Hello,
We have ISTIO version 1.3.3 and we run 2 egress deployments and one is configured with
- name: ISTIO_META_REQUESTED_NETWORK_VIEW
  value: external
This works fine, but as soon as we add a regular Service Entry, the pods in one of the egress gateway deployments become not ready:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: example
  namespace: istio-system
spec:
  exportTo:
  - '.'
  hosts:
  - 'example.com'
  location: MESH_EXTERNAL
  ports:
  - name: https
    number: 443
    protocol: TLS
  resolution: DNS
The following can be seen on the output as soon as we re-create the egress gateway pods:
info Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 4 successful, 0 rejected; lds updates: 0 successful, 0 rejected
info Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 4 successful, 0 rejected; lds updates: 0 successful, 0 rejected
info Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 4 successful, 0 rejected; lds updates: 0 successful, 0 rejected
Logs in Trace mode do not show any useful information.
As soon as the service entry is removed, the pods become ready:
][17][info][main] [external/envoy/source/server/server.cc:541] all clusters initialized. initializing init manager
[17][info][upstream] [external/envoy/source/server/lds_api.cc:60] lds: add/update listener '0.0.0.0_15443'
[17][info][config] [external/envoy/source/server/listener_manager_impl.cc:777] all dependencies initialized. starting workers
info Envoy proxy is ready
We also observed that if this service entry is not exposed to istio-system then the problem doesn’t occur.
The problem also goes away if we change the resolution to something other than “DNS”.
Any ideas on what else to check and tweak?
Thanks
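
Added example, not part of the original post: a small triage helper that reads the readiness lines quoted above and names the xDS stage that keeps the probe failing (here CDS has been received but LDS has not). The function names, the classification labels and the sample log are constructed for illustration; the interpretation of each label is this example's assumption.

```python
import re

# Constructed sample: readiness lines in the format quoted in the post.
SAMPLE_LOG = """\
info Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 4 successful, 0 rejected; lds updates: 0 successful, 0 rejected
info Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 4 successful, 0 rejected; lds updates: 0 successful, 0 rejected
info Envoy proxy is ready
"""

# Matches "<xds> updates: <n> successful, <m> rejected" for each xDS type on a line.
COUNTER = re.compile(r"(\w+) updates: (\d+) successful, (\d+) rejected")


def parse_counters(line):
    """Return {xds_name: (successful, rejected)} for one readiness line."""
    return {name: (int(ok), int(rej)) for name, ok, rej in COUNTER.findall(line)}


def classify(counters):
    """Label the stage blocking readiness (labels are hypothetical, for triage only)."""
    if not counters:
        return "unparsed"
    rejected = sorted(x for x, (_, rej) in counters.items() if rej > 0)
    if rejected:
        return "rejected:" + ",".join(rejected)  # Envoy refused a pushed config
    missing = sorted(x for x, (ok, _) in counters.items() if ok == 0)
    if len(missing) == len(counters):
        return "no-config"  # nothing received from Pilot at all
    if missing:
        return "missing:" + ",".join(missing)  # some xDS types never arrived
    return "complete"


def triage(log_text):
    """Return (count of NOT-ready lines, last classification, ready at end of log)."""
    not_ready, last, ready = 0, None, False
    for line in log_text.splitlines():
        if "Envoy proxy is NOT ready" in line:
            not_ready += 1
            last = classify(parse_counters(line))
            ready = False
        elif "Envoy proxy is ready" in line:
            ready = True
    return not_ready, last, ready


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A result of `missing:lds` with no rejections points at listener configuration never being delivered, which is a different problem from Pilot being unreachable (`no-config`) or Envoy rejecting a push (`rejected:...`).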