This is a brand new Istio 1.1 installation on GKE.The cluster version is 1.10. Un fortunately Istio 1.1 has not been tested with 1.10, but my admin won't upgrade until June.
There is a feature in Istio 1.1 that does not exist in 1.0 that I need. And that is to configure a Gateway to look for TLS certs in kubernetes secrets.
However... I can't get any application to work because Envoy is not showing any access logs. How can I debug anything if I don't have the access logs?
I do see a whole lot of deprecated logs in the istio-proxy:
3 Using deprecated option 'envoy.api.v2.Cluster.hosts'. This configuration will be removed from Envoy soon. Please see https://github.com/envoyproxy/envoy/blob/master/DEPRECATED.md for details.
92 Using deprecated option 'envoy.api.v2.listener.Filter.config'. This configuration will be removed from Envoy soon. Please see https://github.com/envoyproxy/envoy/blob/master/DEPRECATED.md for details.
1 Using deprecated option 'envoy.api.v2.Listener.use_original_dst'. This configuration will be removed from Envoy soon. Please see https://github.com/envoyproxy/envoy/blob/master/DEPRECATED.md for details.
44 Using deprecated option 'envoy.api.v2.route.Route.per_filter_config'. This configuration will be removed from Envoy soon. Please see https://github.com/envoyproxy/envoy/blob/master/DEPRECATED.md for details.
19 Using deprecated option 'envoy.config.filter.network.http_connection_manager.v2.HttpFilter.config'. This configuration will be removed from Envoy soon. Please see https://github.com/envoyproxy/envoy/blob/master/DEPRECATED.md for details.
1 Using deprecated option 'envoy.config.trace.v2.Tracing.Http.config'. This configuration will be removed from Envoy soon. Please see https://github.com/envoyproxy/envoy/blob/master/DEPRECATED.md for details.
Does that have something to do with it?
Never mind... It looks like the new default for Istio 1.1 is that you must enable Envoy access logging...
https://github.com/istio/istio/issues/12854
You may want to enable Envoy access logging in Istio.
Related
Thanks in advance for the help.
I received an email from Google Platform notifying me of the following
Our records show that you own projects with App Engine applications or Cloud Functions that are still calling the pre-GA v0.1 and v1beta1 endpoints of the App Engine and Cloud Functions metadata server. After September 30, 2020, requests to the v0.1 and v1beta1 endpoints will no longer be supported, and may return HTTP 404 NOT FOUND responses. As a result, before September 30, 2020, you will need to update your requests to use the v1 endpoint, which was available starting in 2016.
After investigation, it turns out I'm using these endpoints indirectly as a result of "using an old Google client library which is making requests to the legacy endpoints".
I believe I've followed the instructions to upgrade all the old Google client libraries to address this problem, but I'm not positive. How can I confirm that my application is no longer using these legacy endpoints indirectly? I don't want my application to stop working on September 30th, but I have no way to know if I've successfully migrated.
I hope you have an idea.
I am working with an ActiveMQ Artemis Broker and installed a metrics plugin to use with prometheus and grafana (https://github.com/rh-messaging/artemis-prometheus-metrics-plugin/). Like the instruction says, I added <app url="metrics" war="metrics.war"/> to the bootstrap.xml
We're working with a vendor providing us with the Grafana dashboards as long as we are providing metrics they can work with. The problem is that the vendor wants to access the metrics page (https://activemq:port/metrics) via HTTP and not HTTPS, which is configured in the bootstrap.xml ( <web bind="https://0.0.0.0:port" path="web" keyStorePath=...) Their effort would be disproportionately high to change their system to work with HTTPS now.
Is it possible to configure the jetty-Webserver to serve the console etc. via HTTPS and the URL activemq:port/metrics via HTTP?
I tried to add another web-container in the bootstrap.xml, now binding bind="http://0.0.0.0:port/" and adding the metrics plugin in it but the webserver wasn't happy with two web-containers :/
Thanks for your help :)
This is not currently possible. However, the project could be enhanced to support multiple web instances in bootstrap.xml. Contributions are always welcome.
I try to use WSO2 ESB at workplace where Proxy Server is available.
Set Proxy Server settings in axis2.xml,
Install certificate.
Initialize Salesforce connector(Salesforce certificate has been installed).
Test the API, run into an exception - SOAPProcessingException,
Really appreciate if someone can give ideas of solution.
First of all I have tried this type of a scenario using WSO2 ESB 4.9.0 and which was perfectly working fine. By looking at your error messages I can see that there was an Authentication failure, hence Sales Force end point returns some HTML error message. The ESB tries to build this HTML error message using the SOAP builder leading to this situation.
This could be due to some missing configuration in your setting. You may follow [1] to enable HTTP Proxy to Sales Force. Then to setup Sales Force [2] will be helpful.
Couple of thing I need to highlight here. Did you import the Salesforce certificate into the ESBs client trust store using the keytool import command. If not please go ahead and do so. Also is there a particular reason for you to use NHTTP transport here. Ideally we would use Passthrough transport to add the proxy host as given in [1].
If you still get the error after following the above steps please enable the wirelogs and post it here to investigate further. Follow these steps to enable wirelogs.
Open log4j.properties file from a text editor.
log4j.properties file is located in $ESB_HOME/repository/conf directory.
Un-comment the following entry.
log4j.logger.org.apache.synapse.transport.http.wire=DEBUG
Hope this helps you.
[1] https://docs.wso2.com/display/ESB470/Enabling+SSL+Tunneling+through+a+Proxy+Server
[2]https://docs.wso2.com/display/ESBCONNECTORS/Working+with+Salesforce+Connector+Operations
I am setting up a new WSO2 EMM server and, in order to maintain my organization's PCI DSS certification, I have to disable support for any encryption protocol lower than TLSv1.1 before I can put it into production (see this for more information on PCI 3.1).
I edited the file /repository/conf/tomcat/catalina-server.xml as per the documentation. Here is what I tried:
I changed the attribute sslEnabledProtocols from TLS to TLSv1.1,TLSv1.2, but this generates the error
ERROR {org.wso2.carbon.tomcat.internal.CarbonTomcat} -
LifeCycleException while starting tomcat connector
{org.wso2.carbon.tomcat.internal.CarbonTomcat}
in my wso2carbon.log and I'm unable to log into the EMM web console.
Does anyone know how to disable TLSv1.0 without breaking my installation?
cheers,
Found it!
you have to get rid of sslProtocol attribute and replace it with sslEnabledProtocols, they look very similar.
wso2 or vaadin people
I follow this guide to setup ELB for WSO2 Application Server
http://docs.wso2.org/wiki/display/ELB203/Setup+ELB+with+WSO2+Application+Server
The ELB works perfectly. However, My vaadin application show this error.
Cookies disabled
This application requires cookies to function.
Please enable cookies in your browser and click here to try again.
Vaadin related commit link.
http://dev.vaadin.com/changeset/11570/svn
It should be some problem related to session/cookie.
I am willing to provide more information if needed
It turns out the bug is fixed in wso2 svn trunk but not in lastest ELB/ESB. I get two JSESSIONID cookie, thats why passthrough proxy fails. Hope it helps someone.
See https://wso2.org/jira/browse/ESBJAVA-1659
Can please you try to access your application bypassing WSO2 ELB and send us the http headers that are flowing through to the application (use TCPMon in between Client and your application) ?
FYI WSO2 ELB do preserve JSESSIONID cookie.