
Kubernetes (Istio) MongoDB enterprise cluster: HostUnreachable: Connection reset by peer

I have Istio 1.6 running in my k8s cluster. In the cluster I have also deployed a sharded MongoDB cluster with istio-injection disabled.

I have a different namespace for my app with istio-injection enabled. From the pod, if I try to connect to mongo I get this connection reset by peer error:

root@mongo:/# mongo "mongodb://mongo-sharded-cluster-mongos-0.mongo-service.mongodb.svc.cluster.local:27017,mongo-sharded-cluster-mongos-1.mongo-service.mongodb.svc.cluster.local:27017/?ssl=false"
MongoDB shell version v4.2.8
connecting to: mongodb://mongo-sharded-cluster-mongos-0.mongo-service.mongodb.svc.cluster.local:27017,mongo-sharded-cluster-mongos-1.mongo-service.mongodb.svc.cluster.local:27017/?compressors=disabled&gssapiServiceName=mongodb&ssl=false
2020-06-18T19:59:14.342+0000 I  NETWORK  [js] DBClientConnection failed to receive message from mongo-sharded-cluster-mongos-0.mongo-service.mongodb.svc.cluster.local:27017 - HostUnreachable: Connection reset by peer
2020-06-18T19:59:14.358+0000 I  NETWORK  [js] DBClientConnection failed to receive message from mongo-sharded-cluster-mongos-1.mongo-service.mongodb.svc.cluster.local:27017 - HostUnreachable: Connection reset by peer
2020-06-18T19:59:14.358+0000 E  QUERY    [js] Error: network error while attempting to run command 'isMaster' on host 'mongo-sharded-cluster-mongos-1.mongo-service.mongodb.svc.cluster.local:27017'  :
connect@src/mongo/shell/mongo.js:341:17
@(connect):2:6
2020-06-18T19:59:14.362+0000 F  -        [main] exception: connect failed
2020-06-18T19:59:14.362+0000 E  -        [main] exiting with code 1

But if I disable istio-injection for my app (pod), then I can successfully connect and use mongo as expected.

Is there a workaround for this? I would like to have istio-proxy injected into my app/pod and still use MongoDB.

Injecting databases with Istio is complicated.

I would start by checking your mTLS: if it is STRICT, I would change it to PERMISSIVE and check whether it works. It's well described here.

You see requests still succeed, except for those from the client that doesn't have a proxy, sleep.legacy, to the server with a proxy, httpbin.foo or httpbin.bar. This is expected because mutual TLS is now strictly required, but the workload without a sidecar cannot comply.


Is there a workaround for this? I would like to have istio-proxy injected into my app/pod and still use MongoDB.

If changing mTLS doesn't work, then in Istio you can set up the database without injecting it and add it to the Istio registry using a ServiceEntry object, so that it is able to communicate with the rest of the Istio services.

To add your MongoDB database to Istio you can use ServiceEntry.

ServiceEntry enables adding additional entries into Istio's internal service registry, so that auto-discovered services in the mesh can access/route to these manually specified services. A service entry describes the properties of a service (DNS name, VIPs, ports, protocols, endpoints). These services could be external to the mesh (e.g., web APIs) or mesh-internal services that are not part of the platform's service registry (e.g., a set of VMs talking to services in Kubernetes). In addition, the endpoints of a service entry can also be dynamically selected by using the workloadSelector field. These endpoints can be VM workloads declared using the WorkloadEntry object or Kubernetes pods. The ability to select both pods and VMs under a single service allows for migration of services from VMs to Kubernetes without having to change the existing DNS names associated with the services.

Example of ServiceEntry

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-mongocluster
spec:
  hosts:
  - mymongodb.somedomain # not used
  addresses:
  - 192.192.192.192/24 # VIPs
  ports:
  - number: 27018
    name: mongodb
    protocol: MONGO # Istio's Mongo protocol filter
  location: MESH_INTERNAL # treated as part of the mesh
  resolution: STATIC # use the endpoint IPs below, no DNS lookup
  endpoints:
  - address: 2.2.2.2
  - address: 3.3.3.3

If you have mTLS enabled you will also need a DestinationRule that defines how to communicate with the external service.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mtls-mongocluster
spec:
  host: mymongodb.somedomain
  trafficPolicy:
    tls:
      mode: MUTUAL # sidecar originates mTLS with these client certificates
      clientCertificate: /etc/certs/myclientcert.pem # paths must be mounted into the sidecar
      privateKey: /etc/certs/client_private_key.pem
      caCertificates: /etc/certs/rootcacerts.pem

Additionally, take a look at this documentation.
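The mTLS check the answer opens with, written out as manifests. This is an added example, not part of the original answer or of the Istio documentation. In Istio 1.6 the server-side mTLS mode is set with PeerAuthentication; it is enforced by the sidecar of the workload that receives the connection, so it never applies to the non-injected mongos pods, only to injected pods that receive plaintext. The client side (the app's sidecar originating the connection) is governed by DestinationRule. The resource names, the `mongodb` and `myapp` namespaces and the pod template are assumptions; the DestinationRule with `tls.mode: DISABLE` assumes the reset is a plaintext mongos dropping a TLS handshake started by the client sidecar, which is one possible cause, not one the answer identifies.

```yaml
# Added example; names and namespaces are assumptions, not from the original page.

# 1. What a mesh-wide STRICT policy looks like (list them with
#    `kubectl get peerauthentication -A`). Enforced by the sidecar of the
#    RECEIVING workload: injected pods refuse plaintext, the non-injected
#    mongos pods are unaffected by it.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. The PERMISSIVE variant the answer suggests trying, scoped to one
#    namespace so the rest of the mesh stays STRICT. PERMISSIVE accepts
#    plaintext from any client at the injected workloads in this namespace,
#    so treat it as a diagnostic step, not a permanent setting.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: mongodb   # assumed namespace of the mongo cluster
spec:
  mtls:
    mode: PERMISSIVE
---
# 3. Client side: tell the app's sidecar to originate plaintext toward the
#    mongos pod hostnames (wildcard covers the per-pod names of the headless
#    service). Assumption: the reset comes from mongos receiving a TLS
#    ClientHello it does not expect. With DISABLE the mongo wire protocol
#    crosses the network unencrypted, so pair it with a NetworkPolicy or
#    with TLS configured on mongos itself.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mongo-plaintext
  namespace: myapp   # assumed namespace of the injected app
spec:
  host: "*.mongo-service.mongodb.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: DISABLE
---
# 4. Alternative: keep the sidecar but bypass it for port 27017 only, so the
#    app reaches mongos exactly as it does without injection. Traffic on that
#    port then gets no Istio policy, telemetry or encryption at all.
apiVersion: v1
kind: Pod
metadata:
  name: mongo-client
  namespace: myapp
  annotations:
    traffic.sidecar.istio.io/excludeOutboundPorts: "27017"
spec:
  containers:
  - name: mongo
    image: mongo:4.2
    command: ["sleep", "infinity"]
```

Apply 1 and 2 only to confirm or rule out a server-side STRICT policy; if the app still gets the reset with PERMISSIVE in place, the policy is not what is closing the connection and the client-side rule (3) or the port exclusion (4) is the thing to test next. Whichever variant fixes the connection, re-tighten PeerAuthentication afterwards: leaving a namespace PERMISSIVE because a debugging step once needed it is how plaintext quietly stays in a mesh that is supposed to be mTLS-only.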
