This repository has been archived by the owner on Feb 16, 2019. It is now read-only.

Service Entry Not Working #392

Closed
infinitydon opened this issue Jun 14, 2018 · 9 comments

@infinitydon

Is this a BUG or FEATURE REQUEST?:

Did you review https://istio.io/help/ and existing issues to identify if this is already solved or being worked on?:

Bug:
Not sure

What Version of Istio and Kubernetes are you using, where did you get Istio from, Installation details

istioctl version
Version: 0.8.0
GitRevision: 6f9f420f0c7119ff4fa6a1966a6f6d89b1b4db84
User: root@48d5ddfd72da
Hub: docker.io/istio
GolangVersion: go1.10.1
BuildStatus: Clean


kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.7", GitCommit:"dd5e1a2978fd0b97d9b78e1564398aeea7e7fe92", GitTreeState:"clean", BuildDate:"2018-04-19T00:05:56Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.1", GitCommit:"3a1c9449a956b6026f075fa3134ff92f7d55f812", GitTreeState:"clean", BuildDate:"2018-01-04T11:40:06Z", GoVersion:"go1.9.2", Compiler

Is Istio Auth enabled or not ?
Auth is not enabled, I used istio-demo.yaml to install istio

What happened:
I tried to use the external example (ServiceEntry):

cat <<EOF | istioctl create -f -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
EOF

cat <<EOF | istioctl create -f -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google-ext
spec:
  hosts:
  - www.google.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
EOF

I keep getting errors when I try to curl from the sleep pod:

root@sleep-6ccf857cc6-b9jh4:/#  curl http://httpbin.org/headers -I
HTTP/1.1 503 Service Unavailable
content-length: 19
content-type: text/plain
date: Thu, 14 Jun 2018 10:40:20 GMT
server: envoy

root@sleep-6ccf857cc6-b9jh4:/# curl -I https://www.google.com
curl: (35) Unknown SSL protocol error in connection to www.google.com:443

Some log output from the istio proxy sidecar of the sleep pod:

[2018-06-14 11:00:39.419][14][info][upstream] external/envoy/source/server/lds_api.cc:60] lds: add/update listener 'tcp_0.0.0.0_443'
[2018-06-14T11:00:37.373Z] "HEAD /headers HTTP/1.1" 503 UH 0 19 0 - "-" "curl/7.35.0" "d06828ed-7fd6-9383-adad-170177b00427" "httpbin.org" "-"
[2018-06-14 11:01:40.298][14][info][upstream] external/envoy/source/common/upstream/cluster_manager_impl.cc:388] add/update cluster out.www.google.com|https starting warming
[2018-06-14 11:01:40.299][14][info][upstream] external/envoy/source/common/upstream/cluster_manager_impl.cc:395] warming cluster out.www.google.com|https complete

How to reproduce it:
I did a fresh install and followed the example guides.
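Reading the sidecar access-log line quoted above, as an added example that is not part of the original issue: it splits Envoy access-log lines into fields and explains the response flag (`UH` in the 503 reported here). It assumes Envoy's default access-log layout; the function names are hypothetical and the last sample line is constructed.

```python
import re

# Subset of Envoy's documented %RESPONSE_FLAGS% values.
RESPONSE_FLAGS = {
    "UH": "no healthy upstream hosts in the upstream cluster",
    "UF": "upstream connection failure",
    "UO": "upstream overflow (circuit breaking)",
    "NR": "no route configured for the request",
    "UT": "upstream request timeout",
    "UC": "upstream connection termination",
}

# Assumes Envoy's default access-log layout: [start] "METHOD PATH PROTO" code
# flags rx tx duration upstream_time "xff" "agent" "req-id" "authority" "upstream"
ACCESS_LOG = re.compile(
    r'^\[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<code>\d{3}) '
    r'(?P<flags>\S+) \d+ \d+ \d+ \S+ "[^"]*" "[^"]*" "[^"]*" '
    r'"(?P<authority>[^"]*)" "(?P<upstream_host>[^"]*)"$'
)

def parse_access_line(line):
    """Return the fields of one access-log line, or None for other proxy output."""
    m = ACCESS_LOG.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    rec["flags"] = [] if rec["flags"] == "-" else rec["flags"].split(",")
    return rec

def failed_requests(lines):
    """List (authority, code, flags, reasons, upstream_host) for failed requests."""
    findings = []
    for rec in filter(None, map(parse_access_line, lines)):
        if rec["code"] >= 500 or rec["flags"]:
            reasons = [RESPONSE_FLAGS.get(f, "unrecognised flag") for f in rec["flags"]]
            findings.append((rec["authority"], rec["code"], rec["flags"],
                             reasons, rec["upstream_host"]))
    return findings

SAMPLE = [
    # The first two lines are quoted from the issue; the third is constructed.
    "[2018-06-14 11:00:39.419][14][info][upstream] external/envoy/source/server/lds_api.cc:60] lds: add/update listener 'tcp_0.0.0.0_443'",
    '[2018-06-14T11:00:37.373Z] "HEAD /headers HTTP/1.1" 503 UH 0 19 0 - "-" "curl/7.35.0" "d06828ed-7fd6-9383-adad-170177b00427" "httpbin.org" "-"',
    '[2018-06-14T11:05:02.118Z] "GET /headers HTTP/1.1" 200 - 0 212 153 151 "-" "curl/7.35.0" "00000000-0000-0000-0000-000000000000" "httpbin.org" "192.0.2.10:80"',
]

if __name__ == "__main__":
    for finding in failed_requests(SAMPLE):
        print(finding)
```

For the line from the issue this reports `UH` with an upstream host of `-`: the sidecar generated the 503 itself because the cluster for `httpbin.org` had no healthy host to send the request to.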

@GregHanson
Member

@infinitydon Can you try explicitly setting the resolution type to DNS in your Service Entries?

cat <<EOF | istioctl create -f -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
EOF

cat <<EOF | istioctl create -f -
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google-ext
spec:
  hosts:
  - www.google.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
EOF

@infinitydon
Author

@GregHanson -- Thanks, it works now..

How do I know when to use the resolution:DNS ?

Because I followed the example exactly in the docs

@vadimeisenbergibm

It works for me without resolution: DNS, with istio-demo.yaml. Strange.

@GregHanson
Member

It's possible that there is a bug in the default resolution type NONE or how we are generating the envoy config in this case. In this case resolution type DNS just tells envoy to direct traffic to the host in hosts.

@infinitydon
Author

Cool.. the other thing that comes to my mind is that I am running this on AWS, and I really doubt if this should affect the deployment..
Thanks for the effort! Will go ahead and close this.

@roopagowda

Hi,

I am trying to connect to AWS RDS from an Istio environment.
Our application is a Java application.

My mysql ServiceEntry file is as follows:


apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: mysql-external
spec:
  hosts:
  - xxxxxxxxxxxxxxxxxxx.rds.amazonaws.com
  addresses:
  - XX.XX.XX.XX/32
  ports:
  - name: jdbc
    number: 3306
    protocol: tcp
  location: MESH_EXTERNAL

We are using the config file in application as follows:


...
....

sql_db_conn_url : "jdbc:mysql://rds_endpoint/inventory_management?autoReconnect=true&useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC&failOverReadOnly=false&maxReconnects=10&rewriteBatchedStatements=true"
sql_db_user :  "username"
sql_db_passwd : "password"
...
.....

I have created a service using a Service file as below:


apiVersion: v1
kind: Service
metadata:
  name: abc
  labels:
    app: abc
spec:
  ports:
  - port: 8080
    name: http
  selector:
    app: abc
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: abc
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: abc
        version: v1
    spec:
      containers:
      - name: abc
        image: 5550XXXXXXXXXXXXXXXXXXXXXXXXxx/test:mysql
        imagePullPolicy: IfNotPresent
        env:
          - name: DB_TYPE
            value: "mysql"
          - name: MYSQL_DB_HOST
            value: xxxxxxxxxxxxxxxxxxx.rds.amazonaws.com
          - name: MYSQL_DB_PORT
            value: "3306"  # env values must be strings, so the port is quoted
          - name: MYSQL_DB_USER
            value: user
          - name: MYSQL_DB_PASSWORD
            value: password
        ports:
        - containerPort: 8080

When I try to connect to the database, I get the error below:

{"@timestamp":"2018-10-15T11:04:25.381+0000","@message":"com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@3f24bdc4 -- Acquisition Attempt Failed!!! Clearing pending acquires. While trying to acquire a needed new resource, we failed to succeed more than the maximum number of allowed acquisition attempts (30). Last acquisition attempt exception: ","@source":"com.mchange.v2.resourcepool.BasicResourcePool","@source_host":"pqinventory-v1-795965f574-h9lnc","@fields":{"timestamp":1539601465381,"level":"WARNING","line_number":315,"class":"com.mchange.v2.resourcepool.BasicResourcePool","method":"","exception_class":"java.sql.SQLException","exception_message":"No suitable driver","stacktrace":"java.sql.SQLException: No suitable driver\n\tat java.sql.DriverManager.getDriver(DriverManager.java:315)\n\tat com.mchange.v2.c3p0.DriverManagerDataSource.driver(DriverManagerDataSource.java:285)\n\tat com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:175)\n\tat com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:220)\n\tat com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206)\n\tat com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203)\n\tat com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1138)\n\tat com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1125)\n\tat com.mchange.v2.resourcepool.BasicResourcePool.access$700(BasicResourcePool.java:44)\n\tat com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask.run(BasicResourcePool.java:1870)\n\tat com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696)\n"}

Please let me know how to resolve the RDS and how to connect to RDS.

@vadimeisenbergibm

Can you try to call the port something like tcp-jdbc?

@roopagowda

Thanks for the quick response Sir.

I have changed it like this:


ports:
  - name: tcp-jdbc
    number: 3306
    protocol: tcp

Even then I am ending up with the error, Sir.

@vadimeisenbergibm

@roopagowda

Here is an example of connecting to an external MySQL instance: https://preliminary.istio.io/blog/2018/egress-tcp/

Can you try to connect by using mysql command line or telnet?
