Hello everybody,
I have a scenario where I have a common external service that should be available to all namespaces. Traffic must always be routed through my istio-egressgateway.
To my understanding there are two factors: visibility (through exportTo) and the lookup path (1: client namespace, 2: service namespace, 3: istio-system).
Initially I placed a ServiceEntry in a separate namespace and placed the VirtualServices and DestinationRules there as well, so when a client in a different namespace made a request, the request should hit the second part of the lookup path. That did not work.
Then I placed the ServiceEntry and the other configuration in the istio-system namespace. That way it really should work, being on both the second and the third part of the lookup path. That did not work either (to my surprise).
I’m running Istio 1.8.1.
Here are my configurations:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: someservice-scan
  namespace: istio-system
spec:
  hosts:
  - someservice.test.work.local
  location: MESH_EXTERNAL
  ports:
  - number: 8008
    name: tls-8008
    protocol: TLS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: someservice-egressgateway
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - someservice.test.work.local
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: tls-for-someservice
  namespace: istio-system
spec:
  host: someservice.test.work.local
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 8008
      tls:
        mode: SIMPLE
        credentialName: someservice-ca-certs-egress-tls
        sni: someservice.test.work.local
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: someservice-istio-egressgateway-subsets
  namespace: istio-system
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: someservice-scan-subset
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 443
        tls:
          mode: ISTIO_MUTUAL
          sni: someservice.test.work.local
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: someservice-through-egress-gateway
  namespace: istio-system
spec:
  hosts:
  - someservice.test.work.local
  gateways:
  - someservice-egressgateway
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: someservice-scan-subset
        port:
          number: 443
      weight: 100
  - match:
    - gateways:
      - someservice-egressgateway
      port: 443
    route:
    - destination:
        host: someservice.test.work.local
        port:
          number: 8008
      weight: 100
---
apiVersion: v1
kind: Secret
metadata:
  name: someservice-ca-certs-egress-tls
  namespace: istio-system
data:
  ca.crt: XYZ
---
Adding the sleep pod in another namespace (e.g. whatever-ns) and doing a:
kubectl exec sleep -c sleep -- curl -v http://someservice.test.work.local
I get the following errors:
2021-02-05T11:34:12.720325Z debug envoy filter cannot find cluster outbound|443|someservice-scan-subset|istio-egressgateway.istio-system.svc.cluster.local
2021-02-05T11:34:12.720342Z debug envoy router [C39380][S9971233766828101197] unknown cluster 'outbound|443|someservice-scan-subset|istio-egressgateway.istio-system.svc.cluster.local'
[2021-02-05T11:34:12.720Z] "GET / HTTP/1.1" 503 NR "-" 0 0 0 - "-" "curl/7.69.1" "b739e908-0dcc-496d-9177-41893fa17f4c" "someservice.test.work.local" "-" - - 240.240.0.7:80 10.1.48.30:59156 - -
To me it seems like an error in the lookup path or visibility (which should default to ["*"])?
Can anybody give me any insight?
Best regards
Jesper
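The two factors the post names, exportTo visibility and whether a VirtualService destination resolves to a visible DestinationRule subset, Gateway server and ServiceEntry port, can be cross-checked offline before touching the cluster. The script below is an added example and not the poster's or Istio's code: it transcribes the post's manifests into plain dicts (only the fields the checks read, so no YAML library is needed), assumes the sleep pod lives in the namespace whatever-ns mentioned in the post, and reports routes a sidecar in that namespace could not resolve. It models only ServiceEntry, DestinationRule, Gateway and VirtualService (no Kubernetes Services, Sidecar resources or root-namespace special cases), so a finding is a pointer to check, not a diagnosis of the 503 in the post. On the post's resources it reports that the mesh-side match is on port 80 while the ServiceEntry for the host declares only 8008; the what-if run at the end restricts the egress DestinationRule with exportTo: ["."] and shows the missing-subset finding that matches the cluster name in the Envoy log.

```python
"""Cross-reference checks for the egress-gateway configuration in the post.

Added illustration, not an Istio tool: the resources below are the post's
manifests transcribed into plain dicts (only the fields the checks read) and
CLIENT_NS is an assumed client namespace.
"""
import copy

CLIENT_NS = "whatever-ns"  # assumption: the sleep pod's namespace from the post

EXT_HOST = "someservice.test.work.local"
EGRESS_HOST = "istio-egressgateway.istio-system.svc.cluster.local"

# The post's resources, reduced to the fields the checks read.
RESOURCES = [
    {"kind": "ServiceEntry", "metadata": {"name": "someservice-scan", "namespace": "istio-system"},
     "spec": {"hosts": [EXT_HOST], "ports": [{"number": 8008, "name": "tls-8008", "protocol": "TLS"}]}},
    {"kind": "Gateway", "metadata": {"name": "someservice-egressgateway", "namespace": "istio-system"},
     "spec": {"servers": [{"port": {"number": 443, "name": "https", "protocol": "HTTPS"}, "hosts": [EXT_HOST]}]}},
    {"kind": "DestinationRule", "metadata": {"name": "tls-for-someservice", "namespace": "istio-system"},
     "spec": {"host": EXT_HOST}},
    {"kind": "DestinationRule", "metadata": {"name": "someservice-istio-egressgateway-subsets", "namespace": "istio-system"},
     "spec": {"host": EGRESS_HOST, "subsets": [{"name": "someservice-scan-subset"}]}},
    {"kind": "VirtualService", "metadata": {"name": "someservice-through-egress-gateway", "namespace": "istio-system"},
     "spec": {"hosts": [EXT_HOST], "gateways": ["someservice-egressgateway", "mesh"],
              "http": [
                  {"match": [{"gateways": ["mesh"], "port": 80}],
                   "route": [{"destination": {"host": EGRESS_HOST, "subset": "someservice-scan-subset",
                                              "port": {"number": 443}}}]},
                  {"match": [{"gateways": ["someservice-egressgateway"], "port": 443}],
                   "route": [{"destination": {"host": EXT_HOST, "port": {"number": 8008}}}]}]}},
]


def visible_to(res, client_ns):
    """Istio's exportTo rule: absent or "*" exports everywhere, "." only to the
    resource's own namespace, any other entry names a namespace explicitly."""
    own_ns = res["metadata"]["namespace"]
    export = res["spec"].get("exportTo")
    if not export:
        return True
    return any(e == "*" or e == client_ns or (e == "." and client_ns == own_ns) for e in export)


def check(resources, client_ns):
    """Return human-readable findings for routes a sidecar in client_ns cannot resolve."""
    vis = [r for r in resources if visible_to(r, client_ns)]
    se_ports, dr_subsets, gateways = {}, {}, {}
    for r in vis:
        meta, spec = r["metadata"], r["spec"]
        if r["kind"] == "ServiceEntry":
            for h in spec["hosts"]:
                se_ports.setdefault(h, set()).update(p["number"] for p in spec["ports"])
        elif r["kind"] == "DestinationRule":
            dr_subsets.setdefault(spec["host"], set()).update(s["name"] for s in spec.get("subsets", []))
        elif r["kind"] == "Gateway":
            gateways[(meta["namespace"], meta["name"])] = {s["port"]["number"] for s in spec["servers"]}

    findings = []
    for vs in (r for r in vis if r["kind"] == "VirtualService"):
        vs_ns, vs_name = vs["metadata"]["namespace"], vs["metadata"]["name"]
        for rule in vs["spec"].get("http", []):
            for m in rule.get("match", []):
                port = m.get("port")
                for gw in m.get("gateways", []):
                    if gw == "mesh":
                        # Sidecar side: the matched port must be declared for the host the VS claims.
                        for h in vs["spec"]["hosts"]:
                            declared = se_ports.get(h, set())
                            if port not in declared:
                                findings.append(f"{vs_name}: mesh match on port {port} for {h}, but the visible "
                                                f"ServiceEntries declare only {sorted(declared)}")
                    else:
                        # Gateway side: a bare name means the VS's own namespace, "ns/name" is explicit.
                        ns, _, name = gw.rpartition("/")
                        servers = gateways.get((ns or vs_ns, name))
                        if servers is None:
                            findings.append(f"{vs_name}: gateway {gw!r} is not visible from {client_ns}")
                        elif port not in servers:
                            findings.append(f"{vs_name}: gateway {gw!r} has no server on port {port}")
            for route in rule.get("route", []):
                d = route["destination"]
                host, subset, port = d["host"], d.get("subset"), d.get("port", {}).get("number")
                if subset and subset not in dr_subsets.get(host, set()):
                    # Without a visible DR subset, Envoy gets no outbound|port|subset|host cluster.
                    findings.append(f"{vs_name}: no visible DestinationRule on {host} defines subset "
                                    f"{subset!r}; cluster outbound|{port}|{subset}|{host} will not exist")
    return findings


def with_export_to(resources, name, export):
    """Copy of resources with one resource's spec.exportTo replaced (for what-if checks)."""
    out = copy.deepcopy(resources)
    for r in out:
        if r["metadata"]["name"] == name:
            r["spec"]["exportTo"] = export
    return out


if __name__ == "__main__":
    for line in check(RESOURCES, CLIENT_NS) or ["no findings"]:
        print(line)
    restricted = with_export_to(RESOURCES, "someservice-istio-egressgateway-subsets", ["."])
    print("--- with the egress DestinationRule restricted to exportTo: ['.'] ---")
    for line in check(restricted, CLIENT_NS):
        print(line)
```

The checks read the resources the way a sidecar would: first drop everything the client namespace cannot see, then resolve each VirtualService route against what remains. That ordering is the point of the example; a DestinationRule that exists in the cluster but is not exported to the client namespace produces the same "unknown cluster" shape as one that was never applied, so the visibility step has to come before the lookup step when reasoning about an Envoy NR response.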