Created Egress config but don't see logs in istio-egressgateway

ramsateesh · December 4, 2020, 5:43pm

Followed link : https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/ .

istio-system namespace:

kubectl -n istio-system get pods,deploy,svc

NAME                                          READY   STATUS    RESTARTS   AGE
pod/grafana-7bbd69fd7b-xwz85                  1/1     Running   0          28m
pod/istio-citadel-56d76cdb6f-9vdk4            1/1     Running   0          28m
pod/istio-egressgateway-85c588bc8c-pzdmj      1/1     Running   0          4m8s
pod/istio-galley-c75bd55bc-hwl67              2/2     Running   0          28m
pod/istio-ingressgateway-5947b45b94-7lzxg     1/1     Running   0          28m
pod/istio-sidecar-injector-799499d766-zfc5n   1/1     Running   0          28m
pod/istio-telemetry-68cbc4db-c46zk            2/2     Running   0          28m
pod/istiod-7f59648c4c-s2ck7                   1/1     Running   0          28m
pod/kiali-74d6bcc94f-9srdv                    1/1     Running   0          28m
pod/prometheus-74bd78dc7b-m7cxg               2/2     Running   0          28m

NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/grafana                  1/1     1            1           28m
deployment.apps/istio-citadel            1/1     1            1           28m
deployment.apps/istio-egressgateway      1/1     1            1           28m
deployment.apps/istio-galley             1/1     1            1           28m
deployment.apps/istio-ingressgateway     1/1     1            1           28m
deployment.apps/istio-sidecar-injector   1/1     1            1           28m
deployment.apps/istio-telemetry          1/1     1            1           28m
deployment.apps/istiod                   1/1     1            1           28m
deployment.apps/kiali                    1/1     1            1           28m
deployment.apps/prometheus               1/1     1            1           28m

NAME                             TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                                                    AGE
service/grafana                  ClusterIP      10.11.146.149   <none>          3000/TCP                                                   28m
service/istio-citadel            ClusterIP      10.11.139.234   <none>          8060/TCP,15014/TCP                                         28m
service/istio-egressgateway      LoadBalancer   10.11.159.157   x.x.x.x   443:32042/TCP                                              28m
service/istio-galley             ClusterIP      10.11.143.213   <none>          443/TCP,15014/TCP,9901/TCP,15019/TCP                       28m
service/istio-ingressgateway     LoadBalancer   10.11.115.25    y.y.y.y    443:32693/TCP                                              28m
service/istio-pilot              ClusterIP      10.11.82.122    <none>          15010/TCP,15011/TCP,15012/TCP,8080/TCP,15014/TCP,443/TCP   28m
service/istio-sidecar-injector   ClusterIP      10.11.112.6     <none>          443/TCP                                                    28m
service/istio-telemetry          ClusterIP      10.11.212.202   <none>          9091/TCP,15004/TCP,15014/TCP,42422/TCP                     28m
service/istiod                   ClusterIP      10.11.31.246    <none>          15012/TCP,443/TCP                                          28m
service/kiali                    ClusterIP      10.11.217.114   <none>          20001/TCP                                                  28m
service/prometheus               ClusterIP      10.11.197.218   <none>          9090/TCP                                                   28m

istio-system: SE,DR,GW,VS

kubectl -n istio-system get se,dr,gw,vs`

NAME                                      HOSTS              LOCATION   RESOLUTION   AGE
serviceentry.networking.istio.io/google   [www.google.com]              DNS          22m

NAME                                                               HOST                                                 AGE
destinationrule.networking.istio.io/google-passthrough-egress-dr   istio-egressgateway.istio-system.svc.cluster.local   22m
destinationrule.networking.istio.io/istio-telemetry                istio-telemetry.istio-system.svc.cluster.local       30m

my-namespace:

kubectl -n my-namespace get pods,deploy,svc -l app=sleep
NAME                         READY   STATUS    RESTARTS   AGE
pod/sleep-6db4c7775f-j9s6b   2/2     Running   0          13m

NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
service/sleep   ClusterIP   10.11.10.185   <none>        80/TCP    17m

kubectl -n my-namespace get se,gw,vs

NAME                                      HOSTS              LOCATION        RESOLUTION   AGE
serviceentry.networking.istio.io/google   [www.google.com]   MESH_EXTERNAL   DNS          22m

NAME                                                   AGE
gateway.networking.istio.io/istio-egressgateway        17m

NAME                                                                      GATEWAYS                     HOSTS                               AGE
virtualservice.networking.istio.io/direct-google-through-egress-gateway   [istio-egressgateway mesh]   [www.google.com]                    17m

Yaml for egress config: GW and VS

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - www.google.com
    tls:
      mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-google-through-egress-gateway
spec:
  hosts:
  - www.google.com
  gateways:
  - istio-egressgateway
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - www.google.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: google
        port:
          number: 443
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 443
      sniHosts:
      - www.google.com
    route:
    - destination:
        host: www.google.com
        port:
          number: 443
      weight: 100

Even after this I get NOT SENT in RDS column for istio-egressgateway:

NAME                                                    CDS        LDS        EDS        RDS          PILOT                      

istio-egressgateway-85c588bc8c-pzdmj.istio-system       SYNCED     SYNCED     SYNCED     NOT SENT     istiod-7f59648c4c-s2ck7

Can see the logs is pod’s istio-proxy side car, but not in istio-egressgateway pod of istio-system namespace.

Not sure what exactly is going wrong. I get 200 ok response. But if I put a network policy to allow egress traffic between istio-proxy and istio-system namespace communication breaks.

Can someone please help me find what am I missing here?

ramsateesh · December 7, 2020, 2:14am

Closing this one, pretty clear from my egress virtualservice config. Match should have been on tls rather than http. my bad.

Topic		Replies	Views
Istio 1.10.4 ingress and egress pods are not ready Networking release	0	434	September 21, 2021
Gateway namespace in documentation Networking	2	527	May 10, 2019
ISTIO egress gateway for databases Networking	0	1092	April 20, 2022
Istio Egress Gateway without support for k8s egress networking policy Networking	0	584	November 14, 2020
egressGateways showing enabled as "false" when it's up and running	0	339	June 17, 2021

Created Egress config but don't see logs in istio-egressgateway

Related topics