Google Global Load Balancer with open source Istio on GKE

Hello! Is there an annotation we can use in Google Cloud to build a Global HTTPS LB rather than a regional L4 network load balancer when defining a gateway of type load balancer in the Istio helm configuration? We are running GKE with open source Istio (non-Google managed) on Google Cloud.

Thanks!


Hi @mhite, were you able to figure this out? I am trying to do a similar thing to leverage IAP on the LB. I am following https://cloud.google.com/solutions/integrating-https-load-balancing-with-istio-and-cloud-run-for-anthos-deployed-on-gke but I adapted the steps since I too am using open source Istio. However, the health checks for the backend services are failing.

Yes! I had to do some “clever” stuff to get my health checks working right. What we really need is for Google Cloud to let us define health checks for GCE ingress controllers. This feature is coming to the GCE ingress controller, though. I will post something for you come Monday.

I had to get weird:

apiVersion: v1
kind: Service
metadata:
  labels:
    chart: gateways
  name: mhite-elbgateway-hc
  namespace: istio-system
spec:
  externalName: localhost
  ports:
  - name: status-port
    port: 15020
    protocol: TCP
    targetPort: 15020
  sessionAffinity: None
  type: ExternalName

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mhite-elbgateway-vs
  namespace: istio-system
spec:
  gateways:
  - mhite-elbgateway
  hosts:
  - '*'
  http:
  - match:
    - headers:
        user-agent:
          prefix: GoogleHC
        x-envoy-external-address:
          regex: (^35\.191\.([1-9]?\d|[12]\d\d)\.([1-9]?\d|[12]\d\d)$)|(^130\.211\.[0-3]\.([1-9]?\d|[12]\d\d)$)
        x-forwarded-for:
          regex: (^35\.191\.([1-9]?\d|[12]\d\d)\.([1-9]?\d|[12]\d\d)$)|(^130\.211\.[0-3]\.([1-9]?\d|[12]\d\d)$)
      method:
        exact: GET
      uri:
        exact: /
    rewrite:
      authority: mhite-elbgateway-hc.istio-system.svc.cluster.local:15020
      uri: /healthz/ready
    route:
    - destination:
        host: mhite-elbgateway-hc.istio-system.svc.cluster.local
        port:
          number: 15020
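An added Python check (not from the thread) that mirrors the VirtualService match above: it reproduces the header, method and path conditions, and verifies that the copied regex accepts exactly the 35.191.0.0/16 and 130.211.0.0/22 addresses the patterns encode and nothing adjacent to them. The route() helper and the sample requests are constructed for illustration.

```python
import ipaddress
import re

# Source ranges the VirtualService regexes encode: 35.191.0.0/16 and
# 130.211.0.0/22 (Google's documented load balancer health-check ranges).
GOOGLE_HC_RANGES = [
    ipaddress.ip_network("35.191.0.0/16"),
    ipaddress.ip_network("130.211.0.0/22"),
]

# Regex copied verbatim from the VirtualService header match.
HC_SOURCE_RE = re.compile(
    r"(^35\.191\.([1-9]?\d|[12]\d\d)\.([1-9]?\d|[12]\d\d)$)"
    r"|(^130\.211\.[0-3]\.([1-9]?\d|[12]\d\d)$)"
)

# Rewrite target from the VirtualService: Envoy's readiness endpoint on the status port.
HC_AUTHORITY = "mhite-elbgateway-hc.istio-system.svc.cluster.local:15020"
HC_PATH = "/healthz/ready"


def regex_agrees_with_cidrs() -> bool:
    """True if the regex accepts every address in the two ranges and rejects
    a sample of addresses just outside them (constructed negatives)."""
    inside = all(HC_SOURCE_RE.search(str(ip)) for net in GOOGLE_HC_RANGES for ip in net)
    outside = ["35.190.255.255", "35.192.0.0", "130.211.4.0", "130.210.3.255", "10.0.0.1"]
    return inside and not any(HC_SOURCE_RE.search(ip) for ip in outside)


def route(request: dict):
    """Mirror the VirtualService: return the (authority, path) a matching probe is
    rewritten to, or None when any of the match conditions fails."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    is_probe = (
        request["method"] == "GET"
        and request["uri"] == "/"
        and headers.get("user-agent", "").startswith("GoogleHC")
        and HC_SOURCE_RE.search(headers.get("x-envoy-external-address", "")) is not None
        and HC_SOURCE_RE.search(headers.get("x-forwarded-for", "")) is not None
    )
    return (HC_AUTHORITY, HC_PATH) if is_probe else None


# Constructed sample requests, not captured traffic.
PROBE = {"method": "GET", "uri": "/", "headers": {
    "User-Agent": "GoogleHC/1.0", "X-Envoy-External-Address": "35.191.10.20",
    "X-Forwarded-For": "35.191.10.20"}}
NON_GOOGLE_SOURCE = {"method": "GET", "uri": "/", "headers": {
    "User-Agent": "GoogleHC/1.0", "X-Envoy-External-Address": "203.0.113.7",
    "X-Forwarded-For": "203.0.113.7"}}
```

Because the patterns are anchored, a multi-hop x-forwarded-for value (comma-separated list) will not match; the rule assumes the load balancer is the only proxy in front of the gateway.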

@pbhoj : I too faced the same issue. However, creating a firewall rule to allow the GCP LB IP for NodePorts fixed the issue.