What happens when a service’s port is named “grpc” under Istio?
I discovered that meshed pods could not talk to CockroachDB because of port naming. I installed CockroachDB outside the mesh, in a namespace that Istio does not inject, using

    helm install --namespace non-istio --name my-release stable/cockroachdb

I discovered the non-meshed clients could talk to this instance, but meshed pods could not. I traced this to the Service created by the helm chart:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-release-cockroachdb-public
      namespace: non-istio
    spec:
      ports:
      - name: grpc
        port: 26257
        protocol: TCP
        targetPort: 26257
      - name: http
        port: 8080
        protocol: TCP
        targetPort: 8080
      selector:
        component: my-release-cockroachdb
      type: ClusterIP

If I changed “grpc” to “plain” it worked.
What does it mean when a Service port is named “grpc”? The Istio docs just say the name is needed to take advantage of routing features. What I noticed was that the CockroachDB helm chart author’s choice to name the port “grpc” caused Envoy to lack a listener.
Anyone wishing to experiment can test the same way I did. I did

    kubectl -n <ns> run -it cockroach-client --image=cockroachdb/cockroach --restart=Never --command bash

and ran the command

    ./cockroach sql --insecure --host my-release-cockroachdb-public.test --execute "SHOW DATABASES"

This works from non-injected namespaces, and from injected namespaces if the K8s Service Port is not named “grpc”.
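
Added example, not part of the original post and not Istio or CockroachDB project code: Istio reads a protocol from a Service port name of the form `<protocol>[-<suffix>]`, so the sketch below reports which ports of a Service the sidecar will treat as HTTP-family traffic even though the operator knows clients speak something else on them. The prefix list, the helper names and the `non_http_ports` input are assumptions for illustration; the recognised prefixes vary by Istio version.

```python
# Prefixes Istio recognises in a Service port name (assumed list; check your Istio version).
ISTIO_PROTOCOLS = {"grpc", "grpc-web", "http", "http2", "https",
                   "mongo", "mysql", "redis", "tcp", "tls", "udp"}
# Prefixes that make the sidecar expect HTTP/1.1 or HTTP/2 framing on the port.
HTTP_FAMILY = {"grpc", "grpc-web", "http", "http2"}


def inferred_protocol(port_name):
    """Return the protocol the port name declares to Istio, or None if it declares none."""
    name = (port_name or "").lower()
    # Longest prefix first so "grpc-web-ui" is not read as "grpc".
    for proto in sorted(ISTIO_PROTOCOLS, key=len, reverse=True):
        if name == proto or name.startswith(proto + "-"):
            return proto
    return None


def audit(service, non_http_ports):
    """Flag ports the operator lists as non-HTTP whose name declares an HTTP-family protocol."""
    findings = []
    for p in service["spec"]["ports"]:
        proto = inferred_protocol(p.get("name"))
        if p["port"] in non_http_ports and proto in HTTP_FAMILY:
            findings.append((p["port"], p["name"], proto))
    return findings


# Constructed from the Service shown in the post (same names and port numbers).
SERVICE = {
    "metadata": {"name": "my-release-cockroachdb-public", "namespace": "non-istio"},
    "spec": {"ports": [
        {"name": "grpc", "port": 26257, "protocol": "TCP", "targetPort": 26257},
        {"name": "http", "port": 8080, "protocol": "TCP", "targetPort": 8080},
    ]},
}

if __name__ == "__main__":
    # Assumption: the SQL client on 26257 speaks the PostgreSQL wire protocol, not HTTP/2.
    for port, name, proto in audit(SERVICE, non_http_ports={26257}):
        print(f"port {port} is named '{name}': Istio will treat it as {proto}")
```

Feed it the output of `kubectl get svc -o json` (one item at a time) to check other charts before enabling injection for their clients.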