nginx (esp) returns 200, even when a backend returns error code. gRPC doesn't work on SSL port.

[dimaf]

As learning example, I created a simple API on python3 that uses GKE, gRPC and endpoints.

There is two issues and after several attempts I don't have any  idea how to resolve them:

1. esp returns Response code 200, even if a realization of a method sets error code for gRPC context.

For instance, if a parameter of a request have been set incorrectly, for grpc context StatusCode is set to INVALID_ARGUMENT:

class DiagnosticServicer(diagnostic_pb2_grpc.diagnosticServicer):
 def __init__(self):
     self.diagnostic = diagnostic.Diagnostic()

 def GetDateTime(self, request, context):
     with status.context(context):
 try:
     resp = diagnostic_pb2.DateTimeResponse()
     resp.datetime = self.diagnostic.get_date_time(request)
     return resp
 except Exception:
     context.set_code(grpc.StatusCode.INVALID_ARGUMENT)
     context.set_details('Invalid time_zone or utc_offset')

The request:

GET https://[EXT_IP]/v1/getdatetime?time_zone=Israel344
HTTP/1.1 200 OK
Date: Tue, 17 Jul 2018 21:31:34 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
accept-encoding: identity,gzip

{}{
    "code": 3,
    "message": "Invalid time_zone or utc_offset",
    "details": [
                   {
                      "@type": "type.googleapis.com/google.rpc.DebugInfo",
                      "stackEntries": [],
                      "detail": "internal"
                   } 
               ]
}
Response code: 200 (OK); Time: 570ms; Content length: 193 bytes

esp logs:

2018-07-17 17:31:34.000 EDT 10.60.4.1 - - [17/Jul/2018:21:31:34 +0000] "GET /v1/getdatetime?time_zone=Israel344 HTTP/1.1" 400 209 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_152-release)"
        severity:  "INFO" 

endpoints logs:

2018-07-17 17:31:34.643 EDT us-east4-a 400 2 ms Method: grpc.diagnostic.GetDateTime
severity:  "ERROR"  

2. esp can't handle gRPC requests on SSL port accepting, only HTTP/1.1 traffic.

Any idea?

Thanks.

deployment.yaml:

apiVersion: v1
kind: Service
metadata:
 name: esp-grpc-diagnostic
spec:
 ports:
 # Port that accepts gRPC and JSON/HTTP2 requests over HTTP.
 - port: 443
 targetPort: 443
 protocol: TCP
 name: https
 - port: 8080
 targetPort: 8080
 protocol: TCP
 name: http
 - port: 9000
 targetPort: 9000
 protocol: TCP
 name: http2
 selector:
 app: esp-grpc-diagnostic
 type: LoadBalancer
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
 name: esp-grpc-diagnostic
spec:
 replicas: 1
 template:
 metadata:
 labels:
 app: esp-grpc-diagnostic
 spec:
 volumes:
 - name: nginx-ssl
 secret:
 secretName: nginx-ssl
 containers:
 - name: esp
 image: gcr.io/endpoints-release/endpoints-runtime:1
 imagePullPolicy: Always
 args: [
 "--http_port=8080",
 "--ssl_port=443",
 "--http2_port=9000",
 "--service=diagnostic.endpoints.ID-PROJ.cloud.goog",
 "--rollout_strategy=managed",
 "--backend=grpc://127.0.0.1:8000"
 ]
 ports:
 - containerPort: 8080
 - containerPort: 443
 - containerPort: 9000
 volumeMounts:
 - mountPath: /etc/nginx/ssl
 name: nginx-ssl
 readOnly: true
 - name: diagnostic
 image: gcr.io/ID-PROJ/python-grpc-diagnostic-server:v1.07
 imagePullPolicy: Always
 ports:
 - containerPort: 8000

[dimaf]

I applied the new development today adding Reflection feature and after it, surprisingly I discovered that nginx returns correct error code. I've tried used as the newest esp release as well as earlier ones and it wasn't helping help until today.

[dimaf]

Now, gRPC traffic can be handled on SSL port by ESP too.