After enabling mTLS in a ServiceMesh control plane, application liveness health checks do not work

Solution Verified

Issue

  • After setting spec.security.dataPlane.mtls to true in the ServiceMeshControlPlane, applications that use a liveness health check do not work because the probe needs to be an HTTPS probe.

  • Pods with HTTPS health check enabled start restarting unnecessarily

    Liveness probe failed: Get "http://10.x.10.1:8080/health" read tcp 10.x.x.1:46672->10.x.11.1:8080: read: connection reset by peer
    
  • The istio-proxy logs show the following when the probes fail:

    info    cache   generated new workload certificate      latency=407.377705ms ttl=23h59m59.570232648s
    info    cache   returned delayed workload certificate from cache        ttl=23h59m59.570112338s
    info    sds     SDS: PUSH       resource=default
    info    sds     SDS: PUSH       resource=ROOTCA
    info    sds     SDS: PUSH       resource=ROOTCA
    error   Prober does not exists url /app-health/productpage/livez
    error   Prober does not exists url /app-health/productpage/livez
    error   Prober does not exists url /app-health/productpage/livez
    error   Prober does not exists url /app-health/productpage/livez
    error   Prober does not exists url /app-health/productpage/livez
    error   Prober does not exists url /app-health/productpage/livez
    

Environment

  • Red Hat OpenShift Container Platform
    • 4.7.x
  • Red Hat OpenShift Service Mesh
    • v2.0.7.1
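
A pre-change audit for the issue described above, as an added example that is not part of the original article or Red Hat's own tooling: it lists liveness probes that still use plain HTTP while spec.security.dataPlane.mtls is true. The JSON samples are constructed, the function names are hypothetical, and it assumes sidecar injection is opted into with the sidecar.istio.io/inject annotation.

```python
import json

# Constructed samples (not from a real cluster), trimmed from `oc get -o json` style output.
SMCP = json.loads("""{"kind": "ServiceMeshControlPlane",
  "spec": {"security": {"dataPlane": {"mtls": true}}}}""")

DEPLOYMENT = json.loads("""{"kind": "Deployment", "metadata": {"name": "productpage"},
  "spec": {"template": {
    "metadata": {"annotations": {"sidecar.istio.io/inject": "true"}},
    "spec": {"containers": [
      {"name": "productpage", "livenessProbe":
        {"httpGet": {"path": "/health", "port": 8080}}},
      {"name": "metrics", "livenessProbe":
        {"httpGet": {"path": "/healthz", "port": 8443, "scheme": "HTTPS"}}},
      {"name": "worker", "livenessProbe": {"exec": {"command": ["true"]}}}
    ]}}}}""")


def mtls_enabled(smcp):
    """True when spec.security.dataPlane.mtls is set to true."""
    data_plane = smcp.get("spec", {}).get("security", {}).get("dataPlane", {})
    return data_plane.get("mtls") is True


def plain_http_liveness_probes(workload):
    """Return (container, path, port) for each liveness probe using plain HTTP."""
    template = workload["spec"]["template"]
    annotations = template.get("metadata", {}).get("annotations", {})
    if annotations.get("sidecar.istio.io/inject") != "true":
        return []  # assumption: no opt-in annotation means the pod is outside the mesh
    findings = []
    for container in template["spec"].get("containers", []):
        http_get = (container.get("livenessProbe") or {}).get("httpGet")
        # Kubernetes defaults httpGet.scheme to HTTP when the field is omitted.
        if http_get and http_get.get("scheme", "HTTP").upper() != "HTTPS":
            findings.append((container["name"], http_get.get("path", "/"), http_get["port"]))
    return findings


def audit(smcp, workload):
    """Probes to review once data plane mTLS is on; empty when mTLS is off."""
    return plain_http_liveness_probes(workload) if mtls_enabled(smcp) else []


if __name__ == "__main__":
    for name, path, port in audit(SMCP, DEPLOYMENT):
        print(f"{DEPLOYMENT['metadata']['name']}/{name}: HTTP liveness probe {path} on port {port}")
```
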
