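I want both pods to not use TLS, because the one that uses it fails. It fails because my OpenTelemetry does not support TLS. Any idea how to force the other pod not to use TLS?
For example, this is the one that fails: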
2024-02-16T20:44:27.819178Z debug envoy router external/envoy/source/common/router/router.cc:732 [Tags: "ConnectionId":"0","StreamId":"6709968225738804427"] router decoding headers:
':method', 'POST'
':path', '/opentelemetry.proto.collector.trace.v1.TraceService/Export'
':authority', 'opentelemetry-collector.istio-system.svc.cluster.local'
':scheme', 'http'
'te', 'trailers'
'content-type', 'application/grpc'
'x-envoy-internal', 'true'
'x-forwarded-for', '172.16.105.94'
thread=34
2024-02-16T20:44:27.819204Z debug envoy pool external/envoy/source/common/http/conn_pool_base.cc:78 queueing stream due to no available connections (ready=0 busy=0 connecting=0) thread=34
2024-02-16T20:44:27.819213Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:291 trying to create new connection thread=34
2024-02-16T20:44:27.819217Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:145 creating a new connection (connecting=0) thread=34
2024-02-16T20:44:27.819310Z debug envoy http2 external/envoy/source/common/http/http2/codec_impl.cc:1617 [Tags: "ConnectionId":"3097"] updating connection-level initial window size to 268435456 thread=34
2024-02-16T20:44:27.819322Z debug envoy connection external/envoy/source/common/network/connection_impl.h:98 [Tags: "ConnectionId":"3097"] current connecting state: true thread=34
2024-02-16T20:44:27.819327Z debug envoy client external/envoy/source/common/http/codec_client.cc:57 [Tags: "ConnectionId":"3097"] connecting thread=34
2024-02-16T20:44:27.819332Z debug envoy connection external/envoy/source/common/network/connection_impl.cc:1009 [Tags: "ConnectionId":"3097"] connecting to 172.16.77.76:4317 thread=34
2024-02-16T20:44:27.819413Z debug envoy connection external/envoy/source/common/network/connection_impl.cc:1028 [Tags: "ConnectionId":"3097"] connection in progress thread=34
2024-02-16T20:44:27.820496Z debug envoy connection external/envoy/source/common/network/connection_impl.cc:746 [Tags: "ConnectionId":"3097"] connectedthread=34
2024-02-16T20:44:27.820655Z debug envoy connection external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:241 [Tags: "ConnectionId":"3097"] remote address:172.16.77.76:4317,TLS_error:|268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:TLS_error_end thread=34
2024-02-16T20:44:27.820670Z debug envoy connection external/envoy/source/common/network/connection_impl.cc:278 [Tags: "ConnectionId":"3097"] closing socket: 0 thread=34
2024-02-16T20:44:27.820693Z debug envoy connection external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:241 [Tags: "ConnectionId":"3097"] remote address:172.16.77.76:4317,TLS_error:|268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:TLS_error_end:TLS_error_end thread=34
2024-02-16T20:44:27.820735Z debug envoy client external/envoy/source/common/http/codec_client.cc:107 [Tags: "ConnectionId":"3097"] disconnect. resetting 0 pending requests thread=34
2024-02-16T20:44:27.820748Z debug envoy pool external/envoy/source/common/conn_pool/conn_pool_base.cc:484 [Tags: "ConnectionId":"3097"] client disconnected, failure reason: TLS_error:|268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:TLS_error_end:TLS_error_end thread=34
2024-02-16T20:44:27.820761Z debug envoy router external/envoy/source/common/router/router.cc:1323 [Tags: "ConnectionId":"0","StreamId":"6709968225738804427"] upstream reset: reset reason: remote connection failure, transport failure reason: TLS_error:|268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:TLS_error_end:TLS_error_end thread=34
When I make a curl request to OpenTelemetry using https, I receive the same message:
istio-proxy@istio-ingressgateway:/$ curl -i https://172.16.77.76:4318/v1/traces
curl: (35) error:0A00010B:SSL routines::wrong version number
istio-proxy@istio-ingressgateway:/$
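OK, the problem here was that in the namespace of the pod that goes to OpenTelemetry over SSL, there was an Istio destination rule with the following traffic policy:
tls:
  mode: ISTIO_MUTUAL
I just changed it to:
tls:
  mode: DISABLE
After this, the pod no longer uses SSL to go to the OpenTelemetry collector.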
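A way to confirm from the sidecar log which upstreams are affected, as an added example that is not part of the original post: it pairs each ConnectionId's "connecting to" line with its TLS_error lines and lists the upstreams that failed with WRONG_VERSION_NUMBER, the error a TLS client typically reports when the peer answers in plaintext. The sample lines are constructed (abridged from the log format above), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the shape of the Envoy debug log above.
# Connection 3098 and its address 10.0.0.5:8080 are invented for contrast.
SAMPLE_LOG = """\
2024-02-16T20:44:27.819332Z debug envoy connection connection_impl.cc:1009 [Tags: "ConnectionId":"3097"] connecting to 172.16.77.76:4317 thread=34
2024-02-16T20:44:27.820655Z debug envoy connection ssl_socket.cc:241 [Tags: "ConnectionId":"3097"] remote address:172.16.77.76:4317,TLS_error:|268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:TLS_error_end thread=34
2024-02-16T20:44:27.820761Z debug envoy router router.cc:1323 [Tags: "ConnectionId":"0","StreamId":"1"] upstream reset: reset reason: remote connection failure, transport failure reason: TLS_error:|268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:TLS_error_end thread=34
2024-02-16T20:44:28.100000Z debug envoy connection connection_impl.cc:1009 [Tags: "ConnectionId":"3098"] connecting to 10.0.0.5:8080 thread=34
2024-02-16T20:44:28.101000Z debug envoy connection connection_impl.cc:746 [Tags: "ConnectionId":"3098"] connected thread=34
"""

CONN_ID = re.compile(r'"ConnectionId":"(\d+)"')
CONNECTING = re.compile(r"connecting to (\S+:\d+)")
TLS_ERROR = re.compile(r"TLS_error:\|\d+:SSL routines:[^:]*:([A-Z_0-9]+)")


def tls_failures(log_text):
    """Map each upstream 'ip:port' to the TLS error names seen on its connections."""
    upstream_of = {}                # ConnectionId -> upstream address
    errors_of = defaultdict(set)    # ConnectionId -> TLS error names
    for line in log_text.splitlines():
        conn = CONN_ID.search(line)
        if not conn:
            continue
        cid = conn.group(1)
        target = CONNECTING.search(line)
        if target:
            upstream_of[cid] = target.group(1)
        errors_of[cid].update(TLS_ERROR.findall(line))
    failures = defaultdict(set)
    for cid, errors in errors_of.items():
        # Router lines repeat the error under the downstream connection id,
        # which has no "connecting to" line, so they are skipped here.
        if errors and cid in upstream_of:
            failures[upstream_of[cid]] |= errors
    return dict(failures)


def plaintext_upstreams(log_text):
    """Upstreams where the proxy originated TLS but the peer did not speak TLS."""
    return sorted(addr for addr, errs in tls_failures(log_text).items()
                  if "WRONG_VERSION_NUMBER" in errs)


if __name__ == "__main__":
    for addr in plaintext_upstreams(SAMPLE_LOG):
        print(f"{addr}: TLS originated by the sidecar, peer answered without TLS")
```

Each address it reports is a destination whose traffic policy and listener disagree about TLS, which is the mismatch the destination rule change above resolved.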