I created two sample application(tcp-server and tcp-client) for checking TCP connection in istio environment. Used the below link to create server and client in g0
https://www.linode.com/docs/guides/developing-udp-and-tcp-clients-and-servers-in-go/
Deployed the application in kubernetes cluster and tested without istio, it is working fine.
But after installing istio(demo configuration, followed this url to install istio: https://istio.io/latest/docs/setup/getting-started/),
and redeploying the apps to fill with envoy-proxy, the client is not connecting to server
Also using below command makes the server connect success
sh -c "echo world | nc 10.244.1.29 1234" is
What am I doing wrong?
Posting the solution I found.
Issue: I was trying to connect to server using ip address and nodePort, which some how not working in istio environment
Solution: From Client instead of providing ip address and nodePort of server node, give service name and container port of server app.
Extra Info: For using client from outside cluster, create gateway and virtual service for server. In your external client provide nodePort and ip address of istio-ingress pod as server destination
Related
I had EC2 server where I was running my existing application. The EC2 instance was on private subnet and ELB was created in public subnet with access to particular VPN IP. So whenever I was on VPN, I was able to access my application and if I am outside that VPN IP then I wasn't able to access the application.
Now I have created EKS cluster and I am deploying my application using kubectl with docker image of the application. Weird thing is the application works fine whenever I am NOT on VPN (I tweaked security group to allow all traffic from all IPs) and whenever I am on VPN, I receive "ERR_CONNECTION_RESET" in chrome and curl shows - empty response received from server.
Till now I have tried below things. As I am relatively new with EKS, I am not able to find much.
1. Same security group applied - Not resolving
2. Checked logs of all pods - whichever pods I received from "kubectl get po --all-namespaces" - No issues showing up
3. Checked /var/log/messages
4. Tried to change application port
5. kubectl get events not showing anything on why server is sending back empty response.
6. Tried to SSH to node and tried to curl localhost:30080 and it works fine, but when tried to curl from my machine (which is on VPN), it fails with empty response.
Please again note that, the application runs totally fine when I am outside VPN. Further my old application (that is on EC2) runs fine with VPN.
Thanks in advance!
Finally found the issue was with the corporate VPN which was blocking all ports other than 80 and 443. When I was creating the service, I wanted to have ELB to expose port 5000. So I was thinking elb-host:5000 will point to dev service nodeport which was 30080. This was perfectly working when I was NOT on the VPN. But when I was connecting the site using VPN, corporate traffic was blocking port 5000 on ELB. After I changed the port to 80, it started working as expected.
While using nginx, it was creating ELB with port 80 instead of my intended port 5000. I didn't notice that port change and thought that this is happening due to IP blocking.
I deployed a RabbitMQ server on my kubernetes cluster and i am able to access the management UI from the browser. But my spring boot app cannot connect to port 5672 and i get connection refused error. The same code works , if i replace my application.yml properties from kuberntes host to localhost and run a docker image on my machine.I am not sure what i am doing wrong?
Has anyone tried this kind of setup.
Please help. Thanks!
Let's say the dns is named rabbitmq. If you want to reach it, then you have to make sure that rabbitmq's deployment has a service attached with the correct ports for exposure. So you would target http://rabbitmq:5672.
To make sure this or something alike exists you can debug k8s services. Run kubectl get services | grep rabbitmq to make sure the service exists. If it does, then get the service yaml by running 'kubectl get service rabbitmq-service-name -o yaml'. Finally, check spec.ports[] for the ports that allow you to connect to the pod. Search for '5672' in spec.ports[].port for amqp. In some cases, the port might have been changed. This means spec.ports[].port might be 3030 for instance, but spec.ports[].targetPort be 5672.
Do you are exposing TCP port of rabbitMQ to outside of cluster?
Maybe only management port has exposed.
If you can connect to management UI, but not on port 5672, maybe indicate that your 5672 port is not exposed outside of cluster.
Obs: if I not understand correctly your question, please let me know.
Good luck
When I run consul on my local machine and spring boot client with following properties in bootstrap.properties, I can see that it connects, discovers services and able to connect from one service to other using service discovery.
Bootstrap.properties:
spring.cloud.consul.host=localhost
spring.cloud.consul.port=8500
spring.cloud.consul.discovery.instance-id=consul-service2
spring.application.name=consul-service2
server.port=8083
But now, I installed consul on openshift provided route to it. I can browse to consul UI and see that consul service has registered itself. But when I try to connect client running on localhost to consul running on openshift i get error.
com.ecwid.consul.transport.TransportException: org.apache.http.conn.ConnectTimeoutException: Connect to consul-uservices-template.f-az.uk.paas.intranet.db.com:8500 [consul-uservices-template.hju-azh.uk.paas.intranet.sdf.com/10.248.36.85] failed: connect timed out
at com.ecwid.consul.transport.AbstractHttpTransport.executeRequest(AbstractHttpTransport.java:77) ~[consul-api-1.4.1.jar:na]
at com.ecwid.consul.transport.AbstractHttpTransport.makePutRequest(AbstractHttpTransport.java:41) ~[consul-api-1.4.1.jar:na]
at com.ecwid.consul.v1.ConsulRawClient.makePutRequest(ConsulRawClient.java:135) ~[consul-api-1.4.1.jar:na]
at com.ecwid.consul.v1.agent.AgentConsulClient.agentServiceRegister(AgentConsulClient.java:273) ~[consul-api-1.4.1.jar:na]
at com.ecwid.consul.v1.ConsulClient.agentServiceRegister(ConsulClient.java:309) ~[consul-api-1.4.1.jar:na]
My bootstrap.properties:
spring.cloud.consul.host=consul-uservices-template.hju-azh.uk.paas.intranet.sdf.com
spring.cloud.consul.port=8500
spring.cloud.consul.discovery.instance-id consul-service2
spring.application.name=consul-service2
server.port=8083
What i am doing is providing route path as host, am I wrong here ? I can see that it tries to connect to consul-uservices-template.hju-azh.uk.paas.intranet.sdf.com:8500 and it times out. I get 404 even on browser when i try to hit this url. It should not be accessing with port number. How can i do that ?
It should not be accessing with port number.
As the route is provided via OpenShift (and you can access it the web UI too), I assume it is accessible through port 80.
If that is the case, you can specify spring boot to access consul via port 80 by change the following properties
spring.cloud.consul.port=80
I am running solr inside minikube for a POC. I am trying to figure out how to access the solr inside the minikube. As per my knowledge I cant access solr using my host IP, it is only accessible using the minikube IP - 192.168.99.100:8983/solr. My objective is to hit the solr server when accessing it from a remote box.
One of my team mates suggested that I can maybe use something that will forward incoming request to a local IP.
Any suggestions??
Thanks
You would need to expose the solr service using the kubectl expose command for external access.
There are four ways to expose a service for external access in k8s:
LoadBalancer service type which sets the ExternalIP automatically. This is used when there is an external non-k8s, cloud-provider's load-balancer like CGE, AWS or Azure, and this external load-balancer would provide the ExternalIP for the nginx ingress service per https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services---service-types.
ExternalIPs per https://kubernetes.io/docs/concepts/services-networking/service/#external-ips.
NodePort: In this approach, the service can be hit from outside the cluster using NodeIP:NodePort/url/of/the/service.
Ingress: https://kubernetes.io/docs/concepts/services-networking/ingress/
First you need to get URL of your Service for solr.
$ minikube service <service-name> --url
http://192.168.99.100:30000
Here, 30000 is your solr Service NodePort.
Now you need to create SSH tunnel.
For that try this
$ ssh -i ~/.minikube/machines/minikube/id_rsa docker#$(minikube ip) -L \*:30000:0.0.0.0:30000
Note: To keep SSH tunneling in Background, add & at the end of (ssh -i .....) &
Now you can access this solr Service using your Host IP address
I'm writing an application in Ruby/RoR that will be hosted on Heroku.
One of its requirements is that it connects to an (Active Directory) authentication server which is behind a Sonicwall VPN.
How can I establish this VPN authentication using Ruby to access this server?
Heroku is just a service built on top of EC2 that manages deployment using a linux env. You don't have root access on on which means you can connect out to any service using any TCP protocol. But you can only listen for HTTP connections. Unfortunately this rules out setting up VPNs and SSH tunnels. You can do this on Amazon EC2.