Remote cluster - TCP connection is not happened with Istio ingress

rmssath · April 23, 2021, 5:59am

Hi Team,

We have followed the below step to configure remote cluster.

In remote cluster, we have create istio ingress gateway/virtualservice with TCP to expose the service.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: es-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 9500
      name: hello1
      protocol: TCP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: es-vs
spec:
  hosts:
  - "*"
  gateways:
  - es-gateway
  tcp:
  - match:
    - port: 9500
    route:
    - destination:
        port:
          number: 9300
        host: quickstart-es-transport.default.svc.cluster.local

After configure remote cluster, we are getting request in remote cluster (istio logs) like below which is failed to connect.

Note: x.x.x.x is remote cluster

[2021-04-22T13:02:59.554Z] "- - -" 0 UH "-" "-" 0 0 0 - "-" "-" "-" "-" "-" - - x.x.x.x:9500 y.y.y.y:46395 - -
[2021-04-22T13:02:59.554Z] "- - -" 0 UH "-" "-" 0 0 0 - "-" "-" "-" "-" "-" - - x.x.x.x:9500 y.y.y.y:29463 - -
[2021-04-22T13:02:59.554Z] "- - -" 0 UH "-" "-" 0 0 0 - "-" "-" "-" "-" "-" - - x.x.x.x:9500 y.y.y.y:9801 - -
[2021-04-22T13:02:59.554Z] "- - -" 0 UH "-" "-" 0 0 0 - "-" "-" "-" "-" "-" - - x.x.x.x:9500 y.y.y.y:53429 - -
[2021-04-22T13:02:59.554Z] "- - -" 0 UH "-" "-" 0 0 0 - "-" "-" "-" "-" "-" - - x.x.x.x:9500 y.y.y.y:35396 - -

Thibault_Richard · April 28, 2021, 4:27pm

Hello,

I wonder if the issue comes from the remote cluster setup or the Istio setup. Could you first try without Istio to better isolate the problem?

rmssath · May 4, 2021, 6:47am

Thanks Richard..

We are able to access the remote cluster with nodeport. Above issue is occur only on configuring with istio.

Is any changes or additional config required in above virtualservice?

Thibault_Richard · May 4, 2021, 8:57am

You have to exclude the transport port (port 9300) from being proxied. Currently ECK does not support switching off X-Pack security and TLS for the Elasticsearch transport port. If Istio is allowed to proxy the transport port, the traffic is encrypted twice and communication between Elasticsearch nodes is disrupted.

See the documentation: Istio | Elastic Cloud on Kubernetes [1.5] | Elastic.
Check the recipes directory in the ECK source repository for a complete example.

system · June 1, 2021, 8:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ECK not working with ISTIO Elastic Cloud on Kubernetes (ECK)	2	584	November 4, 2022
Unable to connect remote cluster Elastic Cloud on Kubernetes (ECK)	3	739	May 31, 2021
How to setup external remote cluster? Elastic Cloud on Kubernetes (ECK)	9	1505	November 4, 2022
Expose Elastic Search externally with istio ingress controller Elastic Cloud on Kubernetes (ECK) docker	1	665	November 25, 2022
Service Entry for TCP URL's Elasticsearch elastic-stack-security	1	278	April 18, 2022

Remote cluster - TCP connection is not happened with Istio ingress

Related Topics