Issue
For applications deployed with ISTIO in Kubernetes, you may encounter the following error, because ISTIO does not allow traffic to the pod until it passes health checks.
2022-06-30 09:05:54,153 [main c] ERROR - Problem resolving features with com.contrastsecurity.agent.features
java.net.ConnectException: Connection refused (Connection refused)
....
....
[Contrast] Thu Jun 30 09:05:54 GMT 2022 Contrast not enabled. Check log for details - /tmp/contrast/contrast.log
2022-06-30 09:05:54,156 [main ContrastEngine] ERROR - Problem starting up Contrast
com.contrastsecurity.agent.p.h: com.contrastsecurity.agent.features.NoInstructionsAvailableException
at com.contrastsecurity.agent.p.c.a(ChooseFeaturesTask.java:43)
....
....
2022-06-30 09:05:54,157 [main ContrastEngine] ERROR - Proceeding without Contrast
Cause
The agent makes a request to the Contrast UI to resolve the feature set on application startup. The delay in connectivity before the pod passes its health checks causes the request to fail. As a result, the feature set is not retrieved and the application continues without Contrast instrumentation.
Resolution
ISTIO allows configuration through pod annotations. To resolve the connectivity issue with retrieving the feature set from the Contrast UI, add the following as a pod annotation.
This can be configured in the application deployment.
(example)
template:
  metadata:
    annotations:
      proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }'
To configure it at a global level, see the ISTIO documentation.
NOTE: This option is available from ISTIO version 1.8 onward. Those restricted to using earlier versions of ISTIO should consider the solution outlined in Java Agent fails to connect to Contrast UI: Connection refused instead.
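The following is an added example, not Contrast or ISTIO code: a check that lists Deployments whose pod template lacks the annotation above, and a helper that sets the flag without discarding an existing proxy.istio.io/config value. The function names and the sample objects are constructed for illustration, and the annotation value is assumed to be JSON as in the example above.

```python
import copy
import json

ANNOTATION = "proxy.istio.io/config"
FLAG = "holdApplicationUntilProxyStarts"

def proxy_config(deployment):
    """Return the pod template's ProxyConfig override as a dict ({} if unset)."""
    meta = deployment.get("spec", {}).get("template", {}).get("metadata", {})
    raw = (meta.get("annotations") or {}).get(ANNOTATION)
    if raw is None:
        return {}
    # Assumption: the value is JSON, as in the article's example. YAML-style
    # values are not parsed by this sketch and raise ValueError.
    cfg = json.loads(raw)
    if not isinstance(cfg, dict):
        raise ValueError(f"{ANNOTATION} must be a JSON object")
    return cfg

def missing_hold(deployment_list):
    """Names of Deployments whose pods may start before the proxy is ready."""
    return [d["metadata"]["name"] for d in deployment_list.get("items", [])
            if proxy_config(d).get(FLAG) is not True]

def with_hold(deployment):
    """Return a copy with the flag set, keeping any other ProxyConfig keys."""
    patched = copy.deepcopy(deployment)
    meta = (patched.setdefault("spec", {}).setdefault("template", {})
            .setdefault("metadata", {}))
    cfg = proxy_config(deployment)
    cfg[FLAG] = True
    annotations = meta.get("annotations") or {}
    annotations[ANNOTATION] = json.dumps(cfg)
    meta["annotations"] = annotations
    return patched

def _deploy(name, annotations=None):
    """Build a minimal constructed Deployment object for the sample below."""
    return {"kind": "Deployment", "metadata": {"name": name},
            "spec": {"template": {"metadata": {"annotations": annotations}}}}

# Constructed sample in the shape of `kubectl get deployments -o json`.
SAMPLE = {"kind": "List", "items": [
    _deploy("web", {ANNOTATION: '{ "holdApplicationUntilProxyStarts": true }'}),
    _deploy("orders"),                                        # no annotations
    _deploy("billing", {ANNOTATION: '{ "concurrency": 2 }'}),  # other override
]}
```

Running missing_hold over the sample reports "orders" and "billing"; with_hold on "billing" keeps its existing concurrency setting alongside the new flag.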
See the following ISTIO documentation for further details:
- https://istio.io/latest/docs/reference/config/annotations/
- https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig
Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. This feature adds hooks to delay application startup until the pod proxy is ready to accept traffic, mitigating some startup race conditions. Default value is ‘false’.