Troubleshooting
This is a compendium of common errors.
x509: certificate signed by unknown authority
- The error occurs when a container is trying to make an https request but doesn't have any SSL certificates installed locally. Note that these do not have to be signed by a CA.
- This happens when a Dockerfile is created for the container from scratch.
Addressing https traffic to another service within the cluster that is listening for http traffic
- This commonly occurs when addressing a service foo from a service bar, both of which are within the cluster. Consider the following scenario:
  - Service foo is externally accessible at https://foo.example.com with tls-termination and has the port 3000 open on the container.
  - The right way to access the service foo from within the cluster is by targeting http://foo:3000 or http://foo.myenv.svc.cluster.local:3000
  - Note the http and https above.
  - Addressing the service foo from within the cluster as https://foo:3000 will fail
- In case it is imperative that some ingress rules and proxy conditions are to be applied to inbound traffic, take a look at this and this
503 errors on deploying a service
- The most common cause is a port misconfiguration
- Verify that readinessProbe and livenessProbe are targeting the correct container port and that the container port is returning a 2xx for that probe
Working with Cloudflare
Please refer to the guide on Cloudflare setup
Environment creation fails (AWS)
An environment consists of a VPC, along with its subnets, NAT gateway, and an external IP. Creating this could fail when there is insufficient quota in the AWS account-region to provision these resources. An increase in quota can be requested through the AWS console.
- EIP increase https://us-east-2.console.aws.amazon.com/servicequotas/home/services/ec2/quotas/L-0263D0A3 (or whichever region you choose) - increase from the previous limit to a larger number (say 25). One per env is required.
- VPC increase https://us-east-2.console.aws.amazon.com/servicequotas/home/services/vpc/quotas/L-F678F1CE (or whichever region you choose) - increase from the previous limit to a larger number (say 25). One per env is required.
- VPN Gateway increase https://us-east-2.console.aws.amazon.com/servicequotas/home/services/ec2/quotas/L-7029FAB6 (or whichever region you choose) - increase from the previous limit to a larger number (say 25). One per env is required.
After this is done, destroy the failed environment and create a new one to resolve this issue.