Boundary Workers behind NLB

alejandro-belleza-gl · February 23, 2023, 4:40pm

Hi, I’ve deployed Boundary ( v0.12.0 ) workers behind an NLB and all have the same address.

I’m getting a error reading handshake result: failed to read protobuf message: failed to get reader: received close frame: status = StatusInternalError and reason = "refusing to activate session" in the client stderr.

The worker logs show, no tofu token but not in correct session state, in the workers that get a new connection.

Workers are behind an NLB cause the workers are in a private subnet which is allowed to reach the targets. Is this setup possible ?

omkensey · February 23, 2023, 5:49pm

You can’t put multiple Boundary workers behind a single LB address (or at least not that I’ve ever seen work – it fails in exactly the way you’re seeing), but if you’re using HCP Boundary you can expose only a single worker publicly (or use one of the existing HCP-managed workers for this purpose) and reverse-proxy the traffic to other workers through it via HCP Boundary 0.12’s multi-hop worker features.

macmiranda · March 5, 2023, 10:28am

Hey @omkensey, if you could spare a few more minutes on this… I have the same exact problem as @alejandro-belleza-gl in one of my clusters though a fairly similar setup in another cluster that actually works.

The main difference between them: in the one that works, the workers connect to the (controllers’) cluster port directly, i.e. initial_upstreams lists all the controller Pods hostnames. In the other one (that doesn’t work) the workers connect to the cluster port via Ingress (NLB) so, in that case, initial_upstreams is a single external DNS name which the Ingress controller routes to the specific Pods.

I did test the latter without the Ingress but it still doesn’t work so that leads me to believe that there may be differences in that behavior across versions. First cluster is running 0.10.5 and second is running 0.12.0

I just want to understand what exactly is happening internally that prevents it from working.

Just as extra context, if I scale down the number of replicas to 1, everything works as expected. When the number of replicas is greater than 1, if I attempt to connect to the same target multiple times, it does end up working after the Ingress LB has rotated through all the possible workers and connects to the worker that was the first one to be authorized by a controller. (it’s kind of an odd behavior to be honest, that each database connection uses a different worker than the one that was first authorized for that target - though I understand it may be necessary for spreading the load.)

Any help would be appreciated

macmiranda · March 5, 2023, 11:52am

@alejandro-belleza-gl could you clarify whether your controllers are directly accessible from the workers or if they are also behind some NAT device?

macmiranda · March 6, 2023, 12:46pm

For reference, we have submitted a bug in the project repo.

github.com/hashicorp/boundary

Upgrading to `0.12.0` brakes connection to workers behind AWS NLB

opened 12:20PM - 06 Mar 23 UTC

madianas21

**Describe the bug** After upgrading our Boundary cluster from version `0.11.2`… to version `0.12.0`, connections erroring out with ` server closed the connection unexpectedly` in pgAdmin4 and `no tofu token but not in correct session state` errors in Boundary workers. Relevant parts of Boundary Worker logs: ``` 1. pod: "boundary-worker-1" : {"connection_id":"sc_D8zk6zHJSr","msg":"connection successfully authorized","session_id":"s_hwOqxxOyO3"} 2. pod: "boundary-worker-1" : {"msg":"session successfully activated","session_id":"s_hwOqxxOyO3"} 3. pod: "boundary-worker-1" : {"connection_id":"sc_D8zk6zHJSr","msg":"connection closed","session_id":"s_hwOqxxOyO3"} 4. pod: "boundary-worker-0" : {"error":"no tofu token but not in correct session state","error_fields":{},"id":"e_9ln52LRbZM","version":"v0.1","op":"worker.(Worker).handleProxy","info":{"session_id":"s_hwOqxxOyO3"}} 5. pod: "boundary-worker-2" : {"error":"no tofu token but not in correct session state","error_fields":{},"id":"e_v9Bj5hHuTH","version":"v0.1","op":"worker.(Worker).handleProxy","info":{"session_id":"s_hwOqxxOyO3"}} 6. pod: "boundary-worker-1" : {"connection_id":"sc_cAX7tHZJGK","msg":"connection successfully authorized","session_id":"s_hwOqxxOyO3"} ``` As you can see the same session(`s_hwOqxxOyO3`), errors out when it gets routed to a different worker in the cluster. #### About the setup Boundary cluster with 3 controllers and 3 workers is deployed on AWS EKS. Workers are publicly exposed behind an AWS NLB. TCP port `9202` is open on an `ingress-nginx` and routes to a `ClusterIP` Kubernetes Service with three Boundary Worker Pods. Same for controllers, except the port is `9201`. This setup was working fine before the upgrade. **To Reproduce** Steps to reproduce the behavior: 1. Upgrade to version `0.12.0` 2. Connect via Boundary UI 3. Login via pgAdmin4 4. See error: `server closed the connection unexpectedly` 5. Login multiple times 6. Login successful 7. Open database 8. See error: `server closed the connection unexpectedly` **Expected behavior** If we downgrade back to version `0.11.2`, connections work fine without any issues. **Additional context** - Controller and Worker communicate via public TCP ingress connection, switching to an internal cluster network, did not solve the issue. - We are not using the new `address` field in the Boundary Target. - We are using the Worker Tag filters

alejandro-belleza-gl · March 6, 2023, 6:54pm

Access to the controllers cluster port is LB with an NLB.

alejandro-belleza-gl · March 8, 2023, 10:53pm

This issue with the version 0.12.0 was fixed in this PR - Use tofu token from controller by irenarindos · Pull Request #3064 · hashicorp/boundary · GitHub

I’ve tested the build and works without issues. N workers behind an NLB.

Thanks for your help @macmiranda ! The details that you provided in the github issue were critical to identify the bug.

jeff · March 9, 2023, 2:16pm

Awesome! 0.12.1 will be out soon containing this fix.