leeman24

Reputation: 2899

Kubernetes with Istio Ingress Not Running on Standard HTTP Ports 443/80

I am attempting to get Istio set up on Kubernetes as an ingress controller. The problem is that my two applications seem to be accessible from the Istio ingress controller's node port (e.g., http://[host]:31380/application1 and http://[host]:31380/application2) but not accessible from 443/80.

I am new to Kubernetes and Istio so I used the https://istio.io/docs/guides/bookinfo/ guide as a reference. Following the guide was fairly easy and I was able to access the Bookinfo application using the node port as mentioned. I am unable to access it from 443/80 though. I used the helm chart to install Istio. I also don't see anything under Ingresses within the Kubernetes dashboard.

Here is an example of the gateway/virtual service yaml:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: myapp-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp-virtual-service
spec:
  hosts:
  - "*"
  gateways:
  - myapp-gateway
  http:
  - match:
    - uri:
        prefix: /myapp
    route:
    - destination:
        host: myapp-app-service
        port:
          number: 7080
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: kibana
        port:
          number: 5601

Any ideas on what I have to do to get it to listen on 443? Am I missing a component entirely?

Upvotes: 3

Views: 5404

Answers (2)

Kube-guy

Reputation: 1

The nodeport range can be modified in the api-server manifest. If you are using kubeadm, edit the '/etc/kubernetes/manifests/kube-apiserver.yaml' file and add the following line:

- --service-node-port-range=80-32767

Then, edit 'istio-ingressgateway' service:

  - name: http2
    nodePort: 80
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    nodePort: 443
    port: 443
    protocol: TCP
    targetPort: 8443

Upvotes: -1

leeman24

Reputation: 2899

If routing to your application is required to run on 443/80, your Kubernetes cluster must have an external load balancer deployed. If one is not present, the traffic will be routed to the ingress node port.

Refer to - https://istio.io/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports (Determining the ingress IP and ports):

"If the EXTERNAL-IP value is set, your environment has an external load balancer that you can use for the ingress gateway. If the EXTERNAL-IP value is <none> (or perpetually <pending>), your environment does not provide an external load balancer for the ingress gateway. In this case, you can access the gateway using the service’s node port."

Example for my bare-metal instance without an external load balancer:

[admin@master1 ~]$ kubectl get svc -n istio-system | grep istio-ingress
istio-ingress              LoadBalancer   10.114.107.196   <pending>     80:32400/TCP,443:31564/TCP                                            5d
istio-ingressgateway       LoadBalancer   10.99.1.148      <pending>     80:31380/TCP,443:31390/TCP,31400:31400/TCP                            5d

If you are deploying to an online cloud provider such as IBM Bluemix (probably AWS/Azure/etc.), you should already have one configured. If your configuration is on bare-metal, you likely don't have a load balancer configured.

Example for my Bluemix instance with an external load balancer:

λ kubectl get svc -n istio-system | grep istio-ingress
istio-ingress              LoadBalancer   172.21.26.25     123.45.67.195   80:32000/TCP,443:31694/TCP                                            6h
istio-ingressgateway       LoadBalancer   172.21.139.142   123.45.67.196   80:31380/TCP,443:31390/TCP,31400:31400/TCP                            6h

I have not yet gone back to deploy a load balancer to bare-metal so would like to hear if anyone has. I have briefly looked at Metal but have not spent much time on it.

Upvotes: 3
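
The check described in the answer above, as an added example that is not part of the original posts: a shell function that reads `kubectl get svc` rows and reports, per service port, whether traffic reaches the gateway on the load balancer's 80/443 or only on a node port. The function name `ingress_endpoints` and the host `node.example` are assumptions for illustration; the two sample rows are the ones shown in the answer.

```shell
#!/usr/bin/env bash
# Rows are expected in the default table layout:
#   NAME  TYPE  CLUSTER-IP  EXTERNAL-IP  PORT(S)  AGE

# ingress_endpoints NODE_HOST   (rows on stdin)
# Prints: NAME SERVICE_PORT -> HOST:PORT (how it is reached)
ingress_endpoints() {
  awk -v node="$1" '
    $1 == "NAME" { next }                # skip the header row if present
    NF >= 5 {
      name = $1; ext = $4
      # <pending> or <none>: nothing fulfilled the LoadBalancer request,
      # so ports 80/443 are not served anywhere outside the cluster.
      has_lb = (ext != "<pending>" && ext != "<none>")
      n = split($5, ports, ",")
      for (i = 1; i <= n; i++) {
        if (index(ports[i], ":") == 0) { # e.g. "80/TCP": no node port
          printf "%s %s -> not exposed outside the cluster\n", name, ports[i]
          continue
        }
        split(ports[i], p, "[:/]")       # "80:31380/TCP" -> 80 31380 TCP
        if (has_lb)
          printf "%s %s -> %s:%s (load balancer)\n", name, p[1], ext, p[1]
        else
          printf "%s %s -> %s:%s (node port)\n", name, p[1], node, p[2]
      }
    }'
}

# Sample rows copied from the bare-metal and Bluemix outputs in the answer.
BARE_METAL='istio-ingressgateway LoadBalancer 10.99.1.148 <pending> 80:31380/TCP,443:31390/TCP,31400:31400/TCP 5d'
BLUEMIX='istio-ingressgateway LoadBalancer 172.21.139.142 123.45.67.196 80:31380/TCP,443:31390/TCP,31400:31400/TCP 6h'

# node.example stands in for the address of any cluster node (assumption).
printf '%s\n' "$BARE_METAL" | ingress_endpoints node.example
printf '%s\n' "$BLUEMIX"    | ingress_endpoints node.example
```

On a live cluster the same function can be fed directly: `kubectl get svc -n istio-system | grep istio-ingress | ingress_endpoints <node-address>`.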
