service in a pod(envoy proxy enabled) cannot connect to redis pod

Question

Step 1. I deployed redis without envoy sidecar. https://github.com/kubernetes/charts/tree/master/stable/redis

When running a regis-cli in another pod which does not have envoy, redis connection working ok. => Proved redis itself functions.

Step 2. Deployed a service in another pod which has envoy sidecar inject.

When trying to connect from the service to redis, the connection is not able to set up.

spec: destination: service: "*" ports: - port: 6379 protocol: redis

Does anyone have suggestions/ideas?

Answer 1

you ll have to create service entry to connect redis from your envoy enabled service as shown below

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc-redis
spec:
  hosts:
    - "REDIS_ENDPOINT"
location: MESH_EXTERNAL
ports:
  - number: 6379
    name: http
    protocol: REDIS
resolution: NONE

$ kubectl apply -f external-svc-redis.yaml

Answer 2

If you use Istio 0.3.0, the problem you are experiencing was fixed by this PR https://github.com/istio/istio/pull/1915 . In Istio 0.4.0, this problem does not exist.

Alternatively, clone https://github.com/kubernetes/charts/tree/master/stable/redis and edit https://github.com/kubernetes/charts/blob/master/stable/redis/templates/svc.yaml#L24 - change the name of the port to be "tcp" instead of "redis".

Answer 3

Did you maybe set up istio with mutual TLS enabled?
That could explain why you are not able to connect to the redis pod (not part of the mesh) from a pod that is in the mesh. This is because the sidecar on the pod that is trying to connect to redis would expect TLS communication which is not given.