I’m currently struggling a bit and I think I may be misunderstanding how some parts of Istio work. I’d appreciate it if someone could help me out or point me in the right direction, thanks! Apologies for the lengthy post.
I’m currently running an AKS cluster with Istio (1.1.8, mTLS enabled). Everything runs fine, communication between services and so forth. Now I’ve created a different namespace which should run services outside of Istio’s service mesh (in my case, as a start, I’ve deployed RabbitMQ). The services start and run fine from the outside (e.g. I can connect to RabbitMQ, publish and subscribe, from my local machine and other clients).
Now I’d like to also use those services from a pod within the service mesh (with the sidecar injected). I thought that all I’d need to do is define a DestinationRule with tls: disabled for the host DNS name (..svc.cluster.local). But the service with the sidecar injected can’t connect.
I’ve tried adding a ServiceEntry, changing the mTLS mode to permissive, and using the IP directly, with no success.
If I run the same pod without a sidecar (everything else untouched), it connects and works as expected.
As a last step I tried to run the RabbitMQ service from within the mesh (original namespace, sidecar injected, …). This led to a different issue: the service with Kubernetes peer discovery does not even start because it can’t reach the Kubernetes API server (kubernetes.default.svc.cluster.local). I’ve checked with istioctl authn tls-check and it says it would use the default/default auth policy (which just contains the mTLS mode strict (or permissive, I tried both)) as well as the DestinationRule api-server/istio-system (which has the TLS mode disable).
So it seems to me that as soon as I inject the sidecar, I can’t get any traffic to anything that is not within the service mesh. That brought me to my Istio setup, which configures the proxies to only include a certain IP range (Helm values: global -> proxy -> includeIPRanges). That gave me the idea that maybe I could exclude the service port (RabbitMQ) for one of my services that tries to connect. I’ve tried adding the annotation traffic.sidecar.istio.io/excludeOutboundPorts to my client service, but unfortunately no luck either.
I’d highly appreciate any tips.
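For reference, here is what the two pieces of configuration the post describes look like when written out: a DestinationRule that turns client-side TLS off for a host outside the mesh, and a client Deployment carrying the excludeOutboundPorts annotation so the sidecar's iptables rules leave that port alone. This is an added illustration, not the poster's own manifests; the namespaces (messaging, mesh-apps), service name, image and the AMQP port 5672 are assumptions for the example.

```yaml
# Added example (not from the original post). All names, namespaces and
# ports below are assumptions chosen for illustration.
#
# 1) Client-side rule: tell every sidecar that traffic to this host must be
#    sent in plaintext, because the RabbitMQ pod has no sidecar and cannot
#    terminate Istio mTLS. The host must match the FQDN the client dials.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: rabbitmq-plaintext
  namespace: messaging          # assumed namespace of the out-of-mesh service
spec:
  host: rabbitmq.messaging.svc.cluster.local   # assumed service FQDN
  trafficPolicy:
    tls:
      mode: DISABLE             # Istio's mode name for "no TLS to this host"
---
# 2) Client workload: keep the sidecar, but exclude the broker port from
#    outbound interception so the connection bypasses Envoy entirely.
#    Annotation values are strings; list several ports comma-separated.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: amqp-client              # assumed client workload
  namespace: mesh-apps           # assumed in-mesh namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: amqp-client
  template:
    metadata:
      labels:
        app: amqp-client
      annotations:
        sidecar.istio.io/inject: "true"
        traffic.sidecar.istio.io/excludeOutboundPorts: "5672"   # assumed AMQP port
    spec:
      containers:
      - name: client
        image: example.invalid/amqp-client:latest   # placeholder image
        env:
        - name: AMQP_URL
          value: amqp://rabbitmq.messaging.svc.cluster.local:5672
```

These two mechanisms are alternatives, not a pair that must be used together: the DestinationRule still routes the connection through Envoy (so it must be visible to the client's sidecar and match the host name actually dialed), whereas the annotation keeps Envoy out of the path for that port. Which one the sidecar actually applies for a given destination can be inspected with istioctl authn tls-check on the client pod, the same command the post already uses.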