Consul in a Kubernetes Istio Mesh
I'm trying to create an mTLS mesh inside GKE with the Istio beta but can't communicate with the service discovery setup we currently use without the mesh.
We use Consul for service discovery as well as a keystore and package the consul executable inside our microservices to register with the main Consul service in the GKE cluster. The microservices can then use the local Consul client to gather items from the keystore easily. After setting up the Istio mesh in a brand new cluster and enabling auto sidecar injection, I was seeing the microservice having issues with communication. My understanding is that a k8s service needs to point to the pod for the Istio mesh to work, but we also use the service for microservices to find our main Consul pod anyway (we actually use a cluster of 3, but for this test I'm only running a single pod). Here is the service YAML:
apiVersion: v1
kind: Service
metadata:
  labels:
    name: consul
  name: consul
spec:
  ports:
  - name: consul-8400
    port: 8400
    targetPort: 8400
  - name: consul-8500
    port: 8500
    targetPort: 8500
  - name: consul-8600
    port: 8600
    targetPort: 8600
  - name: consul-8300
    port: 8300
    targetPort: 8300
  - name: consul-8301
    port: 8301
    targetPort: 8301
  - name: consul-8301-udp
    port: 8301
    targetPort: 8301
    protocol: UDP
  - name: consul-8302
    port: 8302
    targetPort: 8302
  selector:
    name: consul
  type: NodePort
I also tested creating a similar service with the same ports pointing back to the microservice as well. I don't know what I'm missing because it's still not getting through to consul...
kubernetes google-kubernetes-engine istio
asked Dec 28 '18 at 19:28 by Alex Liffick
edited Dec 28 '18 at 22:56