slack-go/slack

Post Webhook method keeps returning dial tcp timeout (ACL issue?)

bellamariz opened this issue · 1 comments

What happened

Hello! I built a Golang app that sends messages to a Slack channel using a Slack Bot I also created. I'm using the goslack.PostWebhook method and it keeps returning a Post \"https://hooks.slack.com/services/private-webhook-url\": dial tcp 54.163.235.119:443: i/o timeout error.

Expected behaviour

Whenever I run my code locally using Docker, there are no issues:

Successfully built b35fb1a54931
Successfully tagged gitlab-reminder:v1.2.13
docker run -it -p 9395:9395 gitlab-reminder:v1.2.13
2:51PM INF reminder/reminder.go:55 > reminder sent about merge requests!
2:51PM INF reminder/reminder.go:62 > reminder sent about recently failed jobs!

Real behaviour

But when I try to run my app using the Tsuru Service or a Kubernetes Job, I keep getting the timeout error:

2:37PM WRN slack/api.go:45 > failed to post message through slack webhook error="failed to post webhook: Post \"https://hooks.slack.com/services/private-webhook-url\": dial tcp 54.163.235.119:443: i/o timeout"
2:37PM ERR main.go:44 > failed to run gitlab reminder error="error in call to slack api"

Steps

My code is simple, as follows:

// Posts message to Slack using Webhook URL
func (s *API) PostWebhookMessage(msg string) error {
	err := goslack.PostWebhook(s.WebhookURL, &goslack.WebhookMessage{Text: msg})

	if err != nil {
		log.Warn().Err(err).Msg(ErrPostWebhookMessage)
		return errors.New(ErrPostWebhookMessage)
	}

	return nil
}

The Slack Bot - responsible for sending the message through the Webhook - is configured with the necessary authorizations:

  • Incoming Webhooks activated with the generated Webhook URL for my Slack workspace ✅
  • Scopes > Bot Token Scopes > incoming-webhook ✅

Because my app runs in my company's internal network pool (for Tsuru) and cluster (for Kubernetes),

  1. I added the Slack DNS *.slack.com on port 443 to my app's ACL service on the Tsuru pool:
Service: acl
Instance: gitlab-reminder-acl
Jobs: gitlab-reminder-job
Rules:
	Rule ID: xxxxxxxxxx - Destination: DNS: .slack.com, Ports: tcp:443
  2. And when I tried to use the Kubernetes Job service instead of Tsuru, I liberated the IPs used by the Slack API:
- 18.230.171.141 443 tcp
- 54.94.183.148 443 tcp

However, I still got the same timeout error for both cases.

8:58PM ERR failed to send request error="Post \"https://hooks.slack.com/services/private-webhook-url\": dial tcp 54.94.183.148:443: i/o timeout"
8:58PM ERR failed to run gitlab reminder error="error in call to slack api"

What I find weird is that I gave the same ACL permission to another external API service my app uses (GitLab REST API - go-gitlab), and there was no timeout issue with them. The access was liberated as expected and no timeout issue occurred. This is just happening with the Slack API. Are the ACL permissions I gave not correct? Do I need to add another DNS or IP? Or is this timeout related to something else?

Thank you!

Versions

  • Go: 1.21.1
  • slack-go/slack: v0.12.3

Turns out I had to give ACL permission to the entire Slack DNS domain on Tsuru. Simply using the subdomain rule *.slack.com does not work:

Service: acl
Instance: gitlab-reminder-acl
Jobs: gitlab-reminder-job
Rules:
Rule ID: xxxxxxx - Destination: DNS: .slack.com, Ports: tcp:443
Rule ID: xxxxxxx - Destination: DNS: hooks.slack.com, Ports: tcp:443
Rule ID: xxxxxxx - Destination: DNS: api.slack.com, Ports: tcp:443

Once I did that, the app executed perfectly on the Tsuru framework:

4:13PM INF reminder/reminder.go:55 > reminder sent about merge requests!
4:13PM INF reminder/reminder.go:62 > reminder sent about recently failed jobs!

Also, while thinking about why it probably didn't work with Kubernetes, my pod had only pinged on two of MANY possible IP addresses the Slack API DNS could respond to. Therefore, I had only created the ACL permission for them:

- 18.230.171.141 443 tcp
- 54.94.183.148 443 tcp

But here's the full list of possible IPs the Slack API can respond to:


Issue resolved!
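
Added example (not part of the original issue or of slack-go): a Go check for the gap described above, where IP rules were created only for the addresses a single lookup returned. It resolves a name several times and reports every IPv4 answer the allow rules miss; `aclGaps`, the CIDR rule format and the documentation-range addresses are assumptions constructed for this illustration.

```go
package main

import (
	"fmt"
	"net"
)

// aclGaps resolves host `rounds` times and returns each distinct IPv4 answer
// that no allow rule covers. Rules are CIDR; a single host is written as /32.
func aclGaps(host string, rounds int, allow []string, lookup func(string) ([]net.IP, error)) ([]string, error) {
	var nets []*net.IPNet
	for _, rule := range allow {
		_, n, err := net.ParseCIDR(rule)
		if err != nil {
			return nil, fmt.Errorf("bad allow rule %q: %w", rule, err)
		}
		nets = append(nets, n)
	}
	seen, gaps := map[string]bool{}, []string{}
	for i := 0; i < rounds; i++ {
		ips, err := lookup(host) // load-balanced names rotate their answers
		if err != nil {
			return nil, err
		}
		for _, ip := range ips {
			if ip.To4() == nil || seen[ip.String()] {
				continue
			}
			seen[ip.String()] = true
			ok := false
			for _, n := range nets {
				ok = ok || n.Contains(ip)
			}
			if !ok {
				gaps = append(gaps, ip.String())
			}
		}
	}
	return gaps, nil
}

func main() { // offline demo; pass net.LookupIP as lookup for live use
	pool, q := []string{"192.0.2.10", "192.0.2.11", "198.51.100.7"}, 0 // constructed addresses
	rotate := func(string) ([]net.IP, error) {
		q++
		return []net.IP{net.ParseIP(pool[q%len(pool)])}, nil
	}
	fmt.Println(aclGaps("hooks.slack.com", 6, []string{"192.0.2.10/32"}, rotate))
}
```

Sampling only reveals the addresses returned during the run, so an empty result does not prove that an IP list is complete.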