Moshe Elisha created FLINK-28171:
------------------------------------
Summary: Adjust Job and Task manager port definitions to work with
Istio+mTLS
Key: FLINK-28171
URL: https://issues.apache.org/jira/browse/FLINK-28171
Project: Flink
Issue Type: Improvement
Components: Deployment / Kubernetes
Affects Versions: 1.14.4
Environment: flink-kubernetes-operator 1.0.0
Flink 1.14-java11
Kubernetes v1.19.5
Istio 1.7.6
Reporter: Moshe Elisha
Hello,
We are launching Flink deployments using the [Flink Kubernetes
Operator|https://nightlies.apache.org/flink/flink-kubernetes-operator-docs-stable/]
on a Kubernetes cluster with Istio and mTLS enabled.
We found that the TaskManager is unable to communicate with the JobManager on
the jobmanager-rpc port:
{{2022-06-15 15:25:40,508 WARN akka.remote.ReliableDeliverySupervisor
[] - Association with remote system
[akka.tcp://[flink@amf-events-to-inference-and-central.nwdaf-edge|mailto:flink@amf-events-to-inference-and-central.nwdaf-edge]:6123]
has failed, address is now gated for [50] ms. Reason: [Association failed with
[akka.tcp://[flink@amf-events-to-inference-and-central.nwdaf-edge|mailto:flink@amf-events-to-inference-and-central.nwdaf-edge]:6123]]
Caused by: [The remote system explicitly disassociated (reason unknown).]}}
The reason for the issue is that the JobManager service port definitions are
not following the Istio guidelines
[https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/]
(see example below).
There was also an email discussion around this topic in the users mailing group
under the subject "Flink Kubernetes Operator with K8S + Istio + mTLS - port
definitions".
With the help of the community, we were able to work around the issue but it
was very hard and forced us to skip Istio proxy which is not ideal.
We would like you to consider changing the default port definitions, either
# Rename the ports – I understand it is Istio specific guideline but maybe it
is better to at least be aligned with one (popular) vendor guideline instead of
none at all.
# Add the “appProtocol” property[1] that is not specific to any vendor but
requires Kubernetes >= 1.19 where it was introduced as beta and moved to stable
in >= 1.20. The option to add appProtocol property was added only in
[https://github.com/fabric8io/kubernetes-client/releases/tag/v5.10.0] with
[#3570|https://github.com/fabric8io/kubernetes-client/issues/3570].
# Or allow a way to override the defaults.
[https://kubernetes.io/docs/concepts/services-networking/_print/#application-protocol]
{{# k get service inference-results-to-analytics-engine -o yaml}}
{{apiVersion: v1}}
{{kind: Service}}
{{...}}
{{spec:}}
{{ clusterIP: None}}
{{ ports:}}
{{ - name: jobmanager-rpc *# should start with “tcp-“ or add "appProtocol"
property*}}
{{ port: 6123}}
{{ protocol: TCP}}
{{ targetPort: 6123}}
{{ - name: blobserver *# should start with "tcp-" or add "appProtocol"
property*}}
{{ port: 6124}}
{{ protocol: TCP}}
{{ targetPort: 6124}}
{{...}}
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
