Closed dustbort closed 3 years ago
I've run into this issue too. Have you solved it yet?
Same here, I replaced Istio Policies with PeerAuthentication as below but the openfaas gateway keeps failing.
Istio PeerAuthentication
```yaml
# Source: openfaas/templates/istio-mtls.yaml
# enforce mTLS to openfaas control plane
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: openfaas
spec:
  mtls:
    mode: STRICT
---
# Source: openfaas/templates/istio-mtls.yaml
# enforce mTLS to functions
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: openfaas-fn
spec:
  mtls:
    mode: STRICT
```
openfaas gateway logs
```
&{0xc00008d1a0}
2020/11/03 17:55:23 HTTP Read Timeout: 1m5s
2020/11/03 17:55:23 HTTP Write Timeout: 1m5s
2020/11/03 17:55:23 Binding to external function provider: http://127.0.0.1:8081/
2020/11/03 17:55:23 Async enabled: Using NATS Streaming.
2020/11/03 17:55:23 Opening connection to nats://nats.openfaas.svc.cluster.local:4222
2020/11/03 17:55:23 Connect: nats://nats.openfaas.svc.cluster.local:4222
2020/11/03 17:55:25 read tcp 10.10.36.117:58768->10.10.10.145:4222: i/o timeout
```
openfaas queue-worker logs
```
Loading basic authentication credentials
Starting queue-worker. Version: 0.11.2 Git Commit: de4adf202a38a031701f0bb698c1ea3b202ca93e
Connect: nats://nats.openfaas.svc.cluster.local:4222
can't connect to nats://nats.openfaas.svc.cluster.local:4222: read tcp 10.10.33.254:59962->10.10.10.145:4222: i/o timeout
panic: can't connect to nats://nats.openfaas.svc.cluster.local:4222: read tcp 10.10.33.254:59962->10.10.10.145:4222: i/o timeout
goroutine 1 [running]:
log.Panic(0xc000111da8, 0x1, 0x1)
	/usr/local/go/src/log/log.go:338 +0xac
main.main()
	/go/src/github.com/openfaas/nats-queue-worker/main.go:212 +0x6a3
```
cc: @stefanprodan @alexellis
/lock: inactive. Feel free to raise a new issue if this is still required by anyone.
Expected Behaviour
`kubectl apply -f openfaas.yaml` should run without errors.
Current Behaviour
`kubectl apply -f openfaas.yaml` outputs errors:
unable to recognize "openfaas.yaml": no matches for kind "Policy" in version "authentication.istio.io/v1alpha1"
Possible Solution
It seems that Istio policy enforcement is deprecated, so this helm chart may need to be updated to be compatible with Istio. https://istio.io/docs/tasks/policy-enforcement/
Steps to Reproduce (for bugs)
Context
I want to enable mTLS for mesh security so that I can host functions written by external parties and prevent them from snooping network traffic.
Your Environment
faas-cli version:
```
CLI:
 commit: f7c29ea19b5df9d7aa87e9c70aacf4d9315da2cd
 version: 0.12.4
```
```
Client:
 Version: 19.03.11-ce
 API version: 1.40
 Go version: go1.14.3
 Git commit: 42e35e61f3
 Built: Tue Jun 2 15:09:26 2020
 OS/Arch: linux/amd64
 Experimental: false
Server:
 Engine:
  Version: 19.03.10-ce
  API version: 1.40 (minimum version 1.12)
  Go version: go1.14.3
  Git commit: 9424aeaee9
  Built: Fri May 29 11:14:15 2020
  OS/Arch: linux/amd64
  Experimental: false
 containerd:
  Version: v1.3.4.m
  GitCommit: d76c121f76a5fc8a462dc64594aea72fe18e1178.m
 runc:
  Version: 1.0.0-rc10
  GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version: 0.18.0
  GitCommit: fec3683
```
```
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"archive", BuildDate:"2020-05-22T20:04:08Z", GoVersion:"go1.14.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.5+k3s1", GitCommit:"58ebdb2a2ec5318ca40649eb7bd31679cb679f71", GitTreeState:"clean", BuildDate:"2020-05-06T23:43:23Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
```
```
Kernel : Linux 5.4.43-1-MANJARO (x86_64)
Version : #1 SMP PREEMPT Wed May 27 20:25:12 UTC 2020
C Library : GNU C Library / (GNU libc) 2.31
Distribution : Manjaro Linux
```
```
istioctl install \
  --set addonComponents.grafana.enabled=true \
  --set meshConfig.disablePolicyChecks=false \
  --set values.pilot.policy.enabled=true
```
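A pre-apply check for the failure reported in this issue, added here as an example (it is not part of the issue or of the OpenFaaS chart): it scans a rendered manifest for resources still on `authentication.istio.io/v1alpha1` and reports the mTLS mode each `PeerAuthentication` sets per namespace. The sample manifest is constructed, the function names are hypothetical, and the parser assumes 2-space-indented YAML as Helm renders it.

```python
import re

# API group/version named in the kubectl error quoted in this issue.
REMOVED_API = "authentication.istio.io/v1alpha1"

# Constructed sample (not real chart output): one legacy Policy and one
# PeerAuthentication shaped like the one posted in the thread.
SAMPLE = """\
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: openfaas
spec:
  peers:
  - mtls: {}
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: openfaas-fn
spec:
  mtls:
    mode: STRICT
"""

def field(doc, key, indent):
    """Return the scalar value of `key` at exactly `indent` spaces, or None."""
    m = re.search(rf"^{' ' * indent}{key}:[ \t]*(\S+)", doc, re.MULTILINE)
    return m.group(1).strip("\"'") if m else None

def audit(manifest):
    """Return (legacy resources on the removed API, {namespace: mTLS mode})."""
    legacy, modes = [], {}
    for doc in re.split(r"^---\s*$", manifest, flags=re.MULTILINE):
        api, kind = field(doc, "apiVersion", 0), field(doc, "kind", 0)
        ns, name = field(doc, "namespace", 2), field(doc, "name", 2)
        if api == REMOVED_API:
            legacy.append((kind, ns, name))
        elif kind == "PeerAuthentication":
            # An omitted mode is recorded as UNSET (inherited), not guessed.
            modes[ns] = field(doc, "mode", 4) or "UNSET"
    return legacy, modes

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty first element means `kubectl apply` will reject the manifest on clusters where that API is no longer served; the second shows which namespaces end up with STRICT mTLS.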