Ingressgate can't forward the header "x-forwarded-for"

The version of Istio I used is 1.45. I found a problem with ingressgate during use, as follows.

My access form is simply as follows: client -> ingressgate -> service1

When the client initiates the access, the header carries "x-forwarded-for". After being forwarded by ingressgate, service1 cannot get the "x-forwarded-for" content.
After testing, the ingressgate did not forward the header "x-forwarded-for" at all (but no problem occurred with other customized headers).

I hope it can be solved.

Are you installing Istio using Helm? Try reinstalling it using the following:

gateways:
  istio-ingressgateway:
    externalTrafficPolicy: Local 

According to your prompt, I modified it as follows:
1) exec command: kubectl edit svc istio-ingressgateway -n istio-system
2) change “Cluster” to “Local”
spec:
  clusterIP: 10.245.163.159
  externalTrafficPolicy: Local
  healthCheckNodePort: 45748

But I still can’t get “x-forwarded-for”.

Solution, create EnvoyFilter:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: rsl-envoyfilter
  namespace: istio-system
spec:
  workloadLabels:
    app: istio-ingressgateway
  filters:
    - listenerMatch:
        portNumber: 58080
        listenerType: GATEWAY
      filterName: envoy.lua
      filterType: HTTP
      filterConfig:
        inlineCode: |
          function envoy_on_request(request_handle)
            local xff_header = request_handle:headers():get("X-Forwarded-For")
            -- header absent: nothing to extract (string.gmatch on nil would raise an error)
            if xff_header == nil then return end
            -- leftmost IPv4 address; "%." matches a literal dot, a bare "." matches any character.
            -- Note the leftmost entry is whatever the client sent; only entries appended by trusted proxies are reliable.
            local first_ip = string.match(xff_header, "(%d+%.%d+%.%d+%.%d+)")
            if first_ip ~= nil then
              request_handle:headers():add("X-Custom-User-IP", first_ip)
            end
          end

Run the above EnvoyFilter, and we can get the real IP through request.headers[“x-custom-user-ip”] in the application, or in a rule (Mixer) or instance (Mixer).
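As an added example that is not part of this thread's code: the Lua filter above takes the leftmost X-Forwarded-For entry, which is whatever the client chose to send. The snippet below shows the general algorithm for the same task, counting trusted hops from the right (the semantics of Envoy's xff_num_trusted_hops setting), so that a forged leading entry is ignored and IPv6 addresses are handled. The function names and the sample header values are mine; it assumes each proxy under your control (the ingress gateway, plus a load balancer in front of it if it also appends) adds the address of its own peer to the header.

```python
# Added example, not code from the thread: derive the client address from
# X-Forwarded-For by counting trusted hops from the right, the way Envoy's
# xff_num_trusted_hops setting does, rather than taking the leftmost entry as
# the Lua filter above does. Function names and the sample headers are mine.
import ipaddress
import re


def leftmost_ip(xff_header):
    """The thread's approach, for contrast: first dotted-quad found in the header.

    The leftmost entry is whatever the client put there, so it can be forged.
    """
    if not xff_header:
        return None
    match = re.search(r"(\d+\.\d+\.\d+\.\d+)", xff_header)
    return match.group(1) if match else None


def client_ip_from_xff(xff_header, trusted_hops=1):
    """Client address as seen by the outermost proxy we control.

    Each proxy appends the address of its own peer, so the rightmost
    `trusted_hops` entries were written by our proxies (ingress gateway, plus
    any load balancer in front of it that also appends). The entry written by
    the outermost of them is the real client; everything left of it is
    client-supplied. (Envoy's xff_num_trusted_hops is this value minus one,
    since Envoy counts itself implicitly.) Returns None when the header is
    missing, has too few entries, or the chosen entry is not an IP address.
    """
    if not xff_header or trusted_hops < 1:
        return None
    entries = [e.strip() for e in xff_header.split(",") if e.strip()]
    if len(entries) < trusted_hops:
        return None
    candidate = entries[-trusted_hops]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed headers for the path client -> ingress gateway -> service1,
    # where the gateway (externalTrafficPolicy: Local, so it sees the true peer)
    # appends the real client address 203.0.113.10 as the rightmost entry.
    forged = "10.0.0.1, 203.0.113.10"        # client sent a bogus leading entry
    print(leftmost_ip(forged))                # 10.0.0.1  (forged value wins)
    print(client_ip_from_xff(forged))         # 203.0.113.10
    # With a load balancer in front of the gateway that also appends:
    # client -> LB -> gateway -> service1, two trusted hops.
    behind_lb = "203.0.113.10, 192.0.2.7"
    print(client_ip_from_xff(behind_lb, trusted_hops=2))  # 203.0.113.10
    print(client_ip_from_xff("2001:db8::1"))  # IPv6 works too: 2001:db8::1
    print(client_ip_from_xff("not-an-ip"))    # None
```

The value of `trusted_hops` has to match your real topology: set it too low and an attacker-controlled entry is treated as the client address (the same weakness as reading the leftmost entry); set it too high and you get your own proxy's address or nothing at all.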

This never seems to work for me in AWS. It’s weird.

I built my own k8s and Istio in Alicloud and a local test environment, and the test can be run.

k8s 1.63
istio 1.5

I have now seen my IP whitelisting work even with the Istio Ingress Gateway set to externalTrafficPolicy: Local and it seems like it was a misconfiguration on my part.

Does this work with HTTPS? I do not see it working (Istio 1.5.1 and K8s 16.6).
I have a gateway and virtual service as given below:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: controller-auth-gw
  namespace: controller
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: https
      number: 9443
      protocol: HTTPS
    tls:
      httpsRedirect: true

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: controller-auth-vs
  namespace: controller
spec:
  gateways:
  - controller-auth-gw
  hosts:
  - '*'
  tls:
  - match:
    - port: 9443
      sniHosts:
      - '*'
    route:
    - destination:
        host: controller-auth-service.controller.svc.cluster.local
        port:
          number: 9443

apiVersion: v1
kind: Service
metadata:
  labels:
    app: controller-auth
  name: controller-auth-service
  namespace: controller
spec:
  ports:
  - name: https-auth
    port: 9443
    protocol: TCP
    targetPort: 9443
  selector:
    app: controller-auth
  type: ClusterIP

istio-ingressgateway is configured with externalTrafficPolicy: Local


That is still something which I have yet to see working. I might be digging into it in the next day or two though. It should work; it might be the case though that a person would need to get an ALB involved and use something to pass traffic from the ALB to the Istio Ingress, but I’m just riffing now.