Preflight checklist
Ory Network Project
No response
Describe the bug
Ory Hydra v25.x (and any version built with Go 1.24+) fails to respond to HTTP requests on OpenShift clusters, returning "connection reset by peer" errors. This is caused by Go 1.24 enabling MPTCP
(Multipath TCP) by default for TCP listeners, which is incompatible with certain Kubernetes network configurations.
Environment
- Hydra version: v25.4.0 (also affects any version built with Go 1.24+)
- Go version in image: Go 1.25.2
- Platform: OpenShift 4.x (OKD)
- Kernel: 6.1.18-200.fc37.x86_64
- Helm chart: hydra-0.60.1
Symptoms
- Startup/readiness probes fail with connection reset by peer
- Pod stays in 0/1 Running state with constant restarts
- Hydra logs show server starting normally, but HTTP requests never reach handlers
- Works fine on Docker Desktop, fails on OpenShift
Root Cause
Go 1.24 introduced MPTCP (Multipath TCP) enabled by default for TCP listeners (https://go.dev/doc/go1.24). Some Kubernetes CNI plugins and network configurations don't properly support MPTCP, causing
connections to be reset.
Workaround
Add the GODEBUG=multipathtcp=0 environment variable to disable MPTCP:
deployment:
  extraEnv:
    - name: GODEBUG
      value: "multipathtcp=0"
Suggested Fix
Consider adding GODEBUG=multipathtcp=0 as a default environment variable in the Hydra Helm chart for Kubernetes deployments, or document this requirement for OpenShift/Kubernetes environments.
References
Reproducing the bug
On an OpenShift 4 cluster:
Go 1.23 - WORKS
kubectl run go123-test --image=golang:1.23-alpine --restart=Never -- sh -c '
cd /tmp && cat > server.go << "EOF"
package main
import ("fmt";"net/http")
func main() {
http.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "OK") })
http.ListenAndServe(":8080", nil)
}
EOF
go build -o server server.go && ./server
'
Test:
kubectl exec go123-test -- wget -qO- http://127.0.0.1:8080/health
Result: OK
Go 1.24+ - FAILS
kubectl run go124-test --image=golang:1.24-alpine --restart=Never -- sh -c '
cd /tmp && cat > server.go << "EOF"
package main
import ("fmt";"net/http")
func main() {
http.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintf(w, "OK") })
http.ListenAndServe(":8080", nil)
}
EOF
go build -o server server.go && ./server
'
Test:
kubectl exec go124-test -- wget -qO- http://127.0.0.1:8080/health
Result:
wget: error getting response: Connection reset by peer
Relevant log output
Relevant configuration
Version
v25.4
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes with Helm
Additional Context
No response
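An in-process counterpart to the GODEBUG workaround in the report above, as an added example that is not part of the original issue or of Hydra's code: the listener is created through net.ListenConfig with MPTCP explicitly switched off, then the reproduction's /health handler is fetched once over loopback. The function names listenPlainTCP and probeHealth are hypothetical.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// Added example; listenPlainTCP and probeHealth are hypothetical names.
// listenPlainTCP opens a TCP listener with MPTCP explicitly turned off,
// overriding both the Go version's default and any GODEBUG setting.
func listenPlainTCP(ctx context.Context, addr string) (net.Listener, bool, error) {
	var lc net.ListenConfig
	lc.SetMultipathTCP(false) // method available since Go 1.21
	ln, err := lc.Listen(ctx, "tcp", addr)
	return ln, lc.MultipathTCP(), err
}

// probeHealth serves the reproduction's /health handler on a listener from
// listenPlainTCP and fetches it once over loopback.
func probeHealth() (string, bool, error) {
	ln, mptcp, err := listenPlainTCP(context.Background(), "127.0.0.1:0")
	if err != nil {
		return "", mptcp, err
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "OK") })
	srv := &http.Server{Handler: mux, ReadHeaderTimeout: 5 * time.Second}
	go srv.Serve(ln)
	defer srv.Close()

	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get("http://" + ln.Addr().String() + "/health")
	if err != nil {
		return "", mptcp, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), mptcp, err
}

func main() {
	body, mptcp, err := probeHealth()
	fmt.Printf("body=%q mptcp=%v err=%v\n", body, mptcp, err)
}
```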