Created Egress config but don't see logs in istio-egressgateway

ramsateesh · December 4, 2020, 5:43pm

Followed link : https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/ .

istio-system namespace:

kubectl -n istio-system get pods,deploy,svc

NAME                                          READY   STATUS    RESTARTS   AGE
pod/grafana-7bbd69fd7b-xwz85                  1/1     Running   0          28m
pod/istio-citadel-56d76cdb6f-9vdk4            1/1     Running   0          28m
pod/istio-egressgateway-85c588bc8c-pzdmj      1/1     Running   0          4m8s
pod/istio-galley-c75bd55bc-hwl67              2/2     Running   0          28m
pod/istio-ingressgateway-5947b45b94-7lzxg     1/1     Running   0          28m
pod/istio-sidecar-injector-799499d766-zfc5n   1/1     Running   0          28m
pod/istio-telemetry-68cbc4db-c46zk            2/2     Running   0          28m
pod/istiod-7f59648c4c-s2ck7                   1/1     Running   0          28m
pod/kiali-74d6bcc94f-9srdv                    1/1     Running   0          28m
pod/prometheus-74bd78dc7b-m7cxg               2/2     Running   0          28m

NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/grafana                  1/1     1            1           28m
deployment.apps/istio-citadel            1/1     1            1           28m
deployment.apps/istio-egressgateway      1/1     1            1           28m
deployment.apps/istio-galley             1/1     1            1           28m
deployment.apps/istio-ingressgateway     1/1     1            1           28m
deployment.apps/istio-sidecar-injector   1/1     1            1           28m
deployment.apps/istio-telemetry          1/1     1            1           28m
deployment.apps/istiod                   1/1     1            1           28m
deployment.apps/kiali                    1/1     1            1           28m
deployment.apps/prometheus               1/1     1            1           28m

NAME                             TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                                                    AGE
service/grafana                  ClusterIP      10.11.146.149   <none>          3000/TCP                                                   28m
service/istio-citadel            ClusterIP      10.11.139.234   <none>          8060/TCP,15014/TCP                                         28m
service/istio-egressgateway      LoadBalancer   10.11.159.157   x.x.x.x   443:32042/TCP                                              28m
service/istio-galley             ClusterIP      10.11.143.213   <none>          443/TCP,15014/TCP,9901/TCP,15019/TCP                       28m
service/istio-ingressgateway     LoadBalancer   10.11.115.25    y.y.y.y    443:32693/TCP                                              28m
service/istio-pilot              ClusterIP      10.11.82.122    <none>          15010/TCP,15011/TCP,15012/TCP,8080/TCP,15014/TCP,443/TCP   28m
service/istio-sidecar-injector   ClusterIP      10.11.112.6     <none>          443/TCP                                                    28m
service/istio-telemetry          ClusterIP      10.11.212.202   <none>          9091/TCP,15004/TCP,15014/TCP,42422/TCP                     28m
service/istiod                   ClusterIP      10.11.31.246    <none>          15012/TCP,443/TCP                                          28m
service/kiali                    ClusterIP      10.11.217.114   <none>          20001/TCP                                                  28m
service/prometheus               ClusterIP      10.11.197.218   <none>          9090/TCP                                                   28m

istio-system: SE,DR,GW,VS

kubectl -n istio-system get se,dr,gw,vs`

NAME                                      HOSTS              LOCATION   RESOLUTION   AGE
serviceentry.networking.istio.io/google   [www.google.com]              DNS          22m

NAME                                                               HOST                                                 AGE
destinationrule.networking.istio.io/google-passthrough-egress-dr   istio-egressgateway.istio-system.svc.cluster.local   22m
destinationrule.networking.istio.io/istio-telemetry                istio-telemetry.istio-system.svc.cluster.local       30m

my-namespace:

kubectl -n my-namespace get pods,deploy,svc -l app=sleep
NAME                         READY   STATUS    RESTARTS   AGE
pod/sleep-6db4c7775f-j9s6b   2/2     Running   0          13m

NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
service/sleep   ClusterIP   10.11.10.185   <none>        80/TCP    17m

kubectl -n my-namespace get se,gw,vs

NAME                                      HOSTS              LOCATION        RESOLUTION   AGE
serviceentry.networking.istio.io/google   [www.google.com]   MESH_EXTERNAL   DNS          22m

NAME                                                   AGE
gateway.networking.istio.io/istio-egressgateway        17m

NAME                                                                      GATEWAYS                     HOSTS                               AGE
virtualservice.networking.istio.io/direct-google-through-egress-gateway   [istio-egressgateway mesh]   [www.google.com]                    17m

Yaml for egress config: GW and VS

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - www.google.com
    tls:
      mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-google-through-egress-gateway
spec:
  hosts:
  - www.google.com
  gateways:
  - istio-egressgateway
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - www.google.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: google
        port:
          number: 443
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 443
      sniHosts:
      - www.google.com
    route:
    - destination:
        host: www.google.com
        port:
          number: 443
      weight: 100

Even after this I get NOT SENT in RDS column for istio-egressgateway:

NAME                                                    CDS        LDS        EDS        RDS          PILOT                      

istio-egressgateway-85c588bc8c-pzdmj.istio-system       SYNCED     SYNCED     SYNCED     NOT SENT     istiod-7f59648c4c-s2ck7

Can see the logs is pod’s istio-proxy side car, but not in istio-egressgateway pod of istio-system namespace.

Not sure what exactly is going wrong. I get 200 ok response. But if I put a network policy to allow egress traffic between istio-proxy and istio-system namespace communication breaks.

Can someone please help me find what am I missing here?

ramsateesh · December 7, 2020, 2:14am

Closing this one, pretty clear from my egress virtualservice config. Match should have been on tls rather than http. my bad.

Topic		Replies	Views
Gateway namespace in documentation Networking	2	436	May 10, 2019
ISTIO egress gateway for databases Networking	0	915	April 20, 2022
Istio Egress Gateway without support for k8s egress networking policy Networking	0	547	November 14, 2020
Egress gateway not working as expected, when installed with mesh expansion option. - v1.6.8	0	1710	September 3, 2020
egressGateways showing enabled as "false" when it's up and running	0	306	June 17, 2021

Created Egress config but don't see logs in istio-egressgateway

Related Topics