Use HTTP/1.1 to perform readiness check (#156)

This change re-enables the readiness check, using HTTP/1.1 instead of HTTP/2 to invoke it. The readiness checks are unauthenticated and are throttled when the feature gate UnauthenticatedHTTP2DOSMitigation is set to true, which is the default starting in Kubernetes 1.29 (see https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates). This was the cause of the "GOAWAY received" errors that have been observed on Kubernetes 1.29. This change also decouples starting of the servers from waiting until they become ready, so that if the readiness check fails due to some error that propagates out of the polling loop (e.g. IOException), the caller is free to catch it and continue waiting.
java-operator-sdk · Jan 18, 2024 · 8137188 · 8137188
1 parent 9518531
commit 8137188
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/core/src/main/java/io/javaoperatorsdk/jenvtest/process/KubeAPIServerProcess.java b/core/src/main/java/io/javaoperatorsdk/jenvtest/process/KubeAPIServerProcess.java
@@ -89,9 +89,7 @@ public void waitUntilReady() {
     var readinessChecker = new ProcessReadinessChecker();
     var timeout = config.getStartupTimeout();
     var startTime = System.currentTimeMillis();
-    // the 1.29.0 binary has issue with this. Will temporarily comment out and further investigate.
-    // But with this now all the executions are failing
-    // readinessChecker.waitUntilReady(apiServerPort, "readyz", KUBE_API_SERVER, true, timeout);
+    readinessChecker.waitUntilReady(apiServerPort, "readyz", KUBE_API_SERVER, true, timeout);
     int newTimout = (int) (timeout - (System.currentTimeMillis() - startTime));
     readinessChecker.waitUntilDefaultNamespaceAvailable(apiServerPort, binaryManager, certManager,
         config, newTimout);

diff --git a/core/src/main/java/io/javaoperatorsdk/jenvtest/process/ProcessReadinessChecker.java b/core/src/main/java/io/javaoperatorsdk/jenvtest/process/ProcessReadinessChecker.java
@@ -177,8 +177,13 @@ public void checkServerTrusted(
               }
           },
           null);
+      // Set protocol to HTTP/1.1 for unauthenticated invocations of "GET /readyz". Sending
+      // unauthenticated requests using HTTP/2 is problematic on Kubernetes >=1.29, which enables
+      // denial-of-service mitigation for authenticated HTTP/2 by default with the
+      // UnauthenticatedHTTP2DOSMitigation feature gate.
       return HttpClient.newBuilder()
           .sslContext(sslContext)
+          .version(HttpClient.Version.HTTP_1_1)
           .build();
     } catch (NoSuchAlgorithmException | KeyManagementException e) {
       throw new JenvtestException(e);