How to assign a static IP address to a service in a Service Mesh ServiceEntry

Solution Verified - Updated -

Environment

  • Red Hat OpenShift Service on AWS (ROSA)
    • 4

Issue

  • How to assign a static IP address to a service in a Service Mesh ServiceEntry
  • How to test whether the static IP address was set successfully

Resolution

  • Set resolution to STATIC and define hosts and endpoints in the ServiceEntry:

    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: httpbin.org
    spec:
      endpoints:
      - address: xx.xxx.xxx.xxx   # IP address for the host
      hosts:
      - xxxxxxx.org   # Hostname of the external service
      ports:
      - number: 443
        name: https
        protocol: HTTPS
      - number: 80
        name: http
        protocol: HTTP
      resolution: STATIC  # STATIC resolution
      location: MESH_EXTERNAL

  • To test the setting, see Diagnostic Steps

Root Cause

Diagnostic Steps

  • Use a service mesh application to test the ServiceEntry

    • Change outboundTrafficPolicy to REGISTRY_ONLY in ServiceMesh

    • Check the application pod name

      $ oc get pods
        NAME                          READY   STATUS    RESTARTS   AGE
        backend-v1-989b77d99-9rwsg    2/2     Running   0          109m
        frontend-v1-f5cfbdbfb-7v2sg   2/2     Running   0          102m
      
    • Execute curl to httpbin.org inside the pod to show that outbound traffic to the external system is blocked (response 503)

        $ oc exec -it backend-v1-989b77d99-9rwsg  -- /bin/bash
        Defaulted container "backend" out of: backend, istio-proxy
        [1001170000@backend-v1-989b77d99-9rwsg ~]$ curl -k -v httpbin.org
        * Rebuilt URL to: httpbin.org/
        *   Trying 44.205.81.225...
        * TCP_NODELAY set
        * Connected to httpbin.org (44.205.81.225) port 80 (#0)
        > GET / HTTP/1.1
        > Host: httpbin.org
        > User-Agent: curl/7.61.1
        > Accept: */*
        >
        < HTTP/1.1 503 Service Unavailable
        < content-length: 91
        < content-type: text/plain
        < date: Sun, 11 Jun 2023 10:12:29 GMT
        < server: envoy
        <
        * Connection #0 to host httpbin.org left intact
      
    • Create the ServiceEntry in the service mesh

        apiVersion: networking.istio.io/v1alpha3
        kind: ServiceEntry
        metadata:
          name: httpbin.org
        spec:
          endpoints:
          - address: 18.210.207.182  # Obtained by running curl -k -v httpbin.org from a PC that has internet access
          hosts:
          - httpbin.org
          ports:
          - number: 443
            name: https
            protocol: HTTPS
          - number: 80
            name: HTTP
            protocol: HTTP
          resolution: STATIC 
          location: MESH_EXTERNAL
      
    • Check again using curl to httpbin.org inside the pod to show that outbound traffic to the external system is connected (response 200)

        $ oc exec -it backend-v1-989b77d99-9rwsg  -- /bin/bash
        Defaulted container "backend" out of: backend, istio-proxy
        [1001170000@backend-v1-989b77d99-9rwsg ~]$ curl -k -v httpbin.org
        * Rebuilt URL to: httpbin.org/
        *   Trying 18.210.207.182...
        * TCP_NODELAY set
        * Connected to httpbin.org (18.210.207.182) port 80 (#0)
        > GET / HTTP/1.1
        > Host: httpbin.org
        > User-Agent: curl/7.61.1
        > Accept: */*
        > 
        < HTTP/1.1 200 OK
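
An added example, not part of the original solution: with resolution: STATIC the sidecar uses the addresses listed under endpoints as the backends for the host, and the two transcripts above already show httpbin.org at two different addresses, so a pinned endpoint should be re-checked against DNS over time. The function names and the live-mode arguments are assumptions of this sketch; live mode needs `oc` and `getent`.

```shell
#!/usr/bin/env bash
# Added example: detect a ServiceEntry STATIC endpoint that the external host
# no longer resolves to. Function names are hypothetical, not Red Hat tooling.

# drift_check "<pinned addrs>" "<resolved addrs>" (whitespace-separated lists)
# Prints "STALE <addr>" for each pinned address missing from the resolved set.
# Returns 0 = all pinned addresses still resolve, 1 = drift, 2 = nothing pinned.
drift_check() {
  local pinned="$1" resolved="$2" addr stale=0
  if [ -z "$pinned" ]; then
    echo "no endpoint addresses found" >&2
    return 2
  fi
  for addr in $pinned; do
    # -x and -F: whole-line literal match, so 10.0.0.1 never matches 10.0.0.10
    if ! printf '%s\n' $resolved | grep -qxF -- "$addr"; then
      echo "STALE $addr"
      stale=1
    fi
  done
  return "$stale"
}

# Live helpers: addresses pinned in the ServiceEntry, and current IPv4 answers.
pinned_addresses() {   # args: <serviceentry name> <namespace>
  oc get serviceentry "$1" -n "$2" -o jsonpath='{.spec.endpoints[*].address}'
}
resolved_addresses() { # arg: <hostname>; run where DNS for the host works
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

if [ "$#" -eq 3 ]; then
  # Live mode: ./check.sh <serviceentry> <namespace> <hostname>
  drift_check "$(pinned_addresses "$1" "$2")" "$(resolved_addresses "$3")"
else
  # Constructed sample built from the two addresses shown on this page.
  drift_check "18.210.207.182" "44.205.81.225" \
    || echo "pinned endpoint is not among the currently resolved addresses"
fi
```

A STALE result means the ServiceEntry should be reviewed before the pinned address is trusted again; curl -k in the diagnostic steps skips certificate validation, so it will not reveal that an address has changed hands.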
      

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
