This repository has been archived by the owner on Feb 16, 2019. It is now read-only.

EgressRule not working for AMQP (RabbitMQ) #394

Open
sebastian-garofalo opened this issue Jun 25, 2018 · 4 comments

@sebastian-garofalo
sebastian-garofalo commented Jun 25, 2018

Hi

We are trying to connect to a RabbitMQ running outside the Istio mesh, but we get connection reset errors constantly.
RabbitMQ logs report the error: {bad_header,<<22,3,1,0,138,1,0,0>>}

The egress rule we are using is:

apiVersion: config.istio.io/v1alpha2
kind: EgressRule
metadata:
  name: rabbit-egress
  namespace: poc
spec:
  destination:
    service: "rabbitmq.*"
  ports:
  - port: 5672
    protocol: tcp

Do you know if I'm missing something? I was told in #37 that this should be working already on Istio 0.8.0

Thanks

@vadimeisenbergibm
@sebastian-garofalo Do you use TLS for your RabbitMQ? If so, you can specify the protocol as HTTPS, see https://istio.io/docs/tasks/traffic-management/egress/#configuring-the-external-services, the google.com example.

However, note that you can use the wildcard only as a prefix, like *.example.com.

If you do not use TLS for your RabbitMQ, you have to specify IP ranges instead of domain names for a TCP ServiceEntry (the new configuration item in Istio 0.8.0, instead of EgressRules). See this example configuration: https://github.com/istio/istio/blob/b6fa713dc8356cb49bbc1bda37f2fd9b5bce1e31/tests/e2e/tests/pilot/testdata/v1alpha3/serviceentry-tcp-wikipedia-cidr.yaml
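
Added example (not part of the original thread, and not Istio or RabbitMQ code): the eight bytes in the `bad_header` term quoted in the issue, decoded in Python. They parse as the start of a TLS handshake record carrying a ClientHello rather than the AMQP 0-9-1 protocol header `AMQP\x00\x00\x09\x01`, which is the distinction the TLS question above turns on; the function names and the two extra sample inputs are constructed for illustration.

```python
import re

AMQP_091_HEADER = b"AMQP\x00\x00\x09\x01"  # what an AMQP 0-9-1 client sends first
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}


def parse_bad_header(log_line):
    """Extract the bytes from an Erlang term like {bad_header,<<22,3,1,...>>}."""
    m = re.search(r"\{bad_header,\s*<<([\d,\s]*)>>\}", log_line)
    if m is None:
        raise ValueError("no bad_header term in line")
    return bytes(int(n) for n in m.group(1).split(",") if n.strip())


def classify_first_bytes(data):
    """Guess which protocol opened the connection from its first bytes."""
    if data.startswith(b"AMQP"):
        if data[:8] == AMQP_091_HEADER:
            return {"protocol": "amqp", "detail": "AMQP 0-9-1 protocol header"}
        return {"protocol": "amqp", "detail": "AMQP header, other version"}
    # TLS record header: content type (1), version (2), length (2, big-endian)
    if len(data) >= 5 and data[0] in TLS_CONTENT_TYPES and data[1] == 3 and data[2] <= 4:
        info = {
            "protocol": "tls",
            "record_type": TLS_CONTENT_TYPES[data[0]],
            "record_version": (data[1], data[2]),
            "record_length": int.from_bytes(data[3:5], "big"),
        }
        if data[0] == 22 and len(data) >= 6:
            # First byte of the handshake message is its type
            info["handshake_type"] = TLS_HANDSHAKE_TYPES.get(data[5], "type %d" % data[5])
        return info
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD", b"CONNECT", b"PRI"):
        return {"protocol": "http", "detail": "HTTP request line"}
    return {"protocol": "unknown", "detail": data.hex()}


if __name__ == "__main__":
    # Log term as quoted in the issue; the other two inputs are constructed samples.
    line = "{bad_header,<<22,3,1,0,138,1,0,0>>}"
    print(classify_first_bytes(parse_bad_header(line)))
    print(classify_first_bytes(AMQP_091_HEADER))
    print(classify_first_bytes(b"GET / HT"))
```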

@sebastian-garofalo
Author

@vadimeisenbergibm thanks for the suggestions, sadly can't get it working.

We aren't using TLS, I tried with the following service entry:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: rabbit-se
spec:
  hosts:
  - rabbitmq.poc-ext.svc.cluster.local
  addresses:
  - 10.1.0.189/24
  ports:
    - number: 5672
      protocol: TCP
      name: rabbit-port
  resolution: NONE
  location: MESH_EXTERNAL

And I still get the connections reset constantly.

We have the rabbitMQ running in another kubernetes namespace that is outside the Istio mesh.
I tried a lot of variations of the aforementioned config file and nothing seems to work.
I even completely removed the addresses section to force it to forward all the traffic to 5672 port, but that didn't work either.

We tried the app and connecting via telnet to rabbit outside of the Istio mesh and it works.

Any ideas?

Thanks in advance

@vadimeisenbergibm
@sebastian-garofalo Sorry, I missed your comment. For Kubernetes services in the same cluster you do not need to create ServiceEntries. Can you paste here the spec of your rabbitmq Kubernetes Service?

Note the requirements for service port names https://istio.io/docs/setup/kubernetes/spec-requirements/, you should call the port of your service something like tcp-rabbitmq.

@dioniseo
dioniseo commented Jan 15, 2019

+1 we have exactly the same case and similar error.

@sebastian-garofalo, did you resolve these issues?

@vadimeisenbergibm in our case we have the following kubernetes service spec:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: rabbitmq
  name: rabbitmq
  namespace: project1
spec:
  clusterIP: None
  ports:
  - name: tcp-rabbitmq
    port: 5672
    protocol: TCP
    targetPort: 5672
  selector:
    app: rabbitmq

Thank you for your help,
Denis
