|
| 1 | +# Istio Issues |
| 2 | + |
| 3 | +This KB is here for listing issues where the ClickHouse Operator is installed on a cluster where Istio is used. |
| 4 | + |
| 5 | +## What is Istio? |
| 6 | + |
| 7 | +Per documentation on [Istio Project's website](https://istio.io/latest/docs/overview/what-is-istio/), Istio is "an open source service mesh that layers transparently onto existing distributed applications. Istio’s powerful features provide a uniform and more efficient way to secure, connect, and monitor services. Istio is the path to load balancing, service-to-service authentication, and monitoring – with few or no service code changes." |
| 8 | + |
| 9 | +Istio works quite well at providing this functionality, and does so through controlling service-to-service communication in a Cluster, find-grained control of traffic behavior, routing rules, load-balancing, a policy layer and configuration API supporting access controls, rate limiting, etc. |
| 10 | + |
| 11 | +It also provides metrics about all traffic in a cluster. One can get an amazing amount of metrics from it. Datadog even has a provider that when turned on is a bit like a firehose of information. |
| 12 | + |
| 13 | +Istio essentially uses a proxy to intercapt all network traffic and provides the ability to configured for providing a appliction-aware features. |
| 14 | + |
| 15 | +## ClickHouse and Istio |
| 16 | + |
| 17 | +The implications for ClickHouse need to be taken into consideration however, and this page will attempt to address this from real-life scenarios that Altinity devops, infrastructural, and support engineers have had to solve. |
| 18 | + |
| 19 | +### Operator High Level Description |
| 20 | + |
| 21 | +The Altinity ClickHouse Operator, when installed using a deployment, also creates four custom resources: |
| 22 | + |
| 23 | +- clickhouseinstallations.clickhouse.altinity.com (chi) |
| 24 | +- clickhousekeeperinstallations.clickhouse-keeper.altinity.com (chk) |
| 25 | +- clickhouseinstallationtemplates.clickhouse.altinity.com (chit) |
| 26 | +- clickhouseoperatorconfigurations.clickhouse.altinity.com (chopconf) |
| 27 | + |
| 28 | +For the first two, it uses StatefullSets to run both Keeper and and ClickHouse clusters. For Keeper, it manages how many replicas specified, and for ClickHouse, it manages both how many replicas and shards are specified. |
| 29 | + |
| 30 | +In managing `ClickHouseInstallations`, it requires that the operator can interact with the database running on clusters it creates using a specific `clickhouse_operator` user and needs network access rules that allow connection to the ClickHouse pods. |
| 31 | + |
| 32 | +Many of the issues with Istio can pertain to issues where this can be a problem, particularly in the case where the IP address of the Operator pod changes and no longer is allowed to connect to it's ClickHouse clusters that it manages. |
| 33 | + |
| 34 | +### Issue: Authentication error of clickhouse-operator |
| 35 | + |
| 36 | +This was a ClickHouse cluster running in a Kubernetes setup with Istio. |
| 37 | + |
| 38 | +- The clickhouse operator was unable to query the clickhouse pods because of authentication errors. After a period of time, the operator gave up yet the ClickHouse cluster (ClickHouseInstallation) worked normally. |
| 39 | +- Errors showed `AUTHENTICATION_FAILED` and `connections from :ffff:127.0.0.6 are not allowed` as well as `IP_ADDRESS_NOT_ALLOWED` |
| 40 | +- Also, the `clickhouse_operator` user correctly configured |
| 41 | +- There was a recent issue that on the surface looked similar to a recent issue with https://altinity.com/blog/deepseek-clickhouse-and-the-altinity-kubernetes-operator (disabled network access for default user due to issue with DeepSeek) and one idea seemed as if upgrading the operator (which would fix the issue if it were default user). |
| 42 | +- However, the key to this issue is that the problem was with the `clickhouse_operator` user, not `default` user, hence not due to the aforementioned issue. |
| 43 | +- More consiration was given in light of how Istio effects what services can connect which made it more obvious that it was an issue with using Istio in the operator vs. operator version |
| 44 | +- The suggestion was given to remove istio from the clickhouse operator `ClickHouseInstallation` and references this issue https://github.com/Altinity/clickhouse-operator/issues/1261#issuecomment-1797895080 |
| 45 | +- The change required would be something of the sort: |
| 46 | + |
| 47 | +```yaml |
| 48 | +--- |
| 49 | + |
| 50 | +apiVersion: apps/v1 |
| 51 | +kind: Deployment |
| 52 | +metadata: |
| 53 | + name: clickhouse-operator |
| 54 | +spec: |
| 55 | + template: |
| 56 | + metadata: |
| 57 | + annotations: |
| 58 | + sidecar.istio.io/inject: "false" |
| 59 | + |
| 60 | +--- |
| 61 | + |
| 62 | +apiVersion: [clickouse.altinity.com/v1](http://clickouse.altinity.com/v1) |
| 63 | +kind: ClickHouseInstallation |
| 64 | +metadata: |
| 65 | + name: your-chi |
| 66 | + annotations: |
| 67 | + sidecar.istio.io/inject: "false" |
| 68 | + |
| 69 | +``` |
| 70 | + |
0 commit comments