
I am trying to implement a service mesh using Istio and Envoy for a service which requires connecting to an external MongoDB server, but for some reason my service is unable to reach the external MongoDB server from the istio-proxy.

Below are the Gateway and VirtualService configurations for my service:

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: gtreviews
    spec:
      selector:
        istio: ingressgateway
      servers:
      - port:
          number: 7890
          name: http
          protocol: GRPC
        hosts:
        - "*"
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: reviews
    spec:
      hosts:
      - "*"
      gateways:
      - gtreviews
      http:
      - match:
        - uri:
            prefix: "/reviews"
        route:
        - destination:
            port:
              number: 8080
            host: reviews.istio-system.svc.cluster.local

I added an egress ServiceEntry, but it still doesn't work:

    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: external-svc-mongocluster
    spec:
      hosts:
      - xxx.xx.com
      ports:
      - name: mongo
        number: 27017
        protocol: tcp
      location: MESH_EXTERNAL
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: external-svc-mongocluster
    spec:
      hosts:
      - xxx.xx.com
      tcp:
      - route:
        - destination:
            host: xxx.xx.com
            port:
              number: 27017
          weight: 100
DoIt

1 Answer


Try to specify the port in the ServiceEntry as TLS (the name and the protocol).

I am working on a task regarding MongoDB right now; check the "Egress control for TLS" section in this PR https://github.com/istio/istio.io/pull/2347/, it is still a bit raw.

Vadim Eisenberg
  • Are you sure you connect to your MongoDB over TLS? https://docs.mongodb.com/manual/tutorial/configure-ssl/ – Vadim Eisenberg Oct 17 '18 at 17:39
  • Actually, my MongoDB server doesn't need any certificates for TLS/SSL. I just use a username and password to connect to it. I am new to Istio and not sure how everything is exactly working – DoIt Oct 17 '18 at 18:09
  • can you try to connect to it using: `openssl s_client -connect mymongo.xx.com:27017 -servername mymongo.xx.com`, from outside Istio and from a pod inside Istio? – Vadim Eisenberg Oct 17 '18 at 18:32
  • Actually, when I connect using the above I get a handshake failure even from outside Istio – DoIt Oct 17 '18 at 19:33
  • And you do not get the certificate of the MongoDB host? So it is not configured with TLS? In such a case, you can use TCP (not TLS) egress control, see https://istio.io/blog/2018/egress-tcp/. – Vadim Eisenberg Oct 18 '18 at 02:32
  • Yes, it's not configured with TLS, and I updated my config in the question to use TCP and the deployment config, which still is not able to reach the MongoDB servers – DoIt Oct 18 '18 at 19:07
  • Not an issue with the configuration. The issue is that the istio-proxy is being started a few milliseconds after the service has started, and I was trying to create a mongo session at a time when istio-proxy had not yet made the service entries available to the service – DoIt Oct 19 '18 at 14:09
  • I am still figuring it out. I added a sleep of 5 seconds in my service, but I don't think it's a good idea – DoIt Oct 22 '18 at 14:08
  • Is there a better way that I can do it? – DoIt Oct 22 '18 at 15:19
  • I do not know, sorry :( Maybe it should be another stack overflow question :) – Vadim Eisenberg Oct 22 '18 at 17:26
  • Can anyone please highlight: How to communicate with the in-cluster instance of MongoDB which is Istio service mesh injected? The Istio-enabled service is trying to call the Istio-enabled MongoDB, and it throws the error Caused by: com.mongodb.MongoTimeoutException: Timed out after 30000 ms while waiting to connect. Client view of cluster state is {type=UNKNOWN, servers=[{address=myapp-mongo-wrapper.e-dev-apon1.svc:27017, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoInternalException: The reply message length 1347703880 is greater than the maximum message length 33554432}}] Thank you – Sanjeev Jun 14 '21 at 11:48
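The race DoIt describes in the comments above (the app opening its MongoDB session before istio-proxy has its configuration) can be handled without a fixed 5-second sleep by polling the sidecar's own state. This is an added example, not code from the question, the answer or the Istio project; it assumes Envoy's admin endpoint is reachable from the app container at localhost:15000 (Istio's default) and that the LIVE state in `/server_info` means Envoy has finished loading its initial listeners and clusters; the fake admin server is a constructed stand-in so the snippet runs offline.

```python
# Added example, not from the question or the answer: gate the MongoDB session on the
# Envoy sidecar reporting LIVE instead of sleeping. Assumes admin on localhost:15000.
import json
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def sidecar_state(admin_url="http://127.0.0.1:15000/server_info", timeout=1.0):
    """Return the state Envoy reports ("LIVE", "INITIALIZING", ...) or None if unreachable."""
    try:
        with urllib.request.urlopen(admin_url, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8")).get("state")
    except (urllib.error.URLError, ValueError, OSError):
        return None

def wait_for_sidecar(admin_url="http://127.0.0.1:15000/server_info",
                     max_wait=30.0, interval=0.5, sleep=time.sleep):
    """Poll until Envoy is LIVE; return the poll count, or raise after max_wait seconds."""
    deadline = time.monotonic() + max_wait
    polls = 0
    while True:
        polls += 1
        state = sidecar_state(admin_url)
        if state == "LIVE":
            return polls  # safe to open the MongoDB session now
        if time.monotonic() >= deadline:
            raise RuntimeError("istio-proxy not ready, last state: %s" % state)
        sleep(interval)

class _FakeAdmin(BaseHTTPRequestHandler):
    """Constructed stand-in for Envoy's /server_info, only so the demo runs offline."""
    state = "LIVE"

    def do_GET(self):
        body = json.dumps({"state": self.state}).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep request logging out of the demo output
        pass

def fake_admin_server(state):
    """Start a local fake admin endpoint reporting `state`; return (server, url)."""
    srv = HTTPServer(("127.0.0.1", 0), type("Fake", (_FakeAdmin,), {"state": state}))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/server_info" % srv.server_address[1]
```

In the service, call `wait_for_sidecar()` once at startup before constructing the MongoDB client. Newer Istio releases can also enforce this ordering from the injector side with the `holdApplicationUntilProxyStarts` proxy config option, which removes the need for app-side polling.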