Route to external site via Istio Virtual Service - kubernetes

I'm working on a side project to learn Istio in my spare time, part of which is getting my hands dirty with Istio routing.
I'm trying to set up a Virtual Service such that any traffic on "/" gets routed to google.com. I can get Virtual Services to work with any in-cluster pods/services, but I can't seem to configure Istio to route to anything outside the cluster.
Any guidance would be much appreciated, cheers

You have to create a Service Entry for google.com and then create a Virtual Service, referencing google.com in the same way as in-mesh services. Note the issue of the protocols - do you want to access google.com by HTTP or HTTPS? You may want to let Istio perform TLS origination for you.

Configure a service entry for google.com. Refer to this documentation overall, and precisely this.
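
As an added illustration (not from the original thread), the resources the answers describe might look like this when traffic enters through an ingress gateway and the proxy originates TLS to www.google.com. The resource names, the `my-gateway` Gateway and the CA bundle path are assumptions.

```yaml
# Added example; values marked "assumed" are not from the original thread.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: google-external            # assumed name
spec:
  hosts: ["www.google.com"]
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 80                     # port that routes in the mesh refer to
    name: http
    protocol: HTTP
    targetPort: 443                # proxy connects upstream on 443
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: google-tls-origination     # assumed name
spec:
  host: www.google.com
  trafficPolicy:
    portLevelSettings:
    - port: {number: 80}
      tls:
        mode: SIMPLE               # originate TLS at the proxy
        sni: www.google.com
        # assumed CA bundle path inside the proxy container
        caCertificates: /etc/ssl/certs/ca-certificates.crt
        subjectAltNames: ["www.google.com"]
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: root-to-google             # assumed name
spec:
  hosts: ["*"]
  gateways: ["my-gateway"]         # assumed existing Gateway for inbound traffic
  http:
  - match:
    - uri: {prefix: /}
    rewrite:
      authority: www.google.com    # upstream expects its own Host header
    route:
    - destination:
        host: www.google.com
        port: {number: 80}
```

Without `caCertificates`, whether the proxy validates the upstream certificate depends on the Istio version and its settings, so set the CA bundle and `subjectAltNames` explicitly.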

Related

how to force redirect HTTP to HTTPS Kubernetes Service for AWS EKS

I have set up an EKS cluster in which I have 3 apps deployed. Right now it's working fine with an SSL certificate, and I just want to force-redirect users' HTTP requests to HTTPS. I have tried many ways of doing it with different services and ingress controllers, but none of them is working. Please help me out on this if you know of any solutions.
Thank you in advance...
Here is the link to the service.yaml I am using right now.
https://gist.github.com/vyasishanatc194/a01c2bda288c908e4c5c7c45f98ecb41

Azure kubernetes - Istio certificate installation?

I am using ISTIO for service mesh in Azure Kubernetes. I have configured private DNS to set up the FQDN. Currently the application is accessible over the HTTP protocol (e.g. http://myapp.contoso.com) and I would like it to be secured with the HTTPS protocol (e.g. https://myapp.contoso.com).
I know I have to change the service port to 443 to support the HTTPS protocol; however, how/where do I install the SSL certificate for the application (e.g. https://myapp.contoso.com)? Is there anything else to be done as well?
That will depend on where you want the SSL termination to happen. If you want that to happen inside the Azure Kubernetes network, then you can do SSL termination at the ingress layer.
Otherwise, you can also do the termination at the application gateway layer of Azure (if you want to use this service from Azure, the redirection from HTTP to HTTPS, basic firewall features and adding the pfx certificates at the listeners can be done there), although ingress can also take care of these things.
You can install the Let's Encrypt certificates by using this helm chart, and for further steps you can follow this Stack Overflow link. It should help you in creating configurations for Istio; people have used this solution for Istio before.
I found the answer here: Securing Your Istio Ingress Gateway with HTTPS
There is istio documentation about that.
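
One way to terminate TLS at the Istio ingress gateway for the host in the question, as an added example that is not from the original thread. It assumes the certificate and key are stored in a Kubernetes TLS secret named `myapp-contoso-tls` in the ingress gateway's namespace, the default `istio: ingressgateway` selector, and a backend Service `myapp` on port 8080.

```yaml
# Added example; values marked "assumed" are not from the original thread.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: myapp-gateway               # assumed name
spec:
  selector:
    istio: ingressgateway           # assumed: default ingress gateway label
  servers:
  - port: {number: 443, name: https, protocol: HTTPS}
    hosts: ["myapp.contoso.com"]
    tls:
      mode: SIMPLE                  # terminate TLS at the gateway
      credentialName: myapp-contoso-tls   # assumed TLS secret (tls.crt / tls.key)
      minProtocolVersion: TLSV1_2
  - port: {number: 80, name: http, protocol: HTTP}
    hosts: ["myapp.contoso.com"]
    tls:
      httpsRedirect: true           # answer plain HTTP with a 301 to HTTPS
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp                       # assumed name
spec:
  hosts: ["myapp.contoso.com"]
  gateways: ["myapp-gateway"]
  http:
  - route:
    - destination:
        host: myapp                 # assumed backend Service
        port: {number: 8080}        # assumed Service port
```

With termination at the gateway, the application Service can keep its plain HTTP port; only the gateway listens on 443.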

Secure traffic between kubernetes ingress and service

I'm pretty new to kubernetes, I hope to explain myself in a good way, and if anyone has any resources/suggestions to read for my problem it would be really much appreciated.
Let's get straight to the point.
The web app I'm trying to expose accepts only https connection on the service. So basically I would like to ask the ingress to communicate with my service through https
Following some tutorial I tried to expose a simple web app (that accepts http connections) through https, creating a certificate and a secret and adding the following lines to the ingress.yml:
tls:
- secretName: testexample.com
  hosts:
  - testexample.com
and executing a curl -k https://testexample.com or through browser I can see my webpage.
The trouble pops up when my webapp accepts only https connections, and the webapp we are moving to kubernetes does.
I always receive "404 default backend" message.
I tried to look for some resources/tutorial/previous questions,
Secure communication between Ingress Controller (Traefik) and backend service on Kubernetes
Securing connections from ingress to services in Kubernetes with TLS
but I didn't figure out how to get out of the problem.
Any suggestions as mentioned before would be much appreciated.
The error source is probably your Ingress rule. It's either not pointing to the correct service & port, or it is not in the same namespace as the service.

Kubernetes resolving backend IP

My backend and frontend are deployed on Google Kubernetes Engine (GKE). Let's consider these steps:
1. User opens up browser and points to yyy.yyy.yyy:8080.
2. Browser loads the login page.
3. User enters username/password and presses "login" button.
4. Browser (ReactJS App) sends request to REST backend xxx.xxx.xxx:7070 to do the validation.
Now my question is, how can we inject the backend IP (in this case xxx.xxx.xxx) into the frontend pod? Because this IP is not static (I don't want to make it static), and will be provided by GKE. I don't want to proxy my backend call through the frontend either. Neither do I want to use nginx; the reason is one more pod and config to maintain. I just don't want to have nginx for only this reason.
Should I create ingress? I mean something like-
`/` <-- serves ReactJS app
`/api` <--- serves REST api
Or there is a way to inject the ip of backend POD?
What is the best approach?
Thanks in advance.
You can't access the pods directly from the outside. The only way in is through a service of type LoadBalancer. The external IP you get for such a service is static for GKE (AWS gives a DNS name instead).
For every service of type LoadBalancer the cloud provider will spin up a load balancer that you have to pay for. You can funnel all HTTP traffic through a single ingress service that would fan out your requests based on host DNS or URI path and other options, which is what pretty much everyone does. If you want to set up something like that, google for ingress.

How to remove host header

I want to remove Host header at ingress controller before sending the request to backend service. Will appreciate your insight.
My backend service is NOT expecting any Host header.
Thank you!
Google Cloud Platform is working on richer routing and transforms with HTTP(s) Load Balancer, used by Kubernetes Engine Ingress. No ETA is available.
In the meantime, you can use a proxy service in front of the application. See this answer on how to remove a header with nginx.