Problem with Service with MetalLB loadbalancerIP

Networking
1

Hello all,

We activated istio in our lab in PERMISSIVE mode and a few services broke. One of them is a loadbalancer for mariadb servers that live outside of kubernetes. The loadbalancer live in pods and the service fronting them is using a LoadbalancerIP obtained through MetalLB.

In schema that follow, the Mariadb servers live in vms. Before injection with with the side car, everything worked just fine. Connexion path 1,2, 3 and 4 worked juste fine.

Once side-car injection has happened, a few connexions stoped working.

With Istio
With Istio617×630 50.3 KB

That is, connexion 1 and 3 that try to talk to the LoadBalancerIP (which is obviously not a clusterIP) do not work. It obviously has to do with the server side protocol that is mysql. I have modified the service in the infra-lb namespace to tag correctly the service with either or both appProtocol field or to make sure the name respects name: <protocol>[-<suffix>] syntax.

To no avail. The behaviour is still different between the two IPs. By the ways, CentOS-tools is simply a centos image with lots of tools that we have in each of our kubernetes clusters so we can comfortably tests things.

Notice that the CentOS-tools pod can talk directly to mariadb through connexion without any issues.

I can fix the problem for the CentOS tools image which belong to the mesh by publishing a ServiceEntry and VirtualService (in infra-lb) for the LoadBlancerIP. Yes, not for the mariadb Server, but for the service.

piVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: mariadb-metalllb-lab-istio
spec:
  hosts:
  - mariadb-metalllb-lab-istio.interne.lab.montreal.ca # not used
  addresses:
  - 10.224.3.102 # LoadBlancer VIPs obtained through MetallLB
  ports:
  - number: 3306
    #name: tcp-maria
    name: maria
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: NONE

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: routetcp-maria-mettallb
spec:
  hosts:
  - mariadb-metalllb-lab-istio.interne.lab.montreal.ca
  tcp:
  - match:
    - port: 3306
    route:
    - destination:
        host: haproxy-mariadb-srv
        port:
          number: 3306

This will correct connexion 3. That is, the centOS pod that belongs to the mesh will now be able to connect to mariadb using the LoadBalancerIP. But, external connexion still do not work, connexion one for instance.

I have being able to make it work by adding a PeerAuthentication object that deactivates mTLS altogether :

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: DISABLE
  # portLevelMtls:
  #   3306:
  #     mode: DISABLE

Notice that I cannot have mtls to PERMISSIVE and portLevelMtls to DISABLE. It’s just ignored for some reason.

Can anyone shed light on this behaviour ? Why are there differences for cluster-ip and loadbalancer ip when coming in from the mesh. And differences between mesh clients and outside-of-kubernetes clients on the loadbalancer-ip ? Is it possible to have my cake and eat it too ? That is have mTLS for mesh clients and no TLS for external clients ?

2

Anyone has an idea ?

3

Hello all,

Here is a small follow up. I have given some more time out to this problem. My last question, about the portLevelMtls not working has a simple solution. To do this, one has to use a workload selector, it’s in the documentation, right at the end.

Here is the yaml just for the sake of documentation :slight_smile:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  selector:
    matchLabels:
      app: haproxy-mariadb
  mtls:
    mode: PERMISSIVE
  portLevelMtls:
    3306:
      mode: DISABLE

As for the access from outside kubernetes, I can confirm that envoy seems to be the culprit. If I publish the PeerAuthentication mentioned above, communication works and reaches mariadb and HAProxy will log the connexion. But if I remove the PeerAuthentication, then, a tcpdump on mariadb will not show any packet. HAproxy will not log anything. Only Envoy, in the side car, logs anything. Here is a log output using stern.

[Ananke:: 15:37:13] [~/.ssh] > bat /tmp/mysqllslap

**With PeerAuthentication active**


   1   │ haproxy-mariadb-7787cfb847-cfrbw istio-proxy 2023-02-17T15:26:29.786851672-05:00 [2023-02-17T20:26:28.625Z] "- - -" 0 - - - "-" 2318 121017 225 - "-" "-" "-" "-" "10.224.0.80:3306" PassthroughCluster 172.21.30.13:37352 10.224.0.80:3306 172.21.30.13:37344 - -
   2   │ haproxy-mariadb-7787cfb847-cfrbw istio-proxy 2023-02-17T15:26:29.786879364-05:00 [2023-02-17T20:26:28.625Z] "- - -" 0 - - - "-" 2318 121017 226 - "-" "-" "-" "-" "172.21.30.13:3306" inbound|3306|| 127.0.0.6:58993 172.21.30.13:3306 10.224.0.86:7486 - -
   3   │ haproxy-mariadb-7787cfb847-pfglf istio-proxy 2023-02-17T15:26:29.241653923-05:00 [2023-02-17T20:26:28.626Z] "- - -" 0 - - - "-" 2318 121017 242 - "-" "-" "-" "-" "10.224.0.80:3306" PassthroughCluster 172.21.232.152:49154 10.224.0.80:3306 172.21.232.152:49146 - -
   4   │ haproxy-mariadb-7787cfb847-pfglf istio-proxy 2023-02-17T15:26:29.241660505-05:00 [2023-02-17T20:26:28.625Z] "- - -" 0 - - - "-" 2318 121017 243 - "-" "-" "-" "-" "172.21.232.152:3306" inbound|3306|| 127.0.0.6:43023 172.21.232.152:3306 172.21.30.0:21286 - -
   5   │ haproxy-mariadb-7787cfb847-pfglf istio-proxy 2023-02-17T15:26:29.241669518-05:00 [2023-02-17T20:26:25.111Z] "- - -" 0 - - - "-" 62019 1271 3798 - "-" "-" "-" "-" "10.224.0.80:3306" PassthroughCluster 172.21.232.152:49142 10.224.0.80:3306 172.21.232.152:49136 - -
   6   │ haproxy-mariadb-7787cfb847-pfglf istio-proxy 2023-02-17T15:26:29.241700156-05:00 [2023-02-17T20:26:25.110Z] "- - -" 0 - - - "-" 62019 1271 3798 - "-" "-" "-" "-" "172.21.232.152:3306" inbound|3306|| 127.0.0.6:51855 172.21.232.152:3306 172.21.30.0:37297 - -
  
**Without the PeerAuthentication yaml.**

 7   │ haproxy-mariadb-7787cfb847-cfrbw istio-proxy 2023-02-17T15:33:27.246018662-05:00 [2023-02-17T20:33:26.791Z] "- - -" 0 - - - "-" 2318 120430 267 - "-" "-" "-" "-" "10.224.0.80:3306" PassthroughCluster 172.21.30.13:34590 10.224.0.80:3306 172.21.30.13:34576 - -
   8   │ haproxy-mariadb-7787cfb847-cfrbw istio-proxy 2023-02-17T15:33:27.246025512-05:00 [2023-02-17T20:33:26.790Z] "- - -" 0 - - - "-" 2318 120430 268 - "-" "-" "-" "-" "172.21.30.13:3306" inbound|3306|| 127.0.0.6:37151 172.21.30.13:3306 10.224.0.86:22758 - -
   9   │ haproxy-mariadb-7787cfb847-cfrbw istio-proxy 2023-02-17T15:33:27.246031368-05:00 [2023-02-17T20:33:23.889Z] "- - -" 0 - - - "-" 62019 1271 3233 - "-" "-" "-" "-" "10.224.0.80:3306" PassthroughCluster 172.21.30.13:46306 10.224.0.80:3306 172.21.30.13:46302 - -
  10   │ haproxy-mariadb-7787cfb847-cfrbw istio-proxy 2023-02-17T15:33:27.246036292-05:00 [2023-02-17T20:33:23.882Z] "- - -" 0 - - - "-" 62019 1271 3240 - "-" "-" "-" "-" "172.21.30.13:3306" inbound|3306|| 127.0.0.6:50027 172.21.30.13:3306 10.224.0.86:26980 - -

According to envoy, it received the request and forwared it in both cases. But, obviously, the result is different. And we can se that there are two lines fewer when it does not work. But I cannot extract anything meaningful from this. I hope someone can.