Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

In dual stack mode, workaround for app listening on IPv6 localhost via Sidecar api fails to route traffic to ::1 #47412

Closed
2 tasks done
jacob-delgado opened this issue Oct 17, 2023 · 2 comments · Fixed by #47440
Closed
2 tasks done

In dual stack mode, workaround for app listening on IPv6 localhost via Sidecar api fails to route traffic to ::1 #47412

jacob-delgado opened this issue Oct 17, 2023 · 2 comments · Fixed by #47440
Assignees
@jacob-delgado
Labels
area/dual-stack area/networking

Comments

@jacob-delgado
Copy link
Contributor

jacob-delgado commented Oct 17, 2023
edited by istio-policy-bot

Is this the right place to submit this?

  • This is not a security vulnerability or a crashing bug
  • This is not a question about how to use Istio

Bug Description

When you install Istio in dual-stack mode and have an application listening on IPv6 localhost (::1) then setting up a sidecar resource with the defaultEndpoint pointing to [::1]:PORT fails to setup the cluster endpoint appropriately.

If you apply the following

apiVersion: v1
kind: Namespace
metadata:
  labels:
    istio-injection: enabled
  name: ipv6-localhost
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: simpleserver
  namespace: ipv6-localhost
---
apiVersion: v1
kind: Service
metadata:
  name: simpleserver
  namespace: ipv6-localhost
  labels:
    app: simpleserver
    service: simpleserver
spec:
  ipFamilyPolicy: SingleStack
  ipFamilies:
  - IPv6
  ports:
  - name: http
    port: 8090
  selector:
    app: simpleserver
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: simpleserver
  namespace: ipv6-localhost
spec:
  replicas: 1
  selector:
    matchLabels:
      app: simpleserver
      version: v1
  template:
    metadata:
      labels:
        app: simpleserver
        version: v1
    spec:
      serviceAccountName: simpleserver
      containers:
      - image: jacodelg/simpleserver:ipv6-localhost
        imagePullPolicy: IfNotPresent
        name: simpleserver
        ports:
        - containerPort: 8090
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: simpleserver
  namespace: ipv6-localhost
spec:
  ingress:
  - defaultEndpoint: '[::1]:8090'
    port:
      name: http
      number: 8090
      protocol: HTTP

and try to access it over a sleep pod it fails to communicate

~ $ curl simpleserver.ipv6-localhost:8090
upstream connect error or disconnect/reset before headers. reset reason: remote connection failure, transport failure reason: delayed connect error: 111

This is due to the cluster for the inbound|8090||

setup as follows

[
    {
        "name": "inbound|8090||",
        "type": "STATIC",
        "connectTimeout": "10s",
        "loadAssignment": {
            "clusterName": "inbound|8090||",
            "endpoints": [
                {
                    "lbEndpoints": [
                        {
                            "endpoint": {
                                "address": {
                                    "socketAddress": {
                                        "address": "127.0.0.1",
                                        "portValue": 8090
                                    }
                                }
                            }
                        }
                    ]
                }
            ]
        },
        "circuitBreakers": {
            "thresholds": [
                {
                    "maxConnections": 4294967295,
                    "maxPendingRequests": 4294967295,
                    "maxRequests": 4294967295,
                    "maxRetries": 4294967295,
                    "trackRemaining": true
                }
            ]
        },
        "commonLbConfig": {}
    }
]

instead of pointing to

                    "lbEndpoints": [
                        {
                            "endpoint": {
                                "address": {
                                    "socketAddress": {
                                        "address": "::1",
                                        "portValue": 8090
                                    }
                                }
                            }
                        }
                    ]

Version

On master. Will test earlier versions too

Additional Information

No response
@jacob-delgado jacob-delgado self-assigned this Oct 17, 2023
@jacob-delgado
Copy link
Contributor Author

I will put up a fix for this shortly.

@jacob-delgado jacob-delgado mentioned this issue Oct 18, 2023
Merged
@hzxuzhonghu
Copy link
Member 

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: simpleserver
  namespace: ipv6-localhost
spec:
  ingress:
  - defaultEndpoint: '[::1]:8090'
    port:
      name: http
      number: 8090
      protocol: HTTP

Isn't this a port conflict?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jacob-delgado jacob-delgado

Labels
area/dual-stack area/networking
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Sidecar resources using defaultEndpoint can use ::1 in all cases
3 participants
@hzxuzhonghu @jacob-delgado @istio-policy-bot