I'm trying to set up a proxy service in the Kubernetes cluster using istio. I have created two different domains. If the domain is foo.com it should be redirected to an external URL else it should be routed to an app server. I have configured this using virtual service and service entry. But when I hit foo.com it is skipping the Authorization header. I need an Authorization header to process the request. Is there any way to fix this issue? Thanks in advance.
VirtualService.yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc-https
spec:
  hosts:
  - foo.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
---
kind: VirtualService
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: redirect
  namespace: default
  labels:
    app: foo
    env: staging
spec:
  hosts:
  - foo.com
  gateways:
  - istio-system/gateway
  http:
  - match:
    - uri:
        prefix: /
    redirect:
      authority: bar.com
To redirect when the foo.com domain gets hit:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: github
spec:
  hosts:
  - "raw.githubusercontent.com"
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS
and
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: webserver
spec:
  hosts:
  - foo.com
  http:
  - match:
    - uri:
        regex: ".*"
    rewrite:
      uri: "/mcasperson/NodejsProxy/master/externalservice1.txt"
      authority: raw.githubusercontent.com
    route:
    - destination:
        host: raw.githubusercontent.com
        port:
          number: 443
rule
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: github
spec:
  host: "raw.githubusercontent.com"
  trafficPolicy:
    tls:
      mode: SIMPLE
Read more at: https://octopus.com/blog/istio/istio-serviceentry
Related
I have a DigitalOcean Kubernetes cluster with Istio installed on it. I get a 404 Not Found error when accessing the APIs from the Postman application. Here's my vs-gateway YAML file:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ut-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: utbuild1
spec:
  hosts:
  - "*"
  gateways:
  - ut-gateway
  http:
  - match:
    - uri:
        prefix: /v3/api/products/search
    rewrite:
      uri: /api/products/search # or /
    route:
    - destination:
        host: utbuild1 # pods/service created using istio-k8s-single-deployment.yaml (this service has 3 pods)
  - match:
    - uri:
        prefix: /v4admin/api
    route:
    - destination:
        host: utbuild1-admin # pod/service created using istio-k8s-single-deployment.yaml
I have an Istio configuration in which the Docker container runs JasperReports on Tomcat (Bitnami JasperReports). The application itself could be accessed with the context path at http://IP:8080/jasperserver.
I am planning to use Istio in my Kubernetes configuration and expose the service using an HTTP gateway and virtual service. Can I add the context path "jasperserver" in addition to the destination host and port number in the virtual service configuration?
Here is my current VirtualService configuration:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: http-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: jasper-virtual-services
spec:
  hosts:
  - "*"
  gateways:
  - http-gateway
  http:
  - match:
    - uri:
        exact: /report
    route:
    - destination:
        host: jasperserver.reporting.svc.cluster.local
        port:
          number: 80
You are probably looking for rewrites
Something like
http:
- match:
  - uri:
      exact: /report
  rewrite:
    uri: /jasperserver
I have the following scenario:
When user A enters the address foo.example1.example.com in the
browser, it should call the service FOO in the namespace
example1.
When user B enters the address foo.example1.example.com in the
browser, it should call the service FOO in the namespace
example2.
I am using Istio; the question is how to configure the gateway so that it is bound to a specific namespace.
Look at an example of an Istio gateway configuration:
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ns_example1
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "example1.example.com"
EOF
When I deploy the gateway, it will apply to the current namespace, but I would like to specify a namespace.
How do I assign a gateway to a specific namespace?
I think this link should answer your question.
There are many things you won't need, but there is the idea you want to apply to your Istio cluster.
So you need 1 gateway and 2 virtual services.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: foocorp-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 80
      name: http-example1
      protocol: HTTP
    hosts:
    - "example1.example.com"
  - port:
      number: 80
      name: http-example2
      protocol: HTTP
    hosts:
    - "example2.example.com"
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: example1
  namespace: ex1
spec:
  hosts:
  - "example1.example.com"
  gateways:
  - foocorp-gateway
  http:
  - match:
    - uri:
        exact: /
    route:
    - destination:
        host: example1.ex1.svc.cluster.local
        port:
          number: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: example2
  namespace: ex2
spec:
  hosts:
  - "example2.example.com"
  gateways:
  - foocorp-gateway
  http:
  - match:
    - uri:
        exact: /
    route:
    - destination:
        host: example2.ex2.svc.cluster.local
        port:
          number: 80
EDIT
You can create a gateway in namespaces ex1 and ex2, then just change the gateway field in the virtual service and it should work.
Remember to add namespace/gateway, not only the gateway name, like this:
gateways:
- some-config-namespace/gateway-name
Let me know if that helps you.
I'm using Istio 1.1.7 and tried the following Gateway and VirtualService to the Kubernetes Dashboard.
But I'm seeing the following:
kubectl -n kube-system logs -f kubernetes-dashboard-7cf9657c74-5fsmq
2019/05/31 15:53:04 http: TLS handshake error from 10.244.3.11:54392: tls: first record does not look like a TLS handshake
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: default-ingressgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "*"
    port:
      name: http
      number: 80
      protocol: HTTP
  - hosts:
    - "*"
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: dashboard-virtualservice
  namespace: kube-system
spec:
  hosts:
  - "*"
  gateways:
  - default/default-ingressgateway
  http:
  - match:
    - uri:
        prefix: "/dashboard"
    rewrite:
      uri: "/"
    route:
    - destination:
        host: kubernetes-dashboard
        port:
          number: 443
NOTE: I've also tried changing the Gateway Server-TLSOptions-TLSmode from mode: SIMPLE to mode: PASSTHROUGH, but with PASSTHROUGH I just get "We can't connect to the server" in my browser.
I think PASSTHROUGH should work, if you configure it properly. Here is an example that does something similar. https://istio.io/docs/examples/advanced-gateways/ingress-sni-passthrough/
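The PASSTHROUGH setup that answer points to, sketched for this Dashboard case as an added example (not from the original posts or the Istio documentation); the hostname dashboard.example.com is a placeholder assumption. With PASSTHROUGH the gateway forwards the TLS stream without terminating it, so routing is by SNI in a tls: block, and the /dashboard prefix match and rewrite from the question cannot apply.

```yaml
# Added example. dashboard.example.com is a placeholder hostname (assumption).
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: default-ingressgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "dashboard.example.com"   # routing is by SNI, so name the host explicitly
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH         # no serverCertificate/privateKey: the backend presents its own certificate
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: dashboard-virtualservice
  namespace: kube-system
spec:
  hosts:
  - "dashboard.example.com"
  gateways:
  - default/default-ingressgateway
  tls:                          # tls route instead of http: paths and headers stay encrypted
  - match:
    - port: 443
      sniHosts:
      - "dashboard.example.com"
    route:
    - destination:
        host: kubernetes-dashboard
        port:
          number: 443
```

The client has to connect using the placeholder hostname so that it is sent as SNI, and the certificate it sees is the Dashboard's own, not the one mounted in the ingress gateway.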
I am currently trying to configure Control Egress Traffic to be able to access external services over HTTPS, specifically HashiCorp Vault, which runs on port 8200.
Below I attach the detail of my virtual service and service entry
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: vault-se
spec:
  hosts:
  - vault.x.com
  ports:
  - number: 8200
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vault-vs
spec:
  hosts:
  - vault.x.com
  tls:
  - match:
    - port: 8200
      sni_hosts:
      - vault.x.com
    route:
    - destination:
        host: vault.x.com
        port:
          number: 8200
      weight: 100
Any idea where my fault is?