How to write a custom ingressgateway in istio? - kubernetes

I'm new to Istio. I have a simple test YAML file which is a little long. What I want to do is write a custom ingressgateway service for my gateway. After testing, the incorrect part is the definition of the ingressgateway, which is at the top. The entire YAML is below:
apiVersion: v1
kind: Service
metadata:
  name: batman-ingressgateway
  labels:
    app: batman-ingressgateway
spec:
  type: LoadBalancer
  selector:
    app: batman-ingressgateway
  ports:
  - port: 80
    targetPort: 80
    nodePort: 31389
    name: http
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: batman-gateway
spec:
  selector:
    app: batman-ingressgateway
    #istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: batman
spec:
  hosts:
  - "*"
  gateways:
  - batman-gateway
  http:
  - match:
    route:
    - destination:
        host: batman
        port:
          number: 8000
        subset: v1
      weight: 80
    - destination:
        host: batman
        port:
          number: 8000
        subset: v2
      weight: 20
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: batman-destination
spec:
  host: batman
  subsets:
  - name: v1
    labels:
      version: v1
      run: batman
  - name: v2
    labels:
      version: v2
      run: batman
I want to access my app from the browser with an address like http://my_host_ip:31389/article. The problem now is that the ingressgateway doesn't route traffic to my gateway. Is there anyone who can help me?
Thanks.

Documentation on Istio gateway routing is here https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/.
If you look at the gateway spec, they have
  selector:
    istio: ingressgateway # use Istio default gateway implementation
While you have
  selector:
    app: batman-ingressgateway
    #istio: ingressgateway
For the VirtualService definition you can look here https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service/
You can try routing requests to /article to your service
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: article-route
spec:
  hosts:
  - "*"
  http:
  - match:
    - uri:
        prefix: "/article"
    route:
    - destination:
        host: <name of your service>

Related

Facing 502 error while implementing Istio-ingress with envoy proxy

Below is the configuration which I am using in my environment.
I am able to launch the site, but somehow inbound is getting blocked by Istio/envoy, so I am not able to navigate to my site's other pages, which are called by AJAX; I get the error attached below.
apiVersion: v1
kind: Service
metadata:
  name: svc-controlcenter
  namespace: ns-test
  labels:
    app: controlcenter
    app.kubernetes.io/managed-by: Helm
    env: dev
  annotations:
    meta.helm.sh/release-name: controlcenter
    meta.helm.sh/release-namespace: ns-test
spec:
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 8001
  selector:
    app: controlcenter
    env: dev
Istio-Gateway
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: cc-gw-apps
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "*.<URL>"
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: secret
      mode: SIMPLE
Virtual Services
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vs-cc
  namespace: ns-test
spec:
  hosts:
  - "<FQDN>"
  gateways:
  - istio-system/cc-gw-apps
  http:
  - match:
    - uri:
        prefix: "/"
    route:
    - destination:
        host: <same>.ns-test.svc.cluster.local
        port:
          number: 80

Route TCP traffic through Istio egressgateway

I have a deployment running a frontier-squid proxy for caching, and I need to route all outbound TCP traffic through an istio-egressgateway in order to always exit the mesh from the same host/IP.
I tried to follow the egress-mongo example, but unsuccessfully.
For reference, the inbound part is working fine, and traffic is also exiting the mesh, from the host where the pod is running (unwanted behavior).
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cvmfs
  namespace: lcg
  annotations:
    co.elastic.logs/enabled: "true"
    co.elastic.logs/module: "squid"
  labels:
    app: cvmfs
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cvmfs
  template:
    metadata:
      labels:
        app: cvmfs
    spec:
      containers:
      - name: cvmfs
        image: opensciencegrid/frontier-squid:stable
        env:
        ## SQUID_IPRANGE: Don't add the external IP here. Proxied traffic doesn't have the external IP. See the AuthorizationPolicy ingress-policy-cvmfs below.
        - name: "SQUID_IPRANGE"
          value: "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7 fe80::/10 127.0.0.0/24"
        - name: "SQUID_CACHE_DISK"
          value: "50000"
        - name: "SQUID_CACHE_MEM"
          value: "16 GB"
        ports:
        - containerPort: 3128
        resources:
          requests:
            cpu: 4
            memory: 20G
          limits:
            cpu: 8
            memory: 32G
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: cvmfs
  name: cvmfs
spec:
  ports:
  - port: 3128
  selector:
    app: cvmfs
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: lcg-cvmfs-gw
  namespace: lcg
spec:
  selector:
    app: clustername-vlan320-gateway-cvmfs1
    istio: ingressgateway
  servers:
  - port:
      number: 3128
      name: tcp-squid
      protocol: TCP
    hosts:
    - cvmfs1.sub.domain.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: lcg-cvmfs-vs
  namespace: lcg
spec:
  hosts:
  - cvmfs1.sub.domain.com
  gateways:
  - lcg-cvmfs-gw
  tcp:
  - match:
    - port: 3128
    route:
    - destination:
        host: cvmfs
        port:
          number: 3128
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy-cvmfs
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: clustername-vlan320-gateway-cvmfs1
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        remoteIpBlocks:
        - aa.aa.aa.aa/19
        - bb.bb.bb.bb/25
Here is my attempt to set up all the steps to exit the mesh from the istio-egressgateway:
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-stratum-1
  namespace: lcg
spec:
  hosts:
  - external.tcp.svc # Not used in TCP mode
  addresses:
  - xx.xx.xx.xx/32
  - xx.xx.xx.xx/32
  ports:
  - number: 8000
    name: tcp-stratum1
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: STATIC
  endpoints:
  - address: xx.xx.xx.xx/32
  - address: xx.xx.xx.xx/32
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
  namespace: lcg
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 55555
      name: tcp-exit1
      protocol: TCP
    hosts:
    - external.tcp.svc
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-cvmfs-stratum1
  namespace: lcg
spec:
  host: istio-egressgateway.istio-system.svc.clustername.domain.com
  subsets:
  - name: external-stratum-1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: external-stratum-1
spec:
  host: external.tcp.svc
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-stratum1-through-egress-gateway
  namespace: lcg
spec:
  hosts:
  - external.tcp.svc
  gateways:
  - mesh
  - istio-egressgateway
  tcp:
  - match:
    - gateways:
      - mesh
      destinationSubnets:
      - xx.xx.xx.xx/32
      - xx.xx.xx.xx/32
      port: 8000
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.clustername.domain.com
        subset: external-stratum-1
        port:
          number: 55555
  - match:
    - gateways:
      - istio-egressgateway
      port: 55555
    route:
    - destination:
        host: external.tcp.svc
        port:
          number: 8000
      weight: 100
I'm running vanilla Kubernetes version 1.21 and Istio version 1.10.
Can someone help me set up this egressgateway, or maybe suggest a better Istio example?

Kubernetes Istio exposure not working with Virtualservice and Gateway

So we have the following use case running on Istio 1.8.2/Kubernetes 1.18:
Our cluster is exposed via an external load balancer on Azure. When we expose the app the following way, it works:
---
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  annotations:
    ...
  name: frontend
  namespace: frontend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: applicationname
  template:
    metadata:
      labels:
        app: appname
        name: frontend
        customer: customername
    spec:
      imagePullSecrets:
      - name: yadayada
      containers:
      - name: frontend
        image: yadayada
        imagePullPolicy: Always
        ports:
        - name: https
          protocol: TCP
          containerPort: 80
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
---
apiVersion: v1
kind: Service
metadata:
  name: frontend-svc
  namespace: frontend
  labels:
    name: frontend-svc
    customer: customername
spec:
  type: LoadBalancer
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    name: frontend
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: frontend
  annotations:
    kubernetes.io/ingress.class: istio
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  rules:
  - host: "customer.domain.com"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          serviceName: frontend-svc
          servicePort: 80
  tls:
  - hosts:
    - "customer.domain.com"
    secretName: certificate
When we start using a VirtualService and Gateway, we fail to make it work for some reason. We want to use VSVC and Gateways because they offer more flexibility and options (like URL rewriting). Other apps don't have this issue running on Istio (much simpler as well); we don't have a NetworkPolicy in place (yet). We simply cannot reach the webpage. Anyone have an idea? VirtualService and Gateway down below, with the other 2 ReplicaSets not mentioned because they are not the problem:
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  creationTimestamp: null
  name: virtualservice-name
  namespace: frontend
spec:
  gateways:
  - frontend
  hosts:
  - customer.domain.com
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: frontend
        port:
          number: 80
      weight: 100
  - match:
    - uri:
        prefix: /api/
    route:
    - destination:
        host: backend
        port:
          number: 8080
      weight: 100
  - match:
    - uri:
        prefix: /auth/
    route:
    - destination:
        host: keycloak
        port:
          number: 8080
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: frontend
  namespace: frontend
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http2
      protocol: HTTP
    tls:
      httpsRedirect: True
    hosts:
    - "customer.domain.com"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
      credentialName: customer-cert
    hosts:
    - "customer.domain.com"
Your Gateway specifies PASSTHROUGH, however your VirtualService provides an HttpRoute. This means the TLS connection is not terminated by the Gateway, but the VirtualService expects terminated TLS. See also this somewhat similar question.
How do I properly HTTPS secure an application when using Istio?
@user140547 Correct, we changed that now. But we still couldn't access the application.
We found out that one of the important services was not receiving gateway traffic, since that one wasn't set up correctly. It is our first time having an Istio deployment with multiple services, so we thought each of them needed its own Gateway. Little did we know that 1 gateway was more than enough...
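The two misconfigurations discussed on this page (the first question's Gateway whose selector matches no gateway pod, and this thread's PASSTHROUGH server paired with http routes) are both visible in the manifests before anything is applied. The following linter is an added example, not code from any of the posters or from Istio: it takes the manifests as the list of dicts `yaml.safe_load_all()` would return, plus the label sets of the gateway pods (the selector can only be checked against labels the gateway Deployment actually carries), and the `lint` function, the `GATEWAY_POD_LABELS` and the `SAMPLE_DOCS` are all constructed for the example. It goes one step beyond the thread by also flagging a catch-all `/` prefix listed ahead of more specific prefixes, since Istio evaluates HTTP routes in order and the first match wins.

```python
"""Added example (not from the thread): static checks for Gateway /
VirtualService mistakes, run over constructed manifests.

Input: a list of dicts as yaml.safe_load_all() would produce, plus the
labels of the gateway pods (constructed here as the Istio default
'istio: ingressgateway' Deployment).
"""

DEFAULT_NS = "default"


def _ns(doc):
    return doc.get("metadata", {}).get("namespace", DEFAULT_NS)


def _ref(doc):
    return f"{_ns(doc)}/{doc['metadata']['name']}"


def _resolve_gateway(name, vs_ns):
    # VirtualService.gateways entries are "name" (same namespace as the
    # VirtualService) or "namespace/name"; "mesh" is the sidecar pseudo-gateway.
    if name == "mesh":
        return "mesh"
    return name if "/" in name else f"{vs_ns}/{name}"


def lint(docs, gateway_pod_labels):
    """Return a list of (resource, finding) tuples; an empty list means clean."""
    findings = []
    gateways = {_ref(d): d for d in docs if d.get("kind") == "Gateway"}
    vss = [d for d in docs if d.get("kind") == "VirtualService"]

    # 1. A Gateway's selector must match the labels of some gateway workload,
    #    otherwise no Envoy ever programs its listeners (first question above).
    for ref, gw in gateways.items():
        sel = gw["spec"].get("selector", {})
        if not any(sel.items() <= labels.items() for labels in gateway_pod_labels):
            findings.append((ref, f"selector {sel} matches no gateway pod"))

    for vs in vss:
        ref = _ref(vs)
        bound = [_resolve_gateway(g, _ns(vs)) for g in vs["spec"].get("gateways", [])]
        # 2. Every referenced Gateway must exist.
        for g in bound:
            if g != "mesh" and g not in gateways:
                findings.append((ref, f"references unknown gateway {g}"))
        # 3. A PASSTHROUGH server never terminates TLS, so the VirtualService
        #    cannot match on HTTP attributes; it needs 'tls' (SNI) routes.
        passthrough = any(
            (srv.get("tls") or {}).get("mode") == "PASSTHROUGH"
            for g in bound if g in gateways
            for srv in gateways[g]["spec"].get("servers", [])
        )
        if passthrough and "http" in vs["spec"] and "tls" not in vs["spec"]:
            findings.append((ref, "bound to a PASSTHROUGH gateway but only has http routes"))
        # 4. HTTP routes are evaluated in order; a broader prefix listed before
        #    a more specific one shadows it.
        seen = []
        for rule in vs["spec"].get("http", []):
            for m in rule.get("match") or []:
                p = (m.get("uri") or {}).get("prefix")
                if p is None:
                    continue
                for earlier in seen:
                    if p != earlier and p.startswith(earlier):
                        findings.append((ref, f"prefix {p!r} is shadowed by earlier prefix {earlier!r}"))
                seen.append(p)
    return findings


# Constructed sample mirroring the two threads: a Gateway selecting a label no
# gateway pod carries, and a PASSTHROUGH gateway bound to http-only routes.
GATEWAY_POD_LABELS = [{"app": "istio-ingressgateway", "istio": "ingressgateway"}]

SAMPLE_DOCS = [
    {"kind": "Gateway", "metadata": {"name": "batman-gateway"},
     "spec": {"selector": {"app": "batman-ingressgateway"},
              "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                           "hosts": ["*"]}]}},
    {"kind": "VirtualService", "metadata": {"name": "batman"},
     "spec": {"hosts": ["*"], "gateways": ["batman-gateway"],
              "http": [{"route": [{"destination": {"host": "batman"}}]}]}},
    {"kind": "Gateway", "metadata": {"name": "frontend", "namespace": "frontend"},
     "spec": {"selector": {"istio": "ingressgateway"},
              "servers": [{"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                           "tls": {"mode": "PASSTHROUGH"},
                           "hosts": ["customer.domain.com"]}]}},
    {"kind": "VirtualService", "metadata": {"name": "frontend-vs", "namespace": "frontend"},
     "spec": {"hosts": ["customer.domain.com"], "gateways": ["frontend"],
              "http": [{"match": [{"uri": {"prefix": "/"}}],
                        "route": [{"destination": {"host": "frontend"}}]},
                       {"match": [{"uri": {"prefix": "/api/"}}],
                        "route": [{"destination": {"host": "backend"}}]}]}},
]

if __name__ == "__main__":
    for resource, message in lint(SAMPLE_DOCS, GATEWAY_POD_LABELS):
        print(f"{resource}: {message}")
```

Run against the sample it reports the missing selector match, the PASSTHROUGH/http mismatch and the shadowed `/api/` prefix; on real manifests, feed `list(yaml.safe_load_all(open(path)))` and the labels from `kubectl get pods -n istio-system -o json` to `lint`. The gateway pod labels are the one input a static file cannot supply, which is why they are a separate argument.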

Egress gateway doesn't work correctly when adding multiple external services

I was trying to define multiple external services (redis: AWS ElastiCache) to route through the egress gateway. Two gateways were configured with reference to https://github.com/istio/istio/issues/16806#issuecomment-538718737. I applied the following config, but it didn't work correctly and I could find error logs. It seemed that connections to both of the destinations were forwarded to only one of them (random?).
Is this a bug, or is there any solution?
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway-redis-1
  namespace: test
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      name: redis
      number: 6379
      protocol: TCP
    hosts:
    - "aaa.aaa.ng.0001.apne1.cache.amazonaws.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: egress-redis-1
  namespace: test
spec:
  hosts:
  - aaa.aaa.ng.0001.apne1.cache.amazonaws.com
  ports:
  - name: egress-redis-1
    number: 6379
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: egress-redis-1
  namespace: test
spec:
  hosts:
  - aaa.aaa.ng.0001.apne1.cache.amazonaws.com
  gateways:
  - istio-egressgateway-redis-1
  - mesh
  tcp:
  - match:
    - gateways:
      - mesh
      port: 6379
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: egress-redis-1
        port:
          number: 6379
  - match:
    - gateways:
      - istio-egressgateway-redis-1
      port: 6379
    route:
    - destination:
        host: aaa.aaa.ng.0001.apne1.cache.amazonaws.com
        port:
          number: 6379
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egress-redis-1
  namespace: test
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: egress-redis-1
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway-redis-2
  namespace: test
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      name: redis
      number: 6379
      protocol: TCP
    hosts:
    - "bbb.bbb.clustercfg.apne1.cache.amazonaws.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: egress-redis-2
  namespace: test
spec:
  hosts:
  - bbb.bbb.clustercfg.apne1.cache.amazonaws.com
  ports:
  - name: egress-redis-2
    number: 6379
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: egress-redis-2
  namespace: test
spec:
  hosts:
  - bbb.bbb.clustercfg.apne1.cache.amazonaws.com
  gateways:
  - istio-egressgateway-redis-2
  - mesh
  tcp:
  - match:
    - gateways:
      - mesh
      port: 6379
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: egress-redis-2
        port:
          number: 6379
  - match:
    - gateways:
      - istio-egressgateway-redis-2
      port: 6379
    route:
    - destination:
        host: bbb.bbb.clustercfg.apne1.cache.amazonaws.com
        port:
          number: 6379
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egress-redis-2
  namespace: test
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: egress-redis-2
Istio error logs:
2020-07-14T08:24:42.803875Z#011info#011ads#011Push Status: {
"pilot_conflict_outbound_listener_tcp_over_current_tcp": {
"0.0.0.0:6379": {
"proxy": "member-11111-22222.test",
"message": "Listener=0.0.0.0:6379 AcceptedTCP=aaa.aaa.clustercfg.apne1.cache.amazonaws.com RejectedTCP=bbb.bbb.ng.0001.apne1.cache.amazonaws.com TCPServices=1"
}
}
}
Version: Kubernetes 1.18.5, Istio 1.6.4
outboundTrafficPolicy: REGISTRY_ONLY
After updating the port names of the Gateways to be unique, it still doesn't work.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway-redis-1
  namespace: qa2
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      name: egress-redis-1
      number: 6379
      protocol: TCP
    hosts:
    - "aaa.aaa.ng.0001.apne1.cache.amazonaws.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway-redis-2
  namespace: qa2
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      name: egress-redis-2
      number: 6379
      protocol: TCP
    hosts:
    - "bbb.bbb.clustercfg.apne1.cache.amazonaws.com"
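The pilot log quoted in this question names the conflict precisely: the sidecar builds one outbound TCP listener on 0.0.0.0:6379, accepts the first ServiceEntry for it and rejects the second. Neither ServiceEntry carries `addresses`, so both claim the same wildcard listener. Below is an added example, not code from the poster or from Istio, with two parts: a check that flags MESH_EXTERNAL TCP ServiceEntries sharing a port without `addresses`, and a parser for pilot's "Push Status" line so the `pilot_conflict_outbound_listener_*` events can be picked up by log monitoring. The manifests are constructed after the ones in the question, the log line is the one quoted above joined onto a single line, and the `#011` tab rendering is assumed to come from the log shipper.

```python
"""Added example (not from the thread): detect TCP ServiceEntries that will
collide on the sidecar's outbound listener, and parse the pilot 'Push Status'
record quoted above so the collision shows up in log monitoring.

Assumption (taken from the quoted pilot message): a TCP ServiceEntry with no
spec.addresses gets an outbound listener on 0.0.0.0:<port>, so two such
entries on one port cannot coexist on the same sidecar.
"""
import json
import re
from collections import defaultdict


def tcp_listener_conflicts(docs):
    """Group TCP ServiceEntry ports that have no addresses by port number.
    Returns {port: [hosts]} for every port claimed by more than one host."""
    by_port = defaultdict(list)
    for d in docs:
        if d.get("kind") != "ServiceEntry":
            continue
        spec = d["spec"]
        if spec.get("addresses"):
            continue  # a VIP gives the listener its own <vip>:<port>
        for p in spec.get("ports", []):
            if p.get("protocol", "").upper() == "TCP":
                by_port[p["number"]].extend(spec.get("hosts", []))
    return {port: hosts for port, hosts in by_port.items() if len(hosts) > 1}


# pilot writes: <timestamp>\tinfo\tads\tPush Status: {json}
# ('#011' in the thread's paste is a tab as rendered by syslog/journald)
_STATUS = re.compile(r"Push Status: (\{.*\})\s*$", re.S)
_FIELDS = re.compile(r"(\w+)=(\S+)")


def parse_push_status(line):
    """Extract listener-conflict events from one pilot log record. Returns a
    list of dicts with the proxy, listener and the accepted/rejected hosts."""
    line = line.replace("#011", "\t")
    m = _STATUS.search(line)
    if not m:
        return []
    status = json.loads(m.group(1))
    events = []
    for metric, listeners in status.items():
        if not metric.startswith("pilot_conflict_outbound_listener"):
            continue
        for listener, info in listeners.items():
            fields = dict(_FIELDS.findall(info.get("message", "")))
            events.append({
                "metric": metric,
                "proxy": info.get("proxy"),
                "listener": listener,
                "accepted": fields.get("AcceptedTCP"),
                "rejected": fields.get("RejectedTCP"),
            })
    return events


# Constructed sample: the two ServiceEntries from the question (no addresses,
# same TCP port) and the quoted pilot record joined onto one line.
SAMPLE_DOCS = [
    {"kind": "ServiceEntry", "metadata": {"name": "egress-redis-1", "namespace": "test"},
     "spec": {"hosts": ["aaa.aaa.ng.0001.apne1.cache.amazonaws.com"],
              "ports": [{"name": "egress-redis-1", "number": 6379, "protocol": "TCP"}],
              "location": "MESH_EXTERNAL", "resolution": "DNS"}},
    {"kind": "ServiceEntry", "metadata": {"name": "egress-redis-2", "namespace": "test"},
     "spec": {"hosts": ["bbb.bbb.clustercfg.apne1.cache.amazonaws.com"],
              "ports": [{"name": "egress-redis-2", "number": 6379, "protocol": "TCP"}],
              "location": "MESH_EXTERNAL", "resolution": "DNS"}},
]

SAMPLE_LOG = (
    '2020-07-14T08:24:42.803875Z#011info#011ads#011Push Status: '
    '{"pilot_conflict_outbound_listener_tcp_over_current_tcp": {"0.0.0.0:6379": '
    '{"proxy": "member-11111-22222.test", "message": "Listener=0.0.0.0:6379 '
    'AcceptedTCP=aaa.aaa.clustercfg.apne1.cache.amazonaws.com '
    'RejectedTCP=bbb.bbb.ng.0001.apne1.cache.amazonaws.com TCPServices=1"}}}'
)

if __name__ == "__main__":
    for port, hosts in tcp_listener_conflicts(SAMPLE_DOCS).items():
        print(f"port {port} claimed by {len(hosts)} TCP hosts without addresses: {hosts}")
    for ev in parse_push_status(SAMPLE_LOG):
        print(f"{ev['proxy']}: {ev['listener']} rejected {ev['rejected']}")
```

Renaming the Gateway ports, as the poster tried, does not change the sidecar-side picture, which is the `mesh` half of the VirtualService: the conflict is on the client proxy's outbound listener, not on the egress gateway. The check clears once each ServiceEntry either uses a distinct port or gets its own entry under `addresses`, and the parser is cheap enough to run over every pilot line.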

Istio Origin Authentication Using JWT does not work

I've been applying an Authentication Policy to my testing service using JWT. I have followed this guide and it did work as expected. But when I tried using a different pod image, it did not work even though almost everything is the same.
Is there anyone facing this issue, or who knows the reason why it did not work in my case?
Thank you very much!
These are my configuration files:
Deployment
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hostname
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hostname
      version: v1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: hostname
        version: v1
    spec:
      containers:
      - image: rstarmer/hostname:v1
        imagePullPolicy: Always
        name: hostname
        resources: {}
      restartPolicy: Always
Service
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hostname
  name: hostname
spec:
  ports:
  - name: http
    port: 8001
    targetPort: 80
  selector:
    app: hostname
Gateway
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: hostname-gateway
  namespace: foo
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
VirtualService
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: hostname-vs
  namespace: foo
spec:
  hosts:
  - "*"
  gateways:
  - hostname-gateway
  http:
  - route:
    - destination:
        port:
          number: 8001
        host: hostname.foo.svc.cluster.local
Policy
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example"
  namespace: foo
spec:
  targets:
  - name: hostname
  origins:
  - jwt:
      issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.0/security/tools/jwt/samples/jwks.json"
  principalBinding: USE_ORIGIN
As stated by the OP on the Istio forums, you need to respect the naming convention for the port name of your service.
It can be either "http" or "http2".
For instance, this is valid
apiVersion: v1
kind: Service
metadata:
  name: somename
  namespace: auth
spec:
  selector:
    app: someapp
  ports:
  - port: 80
    targetPort: 3000
    name: http
And this is not
apiVersion: v1
kind: Service
metadata:
  name: somename
  namespace: auth
spec:
  selector:
    app: someapp
  ports:
  - port: 80
    targetPort: 3000
Not specifying a name for the port is not valid.
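The security consequence of the naming rule above is that a port Istio cannot classify is treated as opaque TCP, and an origin-authentication (JWT) policy is an HTTP-level filter: on a TCP listener it is simply never evaluated, so requests reach the workload unauthenticated. The check below is an added example, not code from the answerer or from Istio. It applies Istio's protocol-selection convention (`<protocol>` or `<protocol>-<suffix>`, with `appProtocol` taking precedence where set), which is broader than the http/http2 pair the answer mentions; the `KNOWN_PROTOCOLS` list is taken from that convention, and the `audit_services` function, its `expect_http` argument and the sample Services are constructed for the example.

```python
"""Added example (not from the thread): classify Service ports the way Istio's
protocol selection does and report the ones that silently fall back to TCP,
where no HTTP-level policy (including a JWT origin policy) is applied.
"""

# Protocol names recognised by Istio's manual protocol selection.
KNOWN_PROTOCOLS = {"http", "http2", "https", "grpc", "grpc-web", "mongo",
                   "mysql", "redis", "tcp", "tls", "udp"}

# Protocols that get Envoy's HTTP connection manager and therefore HTTP filters.
HTTP_PROTOCOLS = {"http", "http2", "grpc", "grpc-web"}


def port_protocol(port):
    """Return the protocol Istio infers for one Service port entry ('tcp' when
    nothing in the port identifies it). appProtocol wins over the port name."""
    app = (port.get("appProtocol") or "").lower()
    if app in KNOWN_PROTOCOLS:
        return app
    name = (port.get("name") or "").lower()
    # longest names first so 'grpc-web' is not mistaken for 'grpc' + suffix
    for proto in sorted(KNOWN_PROTOCOLS, key=len, reverse=True):
        if name == proto or name.startswith(proto + "-"):
            return proto
    return "tcp"


def audit_services(docs, expect_http=()):
    """Return (service, port, finding) tuples for unnamed ports and for ports of
    Services in expect_http (a set of 'namespace/name') that are not HTTP."""
    findings = []
    for d in docs:
        if d.get("kind") != "Service":
            continue
        meta = d["metadata"]
        ref = f"{meta.get('namespace', 'default')}/{meta['name']}"
        for p in d["spec"].get("ports", []):
            proto = port_protocol(p)
            if not p.get("name") and not p.get("appProtocol"):
                findings.append((ref, p["port"], "port has no name; Istio treats it as opaque TCP"))
            elif ref in expect_http and proto not in HTTP_PROTOCOLS:
                findings.append((ref, p["port"], f"name {p.get('name')!r} selects {proto}, not HTTP"))
    return findings


# Constructed sample: the answer's valid and invalid Services plus a port whose
# name looks descriptive but matches no protocol prefix.
SAMPLE_DOCS = [
    {"kind": "Service", "metadata": {"name": "good", "namespace": "auth"},
     "spec": {"selector": {"app": "someapp"},
              "ports": [{"port": 80, "targetPort": 3000, "name": "http"}]}},
    {"kind": "Service", "metadata": {"name": "unnamed", "namespace": "auth"},
     "spec": {"selector": {"app": "someapp"},
              "ports": [{"port": 80, "targetPort": 3000}]}},
    {"kind": "Service", "metadata": {"name": "misnamed", "namespace": "auth"},
     "spec": {"selector": {"app": "someapp"},
              "ports": [{"port": 80, "targetPort": 3000, "name": "web"}]}},
]

if __name__ == "__main__":
    protected = {"auth/good", "auth/unnamed", "auth/misnamed"}
    for svc, port, msg in audit_services(SAMPLE_DOCS, expect_http=protected):
        print(f"{svc}:{port}: {msg}")
```

The `expect_http` set is where the auditor lists every Service that an authentication or authorization policy is supposed to protect; a port that lands in `audit_services`' output is one on which that policy is not being enforced. A name such as `web` is the easy mistake to make: it is a legal Kubernetes port name and passes `kubectl apply`, but under the convention it selects plain TCP.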