I am new to Istio and I am trying to get 2 Spring Boot applications to communicate through Istio: component with requirement.
I have installed Istio 1.13.2 on a GKE cluster with the demo profile:
istioctl install --set profile=demo -y
I have automatically injected the sidecar proxy to the default namespace with:
kubectl label namespace default istio-injection=enabled
I have defined istio ingress gateway as entry point and a virtual service that points to the component service.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-gateway-vs
spec:
  hosts:
  - "*"
  gateways:
  - my-gateway
  http:
  - match:
    - uri:
        prefix: /component
    route:
    - destination:
        host: component
        port:
          number: 8080
---
The component app only has one endpoint, /component, which returns a string. So far everything works fine.
The flow is as follows:
my-gateway----->component
My question is how I can make component communicate with requirement directly, without going through the istio-ingress-gateway.
my-gateway----->component ---->requirement
Is it possible?
Note: I have tried adding requirement in the virtual service, but it seems to go through the istio-ingress-gateway and not directly from component to requirement.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-gateway-vs
spec:
  hosts:
  - "*"
  gateways:
  - my-gateway
  http:
  - match:
    - uri:
        prefix: /component
    route:
    - destination:
        host: component
        port:
          number: 8080
  - match:
    - uri:
        prefix: /requirement
    route:
    - destination:
        host: requirement
        port:
          number: 8080
---
I am not sure why the istio ingress controller is coming in between for you.
You should check out this nice simple example: https://istio.io/latest/docs/examples/bookinfo/#deploying-the-application
In the istio example, you can see the review service sending the request to the rating service.
So for connection or service-to-service communication, you can just use the service name.
So if you check the review service source you will get an idea of how services call other services.
Java example :
https://github.com/istio/istio/blob/master/samples/bookinfo/src/reviews/reviews-application/src/main/java/application/rest/LibertyRestEndpoint.java#L42
Python example :
https://github.com/istio/istio/blob/master/samples/bookinfo/src/productpage/productpage.py#L61
So for you the end flow will be something like
istio-ingress-gateway----->service-1----->service-2
Related
I am trying to create an ingress file to route URLs to the inside services, but after calling it in Postman, it just returns a 503 error.
This is my ingress file config:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-srv
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  rules:
  - host: posts.com
    http:
      paths:
      - path: /posts/create
        pathType: Prefix
        backend:
          service:
            name: posts-clusterip-srv
            port:
              number: 7000
This is my posts deployment file and cluster IP service:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: posts-depl
spec:
  replicas: 1
  selector:
    matchLabels:
      app: posts
  template:
    metadata:
      labels:
        app: posts
    spec:
      containers:
      - name: posts
        image: 4765/posts
---
apiVersion: v1
kind: Service
metadata:
  name: posts-clusterip-srv
spec:
  selector:
    app: posts
  ports:
  - name: posts
    protocol: TCP
    port: 7000
    targetPort: 7000
When I send this request from Postman, http://posts.com/posts/create, it just returns 503 Service Unavailable. I tried to curl the cluster IP, curl http://posts-clusterip-srv:7000, but it responds: Could not resolve host: posts-clusterip-srv
I don't know what to do.
Does your app server accept requests on /?
As path: /posts/create will forward the request to your server, which will receive a request on /.
Concerning the curl http://posts-clusterip-srv:7000, it depends on the setup of your cluster:
If you are using a local cluster on your computer, you should modify your /etc/hosts and add your local IP as posts.com; then you should be able to curl it.
If your cluster is on a server, it seems that it is a DNS problem; in the same way as above you can add the server IP to your hosts file to avoid using the DNS.
I'm trying to set up on my GKE cluster a deployment which works with an HTTPS load balancer on Istio.
I installed Istio with the istio-ingress defined as NodePort and created an Ingress on GKE with the following:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: istio-ingress
  namespace: istio-system
  annotations:
    # If the class annotation is not specified it defaults to "gce".
    # kubernetes.io/ingress.class: "gce"
    networking.gke.io/v1beta1.FrontendConfig: "ingress-frontend-config"
    ingress.kubernetes.io/default-backend: istio-ingressgateway
    nginx.ingress.kubernetes.io/default-backend: istio-ingressgateway
    # Enable use of manually pre-defined global static IP
    kubernetes.io/ingress.global-static-ip-name: test-ip-address # A gcp ip address constantly set
    kubernetes.io/ingress.allow-http: "true"
    # Enable use of a GCP-managed certificate through a ManagedCertificate resource
    networking.gke.io/managed-certificates: global-test-dev-cert # A gcp managed certificate for the host
spec:
  rules:
  - http:
      paths:
      - path: /*
        backend:
          # In this case we don't go directly to app-specific services,
          # but first to the Istio ingress-gateway
          # We use port 80 because it is the "ingress-like" port of the ingress-gateway
          serviceName: istio-ingressgateway
          servicePort: 80
After deploying the basic httpbin sample of Istio, I try to access it with the following gateway and virtual service:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
  namespace: svc
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "httpbin.test.com" # DNS set to the Ingress IP
    # - "*"
  - hosts:
    - "httpbin.test.com" # DNS set to the Ingress IP
    # - "*"
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-vs
  namespace: svc
spec:
  hosts:
  - "httpbin.test.com" # DNS set to the Ingress IP
  gateways:
  - httpbin-gateway
  http:
  - route:
    - destination:
        host: httpbin
        port:
          number: 8000
And when I access it through the browser I get a 502 error. In the istio-ingressgateway logs I get a 404 error, route not found.
But when I switch the hosts to
  hosts:
  - "*"
the wildcard gives me access to the httpbin app.
I also tried changing the virtual service to
  tls:
  - match:
    - port: 443
      sniHosts:
      - httpbin.test.com
    route:
    - destination:
        host: httpbin
        port:
          number: 8000
The same problem occurs.
I have an application running in a Kubernetes pod (on my local Docker Desktop, with Kubernetes enabled), listening on port 8080. I then have the following Kubernetes configuration:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: myrelease-foobar-app-gw
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: default-foobar-local-credential
    hosts:
    - test.foobar.local
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myrelease-foobar-app-vs
  namespace: default
spec:
  hosts:
  - test.foobar.local
  gateways:
  - myrelease-foobar-app-gw
  http:
  - match:
    - port: 443
    route:
    - destination:
        host: myrelease-foobar-app.default.svc.cluster.local
        subset: foobarAppDestination
        port:
          number: 8081
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: myrelease-foobar-app-destrule
  namespace: default
spec:
  host: myrelease-foobar-app.default.svc.cluster.local
  subsets:
  - name: foobarAppDestination
    labels:
      app.kubernetes.io/instance: myrelease
      app.kubernetes.io/name: foobar-app
---
apiVersion: v1
kind: Service
metadata:
  name: myrelease-foobar-app
  namespace: default
  labels:
    helm.sh/chart: foobar-app-0.1.0
    app.kubernetes.io/name: foobar-app
    app.kubernetes.io/instance: myrelease
    app.kubernetes.io/version: "1.0.0"
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  ports:
  - port: 8081
    targetPort: 8080
    protocol: TCP
    name: http
  selector:
    app.kubernetes.io/name: foobar-app
    app.kubernetes.io/instance: myrelease
This works fine. But I'd like to change that port 443 into something else, say 8443 (because I will have multiple Gateways). When I have this, I can't access the application anymore. Is there some configuration that I'm missing? I'm guessing I need to configure Istio to accept port 8443 too? I installed Istio using the following command:
istioctl install --set profile=default -y
Edit:
I've done a bit more reading (https://www.dangtrinh.com/2019/09/how-to-open-custom-port-on-istio.html), and I've done the following:
kubectl -n istio-system get service istio-ingressgateway -o yaml > istio_ingressgateway.yaml
Edit istio_ingressgateway.yaml and add the following:
  - name: foobarhttps
    nodePort: 32700
    port: 445
    protocol: TCP
    targetPort: 8445
kubectl apply -f istio_ingressgateway.yaml
Change within my Gateway above:
  - port:
      number: 445
      name: foobarhttps
      protocol: HTTPS
Change within my VirtualService above:
  http:
  - match:
    - port: 445
But I still can't access it from my browser (https://foobar.test.local:445).
I suppose that port has to be mapped on the Istio Ingress Gateway. So if you want to use a custom port, you might have to customize that.
But usually it should not be a problem if multiple Gateways use the same port; it does not cause a clash. So for that use case it should not be necessary to do that.
Fixed it. What I've done wrong in my edit above is this:
  - name: foobarhttps
    nodePort: 32700
    port: 445
    protocol: TCP
    targetPort: 8443
(notice that targetPort is still 8443). I'm guessing there is an Istio component listening on port 8443, which handles all this HTTPS stuff. Thanks user140547 for the help!
Jenkins is installed through the Helm chart with a custom installation path.
helm install argo-jenkins -f jenkins-volume.yaml jenkinsci/jenkins -n jenkins --set controller.jenkinsUriPrefix='/jenkinsargo'
We have a front-end Istio ingress gateway for all the browser requests.
GW.yaml:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: jenkins-gw
  namespace: jenkins
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
VS.yaml:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: jenkins-vs
  namespace: jenkins
spec:
  gateways:
  - jenkins-gw.jenkins
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /jenkinsargo
    route:
    - destination:
        host: argojenkins.jenkins.svc.cluster.local
        port:
          number: 8080
I am able to access the Jenkins home page, but when trying to configure the Jenkins security I see the above error.
PFA the initial home page and the error page.
Error page after redirecting
Jenkins home page
This error means that an HTTPS request reaches an HTTP (plaintext) listener. Check the listeners; some of your services may have an incorrect port name (i.e. http) which is not following the naming convention: https://istio.io/latest/docs/reference/config/analysis/ist0118/
I suggest using $ istioctl pc listeners --address
@Arnau Senserrich,
If it were an http naming issue, it shouldn't even open the Jenkins login page in the first place.
As you can see in the above image, when accessing Jenkins through the LB, I'm able to enter credentials and log in. But when I click Manage Jenkins -> Configure Security,
I'm seeing the above error.
I also tried a GW with both http and https:
GW.yaml:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: jenkins-gw
  namespace: jenkins
spec:
  selector:
    custom: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - "*"
VS1.yaml:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: jenkins-vs
  namespace: jenkins
spec:
  gateways:
  - jenkins-gw.jenkins
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /jenkinsargo
    route:
    - destination:
        host: argojenkins.jenkins.svc.cluster.local
        port:
          number: 8080
VS2.yaml:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: jenkins-vs1
  namespace: jenkins
spec:
  gateways:
  - jenkins-gw.jenkins
  hosts:
  - '*'
  tls:
  - match:
    - port: 443
      sniHosts:
      - "oitat.xyz.com"
    route:
    - destination:
        host: argojenkins.jenkins.svc.cluster.local
        port:
          number: 8080
No luck, same issue.
Following the instructions on the Keycloak docs site below, I'm trying to set up Keycloak to run in a Kubernetes cluster. I have an Ingress Controller set up which successfully works for a simple test page. Cloudflare points the domain to the ingress controller's IP.
Keycloak deploys successfully (Admin console listening on http://127.0.0.1:9990), but when going to the domain I get a message from NGINX: 503 Service Temporarily Unavailable.
https://www.keycloak.org/getting-started/getting-started-kube
Here's the Kubernetes config:
apiVersion: v1
kind: Service
metadata:
  name: keycloak-cip
spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 8080
  selector:
    name: keycloak
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    service.beta.kubernetes.io/linode-loadbalancer-default-protocol: https
    service.beta.kubernetes.io/linode-loadbalancer-port-443: '{ "tls-secret-name": "my-secret", "protocol": "https" }'
spec:
  rules:
  - host: my.domain.com
    http:
      paths:
      - backend:
          serviceName: keycloak-cip
          servicePort: 8080
  tls:
  - hosts:
    - my.domain.com
    secretName: my-secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:12.0.3
        env:
        - name: KEYCLOAK_USER
          value: "admin"
        - name: KEYCLOAK_PASSWORD
          value: "admin"
        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
        ports:
        - name: http
          containerPort: 8080
        - name: https
          containerPort: 8443
        readinessProbe:
          httpGet:
            path: /auth/realms/master
            port: 8080
          initialDelaySeconds: 90
          periodSeconds: 5
          failureThreshold: 30
          successThreshold: 1
  revisionHistoryLimit: 1
Edit:
TLS should be handled by the ingress controller.
--
Edit 2:
If I go into the controller using kubectl exec, I can do curl -L http://127.0.0.1:8080/auth, which successfully retrieves the page:
<title>Welcome to Keycloak</title>. So I'm sure that Keycloak is running. It's just that either traffic doesn't reach the pod, or Keycloak doesn't respond.
If I use the ClusterIP instead but otherwise keep the call above the same, I get a Connection timed out. I tried both ports 80 and 8080 with the same result.
The following configuration is required to run Keycloak behind an ingress controller:
- name: PROXY_ADDRESS_FORWARDING
  value: "true"
- name: KEYCLOAK_HOSTNAME
  value: "my.domain.com"
So I think adding the correct KEYCLOAK_HOSTNAME value should solve your issue.
I had a similar issue with Traefik Ingress Controller:
Can't expose Keycloak Server on AWS with Traefik Ingress Controller and AWS HTTPS Load Balancer
You can find the full code of my configuration here:
https://github.com/skyglass-examples/user-management-keycloak
Hello, have you tried adding this line:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
It looks like it is missing from your config file, which results in the 503 error; check this for more input on the config of K8s.
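Two of the threads above come down to manifests that disagree with each other: the Keycloak Service/Ingress/Deployment trio, and the Istio port-naming convention (IST0118) raised in the Jenkins answer. The following linter is an added example, not code from any of the posters or from Istio; it works on manifests constructed inline as Python dicts (modelled on the Keycloak question) so it needs neither a cluster nor PyYAML, and the protocol list is Istio's documented set of recognised port-name prefixes.

```python
# Added example: lint a Service against the Ingress backend that targets it
# and the Deployment it is meant to select. Manifests are constructed dicts,
# not read from a cluster.

# Prefixes Istio recognises in a Service port name (<protocol>[-<suffix>]).
ISTIO_PROTOCOLS = {"http", "http2", "https", "grpc", "grpc-web", "mongo",
                   "mysql", "redis", "tcp", "tls", "udp"}


def port_name_issue(port):
    """Return a message when a port name breaks Istio's naming convention
    (analyzer IST0118); such a port is treated as opaque TCP by the mesh."""
    name = port.get("name")
    if name is None:
        return "port %s has no name" % port["port"]
    if name.split("-", 1)[0] not in ISTIO_PROTOCOLS:
        return "port name %r does not start with a known protocol" % name
    return None


def lint(ingress_backend, service, deployment):
    """Collect mismatches that surface as a 503 from the ingress controller:
    a backend port the Service does not expose, a selector matching no pod
    label, and ports Istio cannot classify by name."""
    findings = []
    svc_ports = {p["port"] for p in service["spec"]["ports"]}
    if ingress_backend["servicePort"] not in svc_ports:
        findings.append("ingress targets port %s but Service exposes %s"
                        % (ingress_backend["servicePort"], sorted(svc_ports)))
    pod_labels = deployment["spec"]["template"]["metadata"]["labels"]
    for key, value in service["spec"]["selector"].items():
        if pod_labels.get(key) != value:
            findings.append("selector %s=%s matches no pod label" % (key, value))
    for port in service["spec"]["ports"]:
        issue = port_name_issue(port)
        if issue:
            findings.append(issue)
    return findings


# Constructed sample mirroring the Keycloak question: selector `name: keycloak`
# versus pod label `app: keycloak`, and Ingress servicePort 8080 versus port 80.
KEYCLOAK_SERVICE = {"spec": {"selector": {"name": "keycloak"},
                             "ports": [{"port": 80, "targetPort": 8080}]}}
KEYCLOAK_DEPLOYMENT = {"spec": {"template": {"metadata": {"labels": {"app": "keycloak"}}}}}
KEYCLOAK_BACKEND = {"serviceName": "keycloak-cip", "servicePort": 8080}

if __name__ == "__main__":
    for finding in lint(KEYCLOAK_BACKEND, KEYCLOAK_SERVICE, KEYCLOAK_DEPLOYMENT):
        print("finding:", finding)
```

A Service whose selector matches no pod has no endpoints, which is exactly the condition ingress-nginx reports as 503; running the same checks over the posts-clusterip-srv manifests flags only the port name "posts".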