Client tries to connect to remote loadbalancer using server name of the target #3217
Comments
For this specific problem, it seems the root cause is how the TLS credentials are created:

`creds, err := credentials.NewClientTLSFromFile(os.Getenv("CERT_PATH"), "service-xxx")`

This sets

Please try to create the credentials without overriding the name (leaving it as an empty string), and see if that works.

There was a behavior change in gRPC (#3073). The new behavior is, TLS handshake will use

It also doesn't make sense to me how
Ah, the behavior change that broke you is actually this: https://github.com/grpc/grpc-go/pull/3119/files#diff-887fcbbbde408218ce725b7de320c30bL332

(Sorry for the breakage)

Before, the grpclb client will always override the serverName in TLS to

I still believe if you don't set

Without
This issue is labeled as requiring an update from the reporter, and no update has been received after 7 days. If no update is provided in the next 7 days, this issue will be automatically closed.
After updating grpc version from `1.24.0` to `1.25.0` (and `1.25.11`) we have a problem with connecting to the external load balancer.

I am labeling this as a question, not issue because in the past it turned out that we have been using grpclb feature the wrong way (#2838). All in all, my goal is to understand whether we are doing something wrong, or is it a regression in `grpc`.

Here is an example error from our logs. This is when a client tries to connect to `service-xxx` using an external load balancer at `service-grpclb:5000`. It showed up after updating to the newest grpc:

Looking at the logs `grpc@v1.25.0`, I understand that client application cannot connect to `service-grpclb`, because it assumes its server name should be `service-xxx`. What is strange is that one part of the log says that server name should be `service-grpclb` (`{service-grpclb:5000 0 service-grpclb <nil>}`), while other says it should be `service-xxx` (`certificate is valid for service-grpclb, not service-xxx"`).

I was trying to debug line, where this warning is emitted (https://github.com/grpc/grpc-go/blob/master/clientconn.go#L1285):

In this line `target.Authority` is `service-grpclb`, but `copts.TransportCredentials.config.ServerName` is `service-xxx`. It seems to me that `NewClientTransport` uses `ServerName` from copts rather than `target`.

I tried to recreate this using a minimal example. Consider the following setup:

- `service-xxx`, listening on `localhost:6000`,
- `service-grpclb` listening on `localhost:5000`. This is a mock service. When it is asked to resolve address `name:port`, it will answer with `localhost:port`,
- `service-xxx` using `service-grpclb` as a load balancer. Client is defined here: https://gist.github.com/krzysztofdrys/fa7df8352e667decf0449311fcaf2481 .

When I run the client with grpc@v1.25.0, I get the following log:

When I change grpc to `v1.24.0`, I get the following log:

My questions are:
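The name mismatch discussed in this thread, reproduced as an added example (not code from the issue, the linked gist or grpc-go) using only Go's standard library. It assumes that a non-empty override passed to `credentials.NewClientTLSFromFile` becomes `tls.Config.ServerName` and that an empty one falls back to the host part of the dial authority; `effectiveServerName`, `verifyBalancerCert` and the self-signed certificate are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// effectiveServerName (assumed behaviour): a non-empty override wins, else the authority's host.
func effectiveServerName(override, authority string) string {
	if override != "" {
		return override
	}
	if host, _, err := net.SplitHostPort(authority); err == nil {
		return host
	}
	return authority
}

// verifyBalancerCert verifies a constructed certificate, valid only for service-grpclb, against that name.
func verifyBalancerCert(override, authority string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"service-grpclb"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: effectiveServerName(override, authority)})
	return err
}

func main() {
	fmt.Println(verifyBalancerCert("service-xxx", "service-grpclb:5000")) // override set
	fmt.Println(verifyBalancerCert("", "service-grpclb:5000"))            // override empty
}
```

The certificate chain is trusted in both calls; only the name handed to hostname verification differs, which is why the override alone decides whether the connection to the balancer is accepted.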