Istio - access external DB (TCP) with DNS name

10/5/2020

I want to access an external DB which is exposed on some IP: 10.48.100.124 (there is no DNS name associated with this IP) with port 3306. I have created a ServiceEntry:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: csd-database
  namespace: testnam-dev
spec:
  hosts:
    - csd-database
  addresses:
    - 10.48.100.124/32
  exportTo:
    - "."
  ports:
    - number: 3306
      name: tcp
      protocol: TCP
  location: MESH_EXTERNAL
  resolution: STATIC
  endpoints:
    - address: 10.48.100.124
      ports:
        tcp: 3306

And it works OK if I try to connect via IP (10.48.100.124) inside the cluster. But I want to expose this service (inside the k8s/Istio cluster) with a DNS name, so I have created a VirtualService:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: csd-database
  namespace: testnam-dev
spec:
  hosts:
    - csd-database
  gateways:
    - ingresgateway
  tcp:
    - route:
        - destination:
            host: csd-database

But I'm not able to connect to host: csd-database. Also telnet is unable to connect to csd-database on port 3306. How can I expose a ServiceEntry with a DNS name inside the cluster?

The DB doesn't have a DNS name (externally); it has only an IP address. So the DB is accessible only on 10.48.100.124:3306.

-- lukisp
istio
kubernetes

1 Answer

10/6/2020

TL;DR: Your ServiceEntry is currently configured to resolve by static IP address.

Change:

resolution: STATIC

to

resolution: DNS

According to the Istio documentation:

ServiceEntry.Resolution

Resolution determines how the proxy will resolve the IP addresses of the network endpoints associated with the service, so that it can route to one of them. The resolution mode specified here has no impact on how the application resolves the IP address associated with the service. The application may still have to use DNS to resolve the service to an IP so that the outbound traffic can be captured by the Proxy. Alternatively, for HTTP services, the application could directly communicate with the proxy (e.g., by setting HTTP_PROXY) to talk to these services.

NONE - Assume that incoming connections have already been resolved (to a specific destination IP address). Such connections are typically routed via the proxy using mechanisms such as IP table REDIRECT/ eBPF. After performing any routing related transformations, the proxy will forward the connection to the IP address to which the connection was bound.

STATIC - Use the static IP addresses specified in endpoints (see below) as the backing instances associated with the service.

DNS - Attempt to resolve the IP address by querying the ambient DNS, during request processing. If no endpoints are specified, the proxy will resolve the DNS address specified in the hosts field, if wildcards are not used. If endpoints are specified, the DNS addresses specified in the endpoints will be resolved to determine the destination IP address. DNS resolution cannot be used with Unix domain socket endpoints.

-- Piotr Malec
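As an added check (not code from the question, the answer or Istio itself), the helper below applies the NONE / STATIC / DNS rules quoted above to the question's ServiceEntry, so you can see which targets the sidecar will route to before and after the STATIC -> DNS change and which combinations the documentation rules out (wildcard hosts without endpoints, Unix domain socket endpoints). The manifest is embedded as constructed Python data rather than YAML to avoid a parser dependency; explain_resolution and with_resolution are names of my own.

```python
import ipaddress
from copy import deepcopy

# Constructed input: the question's ServiceEntry as a YAML loader would return it.
SERVICE_ENTRY = {"kind": "ServiceEntry", "metadata": {"name": "csd-database", "namespace": "testnam-dev"},
    "spec": {"hosts": ["csd-database"], "addresses": ["10.48.100.124/32"],
             "ports": [{"number": 3306, "name": "tcp", "protocol": "TCP"}],
             "location": "MESH_EXTERNAL", "resolution": "STATIC",
             "endpoints": [{"address": "10.48.100.124", "ports": {"tcp": 3306}}]}}

def is_ip(addr):
    try:
        return bool(ipaddress.ip_address(addr))
    except ValueError:
        return False

def explain_resolution(se):
    """Apply the ServiceEntry.Resolution rules to one manifest: mode, proxy targets, invalid settings."""
    spec = se["spec"]
    mode, hosts = spec.get("resolution", "NONE"), spec.get("hosts", [])
    endpoints = [e["address"] for e in spec.get("endpoints", [])]
    # Whatever the mode, the application must still turn a non-IP host into an IP that
    # the sidecar captures (here one inside 'addresses'); the mode does not do that for it.
    out = {"mode": mode, "targets": [], "errors": [],
           "app_dns_needed": any(not is_ip(h) for h in hosts)}
    if mode == "NONE":        # proxy forwards to the IP the app already connected to
        out["targets"] = ["<original destination IP>"]
    elif mode == "STATIC":    # only literal IPs listed in endpoints are usable
        out["targets"] = [a for a in endpoints if is_ip(a)]
        out["errors"] += [f"STATIC endpoint is not an IP: {a}" for a in endpoints if not is_ip(a)]
        out["errors"] += ["STATIC needs at least one endpoint"] if not endpoints else []
    elif mode == "DNS":       # endpoints are resolved if present, else non-wildcard hosts
        uds = [a for a in endpoints if a.startswith("unix://")]
        out["errors"] += [f"DNS cannot use Unix domain socket endpoint: {a}" for a in uds]
        if endpoints:
            names = [a for a in endpoints if a not in uds]
        else:
            names = [h for h in hosts if "*" not in h]
            out["errors"] += [f"DNS cannot resolve wildcard host without endpoints: {h}"
                              for h in hosts if "*" in h]
        out["targets"] = [f"dns:{n}" for n in names]   # looked up at request time
    else:
        out["errors"].append(f"unknown resolution mode: {mode}")
    return out

def with_resolution(se, mode):
    """Copy of the manifest with spec.resolution replaced (the answer's STATIC -> DNS edit)."""
    out = deepcopy(se)
    out["spec"]["resolution"] = mode
    return out
```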
Source: StackOverflow