I have Istio 1.2.2 deployed on an OpenShift 3.11 cluster. I have successfully deployed our application and can access it from outside the cluster using HTTP. I am now trying to allow access to a TCP-based interface (Java debug port) and cannot get it working. My service definition looks like this:
kind: Service
apiVersion: v1
metadata:
  name: mcas-debug
spec:
  selector:
    app: mcas
  ports:
  - protocol: TCP
    name: tcp
    port: 5014
    targetPort: 5014
I can connect to the port successfully from within the cluster. It is deployed in the namespace ‘ryan’. To expose the service I defined the following Gateway and VirtualService (in the istio-system namespace):
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mcas-debug-gateway-ryan
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 5014
      name: tcp
      protocol: TCP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mcas-debug-vs-ryan
  namespace: istio-system
spec:
  hosts:
  - "*"
  gateways:
  - mcas-debug-gateway-ryan
  http:
  - match:
    - port: 5014
    route:
    - destination:
        host: mcas-debug.ryan.svc.cluster.local
        port:
          number: 5014
- port: 5014
I also added the ‘5014’ port to the istio-ingressgateway service since this is not on a standard port (I excluded all the other ports for brevity):
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    chart: gateways
    heritage: Tiller
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  externalIPs:
  - 10.25.23.200
  - 10.25.23.201
  type: LoadBalancer
  selector:
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
  ports:
  …
  -
    name: tcp-debug-ryan
    port: 5014
    targetPort: 5014
When I try to telnet to port 5014 on 10.25.23.200, I get a connection refused. Any ideas on why that is?