Ignite not discoverable in kubernetes cluster with TcpDiscoveryKubernetesIpFinder

Asked 27/8, 2018 at 4:42 Answered 22/10, 2018 at 19:49

I am trying to make ignite deployed in k8s discoverable using TcpDiscoveryKubernetesIpFinder. I have also used all the deployment configurations as recommended in apache ignite documentation to make it discoverable. Ignite version is v2.6. When I try to access the ignite from another service inside the cluster(and namespace), it fails giving below error.

. . instance-14292nccv10-74997cfdff-kqdqh] Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://kubernetes.default.svc.cluster.local:443/api/v1/namespaces/my-namespace/endpoints/ignite-service [instance-14292nccv10-74997cfdff-kqdqh] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1894) ~[na:1.8.0_151] [instance-14292nccv10-74997cfdff-kqdqh] at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) ~[na:1.8.0_151] [instance-14292nccv10-74997cfdff-kqdqh] at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263) ~[na:1.8.0_151] [instance-14292nccv10-74997cfdff-kqdqh] . .

My ignite configurations to make it discoverable are as follows,

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ignite-service
  namespace: my-namespace
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: ignite-service
  namespace: my-namespace
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - endpoints
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: ignite-service
roleRef:
  kind: ClusterRole
  name: ignite-service
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: ignite-service
  namespace: my-namespace
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: ignite-service-volume-claim-blr3
  namespace: my-namespace
spec:
  storageClassName: ssd
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: Secret
metadata:
  name: ignite-files
  namespace: my-namespace
data:
  ignite-config.xml: PGJlYW5zIHhtbG5zID0gImh0dHA6Ly93d3cuc3ByaW5nZnJhbWV3b3JrLm9yZy9zY2hlbWEvYmVhbnMiCiAgICAgICB4bWxuczp4c2kgPSAiaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiCiAgICAgICB4bWxuczp1dGlsID0gImh0dHA6Ly93d3cuc3ByaW5nZnJhbWV3b3JrLm9yZy9zY2hlbWEvdXRpbCIKICAgICAgIHhzaTpzY2hlbWFMb2NhdGlvbiA9ICIKICAgICAgIGh0dHA6Ly93d3cuc3ByaW5nZnJhbWV3b3JrLm9yZy9zY2hlbWEvYmVhbnMKICAgICAgIGh0dHA6Ly93d3cuc3ByaW5nZnJhbWV3b3JrLm9yZy9zY2hlbWEvYmVhbnMvc3ByaW5nLWJlYW5zLnhzZAogICAgICAgaHR0cDovL3d3dy5zcHJpbmdmcmFtZXdvcmsub3JnL3NjaGVtYS91dGlsCiAgICAgICBodHRwOi8vd3d3LnNwcmluZ2ZyYW1ld29yay5vcmcvc2NoZW1hL3V0aWwvc3ByaW5nLXV0aWwueHNkIj4KCiAgICA8YmVhbiBjbGFzcyA9ICJvcmcuYXBhY2hlLmlnbml0ZS5jb25maWd1cmF0aW9uLklnbml0ZUNvbmZpZ3VyYXRpb24iPgogICAgICAgIDxwcm9wZXJ0eSBuYW1lID0gImRpc2NvdmVyeVNwaSI+CiAgICAgICAgICAgIDxiZWFuIGNsYXNzID0gIm9yZy5hcGFjaGUuaWduaXRlLnNwaS5kaXNjb3ZlcnkudGNwLlRjcERpc2NvdmVyeVNwaSI+CiAgICAgICAgICAgICAgICA8cHJvcGVydHkgbmFtZSA9ICJpcEZpbmRlciI+CiAgICAgICAgICAgICAgICAgICAgPGJlYW4gY2xhc3MgPSAib3JnLmFwYWNoZS5pZ25pdGUuc3BpLmRpc2NvdmVyeS50Y3AuaXBmaW5kZXIua3ViZXJuZXRlcy5UY3BEaXNjb3ZlcnlLdWJlcm5ldGVzSXBGaW5kZXIiPgogICAgICAgICAgICAgICAgICAgICAgICA8cHJvcGVydHkgbmFtZT0ibmFtZXNwYWNlIiB2YWx1ZT0ibXktbmFtZXNwYWNlIi8+CiAgICAgICAgICAgICAgICAgICAgICAgIDxwcm9wZXJ0eSBuYW1lPSJzZXJ2aWNlTmFtZSIgdmFsdWU9Imlnbml0ZS1zZXJ2aWNlIi8+CiAgICAgICAgICAgICAgICAgICAgPC9iZWFuPgogICAgICAgICAgICAgICAgPC9wcm9wZXJ0eT4KICAgICAgICAgICAgPC9iZWFuPgogICAgICAgIDwvcHJvcGVydHk+CiAgICAgICAgPCEtLSBFbmFibGluZyBBcGFjaGUgSWduaXRlIG5hdGl2ZSBwZXJzaXN0ZW5jZS4gLS0+CiAgICAgICAgPHByb3BlcnR5IG5hbWUgPSAiZGF0YVN0b3JhZ2VDb25maWd1cmF0aW9uIj4KICAgICAgICAgICAgPGJlYW4gY2xhc3MgPSAib3JnLmFwYWNoZS5pZ25pdGUuY29uZmlndXJhdGlvbi5EYXRhU3RvcmFnZUNvbmZpZ3VyYXRpb24iPgogICAgICAgICAgICAgICAgPHByb3BlcnR5IG5hbWUgPSAiZGVmYXVsdERhdGFSZWdpb25Db25maWd1cmF0aW9uIj4KICAgICAgICAgICAgICAgICAgICA8YmVhbiBjbGFzcyA9ICJvcmcuYXBhY2hlLmlnbml0ZS5jb25maWd1cmF0aW9uLkRhdGFSZWdpb25Db25maWd1cmF0aW9uIj4KICAgICAgICAgICAgICAgICAgICAgICAgPHByb3BlcnR5IG5hbWUgPSAicGVyc2lzdGVuY2VFbmFibGVkIiB2YWx1ZSA9ICJ0cnVlIi8+CiAgICAgICAgICAgICAgICAgICAgPC9iZWFuPgogICAgICAgICAgICAgICAgPC9wcm9wZXJ0eT4KICAgICAgICAgICAgICAgIDxwcm9wZXJ0eSBuYW1lID0gInN0b3JhZ2VQYXRoIiB2YWx1ZSA9ICIvZGF0YS9pZ25pdGUvc3RvcmFnZSIvPgogICAgICAgICAgICAgICAgPHByb3BlcnR5IG5hbWUgPSAid2FsUGF0aCIgdmFsdWUgPSAiL2RhdGEvaWduaXRlL2RiL3dhbCIvPgogICAgICAgICAgICAgICAgPHByb3BlcnR5IG5hbWUgPSAid2FsQXJjaGl2ZVBhdGgiIHZhbHVlID0gIi9kYXRhL2lnbml0ZS9kYi93YWwvYXJjaGl2ZSIvPgogICAgICAgICAgICA8L2JlYW4+CiAgICAgICAgPC9wcm9wZXJ0eT4KICAgIDwvYmVhbj4KPC9iZWFucz4=
type: Opaque
---
apiVersion: v1
kind: Service
metadata:
# Name of Ignite Service used by Kubernetes IP finder.
# The name must be equal to TcpDiscoveryKubernetesIpFinder.serviceName.
  name: ignite-service
  namespace: my-namespace
spec:
  clusterIP: None # custom value.
  ports:
    - port: 9042 # custom value.
  selector:
  # Must be equal to one of the labels set in Ignite pods'
  # deployement configuration.
    app: ignite-service
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
# Custom Ignite cluster's name.
 name: ignite-service
 namespace: my-namespace
spec:
# A number of Ignite pods to be started by Kubernetes initially.
 replicas: 1
 template:
  metadata:
    labels:
      # This label has to be added to the selector's section of
      # ignite-service.yaml so that the Kubernetes Ignite lookup service
      # can easily track all Ignite pods available deployed so far.
      app: ignite-service
  spec:
    serviceAccountName: ignite-service
    volumes:
      # Custom name for the storage that holds Ignite's configuration
      # which is example-kube.xml.
      - name: ignite-storage
        persistentVolumeClaim:
         # Must be equal to the PersistentVolumeClaim created before.
         claimName: ignite-service-volume-claim-blr3
      - name: ignite-files
        secret:
          secretName: ignite-files
    containers:
      # Custom Ignite pod name.
    - name: ignite-node
      # Ignite Docker image. Kubernetes IP finder is supported starting from
      # Apache Ignite 2.6.0
      image: apacheignite/ignite:2.6.0
      lifecycle:
            postStart:
              exec:
                command: ['/bin/sh', '/opt/ignite/apache-ignite-fabric/bin/control.sh', '--activate']
      env:
      # Ignite's Docker image parameter. Adding the jar file that
      # contain TcpDiscoveryKubernetesIpFinder implementation.
      - name: OPTION_LIBS
        value: ignite-kubernetes
      # Ignite's Docker image parameter. Passing the Ignite configuration
      # to use for an Ignite pod.
      - name: CONFIG_URI
        value: file:///etc/ignite-files/ignite-config.xml
      - name: ENV
        value: my-namespace
      ports:
      # Ports to open.
      # Might be optional depending on your Kubernetes environment.
      - containerPort: 11211 # REST port number.
      - containerPort: 47100 # communication SPI port number.
      - containerPort: 47500 # discovery SPI port number.
      - containerPort: 49112 # JMX port number.
      - containerPort: 10800 # SQL port number.
      volumeMounts:
      # Mounting the storage with the Ignite configuration.
      - mountPath: "/data/ignite"
        name: ignite-storage
      - name: ignite-files
        mountPath: "/etc/ignite-files"

I saw some links in stackoverflow with similar issue, followed the proposed solution but that doesn't work either. Any pointers on this will be of great help!

Aksoyn answered 27/8, 2018 at 4:42 Comment(4)

can you share your ignite configuration – Nenitanenney 27/8, 2018 at 13:50

Updated with entire deployment.yml for ignite – Aksoyn 27/8, 2018 at 16:53

Can you check kubectl -n my-namespace get svc & kubectl -n my-namespace get ep, does it list the service with name ignite-service – Nenitanenney 29/8, 2018 at 4:23

Both the commands list my service. The first command list that with cluster-Ip as None. The other command shows the Endpoints in the format ip:port. – Aksoyn 29/8, 2018 at 5:16

According to the URL, the IP finder tries to use a service named ignite, while you create it by name ignite-service.

You should provide both namespace and service name in the IP finder configuration:

<bean class="org.apache.ignite.spi.discovery.tcp.ipfinder.kubernetes.TcpDiscoveryKubernetesIpFinder">
    <property name="namespace" value="my-namespace"/>
    <property name="serviceName" value="ignite-service"/>
</bean>

Halverson answered 27/8, 2018 at 20:22 Comment(10)

The error now has changed to, java.io.IOException: Server returned HTTP response code: 403 for URL: kubernetes.default.svc.cluster.local:443/api /v1/namespaces/my-namespace/endpoints/ignite-service – Aksoyn 28/8, 2018 at 5:37

@Kaps, it seems you also need to specify serviceAccountName: ignite-service in the deployment file (like here apacheignite.readme.io/docs/…) – Michaeline 29/8, 2018 at 4:37

@Aksoyn Did you modify the config, but it still doesn't work? If so, please update your question with the latest configuration. – Halverson 29/8, 2018 at 12:48

@ValentinKulichenko, updated the latest deployment file configuration in the question. – Aksoyn 29/8, 2018 at 14:53

@ValentinKulichenko, any thoughts on this? – Aksoyn 31/8, 2018 at 8:29

@Kaps, I tried to reproduce the issue using your deployment files in Google Cloud but without success (discovery works without errors). Is it correct that you don't have problems with starting Ignite cluster? The problem happens in the client application which can not connect to a cluster, right? If so, could you share a YAML-file of the client app? Did you specify a service account for that just like for cluster deployment? – Michaeline 4/9, 2018 at 3:55

@ValentinKulichenko, thats correct, I do not see any error in starting the ignite cluster. But the component which tries to connect to ignite fails with the error "Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: kubernetes.default.svc.cluster.local:443/api/v1/namespaces/…". The error suggests that we need something additional(?) for ignite deployment. Unfortunately, i do not have access to the yml of that component, but is is supposed to work. Were you able to connect to the ignite in Google cloud? – Aksoyn 4/9, 2018 at 4:50

@Kaps, is it running in the same Kubernetes cluster or not? Is it possible that client deployment has the same issue (no serviceAccountName specified)? It's pretty hard to tell what is wrong if you don't have access to yaml files. Not sure why you're convinced your current config is supposed to work if you don't see it. – Halverson 4/9, 2018 at 17:53

@ValentinKulichenko yes they both run in the same k8s cluster. how could I possibly prove that there is something wrong with the deployment of the client component? The client component requires my ignite's serviceName and namespace, but it ends up in above mentioned error while trying to connect to ignite cluster. What wrong if the serviceAccountName is different for the client and the ignite cluster? – Aksoyn 5/9, 2018 at 1:10

@Kaps, every deployment should reference the proper service account name to avoid authorization issues. It looks like you fixed that for server side, but not for client side. – Halverson 5/9, 2018 at 2:51

You need to make sure you have the following locked down and handled.

Creation of your namespace in kubernetes
Creation of your service account in kubernetes
Permissions set for your service account in your namespace in your cluster.

service account permissions

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions

Horizon answered 22/10, 2018 at 19:49 Comment(0)

Recommended topics

Hot tags