Why am I getting connection refused by the Istio sidecar injector?

徘徊边缘 submitted on 2020-06-29 05:18:10

Question


I have created a PostgreSQL cluster using the crunchydata pgo operator in a namespace with istio-injection enabled, but now I am getting API server connection refused.


level=error msg="Get https://100.xx.xx.xx:443/apis/batch/v1/namespaces/project/jobs?labelSelector=pg-cluster%3Dmilkr7%2Cpgdump%3Dtrue: dial tcp 100.xx.xx.xx:443: connect: connection refused".

API server log:

W0603 03:04:21.373083  1 dispatcher.go:180] Failed calling webhook, failing closed sidecar-injector.istio.io: failed calling webhook "sidecar-injector.istio.io": Post https://istio-sidecar-injector.istio-system.svc:443/inject?timeout=30s: dial tcp 100.65.xx.xx:443: connect: connection refused
I0603 03:18:59.654964 1 log.go:172] http: TLS handshake error from 172.20.xx.xx:44638: remote error: tls: bad certificate


Answer 1:


To add your database to the Istio service mesh you can use a ServiceEntry object.

ServiceEntry enables adding additional entries into Istio’s internal service registry, so that auto-discovered services in the mesh can access/route to these manually specified services. A service entry describes the properties of a service (DNS name, VIPs, ports, protocols, endpoints). These services could be external to the mesh (e.g., web APIs) or mesh-internal services that are not part of the platform’s service registry (e.g., a set of VMs talking to services in Kubernetes). In addition, the endpoints of a service entry can also be dynamically selected by using the workloadSelector field. These endpoints can be VM workloads declared using the WorkloadEntry object or Kubernetes pods. The ability to select both pods and VMs under a single service allows for migration of services from VMs to Kubernetes without having to change the existing DNS names associated with the services.

Example of a ServiceEntry YAML manifest for a database:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: db-service
  namespace: databasens
spec:
  exportTo:
    - "."
  hosts:
    - db-service.xxx.com
  ports:
    - number: 5443
      name: tcp
      protocol: tcp
  resolution: DNS
  location: MESH_EXTERNAL

If you have mTLS enforcement enabled you will also need a DestinationRule that defines how to communicate with the external service.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mtls-db-service
spec:
  host: db-service.xxx.com
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/client_private_key.pem
      caCertificates: /etc/certs/rootcacerts.pem

For more information and more examples, visit the Istio documentation page for ServiceEntry.

Hope it helps.
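Added here as a triage aid, not part of the question or the answer above: a Python parser for the two kinds of API-server lines quoted in the question, which also states what each failure means for the workload (a "failing closed" webhook blocks pod creation, a "failing open" one admits the pod without a sidecar). The third sample line ("failing open") is constructed to show that second failurePolicy outcome; everything else follows the log format shown above.

```python
import re
from typing import Optional

# Constructed sample: the first two lines mirror the API-server output quoted in the
# question; the third ("failing open") is invented to show the Ignore failurePolicy case.
SAMPLE_LOG = """\
W0603 03:04:21.373083  1 dispatcher.go:180] Failed calling webhook, failing closed sidecar-injector.istio.io: failed calling webhook "sidecar-injector.istio.io": Post https://istio-sidecar-injector.istio-system.svc:443/inject?timeout=30s: dial tcp 100.65.xx.xx:443: connect: connection refused
I0603 03:18:59.654964 1 log.go:172] http: TLS handshake error from 172.20.xx.xx:44638: remote error: tls: bad certificate
W0603 03:20:00.000000  1 dispatcher.go:180] Failed calling webhook, failing open sidecar-injector.istio.io: failed calling webhook "sidecar-injector.istio.io": Post https://istio-sidecar-injector.istio-system.svc:443/inject?timeout=30s: context deadline exceeded
"""

# "failing closed"/"failing open" is how the API server reports the webhook's failurePolicy.
WEBHOOK_RE = re.compile(
    r'Failed calling webhook, failing (?P<policy>open|closed) (?P<name>\S+): '
    r'failed calling webhook "(?P=name)": Post (?P<url>\S+): (?P<cause>.*)$')
TLS_RE = re.compile(r'TLS handshake error from (?P<peer>\S+):(?P<port>\d+): (?P<cause>.*)$')

def categorize(cause: str) -> str:
    c = cause.lower()
    if "connection refused" in c:
        return "connection_refused"   # nothing listening behind the webhook Service
    if "deadline exceeded" in c or "timeout" in c:
        return "timeout"              # endpoint unreachable or slower than timeoutSeconds
    if "tls" in c or "certificate" in c:
        return "tls"                  # caBundle / serving certificate mismatch
    return "other"

def parse_line(line: str) -> Optional[dict]:
    """Return {"kind", "category", ...regex groups} for a recognised failure line, else None."""
    if m := WEBHOOK_RE.search(line):
        return {"kind": "webhook", "category": categorize(m["cause"]), **m.groupdict()}
    if m := TLS_RE.search(line):
        return {"kind": "tls", "category": categorize(m["cause"]), **m.groupdict()}
    return None

def triage(log: str) -> list[dict]:
    return [e for e in map(parse_line, log.splitlines()) if e]

def impact(event: dict) -> str:
    """What the failure means for the workload: an availability hit or a silent sidecar bypass."""
    if event["kind"] == "tls":
        return "handshake failed: check the webhook caBundle against the injector's serving cert"
    if event["policy"] == "closed":
        return "pod creation rejected (failurePolicy Fail): outage, but no sidecar bypass"
    return "pod admitted WITHOUT sidecar (failurePolicy Ignore): runs outside mesh mTLS/policy"

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f'{e["kind"]:7} {e["category"]:18} {e.get("name", e.get("peer"))}: {impact(e)}')
```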



Source: https://stackoverflow.com/questions/62165493/why-i-am-getting-connection-refused-by-istio-side-car-injector
