My ingress for azure application gateway, so that it will use istio gateway internally.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: server-ingress
  namespace: productnamespace
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/backend-protocol: "http"
    appgw.ingress.kubernetes.io/cookie-based-affinity: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
    appgw.ingress.kubernetes.io/health-probe-status-codes: "200-399, 401, 403"
spec:
  tls:
  - hosts:
    - dev1.myproductnamespace.com
    secretName: productnamespace-cert-secret
  rules:
  - host: dev1.myproductnamespace.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          namespace: istio-system
          service:
            name: istio-gateway
            port:
              number: 80
istio-gateway is in the istio-system namespace, and the above ingress is in productnamespace. When I did port-forwarding for istio-gateway, it was able to access the product pages. So, istio gateway is good.
But route from azure app gateway ingress to istio-gateway ingress is failing.
In the events, it shows as below.
It is trying to search for istio-gateway in productnamespace instead of istio-system and failing.
[Screenshot: different namespace event]
That error in the screenshot suggests that the azure application gateway ingress controller cannot find the endpoints (AKA IP address) of the istio-ingressgateway pods. Are you able to see the endpoints with this command?
$ kubectl get endpoints -n istio-system istio-ingressgateway
I installed with helm charts.
helm install istio/base --namespace istio-system --create-namespace --generate-name
helm install istio/istiod --namespace istio-system --create-namespace --generate-name
The name shows as istio-gateway now.
Something is wrong with istio-gateway. There should be endpoints. Make sure the istio-gateway pods are healthy and that the label selector on the istio-gateway service matches the labels on the istio-gateway pods.
Hi @rsalmond can you suggest any solution?
Please try from your end once.
application, azure app gateway ingress will be in productnamespace. istio ingress will be in istio-gateway namespace.
How to point to istio-gateway from azure ingress in different namespace?
It appears you have not installed an istio gateway. Use of helm charts to install istio requires a good understanding of the components and their interactions (istiod, base, gateways, etc). If you’re not sure what needs to be installed, you can use istioctl install instead and it will give you some simple defaults to get started.
istio-gateway is already installed.
It is installed in the istio-gateway namespace.
My azure ingress is in company namespace.
If I point this istio-gateway as a backend rule to it.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: server-ingress
  namespace: istio-ingress
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/backend-protocol: "http"
    appgw.ingress.kubernetes.io/cookie-based-affinity: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - dev1.mycompany.com
    secretName: company-cert-secret1
  - hosts:
    - dev2.mycompany.com
    secretName: company-cert-secret2
  rules:
  - host: dev1.mycompany.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: istio-ingress/istio-ingress
            port:
              number: 80
It is giving error as invalid service name format.
Even with this format also.
istio-ingress.istio-ingress.svc.cluster.local
Failed to save resource: {"error":{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Ingress.extensions "server-ingress" is invalid: [spec.rules[0].http.paths[0].backend.service.name: Invalid value: "istio-ingress.istio-ingress.svc.cluster.local": a DNS-1035 label must consist
So, I kept just istio-ingress in the service name and got the issue below. As you can see, it is trying to search for istio-ingress in the company namespace instead of the istio-ingress namespace.
And for your information, istio-ingress is already there.
So please don’t divert to the topic as whether installed or not.
Please guide how to refer this istio-ingress service in main ingress of azure which is in different namespace.
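Added example, not part of any post in this thread: a Python check for the two conditions discussed above. In networking.k8s.io/v1 an Ingress backend carries only a Service name, which is looked up in the Ingress's own namespace, and that Service needs pods matching its selector before it has endpoints. The objects are constructed samples in the shape of `kubectl get ... -o json` items; the `istio: gateway` label, the pod name and the finding strings are assumptions for illustration.

```python
# Constructed sample objects, trimmed to the fields the check reads.
def obj(ns, name, labels=None, **fields):
    return {"metadata": {"namespace": ns, "name": name, "labels": labels or {}}, **fields}

def ingress(ns, backend):
    path = {"path": "/", "backend": {"service": {"name": backend, "port": {"number": 80}}}}
    return obj(ns, "server-ingress", spec={"rules": [{"http": {"paths": [path]}}]})

SERVICES = [obj("istio-system", "istio-gateway", spec={"selector": {"istio": "gateway"}})]
PODS = [obj("istio-system", "istio-gateway-0", labels={"istio": "gateway"},
            status={"phase": "Running"})]

def selects(selector, labels):
    """True when every key/value of a non-empty Service selector is on the pod."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())

def diagnose(ing, services, pods):
    """Return (backend, finding, namespaces) for each backend that cannot get endpoints."""
    ns = ing["metadata"]["namespace"]
    findings = []
    for rule in ing["spec"].get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            name = path["backend"]["service"]["name"]
            named = [s for s in services if s["metadata"]["name"] == name]
            # The backend has no namespace field: only the Ingress's namespace is searched.
            svc = next((s for s in named if s["metadata"]["namespace"] == ns), None)
            if svc is None:
                elsewhere = sorted(s["metadata"]["namespace"] for s in named)
                findings.append((name, "not-in-ingress-namespace", elsewhere))
                continue
            selector = svc["spec"].get("selector", {})
            # Simplification: phase Running stands in for the pod readiness
            # condition that real Endpoints objects depend on.
            running = [p for p in pods
                       if p["metadata"]["namespace"] == ns
                       and selects(selector, p["metadata"]["labels"])
                       and p.get("status", {}).get("phase") == "Running"]
            if not running:
                findings.append((name, "no-running-pods-match-selector", [ns]))
    return findings

if __name__ == "__main__":
    for ns in ("productnamespace", "istio-system"):
        print(ns, diagnose(ingress(ns, "istio-gateway"), SERVICES, PODS))
```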