0

I am new to Istio. I am trying to configure Istio ingress in k8s, but I can't access the service via istio-ingress. How can I configure Istio ingress for the service?

Problem

# curl https://192.168.4.241
curl: (7) Failed connect to 192.168.4.241:443; Connection refused

My service is deployed as below (smartapigw-httpd is HTTPS).

# kubectl get po smartapigw-httpd -n smartapigw --show-labels
NAME               READY   STATUS    RESTARTS   AGE     LABELS
smartapigw-httpd   2/2     Running   0          3h22m   app.kubernetes.io/managed-by=Helm,app=smartapigw-httpd,io.kompose.service=smartapigw-httpd,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=smartapigw-httpd,service.istio.io/canonical-revision=latest

$ kubectl get po,svc -n smartapigw 
... 
pod/smartapigw-httpd          2/2     Running            0                166m 
...
service/smartapigw-httpd           NodePort    10.101.227.150   <none> 18443:31285/TCP   166m

istio-ingress pod is deployed as below

$ kubectl get po -n istio-system --show-labels
...
istio-ingressgateway-5ff4fb69fc-trmht   1/1     Running            0                 28h   app=istio-ingressgateway,chart=gateways,heritage=Tiller,install.operator.istio.io/owning-resource=unknown,istio.io/rev=default,istio=ingressgateway,operator.istio.io/component=IngressGateways,pod-template-hash=5ff4fb69fc,release=istio,service.istio.io/canonical-name=istio-ingressgateway,service.istio.io/canonical-revision=latest,sidecar.istio.io/inject=false
istiod-6d79fdc756-lr5zv
...

istio ingressgateway is deployed as below

$ kubectl get svc -n istio-system
istio-ingressgateway   LoadBalancer   10.110.145.103   192.168.4.241   15021:32010/TCP,80:31631/TCP,443:30495/TCP       28h

Then I tried configuration as below.

Configuration for Gateway

# cat istio-smartapigw-gateway.yml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: smartagigw-gateway
  namespace: smartapigw
spec:
  selector:
    istio: ingressgateway  # istio=ingressgateway in istio-ingressgateway pod's label
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPs
    hosts:
    - "*"
    tls:
      mode: PASSTHROUGH  # smartapigw-httpd service's protocol is already https

# kubectl apply -f istio-smartapigw-gateway.yml

Configuration for VirtualService

# cat istio-smartapigw-virtualservice.yml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: smartapigw
  namespace: smartapigw
spec:
  hosts:
  - "*"
  gateways:
  - smartagigw-gateway
  http:
  - match:
    - uri:
       prefix: /
    route:
    - destination:
        host: smartapigw-httpd  # same with label "app=smartapigw-httpd" in pod
        port:
          number: 18443         # node port 

# kubectl apply -f istio-smartapigw-virtualservice.yml

The Istio gateway and virtual service are applied as below.

# kubectl get gateway -n smartapigw
NAME                 AGE
smartagigw-gateway   138m

# kubectl get virtualservice -n smartapigw
NAME         GATEWAYS                 HOSTS   AGE
smartapigw   ["smartagigw-gateway"]   ["*"]   131m
2
  • The error message "Failed connect to 192.168.4.241:443; connection refused" suggests that there might be an issue with network connectivity, or with whether the service is running and accessible on the specified IP and port. Commented Apr 19, 2024 at 12:47
  • Thanks for the reply. But I have another example, namely an nginx service (HTTP protocol). It works fine. The command "curl 192.168.4.241" reaches the nginx service. The problem happens when the pod's service protocol is HTTPS. Commented Apr 20, 2024 at 5:40

1 Answer

0

I resolved the issue based on https://preliminary.istio.io/latest/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/

The VirtualService definition was changed as below. The VirtualService protocol should be changed to tls instead of http.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: smartapigw
  namespace: smartapigw
spec:
  hosts:
  - "*"
  gateways:
  - smartagigw-gateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - "*"
    route:
    - destination:
        host: smartapigw-httpd.smartapigw.svc.cluster.local
        port:
          number: 18443
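
The mismatch in this thread can be caught before deployment. With `tls.mode: PASSTHROUGH` the gateway forwards the still-encrypted stream and can only route on SNI, so a VirtualService bound to it needs `tls` routes with `sniHosts`. The following check is an added example, not part of the original question or answer; the function names and the sample objects are assumptions constructed from the YAML shown above.

```python
# Added example: lint parsed Istio objects for a PASSTHROUGH Gateway whose VirtualService has no tls route.

def passthrough_ports(objs):
    """Map (namespace, name) of each Gateway to its PASSTHROUGH server ports."""
    ports = {}
    for o in objs:
        if o["kind"] != "Gateway":
            continue
        key = (o["metadata"]["namespace"], o["metadata"]["name"])
        for srv in o["spec"].get("servers", []):
            if srv.get("tls", {}).get("mode") == "PASSTHROUGH":
                ports.setdefault(key, set()).add(srv["port"]["number"])
    return ports

def lint(objs):
    """Return findings for VirtualServices that a PASSTHROUGH gateway cannot route."""
    gws, findings = passthrough_ports(objs), []
    for o in objs:
        if o["kind"] != "VirtualService":
            continue
        ns, name, spec = o["metadata"]["namespace"], o["metadata"]["name"], o["spec"]
        for ref in spec.get("gateways", []):
            gw_ns, _, gw_name = ref.rpartition("/")  # "name" or "namespace/name"
            ports = gws.get((gw_ns or ns, gw_name))
            if not ports:
                continue
            matches = [m for r in spec.get("tls", []) for m in r.get("match", [])]
            if not matches:
                findings.append(f"{ns}/{name}: no tls routes for PASSTHROUGH gateway {ref}")
            elif not any(m.get("sniHosts") and m.get("port", p) == p
                         for m in matches for p in ports):
                findings.append(f"{ns}/{name}: tls match lacks sniHosts or port in {sorted(ports)}")
    return findings

# Constructed sample input mirroring the objects in the question and the answer.
META = {"namespace": "smartapigw"}
GATEWAY = {"kind": "Gateway", "metadata": {**META, "name": "smartagigw-gateway"},
           "spec": {"servers": [{"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                                 "hosts": ["*"], "tls": {"mode": "PASSTHROUGH"}}]}}
DEST = {"destination": {"host": "smartapigw-httpd", "port": {"number": 18443}}}
VS_HTTP = {"kind": "VirtualService", "metadata": {**META, "name": "smartapigw"},
           "spec": {"hosts": ["*"], "gateways": ["smartagigw-gateway"],
                    "http": [{"match": [{"uri": {"prefix": "/"}}], "route": [DEST]}]}}
VS_TLS = {"kind": "VirtualService", "metadata": {**META, "name": "smartapigw"},
          "spec": {"hosts": ["*"], "gateways": ["smartagigw-gateway"],
                   "tls": [{"match": [{"port": 443, "sniHosts": ["*"]}], "route": [DEST]}]}}
if __name__ == "__main__":
    for label, vs in (("question", VS_HTTP), ("answer", VS_TLS)):
        print(label, lint([GATEWAY, vs]) or "ok")
```

To run it against a cluster, pass `lint` the `items` array from `kubectl get gateways.networking.istio.io,virtualservices.networking.istio.io -A -o json`.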