
Istio support

Open verejoel opened this issue 1 year ago • 1 comments

I have got parca up and running in agent and server mode on my K8s cluster. We use Istio as a service mesh, which presents a set of unique challenges. The biggest challenge I found so far is setting the correct appProtocol for the parca port.

We basically need to do three things with one port:

  • receive gRPC traffic (appProtocol: grpc)
  • allow metrics scraping (appProtocol: http)
  • allow ingress access (appProtocol: http)

I have not (yet) found a configuration that works for all three use cases! E.g. I can get the agents to ship data via gRPC, but the Prometheus scraper is blocked, or I can scrape metrics, but the agents start to be unable to ship data. There are ways to overcome this, by e.g. excluding the agents from the service mesh and configuring a PeerAuthentication policy, but this is technically not compliant for our productive workloads (where mTLS must be enabled for all workloads).

Therefore, while I recognize the efficiency of using one port for everything, I request a new feature where we could optionally enable a separate port for HTTP metrics scraping and the UI, and a separate port for the gRPC traffic from the agent.

I'll also accept anyone who works out how to configure Istio to play nicely with just the one port :)

Cheers!

verejoel, Mar 22 '24 13:03

Hey @verejoel, have you tried appProtocol: http2? HTTP2 should work for everything; if not, could you share the errors you are seeing, please?

maxbrunet, Mar 22 '24 15:03