istio / old_issues_repo

Deprecated issue-tracking repo, please post new issues or feature requests to istio/istio instead.

EgressRule not working for AMQP (RabbitMQ) #394

Open sebastian-garofalo opened 6 years ago

sebastian-garofalo commented 6 years ago

Hi

we are trying to connect to a RabbitMQ running outside the Istio mesh, but we get connection reset errors constantly. RabbitMQ logs report the error: {bad_header,<<22,3,1,0,138,1,0,0>>}

The egress rule we are using is:

apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
  name: rabbit-egress
  namespace: poc
spec:
  destination:
    service: "rabbitmq.*"
  ports:
  - port: 5672
    protocol: tcp

Do you know if I'm missing something? I was told in #37 that this should be working already on Istio 0.8.0

Thanks

vadimeisenbergibm commented 6 years ago

@sebastian-garofalo Do you use TLS for your RabbitMQ? If so, you can specify the protocol as HTTPS, see https://istio.io/docs/tasks/traffic-management/egress/#configuring-the-external-services, the google.com example.

However, note that you can use the wildcard only as a prefix, like *.example.com.

If you do not use TLS for your RabbitMQ, you have to specify IP ranges instead of domain names for a TCP ServiceEntry (the new configuration item in Istio 0.8.0, instead of EgressRules). See this example configuration https://github.com/istio/istio/blob/b6fa713dc8356cb49bbc1bda37f2fd9b5bce1e31/tests/e2e/tests/pilot/testdata/v1alpha3/serviceentry-tcp-wikipedia-cidr.yaml
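The byte list in the bad_header error from the first post can be decoded directly. This is an added example, not part of the original thread and not Istio or RabbitMQ code; it parses the logged Erlang binary and reports whether the bytes look like an AMQP protocol header or a TLS record. The function names are illustrative assumptions.

```python
# Added example: classify the first bytes a RabbitMQ listener rejected.
import re

AMQP_PREFIX = b"AMQP"  # an AMQP protocol header starts with these 4 bytes
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}


def parse_bad_header(log_line):
    """Extract the bytes from an Erlang term like {bad_header,<<22,3,1,...>>}."""
    m = re.search(r"bad_header,\s*<<([\d,\s]*)>>", log_line)
    if not m:
        raise ValueError("no numeric bad_header binary found")
    return bytes(int(b) for b in m.group(1).split(",") if b.strip())


def classify(header):
    """Return a dict describing what protocol the leading bytes belong to."""
    if header[:4] == AMQP_PREFIX:
        return {"kind": "amqp", "version_bytes": list(header[4:8])}
    # TLS record header: content type, version major 3, minor 0..4, 2-byte length
    if (len(header) >= 5 and header[0] in TLS_CONTENT_TYPES
            and header[1] == 3 and header[2] <= 4):
        info = {
            "kind": "tls",
            "content_type": TLS_CONTENT_TYPES[header[0]],
            "record_version": (header[1], header[2]),
            "record_length": int.from_bytes(header[3:5], "big"),
        }
        # For handshake records the next byte is the handshake message type
        if header[0] == 22 and len(header) >= 6:
            info["handshake_type"] = TLS_HANDSHAKE_TYPES.get(
                header[5], "type %d" % header[5])
        return info
    return {"kind": "unknown"}


# The error term quoted in the issue
SAMPLE = "{bad_header,<<22,3,1,0,138,1,0,0>>}"

if __name__ == "__main__":
    print(classify(parse_bad_header(SAMPLE)))
```

For the bytes in this issue the result is a TLS handshake record (ClientHello, record length 138), meaning the peer opened the connection to the plaintext AMQP port 5672 with a TLS handshake.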

sebastian-garofalo commented 6 years ago

@vadimeisenbergibm thanks for the suggestions, sadly can't get it working.

We aren't using TLS; I tried with the following service entry:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: rabbit-se
spec:
  hosts:
  - rabbitmq.poc-ext.svc.cluster.local
  addresses:
  - 10.1.0.189/24
  ports:
    - number: 5672
      protocol: TCP
      name: rabbit-port
  resolution: NONE
  location: MESH_EXTERNAL

And I still get the connections reset constantly.

We have RabbitMQ running in another Kubernetes namespace that is outside the Istio mesh. I tried a lot of variations of the aforementioned config file and nothing seems to work. I even completely removed the addresses section to force it to forward all the traffic to port 5672, but that didn't work either.

We tried the app and connecting via telnet to rabbit outside of the Istio mesh and it works.

Any ideas?

Thanks in advance

vadimeisenbergibm commented 5 years ago

@sebastian-garofalo Sorry, I missed your comment. For Kubernetes services in the same cluster you do not need to create ServiceEntries. Can you paste here the spec of your rabbitmq Kubernetes Service?

Note the requirements for service port names https://istio.io/docs/setup/kubernetes/spec-requirements/, you should call the port of your service something like tcp-rabbitmq.

dioniseo commented 5 years ago

+1 we have exactly the same case and similar error.

@sebastian-garofalo , did you resolve these issues?

@vadimeisenbergibm in our case we have the following kubernetes service spec:

apiVersion: v1
kind: Service
labels:
  app: rabbitmq
name: rabbitmq
namespace: project1
spec:
  clusterIP: None
  ports:

Thank you for your help, Denis