How to make Redis work with mTLS enabled Istio cluster?

1
votes

Summary

I have a simple Istio enabled k8s cluster consists of only:

  • A Java web server.
  • A Redis master instance.

Normally, the web server can read and write from Redis. However, Kiali shows a disconnected graph similar to (https://kiali.io/documentation/latest/faq/#disconnected-tcp). As a result, I tried to explicitly turn on mTLS by using STRICT mode. However, Kiali seems to continue to show disconnected graph

Set up:

  • Kubernetes version 1.18.0
  • Minikube version 1.18.0
  • Istio version 1.9 
$ istioctl install --set profile=demo -y
$ kubectl apply -f samples/addons
  • Java Server code snippet (redis.clients.jedis.Jedis)
Jedis redis = new Jedis("redis-master");
redis.set(key, value);
  • mTLS
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
spec:
  mtls:
    mode: STRICT

Questions

  • My understanding is that by default, mTLS should have been turned on by default. Is this not the case for non-HTTP TCP traffic?
  • Is there anything special I need to do to enable mTLS for non-HTTP TCP traffic? (e.g. change the port on the Service to 443 from 6379? Set up a VirtualService?).
1
kubernetesredisistiomtls
Have you configured redis as mentioned in the istio documentation?Jakub

1 Answers

0
votes

According to istio documentation you have to configure redis to make it work with istio.

Similar to other services deployed in an Istio service mesh, Redis instances need to listen on 0.0.0.0. However, each Redis slave instance should announce an address that can be used by master to reach it, which cannot also be 0.0.0.0.

Use the Redis configuration parameter replica-announce-ip to announce the correct address. For example, set replica-announce-ip to the IP address of each Redis slave instance using these steps:

Pass the pod IP address through an environment variable in the env subsection of the slave StatefulSet definition:

- name: "POD_IP"
  valueFrom:
    fieldRef:
      fieldPath: status.podIP

Also, add the following under the command subsection:

echo "" >> /opt/bitnami/redis/etc/replica.conf
echo "replica-announce-ip $POD_IP" >> /opt/bitnami/redis/etc/replica.conf