and I see this at line 163 (v 2.1.3)

You can see that secure constructor parameter is always false.

Is it normal? Why, even if I put annotation on service description, the service B is called through http instead of https?

This is the reference to the documentation where secured annotation is mentioned:

https://docs.spring.io/spring-cloud-kubernetes/docs/2.1.1/reference/html/#loadbalancer-for-kubernetes

Thank you

Kind Regards

f

[ryanjbaxter]

That doc is specific to the load balancer not service discovery.

Do you have an https port defined in your service resource?
See the bottom of this section of the docs https://docs.spring.io/spring-cloud-kubernetes/docs/2.1.1/reference/html/#discoveryclient-for-kubernetes

[fgapito]

Yes I have it and the name is "main". I also configured spring cloud discovery to use main as primary port with the appropriate configuration. I also tried renaming that port in "Https". I hacked that class reading the secured annotation value and it works but this is just a bad patch and I do not want to put that in production.

[ryanjbaxter]

Can you tell me how you are using the discovery client to make the request?

[fgapito]

I'm using these deps:

        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-kubernetes-client-discovery</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-loadbalancer</artifactId>
        </dependency>

The rest call is executed using Feign.

The client spring boot service has this configuration:

spring:
  cloud:
    kubernetes:
      discovery:
        primary-port-name: 'main'
      config:
        enabled: false

this is the serice definition of the target service to be called with https

apiVersion: v1
kind: Service
metadata:
  name: target-svc
  annotations:
    secured: 'true'
spec:
  ports:
    - name: main
      protocol: TCP
      port: 44389
      targetPort: 44389
  selector:
    app: target-svc

Let me know if I can give you more info.

F

[ryanjbaxter]

Thanks. How are you making the http request to the service?

[fgapito]

Using feign

@FeignClient(name = "target-svc", configuration = MyFeignConfig.class)

[fgapito]

This is the change that let the https call happen:

[ryanjbaxter]

Would you be interested in submitting a PR?

[fgapito]

Of course, I'm going to do that.

Thank you.

[fgapito]

Here the PR requested.

#1150

and also this for 2.1.X branch

#1151

I think a mantainer should approve

Let me know if I missed something.

Thank you.

[fgapito]

HI,

do you know approximatively when the spring-cloud-kubernetes version 2.1.6 (that should contains this fix) will be pushed on official maven repositories?

thank you.

f

[ryanjbaxter]

@fgapito you can find tentative release dates here https://github.com/spring-cloud/spring-cloud-release/milestones

[fgapito]

Hi, I tought it was DONE in 2021.0.5 but it seems not. Did something go wrong or should I wait for 2021.0.6?
f

[ryanjbaxter]

2021.0.5 was released on November 3rd, we didn't merge this till December 6th it will be included in 2021.0.6