What happens when a service’s port is named “grpc” under Istio?
I discovered that meshed pods could not talk to CockroachDB because of port naming. I installed CockroachDB outside the mesh, in a namespace that Istio does not inject, using:

helm install --namespace non-istio --name my-release stable/cockroachdb

I discovered the non-meshed clients could talk to this instance, but meshed pods could not. I traced this to the Service created by the helm chart:

apiVersion: v1
kind: Service
metadata:
  name: my-release-cockroachdb-public
  namespace: non-istio
spec:
  ports:
  - name: grpc
    port: 26257
    protocol: TCP
    targetPort: 26257
  - name: http
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    component: my-release-cockroachdb
  type: ClusterIP

If I changed “grpc” to “plain” it worked.
What does it mean when a Service port is named “grpc”? The Istio docs just say the name is needed to take advantage of routing features. What I noticed was that the CockroachDB helm chart author’s choice to name the port “grpc” caused Envoy to lack a listener.
Anyone wishing to experiment can test the same way I did. I did

kubectl -n <ns> run -it cockroach-client --image=cockroachdb/cockroach --restart=Never --command bash

and ran the command

./cockroach sql --insecure --host my-release-cockroachdb-public.test --execute "SHOW DATABASES"

This works from non-injected namespaces, and from injected namespaces if the K8s Service Port is not named “grpc”.
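
An added example, not part of the original post: a small audit that reports which Service ports select an application-layer protocol through Istio's `<protocol>[-<suffix>]` port-naming convention, so each can be checked against what the backend actually speaks. The protocol list and the fallback to plain TCP for unrecognized names are assumptions that vary by Istio version; the function names are hypothetical and the sample input is constructed from the Service shown above.

```python
import json

# Protocol prefixes from Istio's port-naming convention <protocol>[-<suffix>].
# Assumption: the exact list depends on the Istio release in use.
L7_PROTOCOLS = {"http", "http2", "grpc", "grpc-web"}
OTHER_PROTOCOLS = {"https", "tcp", "tls", "mongo", "mysql", "redis", "udp"}

# Constructed sample: the ports of the Service shown in the post.
SERVICE_JSON = """
{"metadata": {"name": "my-release-cockroachdb-public", "namespace": "non-istio"},
 "spec": {"ports": [
   {"name": "grpc", "port": 26257, "protocol": "TCP"},
   {"name": "http", "port": 8080, "protocol": "TCP"}]}}
"""

def protocol_from_name(name):
    """Return the protocol a port name selects; 'tcp' if the name carries none.

    Assumption: no automatic protocol detection, so unrecognized names
    (such as "plain") are handled as opaque TCP.
    """
    name = (name or "").lower()
    # Longest prefix first so "grpc-web" and "http2" are not read as "grpc"/"http".
    for proto in sorted(L7_PROTOCOLS | OTHER_PROTOCOLS, key=len, reverse=True):
        if name == proto or name.startswith(proto + "-"):
            return proto
    return "tcp"

def audit_service(svc):
    """List ports whose name makes the sidecar expect an L7 protocol."""
    meta = svc["metadata"]
    ref = f'{meta["namespace"]}/{meta["name"]}'
    findings = []
    for port in svc["spec"]["ports"]:
        proto = protocol_from_name(port.get("name"))
        if proto in L7_PROTOCOLS:
            findings.append((ref, port["port"], port.get("name"), proto))
    return findings

if __name__ == "__main__":
    for ref, number, name, proto in audit_service(json.loads(SERVICE_JSON)):
        print(f"{ref} port {number} ({name!r}): sidecars will expect {proto}; "
              "confirm the backend speaks it on this port")
```
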