user3373742

Reputation: 51

Cannot access HTTPS service via istio-ingress

I am new to Istio. I am trying to configure Istio ingress in k8s, but I can't access the service via istio-ingress. How can I configure Istio ingress for the service?

Problem

# curl https://192.168.4.241
curl: (7) Failed connect to 192.168.4.241:443; Connection refused

My service is deployed as below (smartapigw-httpd is HTTPS).

# kubectl get po smartapigw-httpd -n smartapigw --show-labels
NAME               READY   STATUS    RESTARTS   AGE     LABELS
smartapigw-httpd   2/2     Running   0          3h22m   app.kubernetes.io/managed-by=Helm,app=smartapigw-httpd,io.kompose.service=smartapigw-httpd,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=smartapigw-httpd,service.istio.io/canonical-revision=latest

$ kubectl get po,svc -n smartapigw 
... 
pod/smartapigw-httpd          2/2     Running            0                166m 
...
service/smartapigw-httpd           NodePort    10.101.227.150   <none> 18443:31285/TCP   166m

istio-ingress pod is deployed as below

$ kubectl get po -n istio-system --show-labels
...
istio-ingressgateway-5ff4fb69fc-trmht   1/1     Running            0                 28h   app=istio-ingressgateway,chart=gateways,heritage=Tiller,install.operator.istio.io/owning-resource=unknown,istio.io/rev=default,istio=ingressgateway,operator.istio.io/component=IngressGateways,pod-template-hash=5ff4fb69fc,release=istio,service.istio.io/canonical-name=istio-ingressgateway,service.istio.io/canonical-revision=latest,sidecar.istio.io/inject=false
istiod-6d79fdc756-lr5zv
...

istio ingressgateway is deployed as below

$ kubectl get svc -n istio-system
istio-ingressgateway   LoadBalancer   10.110.145.103   192.168.4.241   15021:32010/TCP,80:31631/TCP,443:30495/TCP       28h

Then I tried configuration as below.

Configuration for Gateway

# cat istio-smartapigw-gateway.yml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: smartagigw-gateway
  namespace: smartapigw
spec:
  selector:
    istio: ingressgateway  # istio=ingressgateway in istio-ingressgateway pod's label
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: PASSTHROUGH  # smartapigw-httpd service's protocol is already https

# kubectl apply -f istio-smartapigw-gateway.yml

Configuration for VirtualService

# cat istio-smartapigw-virtualservice.yml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: smartapigw
  namespace: smartapigw
spec:
  hosts:
  - "*"
  gateways:
  - smartagigw-gateway
  http:
  - match:
    - uri:
       prefix: /
    route:
    - destination:
        host: smartapigw-httpd  # same with label "app=smartapigw-httpd" in pod
        port:
          number: 18443         # node port 

# kubectl apply -f istio-smartapigw-virtualservice.yml

The Istio gateway and virtual service are applied as below.

# kubectl get gateway -n smartapigw
NAME                 AGE
smartagigw-gateway   138m

# kubectl get virtualservice -n smartapigw
NAME         GATEWAYS                 HOSTS   AGE
smartapigw   ["smartagigw-gateway"]   ["*"]   131m

Upvotes: 0

Views: 160

Answers (1)

user3373742

Reputation: 51

I resolved the issue based on https://preliminary.istio.io/latest/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/

The VirtualService definition was changed as below. The VirtualService protocol should be changed to tls instead of http.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: smartapigw
  namespace: smartapigw
spec:
  hosts:
  - "*"
  gateways:
  - smartagigw-gateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - "*"
    route:
    - destination:
        host: smartapigw-httpd.smartapigw.svc.cluster.local
        port:
          number: 18443

Upvotes: 0
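
Added example, not part of the original question or answer: a Python check for the mismatch resolved above, where a Gateway server in PASSTHROUGH mode is bound only to a VirtualService with http routes, which the gateway cannot apply because it never decrypts the traffic and can route on SNI alone. The function names and the dict-shaped sample manifests (as they would look after parsing the YAML) are constructed for illustration.

```python
def qualified(meta, name=None):
    """namespace/name key; a bare gateway name resolves in the VirtualService's namespace."""
    name = name or meta["name"]
    return name if "/" in name else f'{meta.get("namespace", "default")}/{name}'

def passthrough_ports(gw):
    """Port numbers of Gateway servers whose TLS mode is PASSTHROUGH."""
    return {s["port"]["number"] for s in gw["spec"].get("servers", [])
            if s.get("tls", {}).get("mode") == "PASSTHROUGH"}

def tls_ports(vs):
    """Ports matched by the tls (SNI) routes; None means the match names no port."""
    return {m.get("port") for r in vs["spec"].get("tls", []) for m in r.get("match", [])}

def find_mismatches(gateways, virtual_services):
    """Return (gateway, port, http_only_virtualservices) for every PASSTHROUGH
    server that no bound VirtualService covers with a tls route."""
    findings = []
    for gw in gateways:
        key = qualified(gw["metadata"])
        bound = [v for v in virtual_services
                 if key in {qualified(v["metadata"], g) for g in v["spec"].get("gateways", [])}]
        for port in sorted(passthrough_ports(gw)):
            if any(tls_ports(v) & {port, None} for v in bound):
                continue  # a tls route covers this port
            findings.append((key, port, sorted(v["metadata"]["name"] for v in bound
                                               if v["spec"].get("http"))))
    return findings

# Constructed sample data mirroring the manifests on this page.
GATEWAY = {"metadata": {"name": "smartagigw-gateway", "namespace": "smartapigw"},
           "spec": {"servers": [{"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                                 "hosts": ["*"], "tls": {"mode": "PASSTHROUGH"}}]}}
DEST = {"destination": {"host": "smartapigw-httpd.smartapigw.svc.cluster.local",
                        "port": {"number": 18443}}}

def virtual_service(**routes):
    return {"metadata": {"name": "smartapigw", "namespace": "smartapigw"},
            "spec": {"hosts": ["*"], "gateways": ["smartagigw-gateway"], **routes}}

VS_HTTP = virtual_service(http=[{"match": [{"uri": {"prefix": "/"}}], "route": [DEST]}])
VS_TLS = virtual_service(tls=[{"match": [{"port": 443, "sniHosts": ["*"]}], "route": [DEST]}])

if __name__ == "__main__":
    print(find_mismatches([GATEWAY], [VS_HTTP]))  # the question's configuration is flagged
    print(find_mismatches([GATEWAY], [VS_TLS]))   # the answer's configuration is clean
```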
