Authorino operator pod fails on some open shift clusters #274

Closed
eyalcha opened this issue Mar 19, 2024 · 14 comments
Labels
kind/bug Something isn't working

Comments

@eyalcha

eyalcha commented Mar 19, 2024

/kind bug

I have two OpenShift clusters with 4.13.xx version. Authorino operator pod fails when I change the service to authorino-authorino-authorization.opendatahub-auth-provider.svc.cluster.local. It doesn't happen on the other cluster.

Failing cluster:
image

Other cluster which doesn't fail:
image

@eyalcha eyalcha added the kind/bug Something isn't working label Mar 19, 2024
@eyalcha
Author

eyalcha commented Mar 19, 2024

The version which fails is 0.11.1
The version that works is 0.10.0

@bartoszmajsak

bartoszmajsak commented Mar 20, 2024

Thanks for opening the issue and sorry for the struggle @eyalcha. Are there any logs you could share?

What I wonder about is if the naming changed between those versions @guicassolato? EDIT: Sorry for tagging, I just realized it can be another issue, see my comment below.

@bartoszmajsak

bartoszmajsak commented Mar 20, 2024

@eyalcha why are you changing the name on the authorino side though? Is it because of this problem opendatahub-io/opendatahub-operator#892? If that is the case, change configuration of service mesh control plane on the ODH side instead to match the actual authorino service name.

@guicassolato

@eyalcha, please listen to @bartoszmajsak's recommendations (not mine!) if editing any Authorino resource manually. Those changes may be attempted to be reconciled by the ODH Operator and/or by Authorino Operator.

In general, you should not change the name of the *-authorino-authorization service, nor of any other resource created by Authorino Operator out of an Authorino custom resource. In case the name of the service does change (by following the proper means to it), the new hostname should be reflected in the mesh config (i.e. servicemeshcontrolplane.spec.techPreview.meshConfig.extensionProviders[].envoyExtAuthzGrpc.service).

Either way, I'd be interested to understand the restarts of the authorino-operator and authorino-webhook pods captured in your screenshot above. If you could please share the logs, I'd appreciate it. Thanks!

@israel-hdez

@guicassolato FWIW, I'm seeing a crash in authorino pod (the instance, not the operator nor the webhook) in a cluster. Latest v0.11.1 version in OperatorHub.

These are the logs:

{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino","msg":"starting http auth service","port":5001,"tls":false}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino","msg":"starting http oidc service","port":8083,"tls":false}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino","msg":"starting reconciliation manager"}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino","msg":"starting server","kind":"health probe","addr":"[::]:8081"}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino.controller-runtime.metrics","msg":"Starting metrics server"}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino.controller-runtime.metrics","msg":"Serving metrics server","bindAddress":":8080","secure":false}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino","msg":"Starting EventSource","controller":"authconfig","controllerGroup":"authorino.kuadrant.io","controllerKind":"AuthConfig","source":"kind source: *v1beta1.AuthConfig"}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino","msg":"Starting Controller","controller":"authconfig","controllerGroup":"authorino.kuadrant.io","controllerKind":"AuthConfig"}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino","msg":"Starting EventSource","controller":"secret","controllerGroup":"","controllerKind":"Secret","source":"kind source: *v1.Secret"}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino","msg":"Starting Controller","controller":"secret","controllerGroup":"","controllerKind":"Secret"}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino","msg":"starting status update manager"}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino","msg":"Starting EventSource","controller":"authconfig","controllerGroup":"authorino.kuadrant.io","controllerKind":"AuthConfig","source":"kind source: *v1beta1.AuthConfig"}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino","msg":"Starting Controller","controller":"authconfig","controllerGroup":"authorino.kuadrant.io","controllerKind":"AuthConfig"}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino","msg":"Starting workers","controller":"authconfig","controllerGroup":"authorino.kuadrant.io","controllerKind":"AuthConfig","worker count":1}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"llama-auth","namespace":"kserve-auth"}}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"sklearn-v2-iris","namespace":"kserve-test"}}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino","msg":"Starting workers","controller":"authconfig","controllerGroup":"authorino.kuadrant.io","controllerKind":"AuthConfig","worker count":1}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig.bootstrap","msg":"building the index","count":2}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kserve-auth/llama-auth"}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kserve-test/sklearn-v2-iris"}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino","msg":"Starting workers","controller":"secret","controllerGroup":"","controllerKind":"Secret","worker count":1}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"llama-auth","namespace":"kserve-auth"}}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kserve-auth/llama-auth"}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"llama-auth","namespace":"kserve-auth"}}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kserve-auth/llama-auth"}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"sklearn-v2-iris","namespace":"kserve-test"}}
{"level":"info","ts":"2024-03-22T18:44:21Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kserve-test/sklearn-v2-iris"}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x1c080dd]
goroutine 227 [running]:
github.com/kuadrant/authorino/pkg/service.(*AuthService).Check(0xc000312fe0, {0x24fe668, 0xc0022fc3c0}, 0xc0022c64b0)
/usr/src/authorino/pkg/service/auth.go:238 +0x7d
github.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler.func1({0x24fe668, 0xc0022fc3c0}, {0x1ffaa00?, 0xc0022c64b0})
/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:699 +0x78
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.UnaryServerInterceptor.func1({0x24fe668, 0xc0022c6480}, {0x1ffaa00, 0xc0022c64b0}, 0xc0022ad920, 0xc0022fa1b0)
/opt/app-root/src/go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.46.1/interceptor.go:326 +0x51a
google.golang.org/grpc.getChainUnaryHandler.func1({0x24fe668, 0xc0022c6480}, {0x1ffaa00, 0xc0022c64b0})
/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1163 +0xb9
github.com/grpc-ecosystem/go-grpc-prometheus.(*ServerMetrics).UnaryServerInterceptor.func1({0x24fe668, 0xc0022c6480}, {0x1ffaa00, 0xc0022c64b0}, 0xc0022ad920?, 0xc0022c5980)
/opt/app-root/src/go/pkg/mod/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.0/server_metrics.go:107 +0x87
google.golang.org/grpc.chainUnaryInterceptors.func1({0x24fe668, 0xc0022c6480}, {0x1ffaa00, 0xc0022c64b0}, 0xc00220aa00?, 0x1e6b500?)
/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1154 +0x8f
github.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler({0x1f63780?, 0xc000312fe0}, {0x24fe668, 0xc0022c6480}, 0xc000645780, 0xc000312f80)
/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:701 +0x138
google.golang.org/grpc.(*Server).processUnaryRPC(0xc00012c3c0, {0x24fe668, 0xc0022c6390}, {0x2506520, 0xc000557ba0}, 0xc002298240, 0xc000466db0, 0x3650e80, 0x0)
/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1343 +0xe49
google.golang.org/grpc.(*Server).handleStream(0xc00012c3c0, {0x2506520, 0xc000557ba0}, 0xc002298240)
/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1737 +0xca6
google.golang.org/grpc.(*Server).serveStreams.func1.1()
/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:986 +0x8c
created by google.golang.org/grpc.(*Server).serveStreams.func1
/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:997 +0x15c

@guicassolato

@israel-hdez, this seems to be a problem of the ext_authz protocol. It looks like the grpc message does not comply with the format – missing the http attributes of the request in the payload to the ext_authz service.

Can you please enable debug log level in the Authorino CR, so we can try to inspect further? I could also use the logs from the istio proxy.

@guicassolato

@israel-hdez, I've just sent a patch upstream with an improved handler for those ext_authz requests errors.

If you want to please try overriding the Authorino image in the Authorino CR with the following one: quay.io/kuadrant/authorino:fix-invalid-ext-authz-req, only for the purpose of debugging this, we should be able to get better quality log messages.
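
The failure mode discussed in the two comments above (an ext_authz `Check` call whose payload carries no HTTP attributes) as an added Go example; it is not Authorino's code and not part of the thread. The struct types are simplified stand-ins for the go-control-plane messages, the function names are hypothetical, and `l4OnlyRequest` has the shape of the request that the debug log further down this thread reports as "missing http attributes".

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the ext_authz CheckRequest shape discussed in this
// thread. They are NOT the generated go-control-plane types.
type SocketAddress struct {
	Address string
	Port    uint32
}

type HTTPRequest struct {
	Host    string
	Path    string
	Headers map[string]string
}

type Request struct{ HTTP *HTTPRequest }

type Attributes struct {
	Source      *SocketAddress
	Destination *SocketAddress
	Request     *Request // nil when the proxy sends only L4 attributes
}

type CheckRequest struct{ Attributes *Attributes }

type Decision struct {
	Allowed bool
	Reason  string
}

// ErrInvalidRequest reuses the error text seen in the thread's debug log.
var ErrInvalidRequest = errors.New("invalid authorization request")

// evaluate is a hypothetical policy: allow only when a credential is present.
func evaluate(h *HTTPRequest) Decision {
	if h.Headers["authorization"] == "" {
		return Decision{false, "no credentials"}
	}
	return Decision{true, "ok"}
}

// checkUnsafe trusts the message shape. A missing Request or HTTP part is a
// nil pointer dereference, which in a server takes the whole process down.
func checkUnsafe(req *CheckRequest) Decision {
	return evaluate(req.Attributes.Request.HTTP)
}

// checkHardened validates the optional chain first and fails closed: the
// caller gets a deny plus an error instead of a crashed authorization service.
func checkHardened(req *CheckRequest) (Decision, error) {
	if req == nil || req.Attributes == nil || req.Attributes.Request == nil ||
		req.Attributes.Request.HTTP == nil {
		return Decision{false, "missing http attributes"}, ErrInvalidRequest
	}
	return evaluate(req.Attributes.Request.HTTP), nil
}

// guarded runs any handler behind recover(), the job a gRPC recovery
// interceptor does: one malformed request is denied, the server keeps running.
func guarded(h func(*CheckRequest) Decision, req *CheckRequest) (d Decision, err error) {
	defer func() {
		if r := recover(); r != nil {
			d = Decision{false, "handler panic"}
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	return h(req), nil
}

// l4OnlyRequest mirrors the rejected request in the thread's debug log:
// source and destination socket addresses, no request.http.
func l4OnlyRequest() *CheckRequest {
	return &CheckRequest{Attributes: &Attributes{
		Source:      &SocketAddress{"10.129.2.30", 45288},
		Destination: &SocketAddress{"10.130.2.37", 3000},
	}}
}

// httpRequest is a constructed, well-formed request for comparison.
func httpRequest() *CheckRequest {
	return &CheckRequest{Attributes: &Attributes{
		Request: &Request{HTTP: &HTTPRequest{
			Host:    "llama-auth.kserve-auth.svc.cluster.local",
			Path:    "/",
			Headers: map[string]string{"authorization": "Bearer constructed-token"},
		}},
	}}
}

func main() {
	d, err := checkHardened(l4OnlyRequest())
	fmt.Println("hardened, L4-only:", d, err)
	d, err = guarded(checkUnsafe, l4OnlyRequest())
	fmt.Println("unsafe behind recover:", d, err)
	d, err = checkHardened(httpRequest())
	fmt.Println("hardened, HTTP:", d, err)
}
```

Both defences deny the malformed request; only `checkHardened` tells the operator why, which is what makes the resulting log line actionable.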

@zdtsw
Member

zdtsw commented Mar 26, 2024

I wonder if the debugging has to be performed from @eyalcha's cluster

@israel-hdez

> @israel-hdez, I've just sent a patch upstream with an improved handler for those ext_authz requests errors.
>
> If you want to please try overriding the Authorino image in the Authorino CR with the following one: quay.io/kuadrant/authorino:fix-invalid-ext-authz-req, only for the purpose of debugging this, we should be able to get better quality log messages.

These are the logs:

{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino","msg":"setting instance base logger","min level":"debug","mode":"production"}
{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino","msg":"booting up authorino","version":"9a4e4d4ba5214f07f13c4c412a70c6acac84736c","cmd":"server"}
{"level":"debug","ts":"2024-03-26T19:58:53Z","logger":"authorino","msg":"setting up with options","allow-superseding-host-subsets":"false","auth-config-label-selector":"security.opendatahub.io/authorization-group=default","deep-metrics-enabled":"false","enable-leader-election":"false","evaluator-cache-size":"1","ext-auth-grpc-port":"50051","ext-auth-http-port":"5001","health-probe-addr":":8081","log-level":"debug","log-mode":"production","max-http-request-body-size":"8192","metrics-addr":":8080","oidc-http-port":"8083","oidc-tls-cert":"","oidc-tls-cert-key":"","secret-label-selector":"authorino.kuadrant.io/managed-by=authorino","timeout":"0","tls-cert":"","tls-cert-key":"","tracing-service-endpoint":"","tracing-service-insecure":"false","tracing-service-tag":"[]","watch-namespace":"","webhook-service-port":"9443"}
{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino","msg":"starting grpc auth service","port":50051,"tls":false}
{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino","msg":"starting http oidc service","port":8083,"tls":false}
{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino","msg":"starting http auth service","port":5001,"tls":false}
{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino","msg":"starting reconciliation manager"}
{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino.controller-runtime.metrics","msg":"Starting metrics server"}
{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino.controller-runtime.metrics","msg":"Serving metrics server","bindAddress":":8080","secure":false}
{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino","msg":"starting server","kind":"health probe","addr":"[::]:8081"}
{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino","msg":"Starting EventSource","controller":"authconfig","controllerGroup":"authorino.kuadrant.io","controllerKind":"AuthConfig","source":"kind source: *v1beta1.AuthConfig"}
{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino","msg":"Starting Controller","controller":"authconfig","controllerGroup":"authorino.kuadrant.io","controllerKind":"AuthConfig"}
{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino","msg":"Starting EventSource","controller":"secret","controllerGroup":"","controllerKind":"Secret","source":"kind source: *v1.Secret"}
{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino","msg":"Starting Controller","controller":"secret","controllerGroup":"","controllerKind":"Secret"}
{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino","msg":"starting status update manager"}
{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino","msg":"Starting EventSource","controller":"authconfig","controllerGroup":"authorino.kuadrant.io","controllerKind":"AuthConfig","source":"kind source: *v1beta1.AuthConfig"}
{"level":"info","ts":"2024-03-26T19:58:53Z","logger":"authorino","msg":"Starting Controller","controller":"authconfig","controllerGroup":"authorino.kuadrant.io","controllerKind":"AuthConfig"}
{"level":"error","ts":"2024-03-26T19:58:53Z","logger":"authorino.controller-runtime.source.EventHandler","msg":"failed to get informer from cache","error":"failed to get API group resources: unable to retrieve the complete list of server APIs: authorino.kuadrant.io/v1beta1: Get \"https://172.30.0.1:443/apis/authorino.kuadrant.io/v1beta1\": dial tcp 172.30.0.1:443: connect: connection refused","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/source/kind.go:68\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func1\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/loop.go:49\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/loop.go:50\nk8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/poll.go:33\nsigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/source/kind.go:56"}
{"level":"error","ts":"2024-03-26T19:58:53Z","logger":"authorino.controller-runtime.source.EventHandler","msg":"failed to get informer from cache","error":"failed to get API group resources: unable to retrieve the complete list of server APIs: authorino.kuadrant.io/v1beta1: Get \"https://172.30.0.1:443/apis/authorino.kuadrant.io/v1beta1\": dial tcp 172.30.0.1:443: connect: connection refused","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/source/kind.go:68\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func1\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/loop.go:49\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/loop.go:50\nk8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/poll.go:33\nsigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/source/kind.go:56"}
{"level":"error","ts":"2024-03-26T19:58:53Z","logger":"authorino.controller-runtime.source.EventHandler","msg":"failed to get informer from cache","error":"failed to get API group resources: unable to retrieve the complete list of server APIs: authorino.kuadrant.io/v1beta1: Get \"https://172.30.0.1:443/apis/authorino.kuadrant.io/v1beta1\": dial tcp 172.30.0.1:443: connect: connection refused","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/source/kind.go:68\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/loop.go:73\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/loop.go:74\nk8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/poll.go:33\nsigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/source/kind.go:56"}
{"level":"error","ts":"2024-03-26T19:58:53Z","logger":"authorino.controller-runtime.source.EventHandler","msg":"failed to get informer from cache","error":"failed to get API group resources: unable to retrieve the complete list of server APIs: authorino.kuadrant.io/v1beta1: Get \"https://172.30.0.1:443/apis/authorino.kuadrant.io/v1beta1\": dial tcp 172.30.0.1:443: connect: connection refused","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/source/kind.go:68\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/loop.go:73\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/loop.go:74\nk8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/poll.go:33\nsigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/source/kind.go:56"}
{"level":"error","ts":"2024-03-26T19:58:53Z","logger":"authorino.controller-runtime.source.EventHandler","msg":"failed to get informer from cache","error":"failed to get API group resources: unable to retrieve the complete list of server APIs: v1: Get \"https://172.30.0.1:443/api/v1\": dial tcp 172.30.0.1:443: connect: connection refused","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/source/kind.go:68\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func1\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/loop.go:49\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/loop.go:50\nk8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/poll.go:33\nsigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/source/kind.go:56"}
{"level":"error","ts":"2024-03-26T19:58:53Z","logger":"authorino.controller-runtime.source.EventHandler","msg":"failed to get informer from cache","error":"failed to get API group resources: unable to retrieve the complete list of server APIs: v1: Get \"https://172.30.0.1:443/api/v1\": dial tcp 172.30.0.1:443: connect: connection refused","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1.1\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/source/kind.go:68\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext.func2\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/loop.go:73\nk8s.io/apimachinery/pkg/util/wait.loopConditionUntilContext\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/loop.go:74\nk8s.io/apimachinery/pkg/util/wait.PollUntilContextCancel\n\t/opt/app-root/src/go/pkg/mod/k8s.io/apimachinery@v0.28.3/pkg/util/wait/poll.go:33\nsigs.k8s.io/controller-runtime/pkg/internal/source.(*Kind).Start.func1\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/source/kind.go:56"}
{"level":"error","ts":"2024-03-26T19:58:59Z","logger":"authorino.service.auth","msg":"missing http attributes","request":"attributes:{source:{address:{socket_address:{address:\"10.129.2.30\"  port_value:45288}}}  destination:{address:{socket_address:{address:\"10.130.2.37\"  port_value:3000}}}}","request id":"a0860c7e-7333-40d6-aa77-98867ca77ac4","error":"invalid authorization request","stacktrace":"github.com/kuadrant/authorino/pkg/service.(*AuthService).Check\n\t/usr/src/authorino/pkg/service/auth.go:250\ngithub.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler.func1\n\t/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:699\ngo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.UnaryServerInterceptor.func1\n\t/opt/app-root/src/go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.46.1/interceptor.go:326\ngoogle.golang.org/grpc.getChainUnaryHandler.func1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1163\ngithub.com/grpc-ecosystem/go-grpc-prometheus.(*ServerMetrics).UnaryServerInterceptor.func1\n\t/opt/app-root/src/go/pkg/mod/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.0/server_metrics.go:107\ngoogle.golang.org/grpc.chainUnaryInterceptors.func1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1154\ngithub.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler\n\t/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:701\ngoogle.golang.org/grpc.(*Server).processUnaryRPC\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1343\ngoogle.golang.org/grpc.(*Server).handleStream\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1737\ngoogle.golang.org/grpc.(*Server).serveStreams.func1.1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:986"}
{"level":"error","ts":"2024-03-26T19:59:01Z","logger":"authorino.service.auth","msg":"missing http attributes","request":"attributes:{source:{address:{socket_address:{address:\"10.130.2.15\"  port_value:51844}}}  destination:{address:{socket_address:{address:\"10.130.2.37\"  port_value:8086}}}}","request id":"826bf4d6-457c-4ca8-b4bd-1766b4db8c82","error":"invalid authorization request","stacktrace":"github.com/kuadrant/authorino/pkg/service.(*AuthService).Check\n\t/usr/src/authorino/pkg/service/auth.go:250\ngithub.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler.func1\n\t/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:699\ngo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.UnaryServerInterceptor.func1\n\t/opt/app-root/src/go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.46.1/interceptor.go:326\ngoogle.golang.org/grpc.getChainUnaryHandler.func1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1163\ngithub.com/grpc-ecosystem/go-grpc-prometheus.(*ServerMetrics).UnaryServerInterceptor.func1\n\t/opt/app-root/src/go/pkg/mod/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.0/server_metrics.go:107\ngoogle.golang.org/grpc.chainUnaryInterceptors.func1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1154\ngithub.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler\n\t/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:701\ngoogle.golang.org/grpc.(*Server).processUnaryRPC\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1343\ngoogle.golang.org/grpc.(*Server).handleStream\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1737\ngoogle.golang.org/grpc.(*Server).serveStreams.func1.1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:986"}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino","msg":"Starting workers","controller":"authconfig","controllerGroup":"authorino.kuadrant.io","controllerKind":"AuthConfig","worker count":1}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"llama-auth","namespace":"kserve-auth"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2024-03-26T19:59:03Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2024-03-26T19:59:03Z","reason":"Unknown"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/8","numIdentitySources":1,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"llama-auth","namespace":"kserve-auth"}}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"sklearn-v2-iris","namespace":"kserve-test"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2024-03-26T19:59:03Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2024-03-26T19:59:03Z","reason":"Unknown"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/8","numIdentitySources":1,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"sklearn-v2-iris","namespace":"kserve-test"}}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"llama-auth","namespace":"kserve-auth"}}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"sklearn-v2-iris","namespace":"kserve-test"}}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"sklearn-v2-iris","namespace":"kserve-test"}}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"llama-auth","namespace":"kserve-auth"}}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"sklearn-v2-iris","namespace":"kserve-test"}}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"llama-auth","namespace":"kserve-auth"}}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino","msg":"Starting workers","controller":"authconfig","controllerGroup":"authorino.kuadrant.io","controllerKind":"AuthConfig","worker count":1}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.bootstrap","msg":"building the index","count":2}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kserve-auth/llama-auth"}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kserve-test/sklearn-v2-iris"}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino","msg":"Starting workers","controller":"secret","controllerGroup":"","controllerKind":"Secret","worker count":1}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"sklearn-v2-iris","namespace":"kserve-test"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2024-03-26T19:59:03Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2024-03-26T19:59:03Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["sklearn-v2-iris-kserve-test.apps.rosa.kserve-auth-dev.6ing.p3.openshiftapps.com","sklearn-v2-iris-predictor-kserve-test.apps.rosa.kserve-auth-dev.6ing.p3.openshiftapps.com","sklearn-v2-iris-predictor.kserve-test","sklearn-v2-iris-predictor.kserve-test.svc","sklearn-v2-iris-predictor.kserve-test.svc.cluster.local","sklearn-v2-iris.kserve-test","sklearn-v2-iris.kserve-test.svc","sklearn-v2-iris.kserve-test.svc.cluster.local"],"numHostsReady":"8/8","numIdentitySources":1,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"sklearn-v2-iris","namespace":"kserve-test"}}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kserve-test/sklearn-v2-iris"}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"llama-auth","namespace":"kserve-auth"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2024-03-26T19:59:03Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2024-03-26T19:59:03Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["llama-auth-kserve-auth.apps.rosa.kserve-auth-dev.6ing.p3.openshiftapps.com","llama-auth-predictor-kserve-auth.apps.rosa.kserve-auth-dev.6ing.p3.openshiftapps.com","llama-auth-predictor.kserve-auth","llama-auth-predictor.kserve-auth.svc","llama-auth-predictor.kserve-auth.svc.cluster.local","llama-auth.kserve-auth","llama-auth.kserve-auth.svc","llama-auth.kserve-auth.svc.cluster.local"],"numHostsReady":"8/8","numIdentitySources":1,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"llama-auth","namespace":"kserve-auth"}}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"sklearn-v2-iris","namespace":"kserve-test"}}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"llama-auth","namespace":"kserve-auth"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2024-03-26T19:59:03Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2024-03-26T19:59:03Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/8","numIdentitySources":1,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kserve-auth/llama-auth"}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kserve-auth/llama-auth"}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"llama-auth","namespace":"kserve-auth"}}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"llama-auth","namespace":"kserve-auth"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2024-03-26T19:59:03Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2024-03-26T19:59:03Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["llama-auth-kserve-auth.apps.rosa.kserve-auth-dev.6ing.p3.openshiftapps.com","llama-auth-predictor-kserve-auth.apps.rosa.kserve-auth-dev.6ing.p3.openshiftapps.com","llama-auth-predictor.kserve-auth","llama-auth-predictor.kserve-auth.svc","llama-auth-predictor.kserve-auth.svc.cluster.local","llama-auth.kserve-auth","llama-auth.kserve-auth.svc","llama-auth.kserve-auth.svc.cluster.local"],"numHostsReady":"8/8","numIdentitySources":1,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"llama-auth","namespace":"kserve-auth"}}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"llama-auth","namespace":"kserve-auth"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2024-03-26T19:59:03Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2024-03-26T19:59:03Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["llama-auth-kserve-auth.apps.rosa.kserve-auth-dev.6ing.p3.openshiftapps.com","llama-auth-predictor-kserve-auth.apps.rosa.kserve-auth-dev.6ing.p3.openshiftapps.com","llama-auth-predictor.kserve-auth","llama-auth-predictor.kserve-auth.svc","llama-auth-predictor.kserve-auth.svc.cluster.local","llama-auth.kserve-auth","llama-auth.kserve-auth.svc","llama-auth.kserve-auth.svc.cluster.local"],"numHostsReady":"8/8","numIdentitySources":1,"numMetadataSources":0,"numAuthorizationPolicies":1,"numResponseItems":0,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kserve-auth/llama-auth"}
{"level":"error","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"llama-auth","namespace":"kserve-auth"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"llama-auth\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:92\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:49\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"llama-auth","namespace":"kserve-auth"}}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"llama-auth","namespace":"kserve-auth"}}
{"level":"error","ts":"2024-03-26T19:59:06Z","logger":"authorino.service.auth","msg":"missing http attributes","request":"attributes:{source:{address:{socket_address:{address:\"10.129.2.30\"  port_value:59092}}}  destination:{address:{socket_address:{address:\"10.130.2.37\"  port_value:8086}}}}","request id":"e91971a3-cb46-4249-82b2-e280dc34f257","error":"invalid authorization request","stacktrace":"github.com/kuadrant/authorino/pkg/service.(*AuthService).Check\n\t/usr/src/authorino/pkg/service/auth.go:250\ngithub.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler.func1\n\t/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:699\ngo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.UnaryServerInterceptor.func1\n\t/opt/app-root/src/go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.46.1/interceptor.go:326\ngoogle.golang.org/grpc.getChainUnaryHandler.func1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1163\ngithub.com/grpc-ecosystem/go-grpc-prometheus.(*ServerMetrics).UnaryServerInterceptor.func1\n\t/opt/app-root/src/go/pkg/mod/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.0/server_metrics.go:107\ngoogle.golang.org/grpc.chainUnaryInterceptors.func1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1154\ngithub.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler\n\t/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:701\ngoogle.golang.org/grpc.(*Server).processUnaryRPC\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1343\ngoogle.golang.org/grpc.(*Server).handleStream\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1737\ngoogle.golang.org/grpc.(*Server).serveStreams.func1.1\n\t/opt/app-root/src/go/pkg/mod/google.gola
ng.org/grpc@v1.59.0/server.go:986"}
{"level":"error","ts":"2024-03-26T19:59:23Z","logger":"authorino.service.auth","msg":"missing http attributes","request":"attributes:{source:{address:{socket_address:{address:\"10.130.2.15\"  port_value:59386}}}  destination:{address:{socket_address:{address:\"10.130.2.37\"  port_value:3000}}}}","request id":"89cf5a6d-d887-42ee-a06c-09a07bce7626","error":"invalid authorization request","stacktrace":"github.com/kuadrant/authorino/pkg/service.(*AuthService).Check\n\t/usr/src/authorino/pkg/service/auth.go:250\ngithub.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler.func1\n\t/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:699\ngo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.UnaryServerInterceptor.func1\n\t/opt/app-root/src/go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.46.1/interceptor.go:326\ngoogle.golang.org/grpc.getChainUnaryHandler.func1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1163\ngithub.com/grpc-ecosystem/go-grpc-prometheus.(*ServerMetrics).UnaryServerInterceptor.func1\n\t/opt/app-root/src/go/pkg/mod/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.0/server_metrics.go:107\ngoogle.golang.org/grpc.chainUnaryInterceptors.func1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1154\ngithub.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler\n\t/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:701\ngoogle.golang.org/grpc.(*Server).processUnaryRPC\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1343\ngoogle.golang.org/grpc.(*Server).handleStream\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1737\ngoogle.golang.org/grpc.(*Server).serveStreams.func1.1\n\t/opt/app-root/src/go/pkg/mod/google.gola
ng.org/grpc@v1.59.0/server.go:986"}
{"level":"error","ts":"2024-03-26T19:59:29Z","logger":"authorino.service.auth","msg":"missing http attributes","request":"attributes:{source:{address:{socket_address:{address:\"10.129.2.30\"  port_value:40474}}}  destination:{address:{socket_address:{address:\"10.130.2.37\"  port_value:3000}}}}","request id":"d78abda9-55b6-43c7-9a89-84a744c57d4b","error":"invalid authorization request","stacktrace":"github.com/kuadrant/authorino/pkg/service.(*AuthService).Check\n\t/usr/src/authorino/pkg/service/auth.go:250\ngithub.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler.func1\n\t/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:699\ngo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.UnaryServerInterceptor.func1\n\t/opt/app-root/src/go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.46.1/interceptor.go:326\ngoogle.golang.org/grpc.getChainUnaryHandler.func1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1163\ngithub.com/grpc-ecosystem/go-grpc-prometheus.(*ServerMetrics).UnaryServerInterceptor.func1\n\t/opt/app-root/src/go/pkg/mod/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.0/server_metrics.go:107\ngoogle.golang.org/grpc.chainUnaryInterceptors.func1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1154\ngithub.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler\n\t/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:701\ngoogle.golang.org/grpc.(*Server).processUnaryRPC\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1343\ngoogle.golang.org/grpc.(*Server).handleStream\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1737\ngoogle.golang.org/grpc.(*Server).serveStreams.func1.1\n\t/opt/app-root/src/go/pkg/mod/google.gola
ng.org/grpc@v1.59.0/server.go:986"}
{"level":"error","ts":"2024-03-26T19:59:31Z","logger":"authorino.service.auth","msg":"missing http attributes","request":"attributes:{source:{address:{socket_address:{address:\"10.130.2.15\"  port_value:55948}}}  destination:{address:{socket_address:{address:\"10.130.2.37\"  port_value:8086}}}}","request id":"dc78011f-48d5-47f0-b375-9b507df1cbee","error":"invalid authorization request","stacktrace":"github.com/kuadrant/authorino/pkg/service.(*AuthService).Check\n\t/usr/src/authorino/pkg/service/auth.go:250\ngithub.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler.func1\n\t/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:699\ngo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.UnaryServerInterceptor.func1\n\t/opt/app-root/src/go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.46.1/interceptor.go:326\ngoogle.golang.org/grpc.getChainUnaryHandler.func1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1163\ngithub.com/grpc-ecosystem/go-grpc-prometheus.(*ServerMetrics).UnaryServerInterceptor.func1\n\t/opt/app-root/src/go/pkg/mod/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.0/server_metrics.go:107\ngoogle.golang.org/grpc.chainUnaryInterceptors.func1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1154\ngithub.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler\n\t/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:701\ngoogle.golang.org/grpc.(*Server).processUnaryRPC\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1343\ngoogle.golang.org/grpc.(*Server).handleStream\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1737\ngoogle.golang.org/grpc.(*Server).serveStreams.func1.1\n\t/opt/app-root/src/go/pkg/mod/google.gola
ng.org/grpc@v1.59.0/server.go:986"}
{"level":"error","ts":"2024-03-26T19:59:36Z","logger":"authorino.service.auth","msg":"missing http attributes","request":"attributes:{source:{address:{socket_address:{address:\"10.129.2.30\"  port_value:45458}}}  destination:{address:{socket_address:{address:\"10.130.2.37\"  port_value:8086}}}}","request id":"e1bf6b16-99b2-4b1d-a5da-0ff3c5171a82","error":"invalid authorization request","stacktrace":"github.com/kuadrant/authorino/pkg/service.(*AuthService).Check\n\t/usr/src/authorino/pkg/service/auth.go:250\ngithub.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler.func1\n\t/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:699\ngo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.UnaryServerInterceptor.func1\n\t/opt/app-root/src/go/pkg/mod/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.46.1/interceptor.go:326\ngoogle.golang.org/grpc.getChainUnaryHandler.func1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1163\ngithub.com/grpc-ecosystem/go-grpc-prometheus.(*ServerMetrics).UnaryServerInterceptor.func1\n\t/opt/app-root/src/go/pkg/mod/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.0/server_metrics.go:107\ngoogle.golang.org/grpc.chainUnaryInterceptors.func1\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1154\ngithub.com/envoyproxy/go-control-plane/envoy/service/auth/v3._Authorization_Check_Handler\n\t/opt/app-root/src/go/pkg/mod/github.com/envoyproxy/go-control-plane@v0.11.1/envoy/service/auth/v3/external_auth.pb.go:701\ngoogle.golang.org/grpc.(*Server).processUnaryRPC\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1343\ngoogle.golang.org/grpc.(*Server).handleStream\n\t/opt/app-root/src/go/pkg/mod/google.golang.org/grpc@v1.59.0/server.go:1737\ngoogle.golang.org/grpc.(*Server).serveStreams.func1.1\n\t/opt/app-root/src/go/pkg/mod/google.gola
ng.org/grpc@v1.59.0/server.go:986"}

BTW this image does not crash. Also the updated .v0.17 tag also does not crash.
Looks like you managed to fix it.

@guicassolato

> BTW this image does not crash. Also the updated .v0.17 tag also does not crash.
> Looks like you managed to fix it.

We may have managed to fix the crash, but there are still a couple of things weird here.

First one is "failed to get informer from cache". I need to investigate this. It could be an RBAC issue, but not sure. I could use more details of the deployment, such as:

  • OpenShift version
  • Output of kubectl auth can-i --list --as=system:serviceaccount:${authorino-cr-ns}:${authorino-cr-name}-authorino

Then, there's "missing http attributes". This means the request from the proxy is invalid. It looks like Authorino was hooked as a TCP filter instead of an HTTP one. We need to dig into the Istio configs to see why it's not passing all attributes.

What kind of API client is this? Is it gRPC? Do you have settings such as includeRequestHeadersInCheck in the mesh config?
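A way to triage the two error kinds seen in the log above, added here as an example that is not part of the thread or of Authorino's code: it re-joins records that were hard-wrapped when pasted, groups the "missing http attributes" checks by source address and destination port, and counts status-update conflicts per AuthConfig. The names `records` and `triage` are hypothetical, the sample log is constructed in the shape of the thread's lines, and the `http:{` test assumes the request rendering shown in those lines.

```python
import json
import re
from collections import Counter

# Constructed sample in the shape of the Authorino log lines quoted in this thread.
# Stack traces are shortened; the second record is hard-wrapped mid-value, as in
# the pasted log, to exercise the re-joining logic.
SAMPLE_LOG = r'''{"level":"info","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kserve-auth/llama-auth"}
{"level":"error","ts":"2024-03-26T19:59:06Z","logger":"authorino.service.auth","msg":"missing http attributes","request":"attributes:{source:{address:{socket_address:{address:\"10.129.2.30\"  port_value:59092}}}  destination:{address:{socket_address:{address:\"10.130.2.37\"  port_value:8086}}}}","error":"invalid authorization request","stacktrace":"google.gola
ng.org/grpc.(*Server).serveStreams"}
{"level":"error","ts":"2024-03-26T19:59:23Z","logger":"authorino.service.auth","msg":"missing http attributes","request":"attributes:{source:{address:{socket_address:{address:\"10.130.2.15\"  port_value:59386}}}  destination:{address:{socket_address:{address:\"10.130.2.37\"  port_value:3000}}}}","error":"invalid authorization request"}
{"level":"error","ts":"2024-03-26T19:59:36Z","logger":"authorino.service.auth","msg":"missing http attributes","request":"attributes:{source:{address:{socket_address:{address:\"10.129.2.30\"  port_value:45458}}}  destination:{address:{socket_address:{address:\"10.130.2.37\"  port_value:8086}}}}","error":"invalid authorization request"}
{"level":"error","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"llama-auth","namespace":"kserve-auth"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"llama-auth\": the object has been modified; please apply your changes to the latest version and try again"}
{"level":"debug","ts":"2024-03-26T19:59:03Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"llama-auth","namespace":"kserve-auth"}}
'''

# Socket address as it appears in the text rendering of the check request.
SOCKET_RE = {
    side: re.compile(side + r':\{address:\{socket_address:\{address:"([^"]+)"\s+port_value:(\d+)')
    for side in ("source", "destination")
}
# Assumption: an HTTP-level check carries an "http:{...}" block in this rendering.
HTTP_RE = re.compile(r'\bhttp:\{')


def records(text):
    """Yield JSON log records, re-joining records split across physical lines."""
    buf = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        # A new record starts with {"level"; anything else continues the last one.
        buf = line if line.startswith('{"level"') else buf + line
        try:
            rec = json.loads(buf)
        except json.JSONDecodeError:
            continue  # incomplete record: wait for its continuation line
        buf = ""
        if isinstance(rec, dict):
            yield rec


def triage(text):
    """Classify error records into the two kinds discussed in the thread."""
    report = {"checks_without_http": Counter(),
              "status_update_conflicts": Counter(),
              "other_errors": 0}
    for rec in records(text):
        if rec.get("level") != "error":
            continue
        msg, logger = rec.get("msg", ""), rec.get("logger", "")
        req = rec.get("request", "")
        if (logger.endswith("service.auth") and msg == "missing http attributes"
                and not HTTP_RE.search(req)):
            src = SOCKET_RE["source"].search(req)
            dst = SOCKET_RE["destination"].search(req)
            key = (src.group(1) if src else "?", int(dst.group(2)) if dst else -1)
            report["checks_without_http"][key] += 1
        elif (msg == "failed to update the resource"
              and "object has been modified" in rec.get("error", "")):
            ac = rec.get("authconfig", {})
            name = f'{ac.get("namespace")}/{ac.get("name")}' if isinstance(ac, dict) else str(ac)
            report["status_update_conflicts"][name] += 1
        else:
            report["other_errors"] += 1
    return report


if __name__ == "__main__":
    for kind, value in triage(SAMPLE_LOG).items():
        print(kind, dict(value) if isinstance(value, Counter) else value)
```

Grouping by destination port shows which listeners are sending checks that carry only socket addresses, which narrows down where to look in the mesh configuration.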

@israel-hdez

>   • OpenShift version

4.15.2

>   • Output of kubectl auth can-i --list --as=system:serviceaccount:${authorino-cr-ns}:${authorino-cr-name}-authorino

I had to use another cluster for this, as the original one had hibernated. But the setup should be similar (if not the same). See attached file: authorino-can-i.txt

> What kind of API client is this? Is it gRPC? Do you have settings such as includeRequestHeadersInCheck in the mesh config?

I'm not sure how to answer the first two :-) I can say there are two services deployed: one is a restful service (kserve-test/sklearn-v2-iris in the logs) and the other one should be grpc (kserve-auth/llama-auth).

Also, I know that I didn't have to do any request, and it was still crashing. It must have been some request coming from the networking stack (either Istio or Knative), or a request from the cluster (perhaps the readiness/liveness probes) that would fire the check with Authorino.

About the 3rd Q, see the following YAML which contains the SMCP of the cluster.

apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: data-science-smcp
  namespace: istio-system
spec:
  addons:
    grafana:
      enabled: false
    jaeger:
      name: jaeger
    kiali:
      enabled: false
      name: kiali
    prometheus:
      enabled: false
  gateways:
    ingress:
      service:
        metadata:
          labels:
            knative: ingressgateway
    openshiftRoute:
      enabled: false
  profiles:
    - default
  proxy:
    networking:
      trafficControl:
        inbound:
          excludedPorts:
            - 8444
            - 8022
        outbound: {}
  security:
    dataPlane:
      mtls: true
    identity:
      type: ThirdParty
  techPreview:
    meshConfig:
      defaultConfig:
        terminationDrainDuration: 35s
      extensionProviders:
        - envoyExtAuthzGrpc:
            port: 50051
            service: authorino-authorino-authorization.opendatahub-auth-provider.svc.cluster.local
          name: opendatahub-auth-provider
  tracing:
    type: None
  version: v2.5

@guicassolato

@israel-hdez can you please point me to the instructions in the docs to try to reproduce this myself?

I see a couple differences in the RBAC rules, compared to what I was expecting. However, running Authorino in OpenShift 4.15 passed in QE. So, I guess for now I'm deeming those boot-up errors as a hiccup... At least until proven otherwise. (We'd need authz requests passing through to tell for sure whether those are affecting the flow or not. Maybe they aren't.)

Let's focus on the "missing http attributes", which is more concerning.

@guicassolato

Is this still relevant?

I reckon a couple different issues were mentioned in the description and comments (e.g. failing Authorino Operator pod, invalid authorization payload, etc.) It's not clear to me if it's still an Authorino issue or a deployment/management one. There's also some possible distinction to be made between boot-up issue vs. authorisation request issue perhaps.

Maybe we want to try to confirm which is which and close/open proper new issues accordingly? Hopefully with detailed steps to reproduce.

@israel-hdez

@guicassolato I'll close this ticket. We are not observing any issues around RBAC policies.

About the "missing http attributes", we may want to discuss it under this Jira ticket: https://issues.redhat.com/browse/RHOAIENG-6269. Such an issue was observed again quite recently. I don't know what the conditions are that lead to that, and the cluster that was showing it is no longer having that issue. The people who opened that Jira may have a way to reproduce it.
