Enabling mTLS breaks Readiness/Liveness probes

Moved from GitHub charts/9

Posted by fl-max:

Enabling mTLS on the Alpha nodes breaks the livenessProbe and readinessProbe. A workaround is to run a command probe instead but the best fix IMO is to allow the /health path to be served on HTTP instead.

fl-max commented :

My workaround to use a command probe via curl has issues too:

# curl https://dgraph-alpha-0:8080/health --cacert /dgraph/tls/ca.crt --cert /dgraph/tls/client.dgraphadmin.crt --key /dgraph/tls/client.dgraphadmin.key
curl: (16) Error in the HTTP2 framing layer

This is a server-side error but there may be a fix (see here) in curl v7.65.0 (see changelog) to help mitigate it on the client-side. However, v7.58.0 is the latest for Ubuntu 18.04 with v7.68.0 only being available in experimental releases.

A workaround to the above is to force HTTP/1.1:
curl https://dgraph-alpha-0:8080/health --cacert /dgraph/tls/ca.crt --cert /dgraph/tls/client.dgraphadmin.crt --key /dgraph/tls/client.dgraphadmin.key --http1.1

1 Like

For this first part, the current version of the helm chart 0.0.10, supports in addition to the canned liveness and readiness probes added:

  • alpha.customLivenessProbe,
  • alpha.customReadinessProbe,
  • zero.customLivenessProbe, and
  • zero.customReadinessProbe.

With these, you can put in the curl command in these.

As dgraph docker images are built with ubuntu:latest which is currently Focal Fossa (20.04.1), so unless the image is really old, they should now get the later version Ubuntu.

I am thinking it would drop some examples for this in the recently added examples directory: