We are using linkerd stable-2.14.8 along with Traefik ingressroutes using ingress mode.(linkerd.io/inject: ingress)
we had to use Traefik middleware to add l5d-dst-override header previously when on 2.13.4 version otherwise it was breaking requests.
Now we were getting “Protocol detection timeouts” even for http requests going towards port 80. so we decided to try marking port 80 as opaque.
when we did so via annotation in destination service/globally via linkerd helm chart, and restarted proxies . we started to get 502 bad gateway
It started to work again in following scenarios :
- Either on reverting opaque port changes.(removing port 80 from opaque port list).
- or removing linkerd proxy injection from traefik ingress controller pods.
- or removing
l5d-dst-overrideheader added via middleware.
my questions are :
- is
l5d-dst-overridereally required after upgrading to stable-2.14.8 and traefik controller pods injected with ingress mode ?We don’t want to use routing functionality from Linkerd but would like to get request metrics and mtls.
Documentation on website seems bit confusing to me
( Warning When an ingress is meshed in ingress mode, you must configure it to remove thel5d-dst-overrideheader to avoid creating an open relay to cluster-local and external endpoints.
Note Linkerd versions 2.13.0 through 2.13.4 had a bug whereby thel5d-dst-overrideheader was required in ingress mode, or the request would fail. This bug was fixed in 2.13.5, and was not present prior to 2.13.0.)
- any hints why it broke on marking port 80 as opaque ?
- is it normal to get “Protocol detection timeouts” even for http requests going towards port 80 ?
any suggestions/hints would be much appreciated