
Problem description

We are moving our services to run with the Istio service mesh v1.9.3. I'm having a problem with my OpenLDAP instances: they cannot be reached from other pods. We have Istio mutual TLS enabled and the sidecar is auto-injected. Also, when we disable the sidecar for the OpenLDAP deployment, it is able to connect.

Here are the Service and Deployment manifests:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: openldap
  namespace: [REDACTED]
  labels:
    app: openldap
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openldap
  template:
    metadata:
      labels:
        app: openldap
        version: v1
    spec:
      imagePullSecrets:
      - name: [REDACTED]
      containers:
      - name: openldap
        image: [REDACTED]
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 1636
        env:
        - name: DOMAIN
          value: [REDACTED]
        - name: PASSWORD
          value: [REDACTED]
---
apiVersion: v1
kind: Service
metadata:
  name: openldap
  namespace: [REDACTED]
spec:
  selector:
    app: openldap
  ports:
    - name: tcp
      protocol: TCP
      port: 1636

If I make two deployments, one with a sidecar and one without, I get the following results:

with sidecar -> without sidecar = success
without sidecar -> with sidecar = failure

Service information:

[REDACTED]   openldap     ClusterIP   10.110.0.44   <none>   1636/TCP
[REDACTED]   openldap-1   ClusterIP   10.96.190.47  <none>   1636/TCP

With sidecar -> without sidecar, verbose output

ldapsearch -h openldap-1 -p 1636 -b "[REDACTED]" -D "[REDACTED]" -w "[REDACTED]" -d1
ldap_create
ldap_url_parse_ext(ldap://openldap-1:1636)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP openldap-1:1636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.96.190.47:1636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 54 bytes to sd 3
ldap_result ld 0x7fc75cc54700 msgid 1
wait4msg ld 0x7fc75cc54700 msgid 1 (infinite timeout)
wait4msg continue ld 0x7fc75cc54700 msgid 1 all 1
** ld 0x7fc75cc54700 Connections:
* host: openldap-1  port: 1636  (default)
  refcnt: 2  status: Connected
  last used: Fri Apr 23 15:49:31 2021


** ld 0x7fc75cc54700 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fc75cc54700 request count 1 (abandoned 0)
** ld 0x7fc75cc54700 Response Queue:
   Empty
  ld 0x7fc75cc54700 response count 0
ldap_chkResponseList ld 0x7fc75cc54700 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fc75cc54700 NULL
ldap_int_select
read1msg: ld 0x7fc75cc54700 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x7fc75cc54700 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7fc75cc54700 0 new referrals
read1msg:  mark request completed, ld 0x7fc75cc54700 msgid 1
request done: ld 0x7fc75cc54700 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
... Results ...

Without sidecar -> with sidecar, verbose output

ldapsearch -h openldap-1 -p 1636 -b "[REDACTED]" -D "[REDACTED]" -w "[REDACTED]" -d1
ldap_create
ldap_url_parse_ext(ldap://openldap:1636)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP openldap:1636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.110.0.44:1636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 54 bytes to sd 3
ldap_result ld 0x7ff6d7921700 msgid 1
wait4msg ld 0x7ff6d7921700 msgid 1 (infinite timeout)
wait4msg continue ld 0x7ff6d7921700 msgid 1 all 1
** ld 0x7ff6d7921700 Connections:
* host: openldap  port: 1636  (default)
  refcnt: 2  status: Connected
  last used: Fri Apr 23 15:47:27 2021


** ld 0x7ff6d7921700 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7ff6d7921700 request count 1 (abandoned 0)
** ld 0x7ff6d7921700 Response Queue:
   Empty
  ld 0x7ff6d7921700 response count 0
ldap_chkResponseList ld 0x7ff6d7921700 msgid 1 all 1
ldap_chkResponseList returns ld 0x7ff6d7921700 NULL
ldap_int_select
read1msg: ld 0x7ff6d7921700 msgid 1 all 1
ber_get_next
ldap_err2string
ldap_result: Can't contact LDAP server (-1)
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed

Based on this, it seems that requests coming in through the sidecar have some issue that causes the problem.

Does anyone know what is causing this?

Tags: istio, minikube, openldap
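The failure pattern in the traces above (TCP connect succeeds, then the very first read fails with "Can't contact LDAP server", and only when the server has a sidecar while the client does not) is consistent with a STRICT mTLS policy on the OpenLDAP workload: the inbound sidecar expects an mTLS handshake, receives a plaintext LDAP bind, and closes the connection. The following is an added example, not something from the post or its answers; it assumes the `app: openldap` label, container port 1636 and the redacted namespace from the manifest above, and shows the two ways the mismatch is normally resolved.

```yaml
# Added example, not from the original post. Assumes the workload label
# (app: openldap), container port 1636 and the namespace placeholder used in
# the Deployment above.
#
# Option A (preferred, keeps the workload mTLS-only): bring the client into the
# mesh so its own sidecar originates mTLS. Pod-template annotation on the
# client Deployment:
#
#   template:
#     metadata:
#       annotations:
#         sidecar.istio.io/inject: "true"
#
# Option B (only when the client cannot run a sidecar): keep STRICT for the
# workload as a whole but accept plaintext on the LDAP port alone. This lowers
# assurance on 1636, because any pod that can reach the Service may then
# connect without a workload identity, so pair it with an AuthorizationPolicy
# or a NetworkPolicy that limits who may reach the port.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: openldap-mtls
  namespace: "[REDACTED]"   # same namespace as the openldap Deployment
spec:
  selector:
    matchLabels:
      app: openldap
  mtls:
    mode: STRICT             # everything else on this workload stays mTLS-only
  portLevelMtls:
    1636:                    # the container port, not the Service port
      mode: PERMISSIVE       # accept both mTLS and plaintext LDAP on 1636
```

Before applying either option, `kubectl get peerauthentication -A` shows which policy currently applies to the namespace, and rerunning the `ldapsearch ... -d1` command from the post confirms whether the bind now receives a response.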
