Issue communicating via AMQP to RabbitMQ

naphta · June 18, 2019, 11:56am

Hey,

I’m trying to setup an Istio service where it can connect into a standard kubernetes service via AMQP. I can see the traffic getting there but I pretty much always get:

rabbitmq-rabbitmq-ha-1 rabbitmq-ha 2019-06-18 11:43:33.736 [info] <0.6161.41> accepting AMQP connection <0.6161.41> (10.233.122.208:57828 -> 10.233.118.83:5672)
rabbitmq-rabbitmq-ha-1 rabbitmq-ha 2019-06-18 11:43:33.736 [error] <0.6161.41> closing AMQP connection <0.6161.41> (10.233.122.208:57828 -> 10.233.118.83:5672):
rabbitmq-rabbitmq-ha-1 rabbitmq-ha {bad_header,<<22,3,1,0,222,1,0,0>>}

as soon as I turn off istio sidecar injection it starts working as expected again, from some quick searching it suggests that istio is perhaps forcing TLS or something? Could do with some help trying to get this working.

Oleg · April 23, 2020, 12:48pm

Hi Jake

this is a very old post and you probably worked it out by now
but have stumbled on it so would like to add the solution here for others:

if you would be trying to connect to external RabbitMQ resource
you can exclude the relevant ports:

traffic.sidecar.istio.io/excludeOutboundPorts: "5672"

for RabbitMQ HA cluster on k8s
please have a look at this:

stevenbrown · August 21, 2020, 2:03pm

Please explain. Where do you set that excludeOutboundPorts resource?

Oleg · August 21, 2020, 3:57pm

Hi Steven

I used “istioctl generate” command and there you can pass a configuration yaml

And in that yaml you need to set the excludeOutbound Ports

If you simply run istioctl generate without extra config, you will see this variable added as an empty array

So should be relatively easy to try and generate it a few times until you see the port set correctly

stevenbrown · August 21, 2020, 4:50pm

It looks like “istioctl generate” isn’t supported in version 1.1.11. I have been unable to get any later versions to work with OKD 3.11.0.

matthew-daddario · January 20, 2021, 1:51pm

You could just annotate the RabbitMQ pods instead of editing the Istio config directly. Here’s what I did:

```
apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
spec:
  override:
  statefulSet:
    spec:
      template:
        metadata:
          annotations:
            #annotate rabbitMQ pods to only redirect traffic on ports 15672 and 5672 to Envoy proxy sidecars.
            **traffic.sidecar.istio.io/includeInboundPorts: "15672, 5672"          
            traffic.sidecar.istio.io/includeOutboundPorts: "15672, 5672"** 
```

For some reason the exclude port annotations weren’t working so I just flipped it by using include port annotations. In my case, the global Istio config is controlled by another team in the company so perhaps there’s a clash when trying to use the exclude port annotations.

Topic		Replies	Views
RabbitMQ and kiali not working after upgrade from 1.0.6 to 1.1.1	9	2437	April 16, 2019
RabbitMQ AMPQ Istio Traffic Networking	0	1063	May 26, 2022
Problem accessing services without a sidecar from pods with a sidecar	2	3049	July 4, 2019
Unable to connect to rabbitmq through TCP port 5672 hosted in EKS cluster from outside	0	964	January 25, 2022
Kafka or RabbitMQ with Istio	6	8488	August 28, 2020

Issue communicating via AMQP to RabbitMQ

Related topics