Shinyproxy Kubernetes Istio?

Hi all,

New to Kubernetes, so please be gentle. Having said that I’ve lost a lot of sleep in the last week trying to configure a GKE cluster (with Istio) to run Shinyproxy (also running within the cluster).

I now have SP working fine with istio proxies injected, mutual TLS enabled & OpenID authentication. That’s a big win, but doesn’t feel like it:

The final part of the puzzle is to successfully launch an app.

The image itself runs fine in a local docker instance, but I get a 500 timeout when I try to launch it via SP on GKE. The sp-pod-* launches but it can’t communicate.

I’ve noticed no service is created with the application pod when internal-networking=true, and I suspect this is the reason for the failure with Istio enabled. Unfortunately I get equally little success when I try internal-networking=false.

As far as I can work it out, I need to provide a Service to tell istio which port should be used for routing requests to the shiny container. Unless anyone knows another method, I need to be able to provide a custom label for all the shiny containers for this service to work - they currently get labelled with sp-pod-[containerID].

Please let me know if I’m missing something obvious here. Another option would be to disable istio-injection for this namespace, but that feels like a backward step. Otherwise I think we need something similar to this commit, but for a custom label instead of a nodeselector:

My Java skills are non-existent. I might try offering a pull request, as it seems very simple to copy this method, though it’d probably be embarrassing…

Thanks for any help/suggestions you can offer.

Regards,

Stuart

OK, after a bit more reading I suspect Shinyproxy can’t currently be run on an istio service mesh - Shinyproxy currently relies on Pod IP addresses to communicate with the child pods, and istio specifically blocks communication via IP, requiring services to be defined instead.

For the record I tried a workaround where shinyproxy was hosted in an istio-injected namespace, but the child pods were opened in a non-injected namespace. I set internal-networking to false (to cause appropriate Services to be created) and defined a ServiceEntry using an IP prefix, but I just can’t get this to work. That felt like I was close, but I’m going to have to call it a failure. Lots of sleep wasted over the last week, but on the plus side I learned a lot and hopefully this record can help others.

Please let me know if anyone managed to get Shinyproxy to work on istio. I suspect there won’t be many changes required to the source code. I’ll try opening this on Github.

Stuart

Final message - this is possible using my ‘external networking’ approach above, but it requires a change in the source code - with external networking SP uses the host IP. I’ll try my own branch of Shinyproxy and offer a pull request if it works.
