Ingress gateway open port fails

Setup
Ubuntu 20.04.1
Istio 1.8.0

  1. I deployed a service and can access it locally:
my-service   ClusterIP   10.100.102.138   <none>        9000/TCP,4000/TCP                     16h

> curl 10.100.102.138:4000/list
Got valid response 

> echo $GATEWAY_URL
192.168.1.55:31438
  1. Now, I wanna access it from my app (mobile and desktop browser). To do that, I need to open a custom port for HTTP requests in a web browser. I’ve been following this

  2. My gateway and vs are as follows

---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 31455
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs-ingress-my
spec:
  hosts:
    - "*"
  gateways:
    - my-gateway
  http:
    - match:
        - port: 31455
      route:
        - destination:
            host: my-service
            port:
              number: 4000
  1. I edited ingress-gateway with the following: kubectl edit svc istio-ingressgateway -n istio-system and added this:
ports:
  - name: tcp-my
    nodePort: 30001
    port: 31455
    protocol: TCP
    targetPort: 80
  1. Running istioctl analyze -n my-system returns ok:
    ✔ No validation issues found when analyzing namespace: my-system

  2. However, when I run istioctl ps, I’m getting the following:

NAME                                                   CDS        LDS                            EDS        RDS        ISTIOD                      VERSION
istio-ingressgateway-848588d9cb-nwf9m.istio-system     SYNCED     STALE (Never Acknowledged)     SYNCED     SYNCED     istiod-767798f6fd-lz8p4     1.8.0

So LDS remains STALE even after rebooting.

  1. When I get to this, curl $GATEWAY_URL locally doesn’t work either, until I remove my-gateway and virtual service vs-ingress-my.

Pls help and advise. Really stuck with this.

I am a newbie too but I believe you don’t have to do Step 5, your step 5 is a mistake. I did all till step 4 and it works like a charm. Please do not edit the istio-ingressgateway. Keep it as it is.

Your application should still be accessible.

Hi Ameya

Thanks for your advice. I tried to remove that entry from the ingress-gateway in step 5. That indeed solves my issue with the LDS STALE; however, I can’t access my service through that port, but can access HTTP 80 though:

curl $GATEWAY_URL
Response received

curl $GATEWAY_HOST:31455/list
curl: (7) Failed to connect to 192.168.1.55 port 31455: Connection refused

Any ideas? Thanks!

PS: If I remove that entry, istioctl analyze -n my-space returns the following:
Warning [IST0104] (Gateway my-gateway.my-space) The gateway refers to a port that is not exposed on the workload (pod selector istio=ingressgateway; port 31455)

Update

I was able to solve this issue by using the default ingress-gateway port 80. However, opening custom ports is still an issue. Let me know if anyone can do that the proper way.

Thank you!

I used a DNS name in the hosts specifications. I also use virtualservice, destinationrule and gateway. Just take a look at the example below:

So you create these Istio objects AFTER the service is created.

Let me know how you go and if you need any other help.