Panic crash caused by new multiport functionality

darkn3rd · October 4, 2022, 5:15pm

I cannot get basic functionality with simple service supporting two ports: 8080 (HTTP) and 9080 (GRPC). I was followed the steps listed here using a small greeter service that I wrote:

However, it is not working, as the injector pods does this, which I guess is not the desired outcome.

anic: runtime error: index out of range [-1]

goroutine 258 [running]:
github.com/hashicorp/consul-k8s/control-plane/connect-inject.(*EndpointsController).createServiceRegistrations(_, {{{0x1b293d8, 0x3}, {0x22c9093, 0x2}}, {{0xc0003d3760, 0x1f}, {0xc0003d3780, 0x1a}, {0xc000623b20, ...}, ...}, ...}, ...)
	/home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/endpoints_controller.go:417 +0x2374
github.com/hashicorp/consul-k8s/control-plane/connect-inject.(*EndpointsController).registerServicesAndHealthCheck(_, {{{0x1b293d8, 0x3}, {0x22c9093, 0x2}}, {{0xc0003d3760, 0x1f}, {0xc0003d3780, 0x1a}, {0xc000623b20, ...}, ...}, ...}, ...)
	/home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/endpoints_controller.go:251 +0x2e8
github.com/hashicorp/consul-k8s/control-plane/connect-inject.(*EndpointsController).Reconcile(0xc000305e00, {0x2689b60, 0xc00059f800}, {{{0xc0007da990?, 0x20f4f80?}, {0xc0008ca4b0?, 0xc0005be000?}}})
	/home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/endpoints_controller.go:195 +0x10db
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0xc0005d7cc0, {0x2689b60, 0xc00059f770}, {{{0xc0007da990?, 0x20f4f80?}, {0xc0008ca4b0?, 0xc000791c80?}}})
	/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:114 +0x222
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc0005d7cc0, {0x2689ab8, 0xc0005be380}, {0x1f9d360?, 0xc000446e80?})
	/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:311 +0x2e9
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc0005d7cc0, {0x2689ab8, 0xc0005be380})
	/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:266 +0x1d9
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2()
	/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:227 +0x85
created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2
	/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:223 +0x307

I am deducing that this is a bug, so I wrote an issue:

github.com/hashicorp/consul-k8s

consul-connect-injector panic with multiport config

opened 10:09AM - 04 Oct 22 UTC

darkn3rd

type/bug

### Community Note * Please vote on this issue by adding a 👍 [reaction](https…://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you! * Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request. * If you are interested in working on this issue or have submitted a pull request, please leave a comment. ### Overview of the Issue Unable to establish connectivity through either HTTP or gRPC with Consul Service Mesh. I was following [kubernetes-pods-with-multiple-ports](https://www.consul.io/docs/k8s/connect#kubernetes-pods-with-multiple-ports) docs, and after deployment, consul-connect will panic. Below is 6 times it restarted and panic before hitting the threshold. ``` pod/consul-connect-injector-85b7dc57dd-g4g98 0/1 CrashLoopBackOff 6 (3m22s ago) 12m pod/consul-connect-injector-85b7dc57dd-xcsrb 0/1 CrashLoopBackOff 6 (3m42s ago) 12m ``` ### Reproduction Steps 1. Deploy Consul Service Mesh ```yaml global: name: consul connectInject: enabled: true controller: enabled: true ui: enabled: true service: type: LoadBalancer ``` 2. Deploy multiport service: `kubectl apply -n greeter-server -f manifest.yaml`: ```yaml --- apiVersion: v1 kind: ServiceAccount metadata: name: greeter-server --- apiVersion: v1 kind: ServiceAccount metadata: name: greeter-server-grpc --- apiVersion: v1 kind: Service metadata: name: greeter-server spec: ports: - name: http port: 8080 protocol: TCP targetPort: 8080 selector: app: greeter-server --- apiVersion: v1 kind: Service metadata: name: greeter-server-grpc spec: ports: - name: grpc port: 9080 protocol: TCP targetPort: 9080 selector: app: greeter-server --- apiVersion: apps/v1 kind: Deployment metadata: name: greeter-server spec: replicas: 1 selector: matchLabels: app: greeter-server template: metadata: annotations: consul.hashicorp.com/connect-inject: "true" consul.hashicorp.com/connect-service: http,grpc consul.hashicorp.com/connect-service-port: 8080,9080 consul.hashicorp.com/transparent-proxy: "false" labels: app: greeter-server name: greeter-server spec: containers: - image: darknerd/greeter-server name: greeter-server ports: - containerPort: 9080 name: grpc - containerPort: 8080 name: http serviceAccountName: greeter-server ``` 3. `kubectl get pods --namespace consul` ### Logs <details> <summary>kubectl logs pod/consul-connect-injector-85b7dc57dd-jtmmm -n consul</summary> ``` 2022-10-04T09:44:59.817Z INFO controller-runtime.metrics metrics server is starting to listen {"addr": "0.0.0.0:9444"} 2022-10-04T09:44:59.818Z INFO controller-runtime.webhook registering webhook {"path": "/mutate"} 2022-10-04T09:44:59.818Z INFO attempting to acquire leader lease consul/consul-controller-lock... 2022-10-04T09:44:59.818Z INFO starting metrics server {"path": "/metrics"} 2022-10-04T09:44:59.818Z INFO controller-runtime.webhook.webhooks starting webhook server 2022-10-04T09:44:59.819Z INFO controller-runtime.certwatcher Updated current TLS certificate 2022-10-04T09:44:59.819Z INFO controller-runtime.webhook serving webhook server {"host": "", "port": 8080} 2022-10-04T09:44:59.856Z INFO controller-runtime.certwatcher Starting certificate watcher 2022-10-04T09:45:15.058Z INFO successfully acquired lease consul/consul-controller-lock 2022-10-04T09:45:15.059Z INFO controller.endpoints Starting EventSource {"reconciler group": "", "reconciler kind": "Endpoints", "source": "kind source: /, Kind="} 2022-10-04T09:45:15.059Z INFO controller.endpoints Starting EventSource {"reconciler group": "", "reconciler kind": "Endpoints", "source": "kind source: /, Kind="} 2022-10-04T09:45:15.059Z INFO controller.endpoints Starting Controller {"reconciler group": "", "reconciler kind": "Endpoints"} 2022-10-04T09:45:15.360Z INFO controller.endpoints Starting workers {"reconciler group": "", "reconciler kind": "Endpoints", "worker count": 1} 2022-10-04T09:45:15.360Z INFO controller.endpoints received update for Consul client pod {"name": "consul-client-ss79v"} 2022-10-04T09:45:15.361Z INFO controller.endpoints retrieved {"name": "consul-connect-injector", "ns": "consul"} 2022-10-04T09:45:15.362Z INFO controller.endpoints received update for Consul client pod {"name": "consul-client-xbjkp"} 2022-10-04T09:45:15.362Z INFO controller.endpoints received update for Consul client pod {"name": "consul-client-879jg"} 2022-10-04T09:45:15.561Z INFO controller.endpoints retrieved {"name": "greeter-client", "ns": "greeter-client"} 2022-10-04T09:45:15.765Z INFO controller.endpoints registering service with Consul {"name": "greeter-client", "id": "greeter-client-55fc8944ff-2smkz-greeter-client", "agentIP": "10.128.0.18"} 2022-10-04T09:45:15.811Z INFO controller.endpoints registering proxy service with Consul {"name": "greeter-client-sidecar-proxy"} 2022-10-04T09:45:15.852Z INFO controller.endpoints updating health check status for service {"name": "greeter-client", "reason": "Kubernetes health checks passing", "status": "passing"} 2022-10-04T09:45:15.853Z INFO controller.endpoints updating health check {"id": "greeter-client/greeter-client-55fc8944ff-2smkz-greeter-client/kubernetes-health-check"} 2022-10-04T09:45:16.034Z INFO controller.endpoints retrieved {"name": "greeter-server-grpc", "ns": "greeter-server"} panic: runtime error: index out of range [-1] goroutine 258 [running]: github.com/hashicorp/consul-k8s/control-plane/connect-inject.(*EndpointsController).createServiceRegistrations(_, {{{0x1b293d8, 0x3}, {0x22c9093, 0x2}}, {{0xc0003d3760, 0x1f}, {0xc0003d3780, 0x1a}, {0xc000623b20, ...}, ...}, ...}, ...) /home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/endpoints_controller.go:417 +0x2374 github.com/hashicorp/consul-k8s/control-plane/connect-inject.(*EndpointsController).registerServicesAndHealthCheck(_, {{{0x1b293d8, 0x3}, {0x22c9093, 0x2}}, {{0xc0003d3760, 0x1f}, {0xc0003d3780, 0x1a}, {0xc000623b20, ...}, ...}, ...}, ...) /home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/endpoints_controller.go:251 +0x2e8 github.com/hashicorp/consul-k8s/control-plane/connect-inject.(*EndpointsController).Reconcile(0xc000305e00, {0x2689b60, 0xc00059f800}, {{{0xc0007da990?, 0x20f4f80?}, {0xc0008ca4b0?, 0xc0005be000?}}}) /home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/endpoints_controller.go:195 +0x10db sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0xc0005d7cc0, {0x2689b60, 0xc00059f770}, {{{0xc0007da990?, 0x20f4f80?}, {0xc0008ca4b0?, 0xc000791c80?}}}) /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:114 +0x222 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc0005d7cc0, {0x2689ab8, 0xc0005be380}, {0x1f9d360?, 0xc000446e80?}) /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:311 +0x2e9 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc0005d7cc0, {0x2689ab8, 0xc0005be380}) /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:266 +0x1d9 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2() /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:227 +0x85 created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2 /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:223 +0x307 ``` </details> <details> <summary>kubectl logs consul-connect-injector-85b7dc57dd-dxz5b -n consul</summary> ``` 2022-10-04T09:47:04.245Z INFO controller-runtime.metrics metrics server is starting to listen {"addr": "0.0.0.0:9444"} 2022-10-04T09:47:04.343Z INFO controller-runtime.webhook registering webhook {"path": "/mutate"} 2022-10-04T09:47:04.344Z INFO attempting to acquire leader lease consul/consul-controller-lock... 2022-10-04T09:47:04.344Z INFO starting metrics server {"path": "/metrics"} 2022-10-04T09:47:04.344Z INFO controller-runtime.webhook.webhooks starting webhook server 2022-10-04T09:47:04.345Z INFO controller-runtime.certwatcher Updated current TLS certificate 2022-10-04T09:47:04.345Z INFO controller-runtime.webhook serving webhook server {"host": "", "port": 8080} 2022-10-04T09:47:04.443Z INFO controller-runtime.certwatcher Starting certificate watcher 2022-10-04T09:47:20.343Z INFO successfully acquired lease consul/consul-controller-lock 2022-10-04T09:47:20.344Z INFO controller.endpoints Starting EventSource {"reconciler group": "", "reconciler kind": "Endpoints", "source": "kind source: /, Kind="} 2022-10-04T09:47:20.345Z INFO controller.endpoints Starting EventSource {"reconciler group": "", "reconciler kind": "Endpoints", "source": "kind source: /, Kind="} 2022-10-04T09:47:20.345Z INFO controller.endpoints Starting Controller {"reconciler group": "", "reconciler kind": "Endpoints"} 2022-10-04T09:47:20.645Z INFO controller.endpoints received update for Consul client pod {"name": "consul-client-xbjkp"} 2022-10-04T09:47:20.646Z INFO controller.endpoints Starting workers {"reconciler group": "", "reconciler kind": "Endpoints", "worker count": 1} 2022-10-04T09:47:20.646Z INFO controller.endpoints retrieved {"name": "consul-connect-injector", "ns": "consul"} 2022-10-04T09:47:20.649Z INFO controller.endpoints received update for Consul client pod {"name": "consul-client-879jg"} 2022-10-04T09:47:20.649Z INFO controller.endpoints received update for Consul client pod {"name": "consul-client-ss79v"} 2022-10-04T09:47:20.660Z INFO controller.endpoints retrieved {"name": "greeter-server", "ns": "greeter-server"} panic: runtime error: index out of range [-1] goroutine 254 [running]: github.com/hashicorp/consul-k8s/control-plane/connect-inject.(*EndpointsController).createServiceRegistrations(_, {{{0x1b293d8, 0x3}, {0x22c9093, 0x2}}, {{0xc00077b1c0, 0x1f}, {0xc00077b1e0, 0x1a}, {0xc0007ed1f0, ...}, ...}, ...}, ...) /home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/endpoints_controller.go:417 +0x2374 github.com/hashicorp/consul-k8s/control-plane/connect-inject.(*EndpointsController).registerServicesAndHealthCheck(_, {{{0x1b293d8, 0x3}, {0x22c9093, 0x2}}, {{0xc00077b1c0, 0x1f}, {0xc00077b1e0, 0x1a}, {0xc0007ed1f0, ...}, ...}, ...}, ...) /home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/endpoints_controller.go:251 +0x2e8 github.com/hashicorp/consul-k8s/control-plane/connect-inject.(*EndpointsController).Reconcile(0xc0005d4140, {0x2689b60, 0xc000a5be90}, {{{0xc00012a680?, 0x20f4f80?}, {0xc00012a630?, 0xc0000c4100?}}}) /home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/endpoints_controller.go:195 +0x10db sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0xc0008bc1e0, {0x2689b60, 0xc000a5be00}, {{{0xc00012a680?, 0x20f4f80?}, {0xc00012a630?, 0xc0000c56c0?}}}) /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:114 +0x222 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc0008bc1e0, {0x2689ab8, 0xc0000c4540}, {0x1f9d360?, 0xc00045e7a0?}) /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:311 +0x2e9 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc0008bc1e0, {0x2689ab8, 0xc0000c4540}) /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:266 +0x1d9 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2() /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:227 +0x85 created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2 /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:223 +0x307 ``` </details> ### Expected behavior I expected that the side-car proxy containers would be injected, and that the connect-injector container would not continuously panic. ### Environment details Additionally, please provide details regarding the Kubernetes Infrastructure, as shown below: - Kubernetes version: **v1.22** (`v1.22.12-gke.300`) - Cloud Provider: **GKE** - Networking CNI plugin in use: default whatever that is ### Additional Context * Related: https://github.com/hashicorp/consul/issues/5388

I hope someone can look at this, and determine if there is something missing in the docs that is missing or not clear that could cause this.

t-eckert · October 4, 2022, 5:39pm

Hi @darkn3rd, thank you for opening this question. I was able to solve it for you where you opened the issue on the GitHub repository.

github.com/hashicorp/consul-k8s

consul-connect-injector panic with multiport config

opened 10:09AM - 04 Oct 22 UTC

darkn3rd

type/bug

### Community Note * Please vote on this issue by adding a 👍 [reaction](https…://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you! * Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request. * If you are interested in working on this issue or have submitted a pull request, please leave a comment. ### Overview of the Issue Unable to establish connectivity through either HTTP or gRPC with Consul Service Mesh. I was following [kubernetes-pods-with-multiple-ports](https://www.consul.io/docs/k8s/connect#kubernetes-pods-with-multiple-ports) docs, and after deployment, consul-connect will panic. Below is 6 times it restarted and panic before hitting the threshold. ``` pod/consul-connect-injector-85b7dc57dd-g4g98 0/1 CrashLoopBackOff 6 (3m22s ago) 12m pod/consul-connect-injector-85b7dc57dd-xcsrb 0/1 CrashLoopBackOff 6 (3m42s ago) 12m ``` ### Reproduction Steps 1. Deploy Consul Service Mesh ```yaml global: name: consul connectInject: enabled: true controller: enabled: true ui: enabled: true service: type: LoadBalancer ``` 2. Deploy multiport service: `kubectl apply -n greeter-server -f manifest.yaml`: ```yaml --- apiVersion: v1 kind: ServiceAccount metadata: name: greeter-server --- apiVersion: v1 kind: ServiceAccount metadata: name: greeter-server-grpc --- apiVersion: v1 kind: Service metadata: name: greeter-server spec: ports: - name: http port: 8080 protocol: TCP targetPort: 8080 selector: app: greeter-server --- apiVersion: v1 kind: Service metadata: name: greeter-server-grpc spec: ports: - name: grpc port: 9080 protocol: TCP targetPort: 9080 selector: app: greeter-server --- apiVersion: apps/v1 kind: Deployment metadata: name: greeter-server spec: replicas: 1 selector: matchLabels: app: greeter-server template: metadata: annotations: consul.hashicorp.com/connect-inject: "true" consul.hashicorp.com/connect-service: http,grpc consul.hashicorp.com/connect-service-port: 8080,9080 consul.hashicorp.com/transparent-proxy: "false" labels: app: greeter-server name: greeter-server spec: containers: - image: darknerd/greeter-server name: greeter-server ports: - containerPort: 9080 name: grpc - containerPort: 8080 name: http serviceAccountName: greeter-server ``` 3. `kubectl get pods --namespace consul` ### Logs <details> <summary>kubectl logs pod/consul-connect-injector-85b7dc57dd-jtmmm -n consul</summary> ``` 2022-10-04T09:44:59.817Z INFO controller-runtime.metrics metrics server is starting to listen {"addr": "0.0.0.0:9444"} 2022-10-04T09:44:59.818Z INFO controller-runtime.webhook registering webhook {"path": "/mutate"} 2022-10-04T09:44:59.818Z INFO attempting to acquire leader lease consul/consul-controller-lock... 2022-10-04T09:44:59.818Z INFO starting metrics server {"path": "/metrics"} 2022-10-04T09:44:59.818Z INFO controller-runtime.webhook.webhooks starting webhook server 2022-10-04T09:44:59.819Z INFO controller-runtime.certwatcher Updated current TLS certificate 2022-10-04T09:44:59.819Z INFO controller-runtime.webhook serving webhook server {"host": "", "port": 8080} 2022-10-04T09:44:59.856Z INFO controller-runtime.certwatcher Starting certificate watcher 2022-10-04T09:45:15.058Z INFO successfully acquired lease consul/consul-controller-lock 2022-10-04T09:45:15.059Z INFO controller.endpoints Starting EventSource {"reconciler group": "", "reconciler kind": "Endpoints", "source": "kind source: /, Kind="} 2022-10-04T09:45:15.059Z INFO controller.endpoints Starting EventSource {"reconciler group": "", "reconciler kind": "Endpoints", "source": "kind source: /, Kind="} 2022-10-04T09:45:15.059Z INFO controller.endpoints Starting Controller {"reconciler group": "", "reconciler kind": "Endpoints"} 2022-10-04T09:45:15.360Z INFO controller.endpoints Starting workers {"reconciler group": "", "reconciler kind": "Endpoints", "worker count": 1} 2022-10-04T09:45:15.360Z INFO controller.endpoints received update for Consul client pod {"name": "consul-client-ss79v"} 2022-10-04T09:45:15.361Z INFO controller.endpoints retrieved {"name": "consul-connect-injector", "ns": "consul"} 2022-10-04T09:45:15.362Z INFO controller.endpoints received update for Consul client pod {"name": "consul-client-xbjkp"} 2022-10-04T09:45:15.362Z INFO controller.endpoints received update for Consul client pod {"name": "consul-client-879jg"} 2022-10-04T09:45:15.561Z INFO controller.endpoints retrieved {"name": "greeter-client", "ns": "greeter-client"} 2022-10-04T09:45:15.765Z INFO controller.endpoints registering service with Consul {"name": "greeter-client", "id": "greeter-client-55fc8944ff-2smkz-greeter-client", "agentIP": "10.128.0.18"} 2022-10-04T09:45:15.811Z INFO controller.endpoints registering proxy service with Consul {"name": "greeter-client-sidecar-proxy"} 2022-10-04T09:45:15.852Z INFO controller.endpoints updating health check status for service {"name": "greeter-client", "reason": "Kubernetes health checks passing", "status": "passing"} 2022-10-04T09:45:15.853Z INFO controller.endpoints updating health check {"id": "greeter-client/greeter-client-55fc8944ff-2smkz-greeter-client/kubernetes-health-check"} 2022-10-04T09:45:16.034Z INFO controller.endpoints retrieved {"name": "greeter-server-grpc", "ns": "greeter-server"} panic: runtime error: index out of range [-1] goroutine 258 [running]: github.com/hashicorp/consul-k8s/control-plane/connect-inject.(*EndpointsController).createServiceRegistrations(_, {{{0x1b293d8, 0x3}, {0x22c9093, 0x2}}, {{0xc0003d3760, 0x1f}, {0xc0003d3780, 0x1a}, {0xc000623b20, ...}, ...}, ...}, ...) /home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/endpoints_controller.go:417 +0x2374 github.com/hashicorp/consul-k8s/control-plane/connect-inject.(*EndpointsController).registerServicesAndHealthCheck(_, {{{0x1b293d8, 0x3}, {0x22c9093, 0x2}}, {{0xc0003d3760, 0x1f}, {0xc0003d3780, 0x1a}, {0xc000623b20, ...}, ...}, ...}, ...) /home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/endpoints_controller.go:251 +0x2e8 github.com/hashicorp/consul-k8s/control-plane/connect-inject.(*EndpointsController).Reconcile(0xc000305e00, {0x2689b60, 0xc00059f800}, {{{0xc0007da990?, 0x20f4f80?}, {0xc0008ca4b0?, 0xc0005be000?}}}) /home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/endpoints_controller.go:195 +0x10db sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0xc0005d7cc0, {0x2689b60, 0xc00059f770}, {{{0xc0007da990?, 0x20f4f80?}, {0xc0008ca4b0?, 0xc000791c80?}}}) /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:114 +0x222 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc0005d7cc0, {0x2689ab8, 0xc0005be380}, {0x1f9d360?, 0xc000446e80?}) /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:311 +0x2e9 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc0005d7cc0, {0x2689ab8, 0xc0005be380}) /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:266 +0x1d9 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2() /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:227 +0x85 created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2 /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:223 +0x307 ``` </details> <details> <summary>kubectl logs consul-connect-injector-85b7dc57dd-dxz5b -n consul</summary> ``` 2022-10-04T09:47:04.245Z INFO controller-runtime.metrics metrics server is starting to listen {"addr": "0.0.0.0:9444"} 2022-10-04T09:47:04.343Z INFO controller-runtime.webhook registering webhook {"path": "/mutate"} 2022-10-04T09:47:04.344Z INFO attempting to acquire leader lease consul/consul-controller-lock... 2022-10-04T09:47:04.344Z INFO starting metrics server {"path": "/metrics"} 2022-10-04T09:47:04.344Z INFO controller-runtime.webhook.webhooks starting webhook server 2022-10-04T09:47:04.345Z INFO controller-runtime.certwatcher Updated current TLS certificate 2022-10-04T09:47:04.345Z INFO controller-runtime.webhook serving webhook server {"host": "", "port": 8080} 2022-10-04T09:47:04.443Z INFO controller-runtime.certwatcher Starting certificate watcher 2022-10-04T09:47:20.343Z INFO successfully acquired lease consul/consul-controller-lock 2022-10-04T09:47:20.344Z INFO controller.endpoints Starting EventSource {"reconciler group": "", "reconciler kind": "Endpoints", "source": "kind source: /, Kind="} 2022-10-04T09:47:20.345Z INFO controller.endpoints Starting EventSource {"reconciler group": "", "reconciler kind": "Endpoints", "source": "kind source: /, Kind="} 2022-10-04T09:47:20.345Z INFO controller.endpoints Starting Controller {"reconciler group": "", "reconciler kind": "Endpoints"} 2022-10-04T09:47:20.645Z INFO controller.endpoints received update for Consul client pod {"name": "consul-client-xbjkp"} 2022-10-04T09:47:20.646Z INFO controller.endpoints Starting workers {"reconciler group": "", "reconciler kind": "Endpoints", "worker count": 1} 2022-10-04T09:47:20.646Z INFO controller.endpoints retrieved {"name": "consul-connect-injector", "ns": "consul"} 2022-10-04T09:47:20.649Z INFO controller.endpoints received update for Consul client pod {"name": "consul-client-879jg"} 2022-10-04T09:47:20.649Z INFO controller.endpoints received update for Consul client pod {"name": "consul-client-ss79v"} 2022-10-04T09:47:20.660Z INFO controller.endpoints retrieved {"name": "greeter-server", "ns": "greeter-server"} panic: runtime error: index out of range [-1] goroutine 254 [running]: github.com/hashicorp/consul-k8s/control-plane/connect-inject.(*EndpointsController).createServiceRegistrations(_, {{{0x1b293d8, 0x3}, {0x22c9093, 0x2}}, {{0xc00077b1c0, 0x1f}, {0xc00077b1e0, 0x1a}, {0xc0007ed1f0, ...}, ...}, ...}, ...) /home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/endpoints_controller.go:417 +0x2374 github.com/hashicorp/consul-k8s/control-plane/connect-inject.(*EndpointsController).registerServicesAndHealthCheck(_, {{{0x1b293d8, 0x3}, {0x22c9093, 0x2}}, {{0xc00077b1c0, 0x1f}, {0xc00077b1e0, 0x1a}, {0xc0007ed1f0, ...}, ...}, ...}, ...) /home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/endpoints_controller.go:251 +0x2e8 github.com/hashicorp/consul-k8s/control-plane/connect-inject.(*EndpointsController).Reconcile(0xc0005d4140, {0x2689b60, 0xc000a5be90}, {{{0xc00012a680?, 0x20f4f80?}, {0xc00012a630?, 0xc0000c4100?}}}) /home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/endpoints_controller.go:195 +0x10db sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0xc0008bc1e0, {0x2689b60, 0xc000a5be00}, {{{0xc00012a680?, 0x20f4f80?}, {0xc00012a630?, 0xc0000c56c0?}}}) /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:114 +0x222 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc0008bc1e0, {0x2689ab8, 0xc0000c4540}, {0x1f9d360?, 0xc00045e7a0?}) /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:311 +0x2e9 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc0008bc1e0, {0x2689ab8, 0xc0000c4540}) /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:266 +0x1d9 sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2() /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:227 +0x85 created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2 /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:223 +0x307 ``` </details> ### Expected behavior I expected that the side-car proxy containers would be injected, and that the connect-injector container would not continuously panic. ### Environment details Additionally, please provide details regarding the Kubernetes Infrastructure, as shown below: - Kubernetes version: **v1.22** (`v1.22.12-gke.300`) - Cloud Provider: **GKE** - Networking CNI plugin in use: default whatever that is ### Additional Context * Related: https://github.com/hashicorp/consul/issues/5388

darkn3rd · October 4, 2022, 6:07pm

Thanks.

Question: Should the injector panic or just fail with an error?

t-eckert · October 4, 2022, 8:30pm

To me, it makes sense to panic as it makes the error more obvious. But I can also see an argument for just erroring out. I made a note in the engineering sync agenda for next week where the Consul on Kubernetes engineers will discuss what the better user experience is.

darkn3rd · October 4, 2022, 9:49pm

Thanks. I was worried that panic as a form of feed back to end users has been normalized.

darkn3rd · October 5, 2022, 8:02am

I took my multi-port demo application and published it here:

I am working a more advanced application that is a distributed graph database that requires multiple ports. I pray this one works. If I can get this to work, I can work on other features, such as observability, ACLs, and ingress gateway.

I have been on this journey thus far for 11 days, so I am happy to see some success with Consul Connect. In the past, I experimented with NGINX Service Mesh (took 5 days), Istio (3 days), and Linkerd (1 day).

dpankros · October 6, 2022, 2:40pm

I’m seeing this too.

In our case, I had tried to configure multiple consul services for rabbitmq: one for amqp and one for UI/http, but it started crashing randomly. Can someone post the link to the issue when it is created so that others who encounter this issue know where to track it?

darkn3rd · October 6, 2022, 4:26pm

This is not documented very clearly (but docs that are there are definitely appreciated). This is what I found with multiple ports used by a single service.

cannot have two services that use the same port. Thus in case you are using a StatefulSet that has a headless service and a regular service, you will need to add a label on the headless service to tell Consul to ignore it, i.e. consul.hashicorp.com/service-ignore: 'true'
cannot have a service with 2+ ports, so you have to segregate this to one port to service
server: add consul.hashicorp.com/connect-service annotation to list each of the services.
clients: add consul.hashicorp.com/connect-service-upstreams annotation listing the services the client can connect to.
transparent proxy will not work with this, so to show that, I add consul.hashicorp.com/transparent-proxy: "false" annotation.
metrics will not work with multi-port, so metrics should not be enabled, as this will cause stacktraces.

dpankros · October 9, 2022, 9:16pm

@darkn3rd This worked perfectly! Thank you!

darkn3rd · October 10, 2022, 5:40am

I found another thing, and I am not sure about the workaround. With transparent proxy, traffic should go through the mesh. But when you use upstream, you can tunnel through local host. However, other containers in or outside the mesh can reach the service that should be secured. I’m looking for annotations or other docs that could fix this, but I have not found it yet. I wrote this up as Connections bypass ACL security in multi-port · Issue #1606 · hashicorp/consul-k8s · GitHub.

darkn3rd · October 11, 2022, 6:28pm

Following up on this issue, essentially when you enable multi-port and it turns off transparent-proxy mode, the service will be vulnerable. The only way to further restrict this is to restrict the service running on the system to local-host, so the actual service has to do the fire walling, or use another technology, such as network policies. This causes a unique challenge to integrate ingress-controllers or API gateways if the service has to be restricted to local host.

The current architecture of Consul does not seem compatible for a service mesh solution for multi-port, given security and observability issues. Essentially, it doesn’t support finalized Kubernetes APIs, such as a service that supports a list of ports, where Consul can only support a single port for tranparent proxy and observability. Contrast to other SMs, out of the box they support multiple ports and transparent proxy is the default and only option.

dpankros · October 11, 2022, 9:24pm

For the ingress-controller issue, couldn’t you create a consul ingress-gateway and point the ingress to the service there? Essentially the ingress gateway provides the external visibility and the entrance to the service mesh. Then the localhost issue would be irrelevant because the gateway is going to hit the envoy proxy. Am I thinking about this wrong?

[Ingress Controller] ---(ingress)--> [Ingress Gateway] --(consul service def)--> [Multi-port service]

darkn3rd · October 11, 2022, 9:38pm

I thought of this, but the current docs/tutorial is in Terraform + Kustomize and requires installing EKS. It would take time to break that up and extract the needed solution path to be able to use it.

Also, out of the box, it doesn’t yet support gRPC. So if gRPC is needed on the edge, this is a no -solution.

dpankros · October 11, 2022, 11:02pm

The ingress gateway is just a CRD. You can create one easily:

apiVersion: consul.hashicorp.com/v1alpha1
kind: IngressGateway
metadata:
  name: <name>
  namespace: <namespace>
spec:
  listeners:
    - port: 8080
      protocol: tcp
      services:
        - name: <consul service>
  tls: # you can enable this
    enabled: false

You’ll need to update your ingress definition to point to the ingress-gateway and a service intention to allow the inbound traffic from the ingress-gateway to your service.

I’ve never tried gRPC. We use web sockets and there is support at L4 but not L7 for them. We’re making do for now. Are you sure you can’t just treat them like straight tcp sockets?

darkn3rd · October 11, 2022, 11:09pm

I could do that, but then I lose certificates correct? I haven’t tried the Ingress Gateway, as I thought this was a datacenter-to-datacenter use case.

Right now I cannot get service intentions to work from service and client in different namespaces.

dpankros · October 11, 2022, 11:20pm

You’re probably thinking of Mesh Gateways for dc to dc.

You would lose tls at level 4 (tcp). Logically, I believe you need to be using L7 for that.

I believe the service intentions would list the consul service, not the k8s service. If you’re using namespaces (and not using enterprise), you’ve probably got the wrong service name.