DestinationRule is not applied on ServiceEntry - kubernetes

When I specify the host in the ServiceEntry and DestinationRule as httpbin, the DestinationRule doesn't work. But it works if I add a suffix, i.e. httpbin.se.
Example:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin
  namespace: default
spec:
  hosts:
  - httpbin # doesn't work
  # - httpbin.se # works
  ports:
  - number: 443
    name: http-443
    protocol: HTTP
  - number: 80
    name: http-80
    protocol: HTTP
  location: MESH_EXTERNAL
  resolution: STATIC
  addresses:
  - "34.235.36.14"
  endpoints:
  - address: "34.235.36.14"
    ports:
      http-443: 443
      http-80: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin
  namespace: default
spec:
  host: httpbin # doesn't work
  # host: httpbin.se # works
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE
Maybe I missed some documentation, can't be sure.

Related

Traefik Kubernetes (k3s): Expose non-Kubernetes service with https

I have two clusters relevant for this question.
k3s-0 [10.12.9.113]
k3s-2 [10.12.9.115]
Both clusters have traefik 2.4.8 running.
My internal domain k3s.lan points to k3s-0. (My DNS server is pihole.)
In k3s-0, I have the following working perfectly.
---
kind: Service
apiVersion: v1
metadata:
  name: k2-service
spec:
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http
---
kind: Endpoints
apiVersion: v1
metadata:
  name: k2-service
subsets:
- addresses:
  - ip: 10.12.9.115
  ports:
  - protocol: TCP
    port: 80
    name: http
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx2
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`k2.k3s.lan`)
    kind: Rule
    services:
    - name: k2-service
      port: 80
When I type http://k2.k3s.lan, I see my nginx landing page.
Now I want to access the same landing page using https instead of http. I tried the following, but it does not work.
kind: Service
apiVersion: v1
metadata:
  name: k2-service-sec
spec:
  ports:
  - protocol: TCP
    port: 443
    targetPort: 80
    name: https
---
kind: Endpoints
apiVersion: v1
metadata:
  name: k2-service-sec
subsets:
- addresses:
  - ip: 10.12.9.115
  ports:
  - protocol: TCP
    port: 80
    name: https
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx2-sec
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`k2sec.k3s.lan`)
    kind: Rule
    services:
    - name: k2-service-sec
      port: 443
When I type https://k2sec.k3s.lan, I get an Internal Server Error.
For reference, here are the settings of the ingressroute/service in k3s-2.
The only thing I changed here was to host k2sec.k3s.lan in the route.
apiVersion: v1
kind: Service
metadata:
  labels:
    run: nginx
  name: nginx
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`k2.k3s.lan`,`k2sec.k3s.lan`)
    kind: Rule
    services:
    - name: nginx
      port: 80
I think I solved my own problem, thanks to this
At least it is working right now. As a true beginner, all this feels like magic.
Here is the updated manifest in k3s-0.
Main changes:
Added a middleware to redirect from http to https
Referenced the middleware from the web IngressRoute
Added a ServersTransport to set the insecureSkipVerify flag to true
Referenced the ServersTransport from the websecure IngressRoute
Set scheme to https in the websecure IngressRoute. I have not tried it without it; it may not be necessary.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirectscheme
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
kind: Service
apiVersion: v1
metadata:
  name: k2-service
spec:
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http
---
kind: Endpoints
apiVersion: v1
metadata:
  name: k2-service
subsets:
- addresses:
  - ip: 10.12.9.115
  ports:
  - protocol: TCP
    port: 80
    name: http
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: k2-service
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`k2.k3s.lan`)
    kind: Rule
    services:
    - name: k2-service
      port: 80
    middlewares:
    - name: redirectscheme
---
kind: Service
apiVersion: v1
metadata:
  name: k2-service-sec
spec:
  ports:
  - protocol: TCP
    port: 443
    targetPort: 443
    name: https
---
kind: Endpoints
apiVersion: v1
metadata:
  name: k2-service-sec
subsets:
- addresses:
  - ip: 10.12.9.115
  ports:
  - protocol: TCP
    port: 443
    name: https
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: traefik-servers-transport
spec:
  serverName: "test"
  insecureSkipVerify: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: k2-service-sec
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`k2.k3s.lan`)
    kind: Rule
    services:
    - name: k2-service-sec
      port: 443
      scheme: https
      serversTransport: traefik-servers-transport
I also changed the IngressRoute in k3s-2:
Added a middleware to redirect from http to https
Referenced the middleware from the web IngressRoute
Created a new websecure IngressRoute
Here it is:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirectscheme
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
apiVersion: v1
kind: Service
metadata:
  labels:
    run: nginx
  name: nginx
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`k2.k3s.lan`)
    kind: Rule
    services:
    - name: nginx
      port: 80
    middlewares:
    - name: redirectscheme
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx-sec
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`k2.k3s.lan`)
    kind: Rule
    services:
    - name: nginx
      port: 80
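The working configuration above disables backend certificate verification (insecureSkipVerify: true together with a placeholder serverName), so Traefik on k3s-0 will accept any certificate presented from 10.12.9.115, including one from a host that has taken over that address. The usual fix is to give k3s-2 a certificate for k2.k3s.lan issued by an internal CA and have k3s-0 verify the backend against that CA. The following is an added example, not the original poster's manifests; it assumes a TLS secret named k2-tls on k3s-2 and an Opaque secret named internal-ca on k3s-0 whose ca.crt key holds the issuing CA certificate.

```yaml
# k3s-2: serve k2.k3s.lan with a certificate the other cluster can verify.
# Assumed secret, created e.g. with:
#   kubectl create secret tls k2-tls --cert=k2.crt --key=k2.key
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx-sec
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`k2.k3s.lan`)
    kind: Rule
    services:
    - name: nginx
      port: 80
  tls:
    secretName: k2-tls          # certificate for k2.k3s.lan signed by the internal CA
---
# k3s-0: pin the internal CA instead of skipping verification.
# Assumed secret, created e.g. with:
#   kubectl create secret generic internal-ca --from-file=ca.crt=ca.crt
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: verified-transport
spec:
  serverName: k2.k3s.lan        # SNI sent to the backend and the name its certificate must match
  rootCAsSecrets:
  - internal-ca                 # backend certificate must chain to this CA; no insecureSkipVerify
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: k2-service-sec
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`k2.k3s.lan`)
    kind: Rule
    services:
    - name: k2-service-sec      # the headless Service/Endpoints pointing at 10.12.9.115:443
      port: 443
      scheme: https
      serversTransport: verified-transport
```

With this in place a certificate that does not chain to internal-ca, or whose names do not include k2.k3s.lan, makes Traefik on k3s-0 refuse the backend connection instead of silently proxying to it.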

How to use Istio Ingress to forward STOMP protocol of RabbitMQ in Kubernetes?

I tried with this Gateway and VirtualService, but it didn't work.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: stomp
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: stomp
      protocol: TCP
    hosts:
    - rmq-stomp.mycompany.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: rmq-stomp
spec:
  hosts:
  - rmq-stomp.mycompany.com
  gateways:
  - stomp
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        port:
          number: 61613
        host: rabbitmq.default.svc.cluster.local
There's no problem with the service, because when I tried to connect from another pod, it connected.
Use tcp.match, not http.match. Here is the example I have found in the Istio Gateway docs and in the Istio VirtualService docs:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo-mongo
  namespace: bookinfo-namespace
spec:
  hosts:
  - mongosvr.prod.svc.cluster.local # name of internal Mongo service
  gateways:
  - some-config-namespace/my-gateway # can omit the namespace if gateway is in same namespace as virtual service.
  tcp:
  - match:
    - port: 27017
    route:
    - destination:
        host: mongo.prod.svc.cluster.local
        port:
          number: 5555
So yours would look something like:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: rmq-stomp
spec:
  hosts:
  - rmq-stomp.mycompany.com
  gateways:
  - stomp
  tcp:
  - match:
    - port: 80
    route:
    - destination:
        host: rabbitmq.default.svc.cluster.local
        port:
          number: 61613
Here is a similar question answered: how-to-configure-istios-virtualservice-for-a-service-which-exposes-multiple-por
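One thing worth checking on the Gateway side: the answer keeps the TCP server on port 80, but a plain TCP connection carries no hostname, so the proxy can only route it by port. If any other Gateway on the same istio-ingressgateway already declares port 80 as HTTP, the two servers conflict, and whichever port is chosen must also be exposed by the ingressgateway's Kubernetes Service or the load balancer never forwards it. The following is an added example, not from the original answer, that moves STOMP to a dedicated port; it assumes the istio-ingressgateway Service in istio-system has been patched to expose port 61613 as shown in the comment.

```yaml
# Assumed prerequisite: expose the new port on the ingress gateway Service, e.g.
#   kubectl -n istio-system patch svc istio-ingressgateway --type=json \
#     -p='[{"op":"add","path":"/spec/ports/-","value":{"name":"tcp-stomp","port":61613,"targetPort":61613,"protocol":"TCP"}}]'
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: stomp
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 61613        # dedicated port: a TCP server cannot share port 80 with HTTP servers
      name: tcp-stomp      # "tcp-" prefix makes the protocol explicit to Istio
      protocol: TCP
    hosts:
    - rmq-stomp.mycompany.com   # scopes which VirtualServices may bind; not matched on the wire for TCP
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: rmq-stomp
spec:
  hosts:
  - rmq-stomp.mycompany.com
  gateways:
  - stomp
  tcp:
  - match:
    - port: 61613          # the only thing a TCP route can match on is the gateway port
    route:
    - destination:
        host: rabbitmq.default.svc.cluster.local
        port:
          number: 61613
```

Because the route is purely port-based, anyone who can reach the load balancer on 61613 reaches RabbitMQ's STOMP listener; restrict the port at the load balancer or network policy level, or put it behind TLS, rather than relying on the hostname in the Gateway.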

Egress gateway doesn't work correctly when adding multiple external services

I was trying to define multiple external services (redis: AWS ElastiCache) to route through the egress gateway. Two gateways were configured with reference to https://github.com/istio/istio/issues/16806#issuecomment-538718737. I applied the following config, but it didn't work correctly and I could find error logs. It seemed that connections to both of the destinations were forwarded to only one of them (random?).
Is this a bug or is there any solution?
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway-redis-1
  namespace: test
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      name: redis
      number: 6379
      protocol: TCP
    hosts:
    - "aaa.aaa.ng.0001.apne1.cache.amazonaws.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: egress-redis-1
  namespace: test
spec:
  hosts:
  - aaa.aaa.ng.0001.apne1.cache.amazonaws.com
  ports:
  - name: egress-redis-1
    number: 6379
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: egress-redis-1
  namespace: test
spec:
  hosts:
  - aaa.aaa.ng.0001.apne1.cache.amazonaws.com
  gateways:
  - istio-egressgateway-redis-1
  - mesh
  tcp:
  - match:
    - gateways:
      - mesh
      port: 6379
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: egress-redis-1
        port:
          number: 6379
  - match:
    - gateways:
      - istio-egressgateway-redis-1
      port: 6379
    route:
    - destination:
        host: aaa.aaa.ng.0001.apne1.cache.amazonaws.com
        port:
          number: 6379
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egress-redis-1
  namespace: test
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: egress-redis-1
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway-redis-2
  namespace: test
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      name: redis
      number: 6379
      protocol: TCP
    hosts:
    - "bbb.bbb.clustercfg.apne1.cache.amazonaws.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: egress-redis-2
  namespace: test
spec:
  hosts:
  - bbb.bbb.clustercfg.apne1.cache.amazonaws.com
  ports:
  - name: egress-redis-2
    number: 6379
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: egress-redis-2
  namespace: test
spec:
  hosts:
  - bbb.bbb.clustercfg.apne1.cache.amazonaws.com
  gateways:
  - istio-egressgateway-redis-2
  - mesh
  tcp:
  - match:
    - gateways:
      - mesh
      port: 6379
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: egress-redis-2
        port:
          number: 6379
  - match:
    - gateways:
      - istio-egressgateway-redis-2
      port: 6379
    route:
    - destination:
        host: bbb.bbb.clustercfg.apne1.cache.amazonaws.com
        port:
          number: 6379
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egress-redis-2
  namespace: test
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: egress-redis-2
Istio error logs:
2020-07-14T08:24:42.803875Z#011info#011ads#011Push Status: {
"pilot_conflict_outbound_listener_tcp_over_current_tcp": {
"0.0.0.0:6379": {
"proxy": "member-11111-22222.test",
"message": "Listener=0.0.0.0:6379 AcceptedTCP=aaa.aaa.clustercfg.apne1.cache.amazonaws.com RejectedTCP=bbb.bbb.ng.0001.apne1.cache.amazonaws.com TCPServices=1"
}
}
}
Version:
Kubernetes: 1.18.5
Istio: 1.6.4
outboundTrafficPolicy: REGISTRY_ONLY
After updating the Gateway port names to be unique, it still doesn't work.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway-redis-1
  namespace: qa2
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      name: egress-redis-1
      number: 6379
      protocol: TCP
    hosts:
    - "aaa.aaa.ng.0001.apne1.cache.amazonaws.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway-redis-2
  namespace: qa2
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      name: egress-redis-2
      number: 6379
      protocol: TCP
    hosts:
    - "bbb.bbb.clustercfg.apne1.cache.amazonaws.com"
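The push status in the question is the sidecar, not the egress gateway, reporting the real problem: two plain-TCP ServiceEntries with no addresses both claim the outbound listener 0.0.0.0:6379. A plain TCP connection carries no hostname, so the proxy can keep only one service per IP:port and rejects the other (that is the AcceptedTCP / RejectedTCP pair in the message); the Gateway port names never mattered. For plain TCP the entries need distinct ports or distinct addresses. If the ElastiCache clusters have in-transit encryption enabled, the client speaks TLS and sends SNI, which lets both hosts share the port. The following is an added example, not the original poster's config, of that SNI-based approach; it assumes TLS-enabled Redis endpoints and that the istio-egressgateway Service in istio-system exposes port 6379 (the default install exposes only 80 and 443).

```yaml
# Assumes: both ElastiCache endpoints speak TLS on 6379 (in-transit encryption),
# and the istio-egressgateway Service has a port 6379 added.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: egress-redis
  namespace: test
spec:
  hosts:
  - aaa.aaa.ng.0001.apne1.cache.amazonaws.com
  - bbb.bbb.clustercfg.apne1.cache.amazonaws.com
  ports:
  - name: tls-redis
    number: 6379
    protocol: TLS          # sidecar builds SNI-based filter chains instead of one TCP service per IP:port
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway-redis
  namespace: test
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 6379
      name: tls-redis
      protocol: TLS
    hosts:
    - aaa.aaa.ng.0001.apne1.cache.amazonaws.com
    - bbb.bbb.clustercfg.apne1.cache.amazonaws.com
    tls:
      mode: PASSTHROUGH    # gateway forwards the TLS stream by SNI; it never holds Redis plaintext
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egress-redis
  namespace: test
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: redis
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: egress-redis
  namespace: test
spec:
  hosts:
  - aaa.aaa.ng.0001.apne1.cache.amazonaws.com
  - bbb.bbb.clustercfg.apne1.cache.amazonaws.com
  gateways:
  - mesh
  - istio-egressgateway-redis
  tls:
  # sidecar -> egress gateway: both SNI names go to the gateway
  - match:
    - gateways: [mesh]
      port: 6379
      sniHosts:
      - aaa.aaa.ng.0001.apne1.cache.amazonaws.com
      - bbb.bbb.clustercfg.apne1.cache.amazonaws.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: redis
        port:
          number: 6379
  # egress gateway -> external endpoint, selected by SNI
  - match:
    - gateways: [istio-egressgateway-redis]
      port: 6379
      sniHosts: [aaa.aaa.ng.0001.apne1.cache.amazonaws.com]
    route:
    - destination:
        host: aaa.aaa.ng.0001.apne1.cache.amazonaws.com
        port:
          number: 6379
  - match:
    - gateways: [istio-egressgateway-redis]
      port: 6379
      sniHosts: [bbb.bbb.clustercfg.apne1.cache.amazonaws.com]
    route:
    - destination:
        host: bbb.bbb.clustercfg.apne1.cache.amazonaws.com
        port:
          number: 6379
```

After applying this, a second push status should no longer list pilot_conflict_outbound_listener_tcp_over_current_tcp for 0.0.0.0:6379, and the egress gateway's access log should show each Redis connection leaving toward the endpoint whose SNI it carried. If the Redis endpoints are plaintext only, this pattern does not apply; give each ServiceEntry its own port or its own addresses entry instead.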

Using istio as a reverse proxy for external TLS services

Istio allows you to route an HTTP request in a VirtualService to an external host provided a ServiceEntry exists. For example:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - httpbin.domain.co
  gateways:
  - public-gateway.istio-system.svc.cluster.local
  - mesh
  http:
  - match:
    - gateways:
      - public-gateway.istio-system.svc.cluster.local
      port: 443
      authority:            # HTTPMatchRequest has no "host" field; the Host header is matched via authority
        exact: httpbin.domain.co
    route:
    - destination:
        host: httpbin.org
        port:
          number: 80
However this only allows for an HTTP endpoint - how do I configure the external endpoint to be TLS/HTTPS?
This took me hours to work out, so worth sharing I feel.
In order to terminate this service as TLS, a DestinationRule is required. My final config:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - httpbin.domain.co
  gateways:
  - public-gateway.istio-system.svc.cluster.local
  - mesh
  http:
  - match:
    - gateways:
      - public-gateway.istio-system.svc.cluster.local
      port: 443
      authority:            # HTTPMatchRequest has no "host" field; the Host header is matched via authority
        exact: httpbin.domain.co
    - gateways:
      - public-gateway.istio-system.svc.cluster.local
      port: 80
      authority:
        exact: httpbin.domain.co
    route:
    - destination:
        host: httpbin.org
        port:
          number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin-org
spec:
  host: httpbin.org
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE
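Two things a practitioner would want to add to the answer's final config, and that also explain the first question on this page. First, the DestinationRule host must be the same string as the ServiceEntry host: Istio's DestinationRule reference says a Kubernetes-style short name such as httpbin is interpreted relative to the rule's namespace (httpbin.default.svc.cluster.local), so it never matches a ServiceEntry whose host is literally httpbin, while a dotted name like httpbin.se or httpbin.org matches as written, which is exactly what the first question observed. Second, tls.mode: SIMPLE alone originates TLS but, on the Istio versions these posts use, does not verify the upstream certificate unless caCertificates is set, so the "reverse proxy" would happily talk to an impostor. The following is an added example, not the answer author's config; it assumes the CA bundle shipped in the proxy image at /etc/ssl/certs/ca-certificates.crt and adds the authority rewrite that the upstream usually needs.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org          # dotted name: a bare short name would be expanded on the DestinationRule side only
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - httpbin.domain.co
  gateways:
  - public-gateway.istio-system.svc.cluster.local
  http:
  - match:
    - gateways:
      - public-gateway.istio-system.svc.cluster.local
      port: 443
      authority:
        exact: httpbin.domain.co
    rewrite:
      authority: httpbin.org     # otherwise the upstream receives Host: httpbin.domain.co
    route:
    - destination:
        host: httpbin.org
        port:
          number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin-org
spec:
  host: httpbin.org      # must match the ServiceEntry host exactly; "httpbin" would become httpbin.<ns>.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE
        sni: httpbin.org                                      # SNI the proxy sends in the TLS handshake
        caCertificates: /etc/ssl/certs/ca-certificates.crt    # assumed path; without it the proxy does not verify the server certificate
        subjectAltNames:
        - httpbin.org                                         # the certificate must carry this name
```

To confirm verification is actually on, point the ServiceEntry at a host with an invalid certificate and watch the gateway return a 503 with an upstream TLS error in its access log; with caCertificates omitted the same request succeeds.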

How to write a custom ingressgateway in istio?

I'm new to Istio. I have a simple test YAML file which is a little long. What I want to do is write a custom ingressgateway service for my gateway. After testing, the incorrect part is the definition of the ingressgateway, which is at the top. The entire YAML is below:
apiVersion: v1
kind: Service
metadata:
  name: batman-ingressgateway
  labels:
    app: batman-ingressgateway
spec:
  type: LoadBalancer
  selector:
    app: batman-ingressgateway
  ports:
  - port: 80
    targetPort: 80
    nodePort: 31389
    name: http
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: batman-gateway
spec:
  selector:
    app: batman-ingressgateway
    #istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: batman
spec:
  hosts:
  - "*"
  gateways:
  - batman-gateway
  http:
  - route:
    - destination:
        host: batman
        port:
          number: 8000
        subset: v1
      weight: 80
    - destination:
        host: batman
        port:
          number: 8000
        subset: v2
      weight: 20
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: batman-destination
spec:
  host: batman
  subsets:
  - name: v1
    labels:
      version: v1
      run: batman
  - name: v2
    labels:
      version: v2
      run: batman
I want to access my app from a browser with an address like http://my_host_ip:31389/article. The problem now is that the ingressgateway doesn't route traffic to my gateway. Can anyone help me?
Thanks.
Documentation on Istio gateway routing is here: https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/.
If you look at the Gateway spec, they have
selector:
  istio: ingressgateway # use Istio default gateway implementation
While you have
selector:
  app: batman-ingressgateway
  #istio: ingressgateway
For the VirtualService definition you can look here: https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service/
You can try routing requests to /article to your service:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: article-route
spec:
  hosts:
  - "*"                 # a bare * is not valid YAML; it must be quoted
  gateways:
  - batman-gateway      # without this the rule binds only to sidecars, not to the ingress gateway
  http:
  - match:
    - uri:
        prefix: "/article"
    route:
    - destination:
        host: <name of your service>
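The selector is only half of it. The Service in the question selects pods labelled app: batman-ingressgateway, but nothing on the page deploys an Istio gateway proxy carrying that label, and a Gateway's selector only ever matches gateway proxy pods, so with no such pods there is nothing to route. The following is an added example, not from the question or the answer, of declaring the extra gateway through an IstioOperator resource so that the proxy Deployment and its Service are created together with matching labels. It assumes istioctl against an existing control plane, Istio 1.5 or later (the gateway proxy runs unprivileged and listens on 8080 for Service port 80), and is applied with istioctl install -f.

```yaml
# Adds a second ingress gateway next to the existing control plane.
# Assumes: istioctl install -f <this file>, Istio >= 1.5.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: batman-gateway
spec:
  profile: empty                     # only add the gateway; do not reinstall the control plane
  components:
    ingressGateways:
    - name: batman-ingressgateway
      namespace: default
      enabled: true
      label:
        app: batman-ingressgateway   # pod label that Gateway.spec.selector and the Service select on
      k8s:
        service:
          type: LoadBalancer
          ports:
          - name: http2
            port: 80
            targetPort: 8080         # unprivileged proxy listens on 8080, not 80
            nodePort: 31389
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: batman-gateway
spec:
  selector:
    app: batman-ingressgateway       # must equal the label above, not istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"                            # needed when clients hit the node IP directly; narrow to a real host where you can
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: batman
spec:
  hosts:
  - "*"
  gateways:
  - batman-gateway
  http:
  - match:
    - uri:
        prefix: /article
    route:
    - destination:
        host: batman
        port:
          number: 8000
        subset: v1
      weight: 80
    - destination:
        host: batman
        port:
          number: 8000
        subset: v2
      weight: 20
```

Check it with kubectl -n default get pods -l app=batman-ingressgateway (a running proxy pod must appear) before debugging the Gateway and VirtualService; if the pod list is empty, no amount of routing config will help.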