Temporal cli cannot connect to frontend service via Ingress

I deployed Temporal Cluster on on-prem K8s. My deployment is based on the Helm Chart with some modifications.
I created an Ingress for exposing the frontend service outside of K8s, but the Temporal cli tool fails to connect. Everything works like a charm if I expose the service with port forwarding.

Ingress config:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/backend-protocol: GRPC
    nginx.ingress.kubernetes.io/force-ssl-redirect: 'false'
    nginx.ingress.kubernetes.io/proxy-body-size: 50m
    nginx.ingress.kubernetes.io/proxy-connect-timeout: '60'
    nginx.ingress.kubernetes.io/proxy-read-timeout: '60'
    nginx.ingress.kubernetes.io/proxy-send-timeout: '60'
    nginx.ingress.kubernetes.io/ssl-passthrough: 'false'
    nginx.ingress.kubernetes.io/ssl-redirect: 'false'
    nginx.org/grpc-services: temporal-frontend
  name: temporal-frontend
  namespace: temporal-stage
spec:
  rules:
    - host: api.temporal.stage.stellar-dev.detmir-infra.ru
      http:
        paths:
          - backend:
              service:
                name: temporal-frontend
                port:
                  name: grpc-rpc
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - api.temporal.stage.stellar-dev.detmir-infra.ru
      secretName: temporal-frontend-cert

I was able to connect to the external address using grpcurl:

 grpcurl api.temporal.stage.stellar-dev.detmir-infra.ru:443 list

grpc.health.v1.Health
grpc.reflection.v1alpha.ServerReflection
temporal.api.operatorservice.v1.OperatorService
temporal.api.workflowservice.v1.WorkflowService
temporal.server.api.adminservice.v1.AdminService

But when I try to connect with the temporal cli I get an error:

 temporal workflow list --env stage

 FATAL   Failed to create SDK client     {"error": "failed reaching server: last connection error: connection error: desc = \"error reading server preface: http2: frame too large\"", "logging-call-at": "factory.go:141"}
 temporal env get stage

address  api.temporal.stage.stellar-dev.detmir-infra.ru:443

Were you able to get to the bottom of this issue? Can you tell from the service_requests server metric if the ListWorkflowExecutions operation was received by the frontend? If not, maybe it was blocked with this error by nginx?

+1, same problem

Yes, sorry for the long delay.
The issue was with the LetsEncrypt certificate, which is not recognized as a valid certificate authority by the CLI tool.
Solved by adding the parameter --tls-ca-path referencing the .pem file with the LetsEncrypt root certificate. It turns out that this certificate is also required to connect with the Java SDK.

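A note on why the error reads the way it does, with an added example (not code from this thread, from Temporal or from nginx). "http2: frame too large" is what a gRPC client reports when it dials a TLS listener in plaintext: the first bytes it gets back (nginx's plaintext HTTP/1.1 400 for a plain request on an HTTPS port, or a TLS record) are parsed as an HTTP/2 frame header whose 24-bit length is far above the 16384-byte default. grpcurl worked because it speaks TLS by default unless given -plaintext. Passing --tls-ca-path both turns TLS on for the CLI and tells it which root to trust; Let's Encrypt chains to ISRG Root X1. The script decodes constructed sample bytes offline (explain_server_preface) and, given a host and an optional CA .pem on the command line, performs the same verified TLS handshake with ALPN h2 that the CLI needs (tls_preflight). Function names are hypothetical; the CA path is a placeholder.

```python
"""Checks for a gRPC-over-TLS endpoint behind an nginx Ingress.

Added example for the thread above; helper names are hypothetical and the
sample bytes below are constructed, not captured from the poster's cluster.
"""
import socket
import ssl
import sys
from typing import Optional

# Initial SETTINGS_MAX_FRAME_SIZE every HTTP/2 peer starts with (RFC 9113, 6.5.2).
H2_DEFAULT_MAX_FRAME_SIZE = 16384

# Constructed samples of "the first bytes a client reads after sending its preface".
# nginx answering a plaintext request on its HTTPS port, as the CLI sees it
# when it dials the Ingress with TLS disabled.
NGINX_PLAIN_HTTP_400 = b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n\r\n"
# A TLS alert record (handshake_failure): 7 bytes, so no full 9-byte frame header.
TLS_ALERT_RECORD = b"\x15\x03\x01\x00\x02\x02\x28"
# An empty SETTINGS frame, the first thing a real HTTP/2 server sends.
H2_EMPTY_SETTINGS = b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"


def explain_server_preface(first_bytes: bytes) -> dict:
    """Decode what a gRPC client received right after its HTTP/2 client preface.

    An HTTP/2 framer reads a 9-byte header whose first 3 bytes are the payload
    length. If the peer was not speaking plaintext HTTP/2, those bytes belong
    to something else and decode to a length above the 16384 default, which is
    exactly the "http2: frame too large" reported in the thread.
    """
    peer = "unknown"
    if first_bytes[:1] in (b"\x15", b"\x16") and first_bytes[1:2] == b"\x03":
        peer = "tls-record"  # alert/handshake content type, TLS major version 3
    elif first_bytes.startswith(b"HTTP/1."):
        peer = "http1-response"  # plaintext HTTP/1.x status line
    if len(first_bytes) < 9:
        return {"peer": peer, "frame_length": None,
                "verdict": "short read before a full HTTP/2 frame header"}
    length = int.from_bytes(first_bytes[:3], "big")
    if length > H2_DEFAULT_MAX_FRAME_SIZE:
        verdict = "http2: frame too large"
    else:
        verdict = "plausible HTTP/2 frame"
    return {"peer": peer, "frame_length": length, "verdict": verdict}


def tls_preflight(host: str, port: int = 443, ca_path: Optional[str] = None,
                  timeout: float = 5.0) -> dict:
    """Verified TLS handshake with ALPN h2, the same trust decision --tls-ca-path drives.

    ca_path=None uses the system trust store; a path points at a root .pem
    (for Let's Encrypt, ISRG Root X1). Reports chain verification, the issuer
    and whether the Ingress negotiated h2, which gRPC requires.
    """
    ctx = ssl.create_default_context(cafile=ca_path)
    ctx.set_alpn_protocols(["h2"])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
                return {"verified": True, "alpn": tls.selected_alpn_protocol(),
                        "issuer": issuer.get("organizationName"), "error": None}
    except ssl.SSLCertVerificationError as exc:
        # The failure the CLI hits when the Let's Encrypt root is not trusted.
        return {"verified": False, "alpn": None, "issuer": None,
                "error": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"verified": False, "alpn": None, "issuer": None, "error": str(exc)}


if __name__ == "__main__":
    for label, sample in (("nginx plain 400", NGINX_PLAIN_HTTP_400),
                          ("tls alert", TLS_ALERT_RECORD),
                          ("h2 settings", H2_EMPTY_SETTINGS)):
        print(label, explain_server_preface(sample))
    if len(sys.argv) >= 2:
        # usage: python3 grpc_ingress_check.py HOST [/path/to/root-ca.pem]
        ca = sys.argv[2] if len(sys.argv) > 2 else None
        print(tls_preflight(sys.argv[1], ca_path=ca))
```

Run it as python3 grpc_ingress_check.py api.temporal.stage.stellar-dev.detmir-infra.ru /path/to/isrgrootx1.pem (placeholder path): "verified": True together with "alpn": "h2" means the same CA file will satisfy temporal workflow list --env stage --tls-ca-path /path/to/isrgrootx1.pem; "alpn": None means the Ingress is not offering HTTP/2 on that host, which no CA setting will fix.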