fissile icon indicating copy to clipboard operation
fissile copied to clipboard

Published 20 hours ago verified publisher icon cloudfoundry-incubator

Services generated by fissile make Istio malfunction

Open giner opened this issue 5 years ago • 2 comments

When Istio is in use on a Kubenrnetes cluster, port names of all Services have to follow the naming convention required by Istio. This is also true when the components generated by fissile are not using Istio themselves. While this can be considered a design flaw and might be fixed in future we have to deal with it somehow in the meanwhile.

Here are a couple of things that could be done to mitigate the issue:

  • Add networking.istio.io/exportTo= . annotation to the Services generated by fissile which are not supposed to be accessed through Istio - helps to work around https://github.com/istio/istio/issues/9784 and https://github.com/istio/istio/issues/14520
  • Rename ports to comply with the naming conventions required by Istio https://istio.io/docs/setup/kubernetes/additional-setup/requirements keeping in mind that a certain port number must have the same name prefix over the whole cluster unless the service is scoped to a single namespace by networking.istio.io/exportTo= ., e.g. for port 443 the name must always start from https - helps with https://github.com/istio/istio/issues/14520

cc: @iandyh @viovanov

Update:

  • I looks like I'm mixing two problems here (https://github.com/istio/istio/issues/9784 and https://github.com/istio/istio/issues/14520) though it's fine as they are similar in a way they affect the rest of the cluster and the approaches towards solving the issues are likely to be connected

giner avatar Aug 06 '19 11:08 giner

Another problem related to the port definition is some role in scf have conflict port number with Istio component, which should be avoided. https://istio.io/docs/setup/kubernetes/additional-setup/requirements/#ports-used-by-istio

For e.g.,

  • cc-uploader
        ports:
        - name: cc-up-listen
          protocol: TCP
          internal: 9091
        - name: cc-up-dbg
          protocol: TCP
          internal: 17018

Which is conflicting with Istio Mixer

9090 HTTP Prometheus Prometheus
9091 HTTP Mixer Policy/Telemetry

zhanggbj avatar Aug 08 '19 14:08 zhanggbj

@zhanggbj, exportTo should help to avoid the conflict as I understand it now.

giner avatar Aug 08 '19 15:08 giner