2

I installed Istio with

gateways.istio-egressgateway.enabled = true

When I try to connect to an external database, I receive an error. I do not have a domain (only IP and port), so I define the following rules:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-db
spec:
  hosts:
  - external-db.tcp.svc
  addresses:
  - 190.64.31.232/32
  ports:
  - number: 3306
    name: tcp
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: STATIC
  endpoints:
  - address: 190.64.31.232

Then I open a shell in my system (deployed in my service mesh), and it can't resolve the name:

$ ping external-db.tcp.svc
ping: ceip-db.tcp.svc: Name or service not known

But I can connect using the IP address:

$ ping 190.64.31.232
PING 190.64.31.232 (190.64.31.232) 56(84) bytes of data.
64 bytes from 190.64.31.232: icmp_seq=1 ttl=249 time=1.35 ms
64 bytes from 190.64.31.232: icmp_seq=2 ttl=249 time=1.42 ms

What is happening? Do I have to connect using the domain or the IP? Can I define an internal domain for my external IP?

user60108
  • 1
    Did you try connecting by IP? Does it work? – Vasili Angapov May 12 '19 at 09:00
  • @VasilyAngapov Yes, with IP it works. After I created the ServiceEntry I was able to connect by IP, but it does not resolve the domain name that I defined ("external-db.tcp.svc"). Is this the correct behavior? Can I connect using a name? – user60108 May 12 '19 at 15:29
  • What would be the reason to have a ServiceEntry at all, if you already have the `Service`? It seems like the `Endpoints` doesn't work without a `Service` to go with it (is that correct?), and the Service already creates the hostname you can use (e.g. `external-db.default.svc.cluster.local`)... On the other hand, it seems like there ought to be a way to get this working with just a ServiceEntry and an endpoint of some sort, but I couldn't figure it out. – Matt Browne Oct 22 '21 at 15:42

2 Answers

7

You can create a headless service with a hardcoded IP endpoint:

---
apiVersion: v1
kind: Service
metadata:
  name: external-db
spec:
  clusterIP: None
  ports:
  - protocol: TCP
    port: 3306
---
apiVersion: v1
kind: Endpoints
metadata:
  name: external-db
subsets:
  - addresses:
    - ip: 190.64.31.232
    ports:
    - port: 3306

And then you may add to your ServiceEntry a host `external-db.default.svc.cluster.local`.

Vasili Angapov
  • This worked for me, except that I had to use a regular clusterIP service and that the ServiceEntry was ignored by Istio (in a black hole cluster!) – Jens Wurm Dec 10 '20 at 10:41
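
The ServiceEntry from the question with its host changed as the answer above suggests, shown as an added example that is not part of the original answer. The `default` namespace is an assumption taken from the hostname in the answer.

```yaml
# Added illustration: the question's ServiceEntry, with the host replaced by
# the DNS name of the headless Service defined in the answer.
# Assumption: that Service and its Endpoints live in the "default" namespace.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-db
spec:
  hosts:
  # Resolvable through cluster DNS because the headless Service
  # "external-db" exists and its Endpoints object carries the external IP.
  - external-db.default.svc.cluster.local
  addresses:
  - 190.64.31.232/32
  ports:
  - number: 3306
    name: tcp
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: STATIC
  endpoints:
  - address: 190.64.31.232
```

A TCP client pointed at `external-db.default.svc.cluster.local:3306` exercises this path; `ping` uses ICMP and never touches port 3306.
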
4

The problem is resolving the DNS, which basically relates to the configuration of resolution in your ServiceEntry.

Based on Istio's documentation:

Resolution determines how the proxy will resolve the IP addresses of the network endpoints associated with the service, so that it can route to one of them.

Since you have configured it as STATIC, you are telling istio-proxy/envoy to look for an Endpoint for resolving that DNS name; hence you need to define an Endpoint as Vasily suggested.

Another easy way, if that DNS name is defined outside of your mesh, is just changing the resolution to DNS, which will force istio-proxy to query the DNS server during request processing.

R.