
excludeOutboundPorts to facilitate headless data stores #9632

Closed

Stono opened this issue Oct 30, 2018 · 5 comments

Comments

@Stono (Contributor)

Stono commented Oct 30, 2018

Hey,
So we are still trying to fight istio to manage to use headless services within our cluster, and I know this causes pain for many other people (see the numerous issues).

The latest example is kafka, in which clients need to be able to connect to:

  • kafka-0.headless-service.namespace.svc.cluster.local:9092
  • kafka-1.headless-service.namespace.svc.cluster.local:9092
  • kafka-2.headless-service.namespace.svc.cluster.local:9092

All of the options we've talked about in the past aren't great, and are largely cluster wide and quite clumsy.

I'm wondering if it would be possible to add an excludeOutboundPorts option to proxy_init; this would just resolve the problems of talking to headless services on specific ports (e.g. redis, mongo, kafka, etc.) for specific clients.

It seems like a decent addition as we already have:

  • traffic.sidecar.istio.io/includeOutboundIPRanges
  • traffic.sidecar.istio.io/excludeOutboundIPRanges
  • traffic.sidecar.istio.io/includeInboundPorts
  • traffic.sidecar.istio.io/excludeInboundPorts
@Stono Stono changed the title excludeOutboundPorts excludeOutboundPorts to facilitate headless data stores Oct 30, 2018
@Stono (Contributor, Author)

Stono commented Oct 30, 2018

Hmm,
I don't know if this is a side effect or not, but creating a DestinationRule for the headless service

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: disable-mtls-to-kafka-headless
spec:
  host: kafka-headless.kafka.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE

Successfully allows me to connect to kafka-0.kafka-headless.kafka.svc.cluster.local:9092 from pods which have an istio-proxy container. I swear, this used to throw 404s.

Has anything changed in recent istio versions which now registers headless services with istio? (issues such as #8883, #7563, #7558)

@Stono (Contributor, Author)

Stono commented Oct 30, 2018

Ah, so interestingly, this only works when you're not using an http service: a tcp service with the above DestinationRule works fine, an http service does not.

inserts usual feedback about headless services, tcp ports and http services being extremely confusing and unclear

@Stono (Contributor, Author)

Stono commented Nov 5, 2018

Another use case: I don't want istio-proxy to intercept DNS requests at all.

It'd be nice to be able to do excludeOutboundPorts: 53
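The two requests in this thread (bypassing the sidecar for specific destination ports such as kafka's 9092, and leaving port 53 alone) both come down to where a port-based RETURN sits in proxy_init's ISTIO_OUTPUT nat chain relative to the broad includeOutboundIPRanges redirect. The model below is an added example written for this page, not Stono's code and not Istio's own iptables script: the chain layout is simplified, the uid 1337, the Envoy outbound port 15001 and the sample destination addresses are assumptions, and the stand-alone rules are built in memory and evaluated in first-match order so the effect of an excludeOutboundPorts option can be checked without a cluster. Only TCP is modelled, because these nat REDIRECT rules matched TCP only, so UDP DNS was never captured by them; DNS over TCP to port 53 would be. Istio later shipped a traffic.sidecar.istio.io/excludeOutboundPorts annotation that does what this option proposes.

```python
"""Model of proxy_init's ISTIO_OUTPUT nat chain extended with the proposed
excludeOutboundPorts option. Illustrative code for this thread, not Istio's
script: chain shape, uid and port numbers below are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ENVOY_OUTBOUND_PORT = 15001  # assumed: Envoy's outbound listener port (Istio 1.0.x)
PROXY_UID = 1337             # assumed: uid the istio-proxy container runs as


@dataclass(frozen=True)
class Rule:
    """One iptables rule; every match that is set must hold for it to fire."""
    target: str
    dport: Optional[int] = None      # -p tcp --dport N
    dst: Optional[str] = None        # -d CIDR
    uid: Optional[int] = None        # -m owner --uid-owner N
    out_iface: Optional[str] = None  # -o IFACE

    def render(self) -> str:
        """Render the rule as the argument string of an iptables -t nat call."""
        parts = ["-A ISTIO_OUTPUT"]
        if self.out_iface is not None:
            parts.append(f"-o {self.out_iface}")
        if self.uid is not None:
            parts.append(f"-m owner --uid-owner {self.uid}")
        if self.dport is not None:
            parts.append(f"-p tcp --dport {self.dport}")
        if self.dst is not None:
            parts.append(f"-d {self.dst}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)

    def matches(self, dst_ip: str, dport: int, uid: int, out_iface: str) -> bool:
        if self.out_iface is not None and self.out_iface != out_iface:
            return False
        if self.uid is not None and self.uid != uid:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.dst is not None and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        return True


def build_istio_output(include_ip_ranges: List[str],
                       exclude_ip_ranges: List[str],
                       exclude_ports: List[int]) -> List[Rule]:
    """Build ISTIO_OUTPUT in first-match order. Excludes come before the
    includes so a port or range bypass always wins over the broad redirect,
    which is what excludeOutboundPorts needs for kafka:9092 or DNS:53."""
    rules = [
        Rule("RETURN", uid=PROXY_UID),   # Envoy's own upstream connections must not loop back
        Rule("RETURN", out_iface="lo"),  # leave loopback alone (simplified)
    ]
    rules += [Rule("RETURN", dport=p) for p in exclude_ports]          # proposed option
    rules += [Rule("RETURN", dst=c) for c in exclude_ip_ranges]        # excludeOutboundIPRanges
    rules += [Rule("ISTIO_REDIRECT", dst=c) for c in include_ip_ranges]  # includeOutboundIPRanges
    rules.append(Rule("RETURN"))  # anything not included is not intercepted
    return rules


def decide(rules: List[Rule], dst_ip: str, dport: int,
           uid: int = 1000, out_iface: str = "eth0") -> str:
    """Walk the chain the way netfilter would and return the terminating target."""
    for rule in rules:
        if rule.matches(dst_ip, dport, uid, out_iface):
            return rule.target
    return "RETURN"


def redirected_to_envoy(rules: List[Rule], dst_ip: str, dport: int, uid: int = 1000) -> bool:
    """True if a TCP connection to dst_ip:dport would be REDIRECTed to Envoy."""
    return decide(rules, dst_ip, dport, uid) == "ISTIO_REDIRECT"


def render_script(rules: List[Rule]) -> List[str]:
    """Full nat-table command list, including the ISTIO_REDIRECT chain."""
    script = [f"iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-port {ENVOY_OUTBOUND_PORT}"]
    script += ["iptables -t nat " + r.render() for r in rules]
    return script


if __name__ == "__main__":
    # Constructed sample config: intercept everything except the metadata
    # endpoint range, kafka's broker port and DNS.
    chain = build_istio_output(["0.0.0.0/0"], ["169.254.169.254/32"], [9092, 53])
    for line in render_script(chain):
        print(line)
    print(redirected_to_envoy(chain, "10.8.1.23", 9092))  # kafka-0 pod IP (constructed): bypassed
    print(redirected_to_envoy(chain, "10.8.1.23", 8080))  # plain HTTP: intercepted
```

The ordering is the whole point: a `--dport 9092 -j RETURN` placed after the `-d 0.0.0.0/0 -j ISTIO_REDIRECT` rule would never be reached, so an excludeOutboundPorts implementation has to emit its RETURNs before the include ranges, exactly as excludeOutboundIPRanges already does.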

@stale

stale bot commented Feb 7, 2019

This issue has been automatically marked as stale because it has not had activity in the last 90 days. It will be closed in the next 30 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Feb 7, 2019
@stale

stale bot commented Mar 9, 2019

This issue has been automatically closed because it has not had activity in the last month and a half. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.
