Question
I have a problem with connecting two services on Kubernetes with Istio. My service makes POST requests to the elasticsearch.
2020-11-18T21:51:53.758079131Z org.elasticsearch.client.ResponseException: method [POST], host [http://elasticsearch:9200], URI [/_bulk?timeout=1m], status line [HTTP/1.1 503 Service Unavailable]
2020-11-18T21:51:53.758087238Z upstream connect error or disconnect/reset before headers. reset reason: connection failure
I read some questions/GitHub issues about that and one of the possible reasons could be mtls, so how can I disable it?
I was trying with this:
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  mtls:
    mode: DISABLE
But with this PeerAuthentication, I'm not able to reach even my service.
Do you have any advice?
Answer 1:
Disable mtls
This PeerAuthentication is the correct way to disable mtls.
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  mtls:
    mode: DISABLE
There is istio documentation about that.
Elasticsearch issue
According to istio documentation:
There are two Elasticsearch configuration parameters that need to be set appropriately to run Elasticsearch with Istio: network.bind_host and network.publish_host. By default, these parameters are set to the network.host parameter. If network.host is set to 0.0.0.0, Elasticsearch will most likely pick up the pod IP as the publishing address and no further configuration will be needed.
If the default configuration does not work, you can set the network.bind_host to 0.0.0.0 or localhost (127.0.0.1) and network.publish_host to the pod IP. For example:
...
containers:
- name: elasticsearch
  image: docker.elastic.co/elasticsearch/elasticsearch:7.2.0
  env:
  - name: network.bind_host
    value: 127.0.0.1
  - name: network.publish_host
    valueFrom:
      fieldRef:
        fieldPath: status.podIP
...
Refer to Network Settings for Elasticsearch for more information.
If that doesn't work, there are two GitHub issues:
- https://github.com/istio/istio/issues/14662#issuecomment-723669123
- https://github.com/elastic/cloud-on-k8s/issues/2770
which suggest using
annotations:
  traffic.sidecar.istio.io/excludeOutboundPorts: ""
  traffic.sidecar.istio.io/excludeInboundPorts: ""
There is elasticsearch documentation about that.
Source: https://stackoverflow.com/questions/64902148/how-to-disable-mtls-on-instio
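The policy discussed above next to a narrower alternative, as an added example that is not part of the original question or answer. The namespace `search`, the policy name and the label `app: elasticsearch` are assumptions; port 9200 is the Elasticsearch port from the error message in the question.

```yaml
# Added example. Namespace "search", the policy name and the label
# app=elasticsearch are assumptions, not values from the original post.

# Broad: the policy from the question. It has no selector and lives in the
# root namespace (istio-system), so mode DISABLE turns off inbound mTLS for
# every sidecar in the mesh, not only for Elasticsearch.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: DISABLE
---
# Narrow: leave the mesh-wide policy alone and accept plaintext only on
# port 9200 of the Elasticsearch pods. portLevelMtls needs a selector, and
# the port number is the workload (container) port, not the Service port.
# STRICT on the remaining ports assumes all other callers are in the mesh.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: elasticsearch-plaintext-9200
  namespace: search
spec:
  selector:
    matchLabels:
      app: elasticsearch
  mtls:
    mode: STRICT
  portLevelMtls:
    9200:
      mode: DISABLE
```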