istio / old_issues_repo

Deprecated issue-tracking repo, please post new issues or feature requests to istio/istio instead.

Conflict between tcp and https EgressRules with the same port #215

Open sbueringer opened 6 years ago

sbueringer commented 6 years ago

Is this a BUG or FEATURE REQUEST?: BUG

Did you review https://istio.io/help/ and existing issues to identify if this is already solved or being worked on?:

Bug: Y

What Version of Istio and Kubernetes are you using, where did you get Istio from, Installation details

istioctl version
kubectl version

0.5.1 1.9.3

Is Istio Auth enabled or not ? istio-auth.yaml

What happened: I want to enable access to two external services via EgressRules. The first one is accessible via https so that can be achieved with a regular https EgressRule. The second one can only be accessed with mutual TLS, so my application has to access the external service directly. Therefore, I tried to use an EgressRule with protocol tcp. Both listen on port 443. I deployed the following EgressRules:

apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
 name: firstrule
spec:
 destination:
   service: google.com
 ports:
 - port: 443
   protocol: https
---
apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
 name: secondrule
spec:
 destination:
   service: 55.15.87.14
 ports:
 - port: 443
   protocol: tcp

Unfortunately the EgressRules don't work and the following error can be found in the pilot log:

* rule egress-rule/default/firstrule is rejected since it conflicts rules [egress-rule/default/secondrule] on port 443, protocol HTTP vs. protocol TCP

What you expected to happen:

Both EgressRules should work together.

How to reproduce it: Deploy the EgressRules from above and look at the istio-pilot log.

msogrin commented 6 years ago

I think I also saw this issue when trying to work around #211. I saw that https rule stopped working when both https and tcp rules were added, but https rule worked fine when tcp rule was deleted.

If this issue gets fixed, it will probably be a suitable resolution of #211.

vadimeisenbergibm commented 6 years ago

@sbueringer This is the current design of Istio, due to limitations of Envoy - you cannot mix TCP and HTTP protocols on the same port. It is described here - https://github.com/istio/istio/blob/master/pilot/pkg/proxy/envoy/v1/config.go#L698.

The workaround is to specify TCP for the firstrule Egress Rule, or to deploy the second external service to a different port.
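
A pre-deployment check for the port conflict discussed above, as an added example that is not part of the original thread and not Istio's own code. The `EgressPort` type, `family` and `FindConflicts` are hypothetical names; treating every non-`tcp` protocol as HTTP is an assumption based on the pilot log line, which reports the `https` rule as "protocol HTTP".

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// EgressPort is a hypothetical, minimal model of one spec.ports[] entry of an EgressRule.
type EgressPort struct {
	Rule, Protocol string // metadata.name and spec.ports[].protocol
	Port           int
}

// family maps a protocol to the class in the pilot log (assumption: non-tcp means HTTP).
func family(protocol string) string {
	if strings.EqualFold(protocol, "tcp") {
		return "TCP"
	}
	return "HTTP"
}

// FindConflicts reports each pair of rules that shares a port but mixes TCP and HTTP.
func FindConflicts(entries []EgressPort) []string {
	byPort := map[int][]EgressPort{}
	for _, e := range entries {
		byPort[e.Port] = append(byPort[e.Port], e)
	}
	var out []string
	for port, group := range byPort {
		for i, a := range group {
			for _, b := range group[i+1:] {
				if family(a.Protocol) != family(b.Protocol) {
					out = append(out, fmt.Sprintf("port %d: %s (%s) conflicts with %s (%s)",
						port, a.Rule, family(a.Protocol), b.Rule, family(b.Protocol)))
				}
			}
		}
	}
	sort.Strings(out) // map iteration order is random; keep the report stable
	return out
}

func main() {
	// Constructed input mirroring the two rules from the report.
	rules := []EgressPort{{"firstrule", "https", 443}, {"secondrule", "tcp", 443}}
	for _, c := range FindConflicts(rules) {
		fmt.Println(c)
	}
}
```

Running the same check with both rules set to `tcp`, or with the second rule on a different port, returns no conflicts, which matches the two workarounds in the comment above.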

msogrin commented 6 years ago

@vadimeisenbergibm please note that the same port here refers to the standard HTTPS port of different external services. It's not for us to deploy those external services at different ports.