At the step when i try to verify the installation, i only get responses from the current cluster, not from the other one. However it seems like it try to communicate with the other cluster since i get this error mesage:
upstream connect error or disconnect/reset before headers. reset reason: local reset, transport failure reason: TLS error: 268435612:SSL routines:OPENSSL_internal:HTTP_REQUEST
What i tried so far:
To verify certs are configured correctly, you can compare the root-cert in each cluster:
diff
<(kubectl --context="{CTX_CLUSTER1}" -n istio-system get secret cacerts -ojsonpath='{.data.root-cert\.pem}') \
<(kubectl --context="{CTX_CLUSTER2}" -n istio-system get secret cacerts -ojsonpath=’{.data.root-cert.pem}’)
I was facing this problem with kubernetes-kind. I did unfortunatley not solve it. I did change the kubernetes setup to minikube instead, after that it worked like expected.
Tried with minikube still No luck. getting the same error. I tried even setting up minikube tunnel for both the cluster. Wondering if you had to do anything special …
upstream connect error or disconnect/reset before headers. reset reason: local reset, transport failure reason: TLS error: 268435612:SSL routines:OPENSSL_internal:HTTP_REQUEST
I guess you have an external IP on each eastwest-gateway? I did use metallb to get the external IP:s for my clusters.
Yes, I have been using metallb to get external IPs and I do have external IP for eas-west gateway
Maybe you can check your kube/config, for me the IP addresses there was localhost instead of my new external IP:s.
Thanks for mentioning it, I double-checked it and looks like it has the external IP of the cluster instead of localhost.
Although I think I noticed in .kube/config, the certificate-authority for the clusters is:
“certificate-authority: /Users/{$USER}/.minikube/ca.crt” . I wonder that should be changed as well and pointed to the root CA generated as pre-requisite.
Would it be possible for you to share the ~/kube/config values for the minikube clusters to cross-check? Thanks