Linkerd and contour does not work as expected together

[surajssd]

Bug Report

What is the issue?

When I try to follow the guide to install the contour with linkerd proxy these are the errors I see in the linkerd-proxy container of the envoy pod:

$ kubectl logs envoy-fdqdw linkerd-proxy | tail -10
[   392.256370s]  INFO ThreadId(01) outbound:accept{peer.addr=10.2.67.21:55734 target.addr=10.3.192.17:8001}: linkerd2_app_core::serve: Connection closed error=Transport endpoint is not connected (os error 107)
[   395.164316s]  WARN ThreadId(01) inbound:accept{peer.addr=147.75.70.145:49816 target.addr=10.2.67.21:8002}: linkerd2_app_core::errors: Failed to proxy request: error trying to connect: Connection refused (os error 111)
[   399.051836s]  INFO ThreadId(01) outbound:accept{peer.addr=10.2.67.21:55814 target.addr=10.3.192.17:8001}: linkerd2_app_core::serve: Connection closed error=Transport endpoint is not connected (os error 107)
[   399.164445s]  WARN ThreadId(01) inbound:accept{peer.addr=147.75.70.145:49868 target.addr=10.2.67.21:8002}: linkerd2_app_core::errors: Failed to proxy request: error trying to connect: Connection refused (os error 111)
[   403.164584s]  WARN ThreadId(01) inbound:accept{peer.addr=147.75.70.145:49890 target.addr=10.2.67.21:8002}: linkerd2_app_core::errors: Failed to proxy request: error trying to connect: Connection refused (os error 111)
[   407.164325s]  WARN ThreadId(01) inbound:accept{peer.addr=147.75.70.145:49946 target.addr=10.2.67.21:8002}: linkerd2_app_core::errors: Failed to proxy request: error trying to connect: Connection refused (os error 111)
[   411.164454s]  WARN ThreadId(01) inbound:accept{peer.addr=147.75.70.145:49980 target.addr=10.2.67.21:8002}: linkerd2_app_core::errors: Failed to proxy request: error trying to connect: Connection refused (os error 111)
[   414.161918s]  INFO ThreadId(01) outbound:accept{peer.addr=10.2.67.21:55952 target.addr=10.3.192.17:8001}: linkerd2_app_core::serve: Connection closed error=Transport endpoint is not connected (os error 107)
[   415.164350s]  WARN ThreadId(01) inbound:accept{peer.addr=147.75.70.145:50020 target.addr=10.2.67.21:8002}: linkerd2_app_core::errors: Failed to proxy request: error trying to connect: Connection refused (os error 111)
[   419.164614s]  WARN ThreadId(01) inbound:accept{peer.addr=147.75.70.145:50066 target.addr=10.2.67.21:8002}: linkerd2_app_core::errors: Failed to proxy request: error trying to connect: Connection refused (os error 111)

And the errors that I see in the envoy container are as follows:

$ kubectl logs envoy-fdqdw envoy | tail -10
[2020-11-03 12:49:53.415][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:93] StreamListeners gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
[2020-11-03 12:50:01.023][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:93] StreamClusters gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
[2020-11-03 12:50:11.558][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:93] StreamListeners gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
[2020-11-03 12:50:14.080][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:93] StreamListeners gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
[2020-11-03 12:50:24.836][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:93] StreamClusters gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
[2020-11-03 12:50:32.197][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:93] StreamClusters gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
[2020-11-03 12:50:34.232][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:93] StreamListeners gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
[2020-11-03 12:50:44.879][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:93] StreamListeners gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
[2020-11-03 12:50:46.332][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:93] StreamClusters gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
[2020-11-03 12:51:06.480][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:93] StreamClusters gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure

Envoy's readiness fails with following event:

0s          Warning   Unhealthy           pod/envoy-pxq7b                    Readiness probe failed: HTTP probe failed with statuscode: 502

The readiness probe:

readinessProbe:
  failureThreshold: 3
  httpGet:
    path: /ready
    port: 8002
    scheme: HTTP

How can it be reproduced?

Follow guidelines in https://linkerd.io/2/tasks/using-ingress/#contourz.

But for me I installed the contour first. And then followed above guideline.

linkerd check output

$ linkerd check
kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API

kubernetes-version
------------------
√ is running the minimum Kubernetes API version
√ is running the minimum kubectl version

linkerd-existence
-----------------
√ 'linkerd-config' config map exists
√ heartbeat ServiceAccount exist
√ control plane replica sets are ready
√ no unschedulable pods
√ controller pod is running
√ can initialize the client
√ can query the control plane API

linkerd-config
--------------
√ control plane Namespace exists
√ control plane ClusterRoles exist
√ control plane ClusterRoleBindings exist
√ control plane ServiceAccounts exist
√ control plane CustomResourceDefinitions exist
√ control plane MutatingWebhookConfigurations exist
√ control plane ValidatingWebhookConfigurations exist
√ control plane PodSecurityPolicies exist

linkerd-identity
----------------
√ certificate config is valid
√ trust anchors are using supported crypto algorithm
√ trust anchors are within their validity period
√ trust anchors are valid for at least 60 days
√ issuer cert is using supported crypto algorithm
√ issuer cert is within its validity period
√ issuer cert is valid for at least 60 days
√ issuer cert is issued by the trust anchor

linkerd-api
-----------
√ control plane pods are ready
√ control plane self-check
√ [kubernetes] control plane can talk to Kubernetes
√ [prometheus] control plane can talk to Prometheus
√ tap api service is running

linkerd-version
---------------
√ can determine the latest version
√ cli is up-to-date

control-plane-version
---------------------
√ control plane is up-to-date
√ control plane and cli versions match

linkerd-addons
--------------
√ 'linkerd-config-addons' config map exists

linkerd-grafana
---------------
√ grafana add-on service account exists
√ grafana add-on config map exists
√ grafana pod is running

Status check results are √

Environment

• Kubernetes Version: 1.19.3.
• Cluster Environment: Packet (Equinix) deployed using Lokomotive.
• Host OS: Flatcar Container Linux.
• Linkerd version:

$ linkerd version
Client version: stable-2.8.1
Server version: stable-2.8.1

[grampelberg]

@surajssd the errors suggest that Contour is not listening on the port (8002). Can you telnet to that port?

[surajssd]

@grampelberg the port on the evnoy pod is open, otherwise in following outputs I would have received connection refused.

I have this envoy pod:

$ kubectl get pods envoy-wwpkx -o wide -n projectcontour 
NAME          READY   STATUS    RESTARTS   AGE   IP           NODE                                NOMINATED NODE   READINESS GATES
envoy-wwpkx   2/2     Running   0          11m   10.2.216.9   suraj-lk-cluster-general-worker-1   <none>           <none>

I started a debug pod to connect to this envoy pod:

$ kubectl -n default run -it --rm debug-network-$RANDOM --image-pull-policy=Always --image=surajd/fedora-networki
ng --restart=Never bash      
If you don't see a command prompt, try pressing enter.

curl from the debug pod to the envoy pod:

# curl -I 10.2.216.9:8002
HTTP/1.1 404 Not Found
date: Thu, 05 Nov 2020 08:54:31 GMT
server: envoy
transfer-encoding: chunked

Telnet to envoy pod from debug pod:

# telnet 10.2.216.9 8002
Trying 10.2.216.9...
Connected to 10.2.216.9.
Escape character is '^]'.

[olix0r]

@surajssd Can you confirm that the issue persists with stable-2.9.0 (released yesterday)?

Also, can you share the output of linkerd metrics -n $NS po/$POD | grep ^process_?

[surajssd]

Yep the issue persists on the latest stable as well.

Output as you have requested:

$ linkerd metrics -n projectcontour po/envoy-hv6ck | grep ^process_
process_start_time_seconds 1605088156
process_cpu_seconds_total 0
process_open_fds 24
process_max_fds 1048576
process_virtual_memory_bytes 95715328
process_resident_memory_bytes 17563648

I have updated the output of kubectl logs envoy-fdqdw linkerd-proxy | tail -10 in above description I see some INFO along with the previous WARNs.

[jroper]

With edge-21.6.1, I get an additional error message in the linkerd-proxy logs that might be a hint as to what's going on:

[   484.169131s]  INFO ThreadId(01) linkerd_app_core::serve: Connection closed error=ingress-mode routing is HTTP-only

As I understand it (and I'm not an expert on Contour so this could be wrong), Contour has two parts to its ingress controller, the actual ingress proxy, and the controller which is deployed as a separate component. The proxy connects to the ingress controller using gRPC, and I think this is not a grpc plaintext connection, it's an mTLS connection with a cert managed by contour. So the problem then appears to be that linkerd is preventing the contour proxy from connecting to its ingress controller because contour is using TLS.

I guess the work around here is to exclude this communication via the linkerd skip ports annotation. I'll try this.

[jroper]

Yep, that fixed it, added the following annotation:

config.linkerd.io/skip-outbound-ports: 8001

And now it works.

[kleimkuhler]

@jroper Another suggestion is you should be able to mark 8001 as an opaque port and keep certain features Linkerd provides by default like metrics and load balancing

[kleimkuhler]

I take this back actually. I'd be curious if you can test this easily, but we may actually still error if 8001 is marked as opaque on the Contour controller. I think skip ports is the only solution here.