Envoy proxy stuck in PRE_INITIALIZING state for upstream Encrypted Redis Cluster (Elasticache)

[sabiurr]

Title: Envoy proxy stuck in PRE_INITIALIZING state for upstream Encrypted Redis Cluster (Elasticache)

Description:

I have enabled encryption (Encryption in-transit (TLS)) on my elasticache cluster and now it seems that envoy is stuck in PRE_INITIALIZING state. I believe this is during cluster discovery/initialization. I believe I have to enable using SSL with the redis protocol (rediss). Could someone help my with this configuration?

I am using envoy (v1.11.1) as a redis cluster proxy and running as a sidecar on the client host

Config:

  listeners:
  - name: redis_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 1999
    filter_chains:
    - filters:
      - name: envoy.redis_proxy
        config:
          stat_prefix: egress_redis
          prefix_routes:
            catch_all_route:
               cluster: redis_cluster
          settings:
            op_timeout: 5s
  clusters:
  - name: redis_cluster
    connect_timeout: 0.25s
    dns_lookup_family: V4_ONLY
    lb_policy: CLUSTER_PROVIDED
    upstream_connection_options:
      tcp_keepalive:
        keepalive_time: 60
        keepalive_probes: 1
        keepalive_interval: 5
    hosts:
      - socket_address:
          address: clustercfg.test-encrypted.use1.cache.amazonaws.com
          port_value: 6379
    cluster_type:
      name: envoy.clusters.redis
      typed_config:
        "@type": type.googleapis.com/google.protobuf.Struct
        value:
          cluster_refresh_rate: 360s
          cluster_refresh_timeout: 4s
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 8001

Logs:

[2019-09-13 17:27:45.871][6][debug][upstream] [source/common/upstream/cluster_manager_impl.cc:839] adding TLS initial cluster redis_cluster
[2019-09-13 17:27:45.871][6][debug][upstream] [source/common/upstream/cluster_manager_impl.cc:75] cm init: adding: cluster=redis_cluster primary=1 secondary=0
[2019-09-13 17:27:45.871][6][info][config] [source/server/configuration_impl.cc:71] loading 1 listener(s)
[2019-09-13 17:27:45.871][6][debug][config] [source/server/configuration_impl.cc:73] listener #0:
[2019-09-13 17:27:45.871][6][debug][config] [source/server/listener_manager_impl.cc:485] begin add/update listener: name=redis_listener hash=8613620242285538431
[2019-09-13 17:27:45.871][6][debug][config] [source/server/listener_manager_impl.cc:57]   filter #0:
[2019-09-13 17:27:45.871][6][debug][config] [source/server/listener_manager_impl.cc:58]     name: envoy.redis_proxy
[2019-09-13 17:27:45.871][6][debug][config] [source/server/listener_manager_impl.cc:61]   config: {"prefix_routes":{"catch_all_route":{"cluster":"redis_cluster"}},"stat_prefix":"egress_redis","settings":{"op_timeout":"5s"}}
[2019-09-13 17:27:45.873][6][debug][config] [source/server/listener_manager_impl.cc:376] add active listener: name=redis_listener, hash=8613620242285538431, address=0.0.0.0:1999
[2019-09-13 17:27:45.873][6][info][config] [source/server/configuration_impl.cc:96] loading tracing configuration
[2019-09-13 17:27:45.873][6][info][config] [source/server/configuration_impl.cc:116] loading stats sink configuration
[2019-09-13 17:27:45.873][6][info][main] [source/server/server.cc:516] starting main dispatch loop
[2019-09-13 17:27:45.887][6][debug][connection] [source/common/network/connection_impl.cc:704] [C0] connecting to <IP>:6379
[2019-09-13 17:27:45.887][6][debug][connection] [source/common/network/connection_impl.cc:713] [C0] connection in progress
[2019-09-13 17:27:45.888][6][debug][connection] [source/common/network/connection_impl.cc:552] [C0] connected
[2019-09-13 17:27:49.891][6][debug][connection] [source/common/network/connection_impl.cc:101] [C0] closing data_to_write=0 type=1
[2019-09-13 17:27:49.891][6][debug][connection] [source/common/network/connection_impl.cc:190] [C0] closing socket: 1

{
 "version": "e349fb6139e4b7a59a9a359be0ea45dd61e589c5/1.11.1/Clean/RELEASE/BoringSSL",
 "state": "PRE_INITIALIZING",
 "command_line_options": {
  "base_id": "0",
  "concurrency": 4,
  "config_path": "/etc/envoy.yaml",
  "config_yaml": "",
  "allow_unknown_fields": false,
  "admin_address_path": "",
  "local_address_ip_version": "v4",
  "log_level": "debug",
  "component_log_level": "",
  "log_format": "[%Y-%m-%d %T.%e][%t][%l][%n] %v",
  "log_path": "/tmp/envoy.log",
  "hot_restart_version": false,
  "service_cluster": "",
  "service_node": "",
  "service_zone": "",
  "mode": "Serve",
  "max_stats": "0",
  "max_obj_name_len": "0",
  "disable_hot_restart": false,
  "enable_mutex_tracing": false,
  "restart_epoch": 0,
  "cpuset_threads": false,
  "file_flush_interval": "10s",
  "drain_time": "600s",
  "parent_shutdown_time": "900s"
 },
 "uptime_current_epoch": "11s",
 "uptime_all_epochs": "11s"
}```

[mattklein123]

cc @HenryYYang

[sabiurr]

Followup question : Does envoy support SSL connections using the redis protocol in the first place?

Also I see this in the docs here : https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/cds.proto#envoy-api-field-cluster-tls-context - The TLS configuration for connections to the upstream cluster. If no TLS configuration is specified, TLS will not be used for new connections.

However when I add

      common_tls_context:
        validation_context:
          trusted_ca:
            filename: /etc/ssl/certs/ca-certificates.crt

to my cluster config, I see different error logs ->

proxy_1  | [2019-09-16 22:46:08.372][6][debug][connection] [source/common/network/connection_impl.cc:713] [C0] connection in progress
proxy_1  | [2019-09-16 22:46:08.372][6][debug][connection] [source/common/network/connection_impl.cc:552] [C0] connected
proxy_1  | [2019-09-16 22:46:08.372][6][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C0] handshake error: 2
proxy_1  | [2019-09-16 22:46:08.374][6][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C0] handshake error: 2
proxy_1  | [2019-09-16 22:46:08.374][6][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C0] handshake error: 2
proxy_1  | [2019-09-16 22:46:08.374][6][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C0] handshake error: 2
proxy_1  | [2019-09-16 22:46:08.374][6][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C0] handshake error: 2
proxy_1  | [2019-09-16 22:46:08.375][6][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:157] [C0] handshake complete
proxy_1  | [2019-09-16 22:46:08.376][6][critical][main] [source/exe/terminate_handler.cc:13] std::terminate called! (possible uncaught exception, see trace)
proxy_1  | [2019-09-16 22:46:08.376][6][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:69] Backtrace (use tools/stack_decode.py to get line numbers):
proxy_1  | [2019-09-16 22:46:08.376][6][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #0: [0x1192ec8]
proxy_1  | [2019-09-16 22:46:08.376][6][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #1: [0x1192dd9]
proxy_1  | [2019-09-16 22:46:08.376][6][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #2: [0x1309fa6]
proxy_1  | [2019-09-16 22:46:08.376][6][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:81] Caught Aborted, suspect faulting address 0x6
proxy_1  | [2019-09-16 22:46:08.376][6][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:69] Backtrace (use tools/stack_decode.py to get line numbers):
proxy_1  | [2019-09-16 22:46:08.376][6][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:73] #0: __restore_rt [0x7fa3eb0b3390]
proxy_1  | [2019-09-16 22:46:08.376][6][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #1: [0x1192dd9]
proxy_1  | [2019-09-16 22:46:08.376][6][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #2: [0x1309fa6]

[sabiurr]

@HenryYYang friendly bump

[sabiurr]

Unsure if this helps but I modified the config file to connect to a single encrypted redis node instead of using redis cluster proxy and I am able to query redis through envoy however the connection seems to be opened and closed for every request from logs

Logs

proxy_1  | [2019-09-18 17:41:25.274][15][debug][main] [source/server/connection_handler_impl.cc:280] [C2] new connection
proxy_1  | [2019-09-18 17:41:25.274][15][debug][redis] [source/extensions/filters/network/redis_proxy/command_splitter_impl.cc:629] redis: splitting '["get", "test"]'
proxy_1  | [2019-09-18 17:41:25.274][15][debug][connection] [source/common/network/connection_impl.cc:704] [C3] connecting to <IP>:6379
proxy_1  | [2019-09-18 17:41:25.275][15][debug][connection] [source/common/network/connection_impl.cc:713] [C3] connection in progress
proxy_1  | [2019-09-18 17:41:25.275][15][debug][connection] [source/common/network/connection_impl.cc:552] [C3] connected
proxy_1  | [2019-09-18 17:41:25.276][15][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C3] handshake error: 2
proxy_1  | [2019-09-18 17:41:25.277][15][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C3] handshake error: 2
proxy_1  | [2019-09-18 17:41:25.277][15][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C3] handshake error: 2
proxy_1  | [2019-09-18 17:41:25.277][15][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C3] handshake error: 2
proxy_1  | [2019-09-18 17:41:25.277][15][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C3] handshake error: 2
proxy_1  | [2019-09-18 17:41:25.277][15][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C3] handshake error: 2
proxy_1  | [2019-09-18 17:41:25.278][15][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:157] [C3] handshake complete
proxy_1  | [2019-09-18 17:41:25.279][15][debug][connection] [source/common/network/connection_impl.cc:520] [C2] remote close
proxy_1  | [2019-09-18 17:41:25.279][15][debug][connection] [source/common/network/connection_impl.cc:190] [C2] closing socket: 0
proxy_1  | [2019-09-18 17:41:25.279][15][debug][main] [source/server/connection_handler_impl.cc:80] [C2] adding to cleanup list
proxy_1  | [2019-09-18 17:41:30.028][8][debug][main] [source/server/server.cc:170] flushing stats
proxy_1  | [2019-09-18 17:41:35.030][8][debug][main] [source/server/server.cc:170] flushing stats
proxy_1  | [2019-09-18 17:41:35.316][17][debug][main] [source/server/connection_handler_impl.cc:280] [C4] new connection
proxy_1  | [2019-09-18 17:41:35.317][17][debug][redis] [source/extensions/filters/network/redis_proxy/command_splitter_impl.cc:629] redis: splitting '["get", "test"]'
proxy_1  | [2019-09-18 17:41:35.317][17][debug][connection] [source/common/network/connection_impl.cc:704] [C5] connecting to <IP>:6379
proxy_1  | [2019-09-18 17:41:35.317][17][debug][connection] [source/common/network/connection_impl.cc:713] [C5] connection in progress
proxy_1  | [2019-09-18 17:41:35.317][17][debug][connection] [source/common/network/connection_impl.cc:552] [C5] connected
proxy_1  | [2019-09-18 17:41:35.317][17][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C5] handshake error: 2
proxy_1  | [2019-09-18 17:41:35.319][17][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C5] handshake error: 2
proxy_1  | [2019-09-18 17:41:35.319][17][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C5] handshake error: 2
proxy_1  | [2019-09-18 17:41:35.319][17][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C5] handshake error: 2
proxy_1  | [2019-09-18 17:41:35.319][17][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:168] [C5] handshake error: 2
proxy_1  | [2019-09-18 17:41:35.320][17][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:157] [C5] handshake complete
proxy_1  | [2019-09-18 17:41:35.321][17][debug][connection] [source/common/network/connection_impl.cc:520] [C4] remote close
proxy_1  | [2019-09-18 17:41:35.321][17][debug][connection] [source/common/network/connection_impl.cc:190] [C4] closing socket: 0

envoy.yaml

static_resources:
  listeners:
  - name: redis_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 1999
    filter_chains:
    - filters:
      - name: envoy.redis_proxy
        config:
          access_log:
            - name: envoy.log
              config:
                path: "/dev/stdout"
          stat_prefix: egress_redis
          prefix_routes:
            catch_all_route:
               cluster: redis_cluster
          settings:
            op_timeout: 5s
  clusters:
  - name: redis_cluster
    connect_timeout: 30s
    dns_lookup_family: V4_ONLY
    type: STRICT_DNS
    hosts:
      - socket_address:
              address: <REDIS_IP>
              port_value: 6379
    tls_context:
      common_tls_context:
        validation_context:
          trusted_ca:
            filename: /etc/ssl/certs/ca-certificates.crt
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 8001

[sabiurr]

Hi @mattklein123, is there any update on this?

Appreciate the help

[zentavr]

@sabiurr so what was the issue there?