Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rmq pods do not form cluster with istio 1.6.8 mtls #3

Open
satishmane opened this issue Aug 28, 2020 · 1 comment
Open

rmq pods do not form cluster with istio 1.6.8 mtls #3

satishmane opened this issue Aug 28, 2020 · 1 comment

Comments

@satishmane
Copy link

satishmane commented Aug 28, 2020
edited
Loading

Hi @arielb135

Your example was quite good to understand. I setup accordingly. but still 3 pod rmq cluster does not form. I can see only one pod in cluster. Am I missing something?

`apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
name: dp-rabbitmq
namespace: dp
spec:
selector:
matchLabels:
app: rabbitmq
mtls:
mode: STRICT
portLevelMtls: #{}
4369:
mode: DISABLE

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
labels:
app: rabbitmq
release: dp-rabbitmq
name: rabbitmq
namespace: dp
spec:
hosts:

  • dp-rabbitmq-0.dp-rabbitmq-discovery.dp.svc.cluster.local
  • dp-rabbitmq-1.dp-rabbitmq-discovery.dp.svc.cluster.local
  • dp-rabbitmq-2.dp-rabbitmq-discovery.dp.svc.cluster.local
    location: MESH_INTERNAL
    ports:
  • name: http
    number: 15672
    protocol: TCP
  • name: amqp
    number: 5672
    protocol: TCP
  • name: epmd
    number: 4369
    protocol: TCP
  • name: mqtt
    number: 1883
    protocol: TCP
  • name: mqtt-ssl
    number: 8883
    protocol: TCP
    resolution: NONE

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
labels:
app: dp-rabbitmq
release: rabbitmq
name: rabbitmq-pod-level-mtls
namespace: dp
spec:
host: '.dp-rabbitmq-discovery.dp.svc.cluster.local'
exportTo:
- ""
trafficPolicy:
tls:
mode: ISTIO_MUTUAL

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
labels:
app: dp-rabbitmq
release: rabbitmq
name: rabbitmq-service-level-mtls
namespace: dp
spec:
host: 'dp-rabbitmq.dp.svc.cluster.local'
trafficPolicy:
tls:
mode: ISTIO_MUTUAL

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
labels:
app: dp-rabbitmq
release: rabbitmq
name: rabbitmq-headless-service-level-mtls
namespace: dp
spec:
host: 'dp-rabbitmq-discovery.dp.svc.cluster.local'
trafficPolicy:
portLevelSettings:
- port:
number: 4369
tls:
mode: DISABLE
tls:
mode: ISTIO_MUTUAL `
@matthewd98
Copy link

matthewd98 commented Jan 20, 2021
edited
Loading

The only thing I needed to do to get RabbitMQ clusters to work within Istio is to annotate the RabbitMQ pods as such:

apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
spec:
  override:
  statefulSet:
    spec:
      template:
        metadata:
          annotations:
            #annotate rabbitMQ pods to only redirect traffic on ports 15672 and 5672 to Envoy proxy sidecars.
            **traffic.sidecar.istio.io/includeInboundPorts: "15672, 5672"          
            traffic.sidecar.istio.io/includeOutboundPorts: "15672, 5672"**

For some reason the exclude port annotations weren't working so I just flipped it by using include port annotations. In my case, the global Istio config is controlled by another team in the company so perhaps there's a clash when trying to use the exclude port annotations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@satishmane @matthewd98