HTTP request failed after ISTIO_META_DNS_AUTO_ALLOCATE enabled #39080

Closed
fatedier opened this issue May 22, 2022 · 7 comments

@fatedier
Contributor

fatedier commented May 22, 2022

Bug Description

There is a ServiceEntry for example.com, port 9444 as TCP protocol.

HTTP requests to example.com:80 will also succeed.

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-auto
spec:
  hosts:
  - example.com
  ports:
  - name: tcp
    number: 9444
    protocol: TCP
  resolution: DNS

After I enable ISTIO_META_DNS_AUTO_ALLOCATE, HTTP requests to example.com:80 always fail. I got a 503 connection failure.

Istio allocates a new IP for example.com. The destination of connections to this host will be changed to this IP, and the passthrough cluster will use ORIGINAL_DST to connect and fail.

Version

client version: 1.12.6
control plane version: 1.12.6
data plane version: 1.12.6

Additional Information

No response

@hzxuzhonghu
Member

same as #29224

@fatedier
Contributor Author

fatedier commented May 23, 2022

@hzxuzhonghu Hi, there may be a little difference from #29224.

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-auto
spec:
  hosts:
  - example.com
  ports:
  - name: tcp
    number: 9444
    protocol: TCP
  resolution: DNS

I define a TCP port in this ServiceEntry. Resolving example.com to an IP auto-allocated by Istio is expected, since I will add a VirtualService for this host and port. It needs to distinguish the different hosts by IP.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: auto-tls
spec:
  hosts:
  - "example.com"
  gateways:
  - mesh
  tcp:
  - match:
    - port: 9444
    route:
    - destination:
        host: sni-proxy
        subset: example-com-9444
        port:
          number: 443

It works well.

But curl example.com:80 failed. I'm not sure if we can route traffic to the allocated IP on ports other than 9444 to a STRICT_DNS type cluster.

@howardjohn
Member

This is expected IMO. Original_dst will not work with this mode, as noted. When you define your svc entry for 9444, you are saying it's ONLY on port 9444 (not 80). So you hit passthrough, which ends up breaking.

It's not possible for us to somehow only return the fake IP for port 9444, since DNS is not port-aware.

ISTIO_META_DNS_AUTO_ALLOCATE is not something that can ever be 100% reliable.

@fatedier
Contributor Author

> This is expected IMO. Original_dst will not work with this mode, as noted. When you define your svc entry for 9444, you are saying it's ONLY on port 9444 (not 80). So you hit passthrough, which ends up breaking.
>
> It's not possible for us to somehow only return the fake IP for port 9444, since DNS is not port-aware.
>
> ISTIO_META_DNS_AUTO_ALLOCATE is not something that can ever be 100% reliable.

@howardjohn Alright.

Another question. ISTIO_META_DNS_AUTO_ALLOCATE is global. Can I enable it only for specified ServiceEntries, so that it will not affect existing ServiceEntries?

@hzxuzhonghu
Member

There is no such way now.

@howardjohn
Member

If you want the opposite (opt-in to allocate) you can basically DIY it by just setting a random IP in the ServiceEntry.address YAML. That is basically what the feature does.
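
The behaviour discussed in this thread, as an added example that is not part of the original issue and is not Istio's code: a simplified Python model of the sidecar's DNS answer and listener match. It shows why port 80 breaks under global auto-allocation and how an explicit address on one ServiceEntry leaves other entries untouched. The class names, the 240.240.0.x, 203.0.113.10 and 198.51.100.20 addresses, and the db.example.net entry are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ServiceEntry:                       # only the fields this model needs
    host: str
    ports: set
    addresses: list = field(default_factory=list)   # explicit VIP, if any

class Sidecar:
    """Simplified model of outbound handling; not Istio source code."""
    def __init__(self, entries, auto_allocate, upstream_dns):
        self.upstream_dns = upstream_dns  # host -> real IP (constructed)
        self.vips, self.listeners = {}, {}
        for n, se in enumerate(entries, start=1):
            vip = se.addresses[0] if se.addresses else (
                f"240.240.0.{n}" if auto_allocate else None)
            if vip:
                self.vips[se.host] = vip
            for port in se.ports:         # no VIP -> wildcard TCP listener
                self.listeners[(vip or "0.0.0.0", port)] = se.host

    def resolve(self, host):
        # A DNS query carries no port, so every port gets the same answer.
        return self.vips.get(host, self.upstream_dns[host])

    def connect(self, host, port):
        dst = self.resolve(host)
        for key in ((dst, port), ("0.0.0.0", port)):
            if key in self.listeners:
                return "routed", self.listeners[key]
        # No listener: passthrough dials the original destination unchanged.
        if dst in self.vips.values():
            return "503", f"{dst}:{port}"  # the virtual IP is not routable
        return "passthrough", f"{dst}:{port}"

DNS = {"example.com": "203.0.113.10", "db.example.net": "198.51.100.20"}

def scenario(auto_allocate, explicit_vip=None):
    entries = [
        ServiceEntry("example.com", {9444}, [explicit_vip] if explicit_vip else []),
        ServiceEntry("db.example.net", {5432}),
    ]
    sc = Sidecar(entries, auto_allocate, DNS)
    return {(h, p): sc.connect(h, p) for h, p in
            [("example.com", 9444), ("example.com", 80), ("db.example.net", 80)]}

if __name__ == "__main__":
    for name, args in [("off", (False,)), ("global", (True,)),
                       ("opt-in", (False, "240.240.0.50"))]:
        print(name, scenario(*args))
```

In the opt-in scenario example.com:80 still fails, because the name resolves to the virtual IP on every port, but db.example.net keeps resolving to its real address.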

@fatedier
Contributor Author

@howardjohn Great. Thank you for the reminder.
