Pomerium sync error: no healthy upstream

Wijxex · January 11, 2023, 11:02pm

What happened?

I am upgrading Pomerium from pomerium/pomerium:v0.5.0 → pomerium/pomerium:main so I configured the authenticate/authorize/databroker/proxy services and deployments + ingress + config as configured here : pomerium/examples/kubernetes at main · pomerium/pomerium · GitHub

What did you expect to happen?

I expect to access my services.

How’d it happen?

Enter one of my routes
I get the access identification page
If the email is correct, I access the service succesfully.

What’s your environment like?

Pomerium version: main image
Kubernetes version: 1.21.14-gke.3000

What’s your config.yaml?

address: ":80"
grpc_address: ":80"
grpc_insecure: true
insecure_server: true
administrators: "username1@hello.com,username2@hello.com"

authenticate_service_url: https://auth-pre.hello.team
authorize_service_url: https://pomerium-authz.hello-sys-security.svc.cluster.local
databroker_service_url: http://pomerium-databroker-service.hello-sys-security.svc.cluster.local

###################
idp_provider: google
idp_client_id: <client_id>
idp_client_secret: <client_secret>
###################

routes:
  - from: https://grafana-pre.hello.team
    to: http://grafana-service.hello-sys-monitoring.svc.cluster.local:3000
    allowed_domains:
      - hello.com
  - from: https://prometheus-pre.hello.team
    to: http://prometheus.hello-sys-monitoring.svc.cluster.local:9090
    allowed_domains:
      - hello.com
  - from: https://alertmanager-pre.hello.team
    to: http://alertmanager-alerts.hello-sys-monitoring.svc.cluster.local:9093
    allowed_domains:
      - hello.com
  - from: https://wiki.hello.team
    to: http://wiki-4all.dev-tools.svc.cluster.local:3000
    allow_public_unauthenticated_access: true
  - from: https://monitoring-pre.hello.team
    to: http://monitoring-proxy.hello-sys-monitoring.svc.cluster.local:8080
#    allowed_domains:
 #     - hello.com
 #   cors_allow_preflight: true
    policy:
      - allow:
          or:
            - domain:
                is: hello.com

What did you see in the logs?

error during initial sync: error receiving record: rpc error: code = Unavailable desc = no healthy upstream

syncer_id: "databroker"
syncer_type: "type.googleapis.com/pomerium.config.Config"

Additional context

I deleted the old Pomerium and kept the same idp/shared/cookie secrets.

denis · January 11, 2023, 11:36pm

Check the status of your databroker service and endpoints - no healthy upstream means it cannot be contacted

However I would recommend you to use the simpler all in one deployment Installation | Pomerium

Wijxex · January 12, 2023, 9:25am

Thank you for the reply.
It’s mentioned in the requirements that I need PostgreSQL 11 or higher installed in my cluster, I would like to understand the purpose of it when installing the latest version of Pomerium?

denis · January 12, 2023, 4:54pm

Topic		Replies	Views
Pomerium large version upgrade Support k8s	1	308	December 21, 2022
Getting connection_failure errors Support	12	1509	March 23, 2022
Databroker stuck getting no_helathy_upstream errors Support	1	307	September 30, 2022
Upstream connect error with Pomerium Ingress Controller Support k8s	2	365	December 21, 2021
Pomerium is not working Support	1	426	March 13, 2023