I have a distributed database (Consul) that I want to run inside Istio on Kubernetes. Communication between the peers is encrypted and authenticated with mTLS. I am using a headless service so the peers can reach each other:
    apiVersion: v1
    kind: Service
    metadata:
      name: cluster
      namespace: consul
    spec:
      clusterIP: None
      publishNotReadyAddresses: true
      selector:
        app: consul
      ports:
      - name: tcp-server
        port: 8300
        targetPort: 8300
      - name: tcp-serflan
        protocol: TCP
        port: 8301
        targetPort: tcp-serflan
      - name: udp-serflan
        protocol: UDP
        port: 8301
        targetPort: udp-serflan
However, when I name the tcp-server port tls-server on the headless service, I see a large number of connection reset errors:
2020/02/18 08:46:44 [INFO] serf: EventMemberUpdate: consul-0
2020/02/18 08:47:33 [ERR] agent: Coordinate update error: rpc error making call: stream closed
2020/02/18 08:47:38 [WARN] raft: Heartbeat timeout from "10.0.3.146:8300" reached, starting election
2020/02/18 08:47:38 [INFO] raft: Node at 10.0.2.114:8300 [Candidate] entering Candidate state in term 106
2020/02/18 08:47:38 [ERROR] raft: Failed to make RequestVote RPC to {Voter 54224806-ed63-0d1b-ae2c-9c1a09de43c4 10.0.3.146:8300}: EOF
2020/02/18 08:47:38 [ERROR] raft: Failed to make RequestVote RPC to {Voter 5b2e92ce-61d8-032e-dd94-c0d9eb1319a0 10.0.1.209:8300}: read tcp 10.0.2.114:40018->10.0.1.209:8300: read: connection reset by peer
2020/02/18 08:47:47 [WARN] raft: Election timeout reached, restarting election
2020/02/18 08:47:47 [INFO] raft: Node at 10.0.2.114:8300 [Candidate] entering Candidate state in term 107
2020/02/18 08:47:47 [ERROR] raft: Failed to make RequestVote RPC to {Voter 54224806-ed63-0d1b-ae2c-9c1a09de43c4 10.0.3.146:8300}: read tcp 10.0.2.114:40762->10.0.3.146:8300: read: connection reset by peer
2020/02/18 08:47:47 [ERROR] raft: Failed to make RequestVote RPC to {Voter 5b2e92ce-61d8-032e-dd94-c0d9eb1319a0 10.0.1.209:8300}: read tcp 10.0.2.114:40062->10.0.1.209:8300: read: connection reset by peer
How does Istio/Envoy handle TLS traffic in a way that could cause this problem? The traffic is TLS traffic (I am doing this), so it seems necessary to pretend that the traffic is plain TCP.
1.6.2
1.4.4
I ran into the same problem when trying to expose an HTTPS port inside an istio mesh secured with mutual TLS.
I ended up disabling TLS on my service, since istio encrypts the traffic anyway.
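The answer's approach expressed as configuration, as an added example that is not part of the original question or answer: the Consul RPC port keeps its `tcp-server` name so the sidecar treats it as opaque TCP, and an Istio authentication policy makes the sidecars enforce mTLS for the whole `consul` namespace, so the Raft/RPC traffic is still encrypted and peer-authenticated in transit even though Consul's own TLS is turned off. The `Policy` and `DestinationRule` resources follow the Istio 1.4-era API (the version on the page); the `mtls: {}` strict form and the assumption that a `DestinationRule` applies to a headless service are assumptions, and the resource names are hypothetical.

```yaml
# Added example (not from the page). Istio 1.4-era authentication API;
# later Istio releases replaced Policy with PeerAuthentication.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default          # namespace-wide policy, hypothetical name
  namespace: consul
spec:
  peers:
  - mtls: {}             # strict: sidecars accept only Istio mTLS on every port
---
# Client side: sidecars originate Istio mTLS when calling the peers.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: consul-cluster   # hypothetical name
  namespace: consul
spec:
  host: cluster.consul.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# Headless Service: the RPC port stays named tcp-*, not tls-*, so Envoy
# forwards the bytes as plain TCP inside its own mTLS tunnel instead of
# trying to interpret them as a TLS stream.
apiVersion: v1
kind: Service
metadata:
  name: cluster
  namespace: consul
spec:
  clusterIP: None
  publishNotReadyAddresses: true
  selector:
    app: consul
  ports:
  - name: tcp-server
    port: 8300
    targetPort: 8300
  - name: tcp-serflan
    protocol: TCP
    port: 8301
    targetPort: tcp-serflan
  - name: udp-serflan
    protocol: UDP
    port: 8301
    targetPort: udp-serflan
```

On the Consul side this corresponds to leaving `verify_incoming` and `verify_outgoing` off for the RPC port (an assumption about the agent configuration the answer does not show). One caveat a practitioner should check: the sidecar does not intercept UDP, so the serf gossip on 8301/udp bypasses Istio entirely and is not covered by the mesh mTLS; it still needs Consul's own gossip encryption key (`encrypt`) to stay confidential. With the 1.4-era tooling, `istioctl authn tls-check <consul-pod> cluster.consul.svc.cluster.local` reports whether the client and server sides agree on mTLS, which is the first thing to look at when connection resets like the ones in the question appear.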