Running calico-apiserver in insecure mode #9210

Open
lohrbini opened this issue Sep 5, 2024 · 1 comment

lohrbini commented Sep 5, 2024

If you deploy the calico apiserver as a manifest with the option --secure-port=0, the pod gets stuck in CrashLoopBackOff
panic: runtime error: invalid memory address or nil pointer dereference

Expected Behavior

Running the calico-apiserver on plain http instead of https

Current Behavior

As described above, the pod is stuck in a crash loop

NAME                                READY   STATUS             RESTARTS         AGE
calico-apiserver-7b85499949-x5f8b   0/1     CrashLoopBackOff   14 (3m36s ago)   50m

Steps to Reproduce (for bugs)

  1. Download the manifests
  2. Update the deployment
...
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    apiserver: "true"
    k8s-app: calico-apiserver
  name: calico-apiserver
  namespace: calico-apiserver
spec:
  replicas: 1
  selector:
    matchLabels:
      apiserver: "true"
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        apiserver: "true"
        k8s-app: calico-apiserver
      name: calico-apiserver
      namespace: calico-apiserver
    spec:
      containers:
      - args:
        - -v=5
        - --secure-port=0
        env:
        - name: DATASTORE_TYPE
          value: kubernetes
        image: calico/apiserver:v3.28.1
        name: calico-apiserver
        readinessProbe:
          httpGet:
            path: /readyz
            port: 80
            scheme: HTTP
          timeoutSeconds: 5
          periodSeconds: 60
        securityContext:
          privileged: false
          runAsUser: 0
        # volumeMounts:
        # - mountPath: /code/apiserver.local.config/certificates
        #   name: calico-apiserver-certs
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: Always
      serviceAccount: calico-apiserver
      serviceAccountName: calico-apiserver
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane
      # volumes:
      # - name: calico-apiserver-certs
      #   secret:
      #     secretName: calico-apiserver-certs
...
  3. Apply the manifest with the updated values
  4. Receive Pod in CrashLoopBackOff
Version:      v3.28.1
Build date:   2024-07-30T22:50:38+0000
Git tag ref:  v3.28.1
Git commit:   601856343
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x58 pc=0x2135eb4]

goroutine 1 [running]:
github.com/projectcalico/calico/apiserver/cmd/apiserver/server.(*CalicoServerOptions).Config(0xc00052bef0)
	/go/src/github.com/projectcalico/calico/apiserver/cmd/apiserver/server/options.go:131 +0x5f4
github.com/projectcalico/calico/apiserver/cmd/apiserver/server.PrepareServer(0xc000720be8?)
	/go/src/github.com/projectcalico/calico/apiserver/cmd/apiserver/server/run_server.go:42 +0x65
github.com/projectcalico/calico/apiserver/cmd/apiserver/server.NewCommandStartCalicoServer.func1.2()
	/go/src/github.com/projectcalico/calico/apiserver/cmd/apiserver/server/server.go:87 +0x1c
k8s.io/kubernetes/pkg/util/interrupt.(*Handler).Run(0xc0003735f0, 0xc000677b30)
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/interrupt/interrupt.go:92 +0x122
github.com/projectcalico/calico/apiserver/cmd/apiserver/server.NewCommandStartCalicoServer.func1(0xc0001c3b00?, {0x27eed83?, 0x4?, 0x27eed3f?})
	/go/src/github.com/projectcalico/calico/apiserver/cmd/apiserver/server/server.go:86 +0x10b
github.com/spf13/cobra.(*Command).execute(0xc000340308, {0xc0001161c0, 0x2, 0x2})
	/go/pkg/mod/github.com/spf13/[email protected]/command.go:987 +0xab1
github.com/spf13/cobra.(*Command).ExecuteC(0xc000340308)
	/go/pkg/mod/github.com/spf13/[email protected]/command.go:1115 +0x3ff
github.com/spf13/cobra.(*Command).Execute(...)
	/go/pkg/mod/github.com/spf13/[email protected]/command.go:1039
k8s.io/component-base/cli.run(0xc000340308)
	/go/pkg/mod/k8s.io/[email protected]/cli/run.go:146 +0x290
k8s.io/component-base/cli.Run(0x4?)
	/go/pkg/mod/k8s.io/[email protected]/cli/run.go:46 +0x17
main.main()
	/go/src/github.com/projectcalico/calico/apiserver/cmd/apiserver/apiserver.go:66 +0x30f

Your Environment

  • Calico version: v3.28.0
  • Orchestrator version (e.g. kubernetes, mesos, rkt): Kubernetes v1.30.2
  • Operating System and version: Flatcar stable 3975.2.0

lohrbini changed the title from "Calico Apiserver insecure not applicable" to "Running calico-apiserver in insecure mode" on Sep 5, 2024
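
A manifest check for the settings changed in the reproduction above, as an added example that is not part of the issue or of Calico's code. It scans text line by line rather than parsing YAML; the rule set, the `Audit` function and the sample excerpt are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Illustrative rules (not a Calico or Kubernetes API), one per setting changed in the issue.
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"HTTPS listener disabled", regexp.MustCompile(`^-\s*["']?--secure-port[= ]0["']?$`)},
	{"probe over plain HTTP", regexp.MustCompile(`^scheme:\s*HTTP$`)},
	{"container runs as UID 0", regexp.MustCompile(`^runAsUser:\s*0$`)},
	{"serving-cert mount commented out", regexp.MustCompile(`^#\s*(-\s*)?(name|secretName):\s*calico-apiserver-certs$`)},
}

// Audit scans manifest text line by line (no YAML parsing) and returns rule hits in order.
func Audit(manifest string) []string {
	var out []string
	for i, raw := range strings.Split(manifest, "\n") {
		line := strings.TrimSpace(raw)
		for _, r := range rules {
			if r.re.MatchString(line) {
				out = append(out, fmt.Sprintf("line %d: %s", i+1, r.name))
			}
		}
	}
	return out
}

// sample is a constructed excerpt modelled on the Deployment in the issue.
const sample = `
      - args:
        - --secure-port=0
        readinessProbe:
          httpGet:
            scheme: HTTP
        securityContext:
          runAsUser: 0
        # volumeMounts:
        #   name: calico-apiserver-certs
`

func main() {
	fmt.Println(strings.Join(Audit(sample), "\n"))
}
```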

caseydavenport (Member) commented

> Running the calico-apiserver on plain http instead of https

Could you share why you want to do this?
