istio: SSL Error Between Sidecar Service and Kafka

This is my scenario:

  • AWS Kubernetes 1.7.2
  • Istio 0.6
  • Kafka Stream Application
  • Kafka Cluster (with SSL and SASL enabled)

I installed Istio Auth in the istio-system namespace and so far it is ok. I deployed a Kafka cluster (3 brokers) in another namespace (test) with the configuration for SSL and SASL, without a sidecar. I deployed a Kafka Stream application with a sidecar in the same namespace as Kafka (test) with istio kube-inject; the installation is ok and the sidecar is attached correctly, but when the Kafka producer tries to connect to the Kafka cluster it gets this error:

    [kafka-admin-client-thread | adminclient-1] WARN org.apache.kafka.clients.NetworkClient - [AdminClient clientId=adminclient-1] Connection to node 0 terminated during authentication. This may indicate that authentication failed due to invalid credentials.
    [kafka-admin-client-thread | adminclient-1] WARN org.apache.kafka.common.network.SslTransportLayer - Failed to send SSL Close message
    java.io.IOException: Broken pipe
        at sun.nio.ch.FileDispatcherImpl.write0(Native Method)
        at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47)
        at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93)
        at sun.nio.ch.IOUtil.write(IOUtil.java:65)
        at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:471)
        at org.apache.kafka.common.network.SslTransportLayer.flush(SslTransportLayer.java:212)
        at org.apache.kafka.common.network.SslTransportLayer.close(SslTransportLayer.java:170)
        at org.apache.kafka.common.utils.Utils.closeAll(Utils.java:703)
        at org.apache.kafka.common.network.KafkaChannel.close(KafkaChannel.java:61)
        at org.apache.kafka.common.network.Selector.doClose(Selector.java:717)
        at org.apache.kafka.common.network.Selector.close(Selector.java:708)
        at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:500)
        at org.apache.kafka.common.network.Selector.poll(Selector.java:398)
        at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:460)
        at org.apache.kafka.clients.admin.KafkaAdminClient$AdminClientRunnable.run(KafkaAdminClient.java:1006)

I tried to exclude the kafka service in the istio config-map:

    # Edit this list to avoid using mTLS to connect to these services.
    # Typically, these are control services (e.g kubernetes API server) that don't have Istio sidecar
    # to transparently terminate mTLS authentication.
    mtlsExcludedServices: ["kubernetes.default.svc.cluster.local","kafka-csvc.dev.svc.cluster.local"]

Without the sidecar it works well. I would like to exclude the Kafka cluster from the Envoy proxy, or something like that. Any help is appreciated. Thanks
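The mtlsExcludedServices list only helps if its entries are the fully qualified service hostnames the client actually dials. The config-map fragment above lists kafka-csvc in the dev namespace while the Kafka cluster and the client live in test, and the log's "node 0" is a broker id learned from cluster metadata, so the client is also dialing each broker's advertised host rather than only the bootstrap name. The script below is an added example (not code from the issue or from Istio): it parses a mesh-config fragment, normalizes the hostnames a Kafka client was given (short name, name.namespace, or full FQDN) to the svc.cluster.local form, and reports which dialed addresses are covered by the exclusion list. The config text, the client namespace "test", the bootstrap and per-broker hostnames, and the port 9093 are constructed for the example. Note that, as the maintainer comment below says, mTLS exclusion for pods behind a headless service may not take effect at all in this Istio version, so a "covered" result for a per-pod hostname is a necessary check, not a sufficient one.

```python
"""Check whether an Istio mesh-config mtlsExcludedServices list covers the
hosts a Kafka client dials.  Added example; not code from the issue."""
import json
import re

CLUSTER_DOMAIN = "cluster.local"

# Constructed sample: the config-map fragment quoted in the issue.
SAMPLE_MESH_CONFIG = """\
# Edit this list to avoid using mTLS to connect to these services.
# Typically, these are control services (e.g kubernetes API server) that don't have Istio sidecar
# to transparently terminate mTLS authentication.
mtlsExcludedServices: ["kubernetes.default.svc.cluster.local","kafka-csvc.dev.svc.cluster.local"]
"""

# Constructed sample: what a client in namespace "test" might dial.  The
# bootstrap short name, the FQDN the OP listed, and a per-broker hostname
# of the kind a StatefulSet behind a headless service advertises (hypothetical).
SAMPLE_CLIENT_NAMESPACE = "test"
SAMPLE_DIALED = [
    "kafka-csvc:9093",
    "kafka-csvc.dev.svc.cluster.local:9093",
    "kafka-0.kafka-hsvc.test.svc.cluster.local:9093",
]


def parse_excluded_services(mesh_config):
    """Return the lower-cased hostnames from the mtlsExcludedServices line.

    The value is a JSON-style list on a single line, as in the issue."""
    m = re.search(r"^\s*mtlsExcludedServices:\s*(\[.*\])\s*$", mesh_config, re.M)
    if not m:
        return []
    return [h.strip().lower() for h in json.loads(m.group(1))]


def to_fqdn(host, namespace, domain=CLUSTER_DOMAIN):
    """Expand a Kubernetes service name as a client might write it to its FQDN.

    kafka-csvc            -> kafka-csvc.<namespace>.svc.<domain>
    kafka-csvc.test       -> kafka-csvc.test.svc.<domain>
    kafka-csvc.test.svc   -> kafka-csvc.test.svc.<domain>
    already-qualified names (service or pod DNS) are returned unchanged."""
    host = host.lower().rstrip(".")
    if host.endswith(".svc." + domain):
        return host
    labels = host.split(".")
    if len(labels) == 1:
        return "%s.%s.svc.%s" % (host, namespace, domain)
    if len(labels) == 2:
        return "%s.svc.%s" % (host, domain)
    if labels[-1] == "svc":
        return "%s.%s" % (host, domain)
    return host  # not a cluster-local service name; leave as-is


def split_host_port(addr):
    """Split 'host:port' into (host, port); port is None when absent."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return addr, None
    return host, int(port)


def check_exclusions(mesh_config, client_namespace, dialed_addrs):
    """Map each dialed address to True if its FQDN is in the exclusion list."""
    excluded = set(parse_excluded_services(mesh_config))
    report = {}
    for addr in dialed_addrs:
        host, _port = split_host_port(addr)
        report[addr] = to_fqdn(host, client_namespace) in excluded
    return report


if __name__ == "__main__":
    for addr, covered in check_exclusions(
        SAMPLE_MESH_CONFIG, SAMPLE_CLIENT_NAMESPACE, SAMPLE_DIALED
    ).items():
        print("%-50s %s" % (addr, "excluded" if covered else "NOT excluded"))
```

Run against the sample, only the dev FQDN is reported as excluded; the short name the client in test would normally use resolves to kafka-csvc.test.svc.cluster.local, which is not in the list, and neither is the per-broker hostname.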

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 20 (8 by maintainers)

Most upvoted comments

Ah, mTLS does not work well with stateful / headless services yet.