Istio Ingress Gateway not working in Anthos - kubernetes

I created a cluster in GKE (Google Kubernetes Engine).
Followed the instructions here https://cloud.google.com/service-mesh/docs/quickstart-asm
but used my own deployment files.
I deployed this Service and Gateway file.
Partial Service
---
apiVersion: v1
kind: Service
metadata:
  name: node-microservice-service
spec:
  selector:
    app: node-microservice
  # type: LoadBalancer
  ports:
  - name: tcp-node
    protocol: TCP
    port: 8080
    targetPort: 8080
    # nodePort: 30000
---
Gateway
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: backend-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "backend.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: backend-ingress
spec:
  hosts:
  - "backend.com"
  gateways:
  - backend-gateway
  http:
  - match:
    - uri:
        prefix: "/node"
    route:
    - destination:
        port:
          number: 8080
        host: node-microservice-service
  - match:
    - uri:
        prefix: "/java"
    route:
    - destination:
        port:
          number: 8080
        host: java-microservice-service
  - match:
    - uri:
        prefix: "/golang"
    route:
    - destination:
        port:
          number: 8080
        host: golang-microservice-service
  - match:
    - uri:
        prefix: "/python"
    route:
    - destination:
        port:
          number: 8080
        host: python-microservice-service
  - route:
    - destination:
        port:
          number: 8080
        host: python-microservice-service
I am using the proper IP address and host together, but I am still unable to reach the microservices through the Istio ingress gateway service.
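Before reaching for istioctl analyze, a local cross-reference check over the posted manifests catches the usual mismatches: a VirtualService bound to a Gateway that does not exist, a host no referenced Gateway serves, a destination Service or port that is missing, and an http route sent to a Service port whose name declares TCP. The script below is an added example, not code from the question or from Istio. The objects are the question's manifests transcribed by hand into dicts (the VirtualService is shortened to three rules), and because the question only shows the node Service, the other destination Services are deliberately absent from the sample and are reported as findings. The port-name rule it applies (`<protocol>[-<suffix>]`) is Istio's documented protocol-selection convention; the warning it raises for tcp-node is a caveat worth knowing about (the workload sidecar then treats the port as opaque TCP), not a claim about the cause of the failure.

```python
# Added example (not from the question or Istio): a local cross-reference
# check for a Gateway / VirtualService / Service set. Sample objects are the
# question's manifests transcribed into dicts; the VirtualService is shortened
# to three rules and only the node Service is present, as in the question.

GATEWAYS = [{
    "metadata": {"name": "backend-gateway"},
    "spec": {"selector": {"istio": "ingressgateway"},
             "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                          "hosts": ["backend.com"]}]},
}]

SERVICES = [{
    "metadata": {"name": "node-microservice-service"},
    "spec": {"selector": {"app": "node-microservice"},
             "ports": [{"name": "tcp-node", "protocol": "TCP", "port": 8080, "targetPort": 8080}]},
}]

def _route(host, port):
    return [{"destination": {"host": host, "port": {"number": port}}}]

VIRTUAL_SERVICES = [{
    "metadata": {"name": "backend-ingress"},
    "spec": {"hosts": ["backend.com"], "gateways": ["backend-gateway"],
             "http": [{"match": [{"uri": {"prefix": "/node"}}], "route": _route("node-microservice-service", 8080)},
                      {"match": [{"uri": {"prefix": "/java"}}], "route": _route("java-microservice-service", 8080)},
                      {"route": _route("python-microservice-service", 8080)}]},  # default route
}]

# Istio picks the application protocol from the Service port name,
# "<protocol>[-<suffix>]"; longer names first so "grpc-web" is not read as "grpc".
KNOWN_PROTOCOLS = ("grpc-web", "http2", "https", "http", "grpc", "mongo", "mysql", "redis", "tls", "tcp", "udp")

def port_protocol(port_name):
    """Protocol Istio infers from a Service port name, or None if unnamed/unknown."""
    for proto in KNOWN_PROTOCOLS:
        if port_name == proto or (port_name or "").startswith(proto + "-"):
            return proto
    return None

def host_covered(host, server_hosts):
    """True if a VirtualService host falls under one of the Gateway server hosts."""
    for pattern in server_hosts:
        pattern = pattern.split("/", 1)[-1]           # drop an optional "namespace/" prefix
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return True
    return False

def lint(gateways, virtual_services, services):
    """Return (severity, message) findings; an empty list means the set is consistent."""
    findings = []
    gw_by_name = {g["metadata"]["name"]: g for g in gateways}
    svc_by_name = {s["metadata"]["name"]: s for s in services}
    for vs in virtual_services:
        name, spec = vs["metadata"]["name"], vs["spec"]
        server_hosts = []
        for ref in spec.get("gateways", []):
            gw = gw_by_name.get(ref.split("/")[-1])
            if gw is None:
                findings.append(("error", f"{name}: gateway {ref} does not exist"))
                continue
            for server in gw["spec"]["servers"]:
                server_hosts.extend(server["hosts"])
        for host in spec["hosts"]:
            if spec.get("gateways") and not host_covered(host, server_hosts):
                findings.append(("error", f"{name}: host {host} is not served by any referenced Gateway"))
        for rule in spec.get("http", []):
            for r in rule.get("route", []):
                dest = r["destination"]
                svc = svc_by_name.get(dest["host"].split(".")[0])   # short name or FQDN
                if svc is None:
                    findings.append(("error", f"{name}: destination {dest['host']} has no Service in the supplied set"))
                    continue
                port = dest.get("port", {}).get("number")
                svc_port = next((p for p in svc["spec"]["ports"] if p["port"] == port), None)
                if port is not None and svc_port is None:
                    findings.append(("error", f"{name}: Service {dest['host']} exposes no port {port}"))
                elif svc_port is not None and port_protocol(svc_port.get("name")) == "tcp":
                    findings.append(("warning", f"{name}: http route to {dest['host']}:{port}, but the Service port "
                                                f"is named {svc_port['name']} (TCP), so the sidecar treats it as opaque "
                                                "TCP: no L7 telemetry or HTTP policy on the workload side"))
    return findings

if __name__ == "__main__":
    for severity, message in lint(GATEWAYS, VIRTUAL_SERVICES, SERVICES):
        print(f"{severity}: {message}")
```

Run it against the full set of manifests once the other three Services are pasted in; an empty result means the references line up, and what remains is runtime (the ingress gateway's external IP, the Host header, and whether the pods are actually Ready).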

Related

How to use Istio Ingress to forward STOMP protocol of RabbitMQ in Kubernetes?

I tried with this Gateway and VirtualService; it didn't work.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: stomp
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: stomp
      protocol: TCP
    hosts:
    - rmq-stomp.mycompany.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: rmq-stomp
spec:
  hosts:
  - rmq-stomp.mycompany.com
  gateways:
  - stomp
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        port:
          number: 61613
        host: rabbitmq.default.svc.cluster.local
There's no problem with the service, because when I tried to connect from another pod, it connected.
Use tcp.match, not http.match. Here is the example I have found in the Istio Gateway docs and in the Istio VirtualService docs:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo-mongo
  namespace: bookinfo-namespace
spec:
  hosts:
  - mongosvr.prod.svc.cluster.local # name of internal Mongo service
  gateways:
  - some-config-namespace/my-gateway # can omit the namespace if gateway is in same namespace as virtual service.
  tcp:
  - match:
    - port: 27017
    route:
    - destination:
        host: mongo.prod.svc.cluster.local
        port:
          number: 5555
So yours would look something like:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: rmq-stomp
spec:
  hosts:
  - rmq-stomp.mycompany.com
  gateways:
  - stomp
  tcp:
  - match:
    - port: 80
    route:
    - destination:
        host: rabbitmq.default.svc.cluster.local
        port:
          number: 61613
Here is a similar question answered: how-to-configure-istios-virtualservice-for-a-service-which-exposes-multiple-por

Istio ingress gateway subdomainrouting based

I have three services that I need to expose via the Istio ingress gateway. I have set up those services' DNS records to point to the ingress gateway load balancer, but I have not succeeded in making it work.
The Gateway and VirtualService config file:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: test-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*.mywebsite.io"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: virtualservice
spec:
  hosts:
  - "*.mywebsite.io"
  gateways:
  - test-gateway
  http:
  - name: "api-gateway"
    match:
    - uri:
        exact: "gateway.mywebsite.io"
    route:
    - destination:
        host: gateway.default.svc.cluster.local
        port:
          number: 8080
  - name: "visitor-service"
    match:
    - uri:
        exact: "visitor-service.mywebsite.io"
    route:
    - destination:
        host: visitor-service.default.svc.cluster.local
        port:
          number: 8000
  - name: "auth-service"
    match:
    - uri:
        exact: "auth-service.mywebsite.io"
    route:
    - destination:
        host: auth-service.default.svc.cluster.local
        port:
          number: 3004
I guess the URI part of the HttpMatchRequest does not work that way. Try to add VirtualServices for each subdomain, i.e. something like:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: gateway-virtualservice
spec:
  hosts:
  - "gateway.mywebsite.io"
  gateways:
  - test-gateway
  http:
  - name: "api-gateway"
    match:
    - uri:
        exact: "/" #or prefix
    route:
    - destination:
        host: gateway.default.svc.cluster.local
        port:
          number: 8080
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: visitor-virtualservice
spec:
  hosts:
  - "visitor-service.mywebsite.io"
  gateways:
  - test-gateway
  http:
  - name: "visitor-service"
    match:
    - uri:
        exact: "/"
    route:
    - destination:
        host: visitor-service.default.svc.cluster.local
        port:
          number: 8000

Connect to external Kafka brokers via istio egress gateway

My app, deployed in an OpenShift cluster, needs to connect to 2 external Kafka brokers. Since the application is on the Istio mesh, all outbound traffic must go through the egress gateway. The connection to Kafka is via the log4j2 appender over SSL.
I made the following istio config:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: se-kafka
spec:
  hosts:
  - kafka1.host.com
  - kafka2.host.com
  addresses:
  - 10.200.200.1
  - 10.200.200.2
  ports:
  - name: kafka-port
    number: 9093
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: NONE
  exportTo:
  - .
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-kafka
spec:
  host: egressgateway # name egressgateway deployment
  subsets:
  - name: se-kafka
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gw-kafka
spec:
  servers:
  - hosts:
    - kafka1.host.com
    port:
      name: kafka1-egress-port
      number: 16001
      protocol: TCP
  - hosts:
    - kafka2.host.com
    port:
      name: kafka2-egress-port
      number: 16002
      protocol: TCP
  selector:
    istio: egressgateway
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vs-kafka
spec:
  hosts:
  - kafka1.host.com
  - kafka2.host.com
  gateways:
  - mesh
  - gw-kafka
  tls:
  - match:
    - gateways:
      - mesh
      port: 9093
      sniHosts:
      - kafka1.host.com
    route:
    - destination:
        host: egressgateway
        port:
          number: 16001
  - match:
    - gateways:
      - mesh
      port: 9093
      sniHosts:
      - kafka2.host.com
    route:
    - destination:
        host: egressgateway
        port:
          number: 16002
  - match:
    - gateways:
      - gw-kafka
      port: 16001
      sniHosts:
      - kafka1.host.com
    route:
    - destination:
        host: kafka1.host.com
        port:
          number: 9093
  - match:
    - gateways:
      - gw-kafka
      port: 16002
      sniHosts:
      - kafka2.host.com
    route:
    - destination:
        host: kafka2.host.com
        port:
          number: 9093
---
It works. But I think that traffic bypasses the istio egressgateway. There is no connection in kiali between ServiceEntry and Egressgateway. And if you look at the egressgateway logs, you can see the following warning:
gRPC config for envoy.api.v2.ClusterLoadAssigment rejected: malformed IP address: kafka1.host.com. Consider setting resolver_name or setting cluster type to 'STRICT_DNS' or 'LOGICAL_DNS'
What is the problem and how to properly configure the egress gateway?

How to open custom port in Kubernetes

I deployed RabbitMQ on the cluster; so far it is running well on port 15672: http://test.website.com/
but I need to open some other ports (25672, 15672, 15674). I have defined it in YAML like this:
apiVersion: v1
kind: Service
metadata:
  name: rabbitmq
spec:
  selector:
    app: rabbitmq   # must match the Pod template labels of the Deployment below
  ports:
  - port: 80
    name: http
    targetPort: 15672
    protocol: TCP
  - port: 443
    name: https
    targetPort: 15672
    protocol: TCP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: rabbitmq
spec:
  selector:
    matchLabels:
      app: rabbitmq
  strategy:
    type: RollingUpdate
  template:
    metadata:
      name: rabbitmq
      labels:
        app: rabbitmq   # required: the Deployment selector and the Service selector match on this label
    spec:
      containers:
      - name: rabbitmq
        image: rabbitmq:latest
        ports:
        - containerPort: 15672
          name: http
          protocol: TCP
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: rabbitmq
spec:
  hosts:
  - "test.website.com"
  gateways:
  - gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        port:
          number: 80
        host: rabbitmq
How do I set this up in the YAML file to open some other ports?
Assuming that the Istio Gateway is serving TCP network connections, you might be able to combine two external ports in one Gateway configuration.
Here is an example:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: port1
      protocol: TCP
    hosts:
    - example.myhost.com
  - port:
      number: 443
      name: port2
      protocol: TCP
    hosts:
    - example.myhost.com
The hosts field here identifies the list of target addresses that have to be exposed by this Gateway.
In order to route the traffic to the backing Pods, specify a VirtualService with a match for each of those ports:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: rabbitmq-virtual-service
spec:
  hosts:
  - example.myhost.com
  gateways:
  - gateway
  tcp:
  - match:
    - port: 80
    route:
    - destination:
        host: app.example.svc.cluster.local
        port:
          number: 15672
  - match:
    - port: 443
    route:
    - destination:
        host: app.example.svc.cluster.local
        port:
          number: 15674
The VirtualService above defines the rules to route network traffic arriving on ports 80 and 443 for test.website.com to the rabbitmq service ports 15672 and 15674 respectively.
You can adjust these files to your needs to open some other ports.
Take a look: virtualservice-for-a-service-which-exposes-multiple-ports.
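The three answers above (tcp.match for STOMP, one VirtualService per subdomain, and a two-port TCP Gateway) all come down to the same selection logic: the Gateway server that owns the port decides whether the http or the tcp section of a VirtualService is consulted, the VirtualService is bound by host, and the first matching rule wins. The simulator below is an added example, not code from any of the answers or from Istio; it reduces that logic to a few functions and replays the answers' manifests (hand-built dicts containing only the fields the simulator reads, so `exact`/`prefix` URI matches and port matches, nothing else). It shows why the subdomain question's `uri.exact: "gateway.mywebsite.io"` rules never match a request path and why http rules are silently ignored on a TCP server.

```python
# Added example (not from the answers above): a small simulator of how an Istio
# ingress gateway selects a VirtualService route. The Gateway and VirtualService
# dicts are constructed by hand from the manifests in the STOMP, subdomain and
# multi-port answers; only the fields the simulator reads are present.

def host_matches(pattern, host):
    """Istio host matching: exact, "*" or a "*.suffix" wildcard ("ns/" prefix ignored)."""
    pattern = pattern.split("/", 1)[-1]
    if pattern in ("*", host):
        return True
    return pattern.startswith("*.") and host.endswith(pattern[1:])

def uri_matches(condition, path):
    """HTTPMatchRequest.uri (exact / prefix only here); a condition without uri matches everything."""
    uri = condition.get("uri")
    if uri is None:
        return True
    if "exact" in uri:
        return path == uri["exact"]
    return "prefix" in uri and path.startswith(uri["prefix"])

def route(gateway, virtual_services, port, host=None, path=None):
    """Return 'host:port' of the destination Istio would pick, or None (HTTP 404 / connection reset)."""
    server = next((s for s in gateway["spec"]["servers"] if s["port"]["number"] == port), None)
    if server is None:
        return None
    # The server's protocol decides which VirtualService section is consulted at all:
    # HTTP-family servers use vs.http, plain TCP servers use vs.tcp (vs.http is ignored).
    section = "http" if server["port"]["protocol"].upper() in ("HTTP", "HTTP2", "GRPC") else "tcp"
    if section == "http" and not any(host_matches(h, host) for h in server["hosts"]):
        return None
    gw_name = gateway["metadata"]["name"]
    for vs in virtual_services:
        spec = vs["spec"]
        if gw_name not in [g.split("/")[-1] for g in spec.get("gateways", [])]:
            continue
        if section == "http":
            bound = any(host_matches(h, host) for h in spec["hosts"])
        else:  # plain TCP carries no Host header: the VS is bound by host overlap, routed by port
            bound = any(host_matches(sh, vh) for sh in server["hosts"] for vh in spec["hosts"])
        if not bound:
            continue
        for rule in spec.get(section, []):            # first matching rule wins
            conditions = rule.get("match") or [{}]
            if section == "http":
                hit = any(uri_matches(c, path) for c in conditions)
            else:
                hit = any(c.get("port", port) == port for c in conditions)
            if hit:
                dest = rule["route"][0]["destination"]
                return f"{dest['host']}:{dest['port']['number']}"
    return None

def make_vs(name, hosts, gateway, **sections):
    """Builder for the VirtualService shape this simulator reads."""
    return {"metadata": {"name": name}, "spec": {"hosts": hosts, "gateways": [gateway], **sections}}

def to(host, port):
    return [{"destination": {"host": host, "port": {"number": port}}}]

def server(port, protocol, *hosts):
    return {"port": {"number": port, "protocol": protocol}, "hosts": list(hosts)}

def subdomain_scenario():
    """Subdomain answer: uri.exact with a hostname never matches a path; per-host VSs do."""
    gw = {"metadata": {"name": "test-gateway"}, "spec": {"servers": [server(80, "HTTP", "*.mywebsite.io")]}}
    broken = [make_vs("virtualservice", ["*.mywebsite.io"], "test-gateway", http=[
        {"match": [{"uri": {"exact": "gateway.mywebsite.io"}}], "route": to("gateway.default.svc.cluster.local", 8080)},
        {"match": [{"uri": {"exact": "visitor-service.mywebsite.io"}}], "route": to("visitor-service.default.svc.cluster.local", 8000)}])]
    fixed = [make_vs("gateway-virtualservice", ["gateway.mywebsite.io"], "test-gateway",
                     http=[{"match": [{"uri": {"prefix": "/"}}], "route": to("gateway.default.svc.cluster.local", 8080)}]),
             make_vs("visitor-virtualservice", ["visitor-service.mywebsite.io"], "test-gateway",
                     http=[{"match": [{"uri": {"prefix": "/"}}], "route": to("visitor-service.default.svc.cluster.local", 8000)}])]
    return {"broken": route(gw, broken, 80, "gateway.mywebsite.io", "/"),
            "fixed_gateway": route(gw, fixed, 80, "gateway.mywebsite.io", "/api"),
            "fixed_visitor": route(gw, fixed, 80, "visitor-service.mywebsite.io", "/")}

def tcp_scenario():
    """STOMP and multi-port answers: on TCP servers only vs.tcp rules count, matched by port."""
    gw = {"metadata": {"name": "gateway"}, "spec": {"servers": [server(80, "TCP", "example.myhost.com"),
                                                                server(443, "TCP", "example.myhost.com")]}}
    http_only = [make_vs("rmq", ["example.myhost.com"], "gateway",
                         http=[{"match": [{"uri": {"prefix": "/"}}], "route": to("rabbitmq.default.svc.cluster.local", 61613)}])]
    tcp_rules = [make_vs("rmq", ["example.myhost.com"], "gateway", tcp=[
        {"match": [{"port": 80}], "route": to("app.example.svc.cluster.local", 15672)},
        {"match": [{"port": 443}], "route": to("app.example.svc.cluster.local", 15674)}])]
    return {"http_rules_on_tcp_server": route(gw, http_only, 80),
            "port_80": route(gw, tcp_rules, 80),
            "port_443": route(gw, tcp_rules, 443)}

if __name__ == "__main__":
    print(subdomain_scenario())
    print(tcp_scenario())
```

The `None` results are the interesting ones: in the subdomain case the gateway answers 404 because no rule matched, and in the STOMP case the TCP listener has no route at all, so the connection is simply reset. Both look like "the ingress gateway is broken" from the client side, which is why checking which VirtualService section the Gateway server actually consults is the first thing to do.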

Using istio as an reverse proxy for external TLS services

Istio allows you to route an HTTP request in a VirtualService to an external host, provided a ServiceEntry exists. For example:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - httpbin.domain.co
  gateways:
  - public-gateway.istio-system.svc.cluster.local
  - mesh
  http:
  - match:
    - gateways:
      - public-gateway.istio-system.svc.cluster.local
      port: 443
      host: httpbin.domain.co
    route:
    - destination:
        host: httpbin.org
        port:
          number: 80
However, this only allows for an HTTP endpoint - how do I configure the external endpoint to be TLS/HTTPS?
This took me hours to work out - so worth sharing I feel.
In order to terminate this service as TLS, a DestinationRule is required. My final config:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - httpbin.domain.co
  gateways:
  - public-gateway.istio-system.svc.cluster.local
  - mesh
  http:
  - match:
    - gateways:
      - public-gateway.istio-system.svc.cluster.local
      port: 443
      host: httpbin.domain.co
    - gateways:
      - public-gateway.istio-system.svc.cluster.local
      port: 80
      host: httpbin.domain.co
    route:
    - destination:
        host: httpbin.org
        port:
          number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin-org
spec:
  host: httpbin.org
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE
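The piece that turns plain forwarding into TLS origination is the DestinationRule's tls block for the destination port; the ServiceEntry alone only declares that port 443 speaks HTTPS, it does not make the proxy speak it. Two details are worth checking on top of the answer's config. First, the VirtualService destination port, the ServiceEntry port and the portLevelSettings port must all be the same number, otherwise the tls setting never applies. Second, `mode: SIMPLE` with nothing else is the weakest form of origination: older Istio releases documented that omitting caCertificates means the proxy does not verify the server certificate, newer ones fall back to the OS CA bundle, and without `sni` the proxy may send no server name at all. Setting caCertificates (or credentialName) and sni explicitly removes the version dependence. The checker below is an added example, not code from the answer or from Istio; the dicts are the answer's final manifests transcribed by hand, DR_HARDENED is a constructed variant, and its CA bundle path is an assumption about the sidecar image in use.

```python
# Added example (not code from the answer above or from Istio): checks an
# external-host VirtualService / ServiceEntry / DestinationRule set for
# TLS-origination mistakes. The dicts are the answer's final manifests
# transcribed by hand; DR_HARDENED is a constructed variant and its CA bundle
# path is an assumption for the sidecar image in use.

SE_HTTPS = {"metadata": {"name": "httpbin-ext"},
            "spec": {"hosts": ["httpbin.org"], "location": "MESH_EXTERNAL", "resolution": "DNS",
                     "ports": [{"number": 443, "name": "https", "protocol": "HTTPS"}]}}

VS_TO_443 = {"metadata": {"name": "httpbin"},
             "spec": {"hosts": ["httpbin.domain.co"],
                      "http": [{"route": [{"destination": {"host": "httpbin.org", "port": {"number": 443}}}]}]}}

DR_ANSWER = {"metadata": {"name": "httpbin-org"},
             "spec": {"host": "httpbin.org",
                      "trafficPolicy": {"loadBalancer": {"simple": "ROUND_ROBIN"},
                                        "portLevelSettings": [{"port": {"number": 443}, "tls": {"mode": "SIMPLE"}}]}}}

DR_HARDENED = {"metadata": {"name": "httpbin-org"},
               "spec": {"host": "httpbin.org",
                        "trafficPolicy": {"portLevelSettings": [{"port": {"number": 443},
                                          "tls": {"mode": "SIMPLE", "sni": "httpbin.org",
                                                  "caCertificates": "/etc/ssl/certs/ca-certificates.crt"}}]}}}

def effective_tls(destination_rule, port):
    """The tls block Istio applies to a port: portLevelSettings override the top-level trafficPolicy."""
    policy = destination_rule["spec"].get("trafficPolicy", {})
    for pls in policy.get("portLevelSettings", []):
        if pls.get("port", {}).get("number") == port and "tls" in pls:
            return pls["tls"]
    return policy.get("tls")

def check_tls_origination(service_entries, virtual_services, destination_rules):
    """Return (severity, message) findings for http routes that target a ServiceEntry host."""
    findings = []
    se_by_host = {h: se for se in service_entries for h in se["spec"]["hosts"]}
    for vs in virtual_services:
        for rule in vs["spec"].get("http", []):
            for r in rule.get("route", []):
                dest = r["destination"]
                se = se_by_host.get(dest["host"])
                if se is None:
                    continue                       # in-mesh Service, not covered by this check
                port = dest.get("port", {}).get("number")
                se_port = next((p for p in se["spec"]["ports"] if p["number"] == port), None)
                if se_port is None:
                    findings.append(("error", f"{vs['metadata']['name']}: ServiceEntry {dest['host']} declares no port {port}"))
                    continue
                tls = None
                for dr in destination_rules:
                    if dr["spec"]["host"] == dest["host"]:
                        tls = effective_tls(dr, port) or tls
                proto = se_port.get("protocol", "").upper()
                mode = (tls or {}).get("mode", "DISABLE")
                if proto in ("HTTPS", "TLS") and mode == "DISABLE":
                    findings.append(("error", f"{dest['host']}:{port} is {proto} but no DestinationRule originates TLS; "
                                              "the proxy would send plaintext HTTP to that port"))
                elif mode == "SIMPLE":
                    if not tls.get("caCertificates") and not tls.get("credentialName"):
                        findings.append(("warning", f"{dest['host']}:{port}: SIMPLE TLS without caCertificates or credentialName; "
                                                    "whether the upstream certificate is verified then depends on the Istio release"))
                    if not tls.get("sni"):
                        findings.append(("warning", f"{dest['host']}:{port}: no sni set; set it to {dest['host']} "
                                                    "unless auto-SNI is enabled in your mesh"))
    return findings

if __name__ == "__main__":
    for label, drs in (("no DestinationRule", []), ("answer's DestinationRule", [DR_ANSWER]), ("hardened", [DR_HARDENED])):
        print(label, "->", check_tls_origination([SE_HTTPS], [VS_TO_443], drs) or "ok")
```

Run over the answer's manifests it reports the two warnings; with the DestinationRule removed it reports the plaintext error, which is the failure mode the question started from; with the hardened variant it is silent.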