#OpenSSL error when running using kubernetes pod using jenkins


ember berry
#

Hi, I keep getting OpenSSL-related errors when running in a Kubernetes pod started by Jenkins

21: exec apk add --no-cache ca-certificates

21: [0.11s] fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz

21: [0.15s] 480BB8E98F7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:303:

21: [0.15s] WARNING: fetching https://dl-cdn.alpinelinux.org/alpine/v3.18/main: Permission denied

21: [0.15s] fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz

21: [0.16s] 480BB8E98F7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:303:

21: [0.16s] WARNING: fetching https://dl-cdn.alpinelinux.org/alpine/v3.18/community: Permission denied

21: [0.16s] OK: 46 MiB in 58 packages

21: exec apk add --no-cache ca-certificates DONE



20: exec git clone --recursive https://git*** .

20: [0.16s] Cloning into '.'...

20: [0.16s] fatal: unable to access 'https://git***/': OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to git***:443 

The pod template is the following:

apiVersion: v1
kind: Pod
spec:
  nodeSelector:
    workload: jenkins
  tolerations:
    - key: workload
      operator: Equal
      value: jenkins
      effect: NoSchedule
  imagePullSecrets:
    - name: docker-hub
  containers:
    - name: dagger
      image: ***/dagger-pipeline:latest
      env:
        - name: _EXPERIMENTAL_DAGGER_CACHE_CONFIG
          value: type=registry,ref=localhost:5000/test-cache,mode=max
        - name: _EXPERIMENTAL_DAGGER_RUNNER_HOST
          value: tcp://localhost:8080
      command:
      - cat
      tty: true

    - name: server
      image: registry.dagger.io/engine:v0.6.4
      securityContext:
        privileged: true
      volumeMounts:
        - mountPath: /var/lib/dagger
          name: dagger-cache
      args: [--addr, tcp://0.0.0.0:8080]

    - name: registry
      image: registry:2
  volumes:
    - name: dagger-cache
      emptyDir: {}

The pipeline runs fine on my laptop though

open linden
#

👋 which SDK are you using?

ember berry
#

Python SDK

open linden
#

can you validate if your dagger-pipeline pod can effectively reach your git endpoint?

#

i.e., if you exec into the pod and try to run curl or openssl_client against that endpoint, does it work?

ember berry
#

Will do.
But previously, the pipeline even failed to connect to GitHub.

open linden
#

does the same dagger-pipeline image work for you locally?

#

or do you run your pipeline locally with python directly?

#

I'm thinking it can be related to how you package your dagger-pipeline image

ember berry
#

I have tried exec-ing into both the dagger-engine and dagger-pipeline image, and wget-ing the same https endpoint was successful

ember berry
#

I mean it works locally using the same dagger-engine configuration. Here is my docker-compose:

  network:
    image: busybox
    command: tail -f /dev/null
    ports:
      - 8080:8080

  registry:
    image: registry:2
    network_mode: service:network
    environment:
      REGISTRY_HTTP_SECRET: random-secret
      REGISTRY_STORAGE: s3
      REGISTRY_STORAGE_S3_REGIONENDPOINT:
      REGISTRY_STORAGE_S3_REGION:
      REGISTRY_STORAGE_S3_BUCKET:
      REGISTRY_STORAGE_S3_ROOTDIRECTORY: /dagger
      REGISTRY_STORAGE_S3_ACCESSKEY:
      REGISTRY_STORAGE_S3_SECRETKEY:
      REGISTRY_STORAGE_S3_SECURE: true
  
  dagger-engine:
    image: registry.dagger.io/engine:v0.6.3
    network_mode: service:network
    privileged: true
    volumes:
      - dagger:/var/lib/dagger
    command: --addr tcp://0.0.0.0:8080
#

I tried changing the git image to bitnami/git but it turned out the same

open linden
#

@ember berry would it be possible for you to jump into #911305510882513037 and share your screen?

#

I'd like to try something

ember berry
#

which screen? the jenkins?

open linden
#

no, your terminal should be ok

#

do you have kubectl access to your cluster?

ember berry
#

I do

#

wait

ember berry
#

test

open linden
#

We found the issue. Seems to be coming from service mesh restrictions on that namespace. After removing them we were able to make progress