Demo install issue on k8s bare metal cluster with calico and crio

Hi, I’m running a freshly installed k8s cluster on bare metal with crio, and calico as CNI. I’m trying to install istio (1.10.2) but it always fails to set up the ingress and egress gateways. I install it using this command:

istioctl install --set profile=demo -y

Here is a sample of log output from the egress pod:

 2021-07-05T14:26:13.404655Z info Epoch 0 starting
 2021-07-05T14:26:13.413694Z info Envoy command: [-c etc/istio/proxy/envoy-rev0.json --restart-epoch 0 --drain-time-s 45 --drain-strategy immediate --parent-shutdown-time-s 60 --service-cluster istio-egressgateway --service-node router~172.25.116.14~istio-egressgateway-7d4f75956-24rvw.istio-system~istio-system.svc.cluster.local --local-address-ip-version v4 --bootstrap-version 3 --disable-hot-restart --log-format %Y-%m-%dT%T.%fZ %l envoy %n %v -l warning --component-log-level misc:error]
 2021-07-05T14:26:31.332682Z warn ca ca request failed, starting attempt 1 in 102.093205ms
 2021-07-05T14:26:31.435746Z warn ca ca request failed, starting attempt 2 in 217.620363ms
 2021-07-05T14:26:31.654388Z warn ca ca request failed, starting attempt 3 in 413.164804ms
 2021-07-05T14:26:32.068164Z warn ca ca request failed, starting attempt 4 in 790.034269ms

And one from the ingress pod:

 2021-07-05T14:26:11.069541Z info Epoch 0 starting
 2021-07-05T14:26:11.078320Z info Envoy command: [-c etc/istio/proxy/envoy-rev0.json --restart-epoch 0 --drain-time-s 45 --drain-strategy immediate --parent-shutdown-time-s 60 --service-cluster istio-ingressgateway --service-node router~172.25.116.13~istio-ingressgateway-5d57955454-26bvk.istio-system~istio-system.svc.cluster.local --local-address-ip-version v4 --bootstrap-version 3 --disable-hot-restart --log-format %Y-%m-%dT%T.%fZ %l envoy %n %v -l warning --component-log-level misc:error]
 2021-07-05T14:26:30.992215Z warn ca ca request failed, starting attempt 1 in 102.093205ms
 2021-07-05T14:26:31.095283Z warn ca ca request failed, starting attempt 2 in 217.620363ms
 2021-07-05T14:26:31.288126Z warning envoy config StreamAggregatedResources gRPC config stream closed: 14, connection error: desc = "transport: Error while dialing dial tcp: i/o timeout"
 2021-07-05T14:26:31.313423Z warn ca ca request failed, starting attempt 3 in 413.164804ms
 2021-07-05T14:26:31.726867Z warn ca ca request failed, starting attempt 4 in 790.034269ms

When I run precheck:

 # istioctl x precheck
 ✔ No issues found when checking the cluster. Istio is safe to install or upgrade!
   To get started, check out https://istio.io/latest/docs/setup/getting-started/

Are there any specific recommendations for Calico? Or CRI-O?

Now the issue is solved!

How did you solve it?

Istio doesn’t care what Kubernetes network plugin you use; as long as all the pods can connect to each other (and the control plane), everything should work.

That error suggests your gateway couldn’t connect to the control plane to get its certificate.

Despite having no error message, kube-proxy was behaving badly regarding DNS resolution on some pod networks. After restarting the kube-proxy service, things went smoothly.

I really think the precheck should test this, as it looks like DNS resolution is a common issue in freshly deployed k8s clusters.
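
Added example (not part of the thread and not Istio tooling): a Python triage of the gateway warnings quoted above, which counts the CA retries and classifies the dial error on the closed config stream. The verdict labels, and the rule that a dial timeout naming no ip:port points at name resolution or service routing rather than a dropped connection, are assumptions of this sketch.

```python
import re
from datetime import datetime

# Constructed sample: warning lines copied from the ingress gateway log in the thread.
SAMPLE_LOG = """\
2021-07-05T14:26:30.992215Z warn ca ca request failed, starting attempt 1 in 102.093205ms
2021-07-05T14:26:31.095283Z warn ca ca request failed, starting attempt 2 in 217.620363ms
2021-07-05T14:26:31.288126Z warning envoy config StreamAggregatedResources gRPC config stream closed: 14, connection error: desc = "transport: Error while dialing dial tcp: i/o timeout"
2021-07-05T14:26:31.313423Z warn ca ca request failed, starting attempt 3 in 413.164804ms
2021-07-05T14:26:31.726867Z warn ca ca request failed, starting attempt 4 in 790.034269ms
"""

LINE = re.compile(r"^\s*(\S+Z)\s+(\w+)\s+(.*)$")          # timestamp, level, message
CA_RETRY = re.compile(r"ca request failed, starting attempt (\d+)")
XDS_CLOSED = re.compile(r'gRPC config stream closed: (\d+), .*?dial tcp:? ?([^"]*)"')
ADDR = re.compile(r"\d+\.\d+\.\d+\.\d+:\d+")               # ip:port inside a dial error

def classify(detail):
    """Map the text after 'dial tcp' to a first place to look (labels are hypothetical)."""
    if detail is None:
        return "no-dial-error"
    if "no such host" in detail:
        return "dns-name-not-found"
    if "connection refused" in detail:
        return "control-plane-not-listening"
    if "i/o timeout" in detail:
        # Heuristic (assumption): no ip:port in the error means the dial timed
        # out before an address was known, so check DNS and kube-proxy first.
        return "network-drop" if ADDR.search(detail) else "dns-or-service-routing-timeout"
    return "other"

def triage(log_text):
    """Summarise why a gateway proxy could not reach the control plane."""
    stamps, grpc_code, detail = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, _level, msg = m.groups()
        if CA_RETRY.search(msg):
            stamps.append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ"))
        closed = XDS_CLOSED.search(msg)
        if closed:
            # gRPC status 14 is UNAVAILABLE.
            grpc_code, detail = int(closed.group(1)), closed.group(2)
    window = (stamps[-1] - stamps[0]).total_seconds() if stamps else 0.0
    return {"ca_retries": len(stamps), "retry_window_s": window,
            "grpc_code": grpc_code, "verdict": classify(detail)}
```

Calling `triage()` on text saved from `kubectl logs` for a gateway pod gives the same summary for a live install.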