The ratings-v2 service fails to work for MongoDB

#1

I am following example for TCP authorization for MongoDB https://istio.io/docs/tasks/security/authz-tcp/

I carefully followed each step but even after defining Destination Rules, VS, Service Role and Service Role binding, the productpage still shows Rating service is currently unavailable.

The output from istioctl authn tls-check for ratings-v2 is as follows - which shows OK.

# istioctl authn tls-check ratings-v2-54f78f7c8c-2b22l | grep -i ratings
ratings.istio-lab.svc.cluster.local:9080                            OK           mTLS          mTLS       default/istio-lab                            ratings/istio-lab

But when I try to see ratings-v2 relationship with mongodb.

istioctl authn tls-check ratings-v2-54f78f7c8c-2b22l | grep -i mongodb
mongodb.istio-lab.svc.cluster.local:27017                           CONFLICT     mTLS          HTTP       default/istio-lab                            -

What is the reason that mongodb service is at conflict with ratings-v2 and how could I correct this? This looks like a possible case as why Ratings does not show on the roductpage.

Help is appreciated.

#2

@YangminZhu
could you help take a look?

#3

I just tried the task and didn’t encounter any problems. Could you clarify after which step you find unexpected result?

From your istioctl authn tls-check output, The word HTTP means you didn’t enable mTLS for the MongoDB service, this shouldn’t happen for this task as it requires to enable mTLS in the beginning of the task.

Could you double check whether you have enabled mTLS in the cluster as required in the Before you begin, Thanks.

#4

Hi Yangmin - Thanks for your reply. Actually - istioctl authn tls-check was the clue why it did not work. I noticed that the example did not have mongodb destination rule defined - or if it was there - I might have missed it.

After I defined the destination rule for MongoDB - it then worked fine.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mongodb
spec:
  host: mongodb.istio-lab.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
#5

Glad it works. The task shouldn’t need the dedicated destination rule for MongoDB as is uses the default destination rule when mTLS is enabled in the cluster, you might need this destination rule when it’s not the default setting.