apigee-mtls health checks default ports

Hi all,

I am wondering if other OPDK users who have installed the apigee-mtls solution are also facing the same issue regarding health checks that the Consul Agents execute.

My basic understanding is that you install apigee-mtls to achieve internal (mutually) encrypted traffic. As a result the ports are translated internally to 10XXX without the actual apigee components knowing about this change. And thanks to the apigee-mtls solution we now want to close those unencrypted default ports, so the services are only reachable by the Consul Agents.

Now here comes the weird behavior regarding health checks. Once the default ports are closed, the apigee-mtls log files (/opt/apigee/var/log/apigee-mtls/consul-*.log) start flooding with errors because of a large number of health checks being done on those default ports that we want to close off:
---------------
2022/07/05 14:59:31 [WARN] agent: Check "zookeeper-2888-192-168-20-10-id-ingress-check" socket connection failed: dial tcp 192.168.20.10:2181: connect: connection refused
2022/07/05 14:59:31 [WARN] agent: Check "zookeeper-2181-192-168-20-10-id-ingress-check" socket connection failed: dial tcp 192.168.20.10:2181: connect: connection refused
2022/07/05 14:59:31 [WARN] agent: Check "zookeeper-2888-192-168-20-12-id-ingress-check" socket connection failed: dial tcp 192.168.20.12:2181: connect: connection refused
2022/07/05 14:59:31 [WARN] agent: Check "zookeeper-3888-192-168-20-10-id-ingress-check" socket connection failed: dial tcp 192.168.20.10:2181: connect: connection refused
2022/07/05 14:59:31 [WARN] agent: Check "postgresql-8084-192-168-20-15-id-ingress-check" socket connection failed: dial tcp 192.168.20.15:5432: connect: connection refused
2022/07/05 14:59:31 [WARN] agent: Check "postgresql-4530-192-168-20-18-id-ingress-check" socket connection failed: dial tcp 192.168.20.18:5432: connect: connection refused
----------------

So now we are uncertain if this is expected behavior of apigee-mtls, but it does not seem normal that we have to keep those unprotected default ports open simply to keep the health checks successful... Based on the server.json config file (/opt/apigee/apigee-mtls/conf/server.json), maybe it is by design?

My apologies for the long write-up and thank you if you made it this far. I hope I made my issue clear.

Kind regards,
Piet

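To triage the flooding consul-*.log before deciding which default ports can safely be closed, here is a small parser (an added example, not part of the post or of apigee-mtls) that groups refused connections by the ip:port the check actually dials and flags checks whose name carries a different port than the one dialed, as the zookeeper-2888 and postgresql-8084 checks above do. The sample lines are constructed after those quoted in the post.

```python
import re
from collections import Counter

# Constructed sample modelled on the consul-*.log lines quoted in the post
# (not an actual capture from the poster's cluster).
SAMPLE_LOG = """\
2022/07/05 14:59:31 [WARN] agent: Check "zookeeper-2888-192-168-20-10-id-ingress-check" socket connection failed: dial tcp 192.168.20.10:2181: connect: connection refused
2022/07/05 14:59:31 [WARN] agent: Check "zookeeper-2181-192-168-20-10-id-ingress-check" socket connection failed: dial tcp 192.168.20.10:2181: connect: connection refused
2022/07/05 14:59:31 [WARN] agent: Check "postgresql-8084-192-168-20-15-id-ingress-check" socket connection failed: dial tcp 192.168.20.15:5432: connect: connection refused
2022/07/05 14:59:31 [INFO] agent: Synced check "zookeeper-2181-192-168-20-10-id-ingress-check"
"""

CHECK_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[WARN\] agent: Check "(?P<check>[^"]+)" '
    r'socket connection failed: dial tcp (?P<ip>[\d.]+):(?P<port>\d+): (?P<err>.*)$'
)
# Check names look like "<service>-<port>-<ip-with-dashes>-id-ingress-check".
NAME_RE = re.compile(r'^(?P<service>[a-z]+)-(?P<named_port>\d+)-(?P<ip>\d+-\d+-\d+-\d+)-')

def parse_failed_checks(text):
    """Return one dict per failed-check WARN line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        n = NAME_RE.match(rec["check"])
        rec["service"] = n.group("service") if n else None
        rec["named_port"] = int(n.group("named_port")) if n else None
        out.append(rec)
    return out

def summarize(records):
    """Count refused connections per dialed ip:port, i.e. per plaintext
    listener the checks still expect to reach directly."""
    return Counter(f'{r["ip"]}:{r["port"]}' for r in records)

def port_mismatches(records):
    """Checks whose name carries one port but that dial another (e.g. a
    zookeeper-2888 check probing 2181), so the listeners the checks really
    depend on are known before any port is closed."""
    return sorted({(r["check"], r["named_port"], r["port"])
                   for r in records if r["named_port"] != r["port"]})

if __name__ == "__main__":
    recs = parse_failed_checks(SAMPLE_LOG)
    for target, n in summarize(recs).most_common():
        print(f"{n:3d} refused  {target}")
    for check, named, dialed in port_mismatches(recs):
        print(f"check {check} names port {named} but dials {dialed}")
```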