Issue communicating via AMQP to RabbitMQ

Config
1

Hey,

I’m trying to setup an Istio service where it can connect into a standard kubernetes service via AMQP. I can see the traffic getting there but I pretty much always get:

rabbitmq-rabbitmq-ha-1 rabbitmq-ha 2019-06-18 11:43:33.736 [info] <0.6161.41> accepting AMQP connection <0.6161.41> (10.233.122.208:57828 -> 10.233.118.83:5672)
rabbitmq-rabbitmq-ha-1 rabbitmq-ha 2019-06-18 11:43:33.736 [error] <0.6161.41> closing AMQP connection <0.6161.41> (10.233.122.208:57828 -> 10.233.118.83:5672):
rabbitmq-rabbitmq-ha-1 rabbitmq-ha {bad_header,<<22,3,1,0,222,1,0,0>>}

as soon as I turn off istio sidecar injection it starts working as expected again, from some quick searching it suggests that istio is perhaps forcing TLS or something? Could do with some help trying to get this working.

2

Hi Jake

this is a very old post and you probably worked it out by now
but have stumbled on it so would like to add the solution here for others:

if you would be trying to connect to external RabbitMQ resource
you can exclude the relevant ports:

traffic.sidecar.istio.io/excludeOutboundPorts: "5672"

for RabbitMQ HA cluster on k8s
please have a look at this:

3

Please explain. Where do you set that excludeOutboundPorts resource?

4

Hi Steven

I used “istioctl generate” command and there you can pass a configuration yaml

And in that yaml you need to set the excludeOutbound Ports

If you simply run istioctl generate without extra config, you will see this variable added as an empty array

So should be relatively easy to try and generate it a few times until you see the port set correctly

5

It looks like “istioctl generate” isn’t supported in version 1.1.11. I have been unable to get any later versions to work with OKD 3.11.0.

6

You could just annotate the RabbitMQ pods instead of editing the Istio config directly. Here’s what I did:

```
apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
spec:
  override:
  statefulSet:
    spec:
      template:
        metadata:
          annotations:
            #annotate rabbitMQ pods to only redirect traffic on ports 15672 and 5672 to Envoy proxy sidecars.
            **traffic.sidecar.istio.io/includeInboundPorts: "15672, 5672"          
            traffic.sidecar.istio.io/includeOutboundPorts: "15672, 5672"** 
```

For some reason the exclude port annotations weren’t working so I just flipped it by using include port annotations. In my case, the global Istio config is controlled by another team in the company so perhaps there’s a clash when trying to use the exclude port annotations.