
Alibaba Cloud Service Mesh:Why does the service authentication fail when business services in an ASM instance can access external databases?

Last Updated:Mar 14, 2024

The service authentication may fail even when business services in a Service Mesh (ASM) instance can access external databases. This topic describes the cause of this issue and provides solutions.

Problem description

You use an ASM instance of V1.10 or earlier. You want to use a business service, such as Service A, to access different external databases, and the authentication information used to log on to the databases is different. After you add Service A to the ASM instance and enable sidecar proxy injection for the pods that host Service A, you receive an error message that indicates an authentication failure when Service A attempts to access an external database.


Cause

You may have used a Service of the ExternalName type to add a CNAME record for a Transmission Control Protocol (TCP) database that is outside your Container Service for Kubernetes (ACK) cluster. An ExternalName Service only maps the domain name of the external database to a CNAME record; no IP address in the ACK cluster is assigned to that domain name. After Service A is added to the ASM instance, the sidecar proxy therefore routes requests from Service A to the external database based on the matched port alone. If two external databases are reached through the same port, requests that are intended for one database may be sent to the other. The authentication then fails because the two databases require different authentication information for logon.

Solutions

Solution 1: Update the version of the ASM instance

You can update the version of the ASM instance to V1.11 or later to resolve this issue. For more information, see the Procedure section of the Update an ASM instance topic.

Solution 2: Use service entries

You can create service entries in the ASM instance so that services in the instance can access the databases that are identified by the IP addresses specified in the service entries. You can also create service entries in a specific namespace. This way, service entries take effect only in the namespace.

  1. Log on to the ASM console.

  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

  4. On the details page of the ASM instance, choose Cluster & Workload Management > External Service(ServiceEntry). On the page that appears, click Create from YAML.

  5. On the Create page, select istio-system from the Namespace drop-down list, select a template, replace the content in the YAML code editor with the following code, and then click Create:

    apiVersion: networking.istio.io/v1beta1
    kind: ServiceEntry
    metadata:
      name: mysql-demo
    spec:
      addresses:
      - 172.1.xx.xx
      endpoints:
      - address: 172.1.xx.xx
      hosts:
      - test-mysql.com
      location: MESH_EXTERNAL
      ports:
      - name: tcp
        number: 3306
        protocol: TCP
      resolution: STATIC

    • addresses: the IP address of the database to be accessed.

    • number: the port of the database to be accessed.
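The following check is an added example and is not part of the ASM documentation or the ASM product. It builds ServiceEntry manifests as Python dictionaries (the host names and VIPs are constructed samples) and flags the situation described in the Cause section: two MESH_EXTERNAL TCP entries that share a port but have no addresses of their own, so the sidecar can only match them by port.

```python
# Added example (not from the ASM documentation): a lint for the collision
# described above. A sidecar routes plain TCP by destination IP:port, so a
# MESH_EXTERNAL TCP entry with no VIP in `addresses` is matched on the port
# alone ("0.0.0.0"); two such entries on one port collide, and traffic for
# one database can be delivered to the other.
from collections import defaultdict

def make_service_entry(name, host, port, addresses=None):
    """Build a MESH_EXTERNAL TCP ServiceEntry as a dict (constructed sample)."""
    spec = {"hosts": [host], "location": "MESH_EXTERNAL",
            "ports": [{"name": "tcp", "number": port, "protocol": "TCP"}],
            "resolution": "STATIC" if addresses else "NONE"}
    if addresses:  # a VIP per database is what makes the routes distinct
        spec["addresses"] = list(addresses)
        spec["endpoints"] = [{"address": a} for a in addresses]
    return {"apiVersion": "networking.istio.io/v1beta1", "kind": "ServiceEntry",
            "metadata": {"name": name}, "spec": spec}

def tcp_listeners(service_entry):
    """Yield the (port, address) listeners a ServiceEntry claims for TCP."""
    spec = service_entry.get("spec", {})
    if spec.get("location") != "MESH_EXTERNAL":
        return
    addresses = spec.get("addresses") or ["0.0.0.0"]  # no VIP: port-only match
    for port in spec.get("ports", []):
        if port.get("protocol", "").upper() == "TCP":
            for addr in addresses:
                yield port["number"], addr

def find_port_conflicts(service_entries):
    """Return {(port, address): [entry names]} for listeners claimed twice."""
    claims = defaultdict(list)
    for se in service_entries:
        for key in tcp_listeners(se):
            claims[key].append(se["metadata"]["name"])
    return {k: v for k, v in claims.items() if len(v) > 1}

# Constructed sample: two MySQL databases that both listen on 3306.
AMBIGUOUS = [make_service_entry("mysql-a", "a-mysql.example", 3306),
             make_service_entry("mysql-b", "b-mysql.example", 3306)]
# The same two databases, each with its own VIP as in Solution 2 above.
DISTINCT = [make_service_entry("mysql-a", "a-mysql.example", 3306, ["10.0.0.10"]),
            make_service_entry("mysql-b", "b-mysql.example", 3306, ["10.0.0.11"])]

if __name__ == "__main__":
    print(find_port_conflicts(AMBIGUOUS))  # {(3306, '0.0.0.0'): ['mysql-a', 'mysql-b']}
    print(find_port_conflicts(DISTINCT))   # {}
```

Run the check over the ServiceEntry objects exported from the mesh before applying Solution 2 to confirm that every database on a shared port has its own address.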