I have been trying to set up a readinessProbe. I have a Spring Boot Actuator endpoint like: /actuator/health/readiness.

I cannot use the standard httpGet probe because this endpoint is secured with TLS. Yes, I have tried scheme: HTTPS; it doesn't work and gives the error: remote error: tls: bad certificate

so I wrote my readinessProbe something like:

```yaml
readinessProbe:
  exec:
    command:
      - sh
      - -c
      - curl -k --cert /mnt/secret/cert.pem --key /mnt/secret/key.pem "https://localhost:8083/actuator/health/readiness" | grep -q "UP"
  # these keys belong at the same level as "exec", not indented under it
  initialDelaySeconds: 50
  periodSeconds: 5
  failureThreshold: 30
```

When this probe runs it produces the error: curl: (7) Failed to connect to localhost port 8083: Connection refused

After trying this, I then mounted a script running the same command on my pod. This produced the same error, but when exec'ing into my pod and running this script, it worked.

From what I understand, the readinessProbe is not being run inside the pod, so it doesn't have the correct localhost.

I then tried using the external svc endpoint in the curl command. This did run the request, but of course it does not work, because the pod is not ready, and it will never become ready, as this request can only go through if the pod is in ready status.

I feel like I have exhausted all my ideas to get around this issue. Any tips?

Josh
    try using `0.0.0.0` as host instead of `localhost` – about14sheep Sep 16 '22 at 13:36
  • @about14sheep `failed to connect to 0.0.0.0 port 8083: Connection refused` – Josh Sep 16 '22 at 13:40
  • if you are using helm you might find some answers here: https://stackoverflow.com/a/51932875/9583747 – about14sheep Sep 16 '22 at 13:49
  • how about if you try `127.0.0.1`? – ericfossas Sep 16 '22 at 13:59
  • In the curl command the -k option is used. It is used for an insecure connection, then again the cert and key options are also there. Only use the -k option – Nataraj Medayhal Sep 16 '22 at 14:01
  • @ericfossas no, didn't work. How can I find the correct host? – Josh Sep 16 '22 at 14:06
  • I don't think that's your issue then. In the docs, it says it performs exec commands in the container itself. I think I'd need to see the entire pod spec to help further. Also, i assume this is mtls since you're providing client certificates? Which probably means your "tls: bad certificate" error is due to hostnames not matching... which complicates things further. this is all very much an anti-pattern in k8s for that matter. rarely if ever do people use app-level tls. mTLS is usually handled by a service mesh or CNI-level tls for just encrypting internal traffic or disable tls on the health – ericfossas Sep 16 '22 at 14:21
  • @ericfossas Worked out the problem... I spelt threshold as 'threshhold', and I expect the first 5 or so requests to fail; that's why I set it to 30, but it was set to the default 3. I wrote it correctly in the question, however. Sorry – Josh Sep 16 '22 at 14:50
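For reference, here is the probe rewritten the way the comments point to (this is an added example, not the asker's manifest or anything from the Spring Boot project). Exec probes run inside the container, so `localhost` is the right host; the "Connection refused" simply means the application had not bound port 8083 yet, and with `failureThreshold` silently falling back to 3 the pod was marked unready before it could come up. The rewrite also drops `-k`: passing a client certificate while disabling server verification means the probe would accept any certificate the port presents, so the server certificate is verified against a CA bundle instead. The CA path `/mnt/secret/ca.pem` and the server certificate carrying `localhost` as a subject alternative name are assumptions for the example.

```yaml
readinessProbe:
  exec:
    command:
      - sh
      - -c
      # "--fail" makes curl exit non-zero on a 503 (Actuator returns 503 for OUT_OF_SERVICE/DOWN),
      # so the probe fails on HTTP status as well as on the body check.
      # "--cacert" replaces "-k": the server certificate is verified against the mounted CA
      # (assumed path), while "--cert/--key" still present the client certificate for mTLS.
      - |
        body=$(curl --silent --show-error --fail \
          --cacert /mnt/secret/ca.pem \
          --cert /mnt/secret/cert.pem --key /mnt/secret/key.pem \
          "https://localhost:8083/actuator/health/readiness") || exit 1
        # match the JSON field rather than a bare "UP", which would also match "UPSTREAM_DOWN"
        echo "$body" | grep -q '"status":"UP"'
  # keep these at the same indentation level as "exec", and spell the keys exactly:
  # a misspelled key such as "failureThreshhold" is rejected by kubectl with validation on,
  # but can otherwise leave the default of 3 in place
  initialDelaySeconds: 50
  periodSeconds: 5
  failureThreshold: 30
```

Applying the manifest with `kubectl apply --validate=true` (the default in recent kubectl) reports unknown fields in the probe spec, which is a cheap way to catch the misspelling the asker ran into before the pod ever starts.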

0 Answers