Getting empty reply when accessing a pod IP which has consul sidecar containers

magr90900 · November 24, 2021, 2:58pm

Hello all, I have deployed the sample and counting example in my k8’s cluster where consul is also being deployed. When I exec into any pod and then try a curl request to the counting pod IP with the port it is giving me empty reply from server message. Is this expected and if yes then how can access my application with pod IP or another way from a another application.

k get pod -o wide -n consul-k8s

counting-d9d58c4cb-fr5cr                                      2/2     Running   0              33h   10.288.0.157    <none>           <none>


Now if do curl as below with Pod IP

k exec network-toolspod-f64c586f4-7nzrd -- curl 10.288.0.157:9001/counting
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (52) Empty reply from server
command terminated with exit code 52

The same curl command works as expected giving response if there are no consul sidecar containers present along with the deployment by using annotation ‘consul.hashicorp.com/connect-inject’: ‘true’ . Can someone throw some light on this and help me understand this please

magr90900 · November 25, 2021, 6:20am

Can someone can community throw some light on this and clear this understanding for me please ?

blake · January 4, 2022, 9:18am

Hi @magr90900,

Have you configured the consul.hashicorp.com/connect-inject: 'true' annotation on both the downstream and upstream pods? You will need a proxy on the downstream host in order to connect to the upstream once it is in the service mesh.

Also, are ACLs enabled in your cluster? If so, have you created an Intention to allow access between these two services?

BTW, I see you’re debugging a similar issue in the thread How to access the services registered in the consul catalog. I’d be happy to continue this discussion there if you would prefer to consolidate the conversations.

magr90900 · January 5, 2022, 4:27am

Hello @blake thanks for the response. I have realised that to access the services running inside a consul service mesh we need to have a ingress gateway to do it. Is there any other way to do it without ingress gateway, for eg. in istio the service inside the mesh can be reached without a ingress gateway. Can you pour some insights on this please.

blake · January 5, 2022, 6:08am

@magr90900, Ingress gateways are required if a service outside the mesh wants to communicate with a service inside the mesh.

Services that are intended to be in the mesh can communicate other mesh-enabled destinations through their respective sidecar proxy.

Are you referring to when permissive TLS mode is enabled throughout the cluster, or some other method?

If the former, Consul does not support a similar permissive TLS mode. It only operates in a mode similar to Istio’s strict mTLS mode, and an ingress must be used for services which cannot initiate a mTLS connection to a destination proxy (i.e., services outside the mesh).