Nats-Operator incompatible with istio? #88
Comments
One more detail: I am running with sidecars enabled, and the NATS pods get properly injected with the istio-proxy container, which is healthy.
NATS protocol requires direct connectivity to peers when trying to establish routes. With Istio, you are introducing a proxy (actually, two!) in between peers. You shouldn't do that! Since I'm not versed in Istio, I don't have a concrete answer for you but I'm thinking that maybe this thread will help.
One way to support Istio would be to create services with manually managed endpoints. The service's name would be the pod name and the selector wouldn't be set, allowing the operator to create an endpoint manually. Deletion of the service as well as the endpoint would be handled by the automatic garbage collection by setting the owner of these to the pod. I'm currently doing that in one of our internal operators and it's quite painless. What I don't know is a) whether it's worth it (🙈) and b) what else would need updating with regards to discovery and the certificate SANs (grasping at straws here as I didn't have time to read the whole source yet). If Istio's configured to do mTLS then the whole TLS handling could be disabled in the operator because it'd be handled transparently by Istio. In that case you'd gain the metrics generation via Istio while still being secure. Would anything stand in the way of taking a stab at implementing that? /cc @pires
@therealmitchconnors take a look at #111 to get it to work for now.
Making use of Istio to monitor NATS traffic would be great! Take note that I'm currently experimenting with NATS on OpenShift + Istio + Kiali (https://www.kiali.io/).
That issue was also raised on the Istio project side: istio/old_issues_repo#338
Hey all, just wanted to put this here for the record. I just spun up a nats cluster using this operator. I created the istio Here are the virtual service definitions:

```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nats
spec:
  hosts:
  - nats-cluster.nats.svc.cluster.local
  tcp:
  - match:
    - port: 4222
    route:
    - destination:
        host: nats-cluster.nats.svc.cluster.local
        port:
          number: 4222
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nats-management
spec:
  hosts:
  - nats-cluster-mgmt.nats.svc.cluster.local
  tcp:
  - match:
    - port: 8222
    route:
    - destination:
        host: nats-cluster-mgmt.nats.svc.cluster.local
        port:
          number: 8222
  - match:
    - port: 6222
    route:
    - destination:
        host: nats-cluster-mgmt.nats.svc.cluster.local
        port:
          number: 6222
```
Hi! @thedodd did you have sidecar injected? I'm struggling currently with the same issue but I have sidecar enabled.
@piotrmsc, struggling with the same issue, client requests failing, tried using tcp protocol for virtualservice and serviceentry but wasn't able to succeed. Any solution that you found? Here are my configurations:
@thedodd I tried your solution, but it did not work for me. Were the istio sidecars injected to your NATS pods?
From a first glance I was noticing that I wasn't getting a response over telnet (with istio-sidecar) Little telnet debug no response
Telnet with a PING -> instant response
Interesting istio thinks it's HTTP raw_buffer:
Istio Explicit Port Selection helped me. Here the service for nats doesn't declare tcp or tls. If they added appProtocol explicitly for k8s 1.18+ or named the port tcp-client for example for tcp that would resolve it for Istio. After renaming the port in service and on the pod spec:
Seems to have resolved my connectivity issues, but should be noted the same would need to be done for the other tcp ports.
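A check for the condition described in the comment above, as an added example that is not part of the original thread or of the operator's code: it lists Service ports for which Istio is given no explicit protocol (neither a recognised `<protocol>-` port-name prefix nor `appProtocol`) and therefore falls back to protocol detection. The service names and port numbers come from this thread; the port names `client`, `tcp-cluster` and `monitor` and the input layout (`kubectl get svc -o json`) are assumptions.

```python
import json

# Protocols Istio accepts as a port-name prefix ("tcp-client") or as appProtocol.
ISTIO_PROTOCOLS = ("grpc-web", "http2", "https", "http", "grpc",
                   "tcp", "tls", "mongo", "mysql", "redis")

def declared_protocol(port):
    """Protocol stated explicitly for Istio, or None if it has to sniff."""
    app = (port.get("appProtocol") or "").lower()
    if app in ISTIO_PROTOCOLS:
        return app  # appProtocol takes precedence over the port name
    name = (port.get("name") or "").lower()
    for proto in ISTIO_PROTOCOLS:  # "grpc-web" is listed before "grpc"
        if name == proto or name.startswith(proto + "-"):
            return proto
    return None

def sniffed_ports(svc_list):
    """(service, port, name) for every TCP port left to protocol detection."""
    found = []
    for svc in svc_list.get("items", []):
        for port in svc.get("spec", {}).get("ports", []):
            if port.get("protocol", "TCP") != "TCP":
                continue
            if declared_protocol(port) is None:
                found.append((svc["metadata"]["name"], port["port"], port.get("name")))
    return found

# Constructed sample in the shape of `kubectl get svc -n nats -o json`.
# Port names "client", "tcp-cluster", "monitor" are assumed, not the operator's.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "nats-cluster"},
   "spec": {"ports": [{"name": "client", "port": 4222}]}},
  {"metadata": {"name": "nats-cluster-mgmt"},
   "spec": {"ports": [{"name": "tcp-cluster", "port": 6222},
                      {"name": "monitor", "port": 8222, "appProtocol": "http"}]}}
]}
""")

if __name__ == "__main__":
    for svc, port, name in sniffed_ports(SAMPLE):
        print(f"{svc}:{port} (name={name!r}) has no explicit protocol; "
              "rename it with a tcp- prefix or set appProtocol")
```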
This issue is also mentioned here istio/istio#28623. Are there any plans to support this in the operator? I'm struggling with finding a way to customize port names in an operator-managed service. AppProtocol as mentioned by @lukeweber doesn't seem like a viable option yet because it's not scheduled to make it to GA until 1.21 and cloud providers may or may not allow you to customize your feature gates.
For the last two days I have been facing the same issue of making nats streaming server work in istio then exec into one of the client pods and started adding console logs to the express nodejs app on all the external connections to manually debug from the live cluster, finally figured out that eventually while googling stumbled upon this open issue huge thanks to @lukeweber for a detailed comment, I tried it and it worked. Previously, before stumbling to this github open issue page, when I used Kiali dashboard, it threw now, all the deployments work properly, this explicit mentioning of
Thanks @narenarjun, will see if I can add a page on this, or feel free to make a PR to the docs too that can be found here: https://github.com/nats-io/nats.docs/tree/master/nats-on-kubernetes
Sure 😃, will do it before end of this week. @wallyqs
If anybody ends up coming here after a Google search, here is my TL;DR Your
Istio-related issues affecting this behaviour: - nats-io/nats-operator#88 - istio/istio#28623 The fix is very simple. I added the related issues to the code comment, let me know if that's undesirable or there's something else to clarify.
Thanks!
Thanks a lot!!
…argoproj#1312) Istio-related issues affecting this behaviour: - nats-io/nats-operator#88 - istio/istio#28623 The fix is very simple. I added the related issues to the code comment, let me know if that's undesirable or there's something else to clarify. Signed-off-by: Antonio M. Macías Ojeda <antonio.macias.ojeda@gmail.com> Co-authored-by: Derek Wang <whynowy@gmail.com>
Hi, sorry for postmortem post, but is this fix needed for tcp/6222 server port as well?
When I follow the instructions in the project readme to create a nats cluster with 3 members on a gke cluster using istio, all three members immediately show unhealthy and quickly go to crashloopbackoff. Is there something additional I need to do to get nats-operator to play nice with a service mesh?
My Nats Cluster:
Log from one member:
(and the Route connection messages continue 290 times before the container is shut down as unhealthy)
My Istio deployment is the default Istio App from the GCP marketplace, with three nodes in it.
K8S version info:
istio-pilot version is 1.3
I'd be happy to add more detail if there are follow up questions. I can also cross-post this issue to Istio if the problem appears to be on their side...