Issue with using an internal ingress

#1

Currently running Istio off the release-1.1 branch. I used helm to install and had it create the default ingressgateway as well as the ilbgateway, and modified the annotation for AWS internal instead of Google. I can curl the internal ELB and get a 404, which I think tells me that the ingress is mostly functioning. However, when I take the httpbin example and modify it to try and use the internal ingress, I still get 404s. My gateway and virtual service definition is below. I’m using external-dns to create the r53 entry and have confirmed it’s creating it based on the ILB fqdn, not the external one. What am I missing?

Thanks

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
  namespace: default
  annotations:
    kubernetes.io/ingress.class: internal
spec:
  selector:
    istio: ilbgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "httpbin.internal.domain"

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
  namespace: default
spec:
  hosts:
  - "httpbin.internal.domain"
  gateways:
  - httpbin-gateway
  http:
  - match:
    - uri:
        prefix: /ip
    route:
    - destination:
        port:
          number: 8000
        host: httpbin.default.svc.cluster.local

#2

Anyone have any ideas?

#3

I’m doing something pretty similar on Istio 1.1.1; the main difference is I am using ingressgateway for the selector:

spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation

#4

Yeah, not sure what I had misconfigured, but I was eventually able to get things working with TLS. For anyone else that runs into this, this is what I use for exposing our Grafana via an internal ingress.

# Grafana
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "grafana"
  namespace: "istio-system"
spec:
  host: grafana.istio-system.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-grafana-gateway
  namespace: "istio-system"
  annotations:
    kubernetes.io/ingress.class: internal # This is for external-dns integration
spec:
  selector:
    istio: ilbgateway
  servers:
  - port:
      number: 443
      name: https-grafana-istio
      protocol: HTTPS
    hosts:
    - "grafana.domain"
    tls: # This is a *.domain cert
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key 
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: istio-grafana
  namespace: "istio-system"
spec:
  hosts:
  - "grafana.domain"
  gateways:
  - istio-grafana-gateway
  http:
  - route:
    - destination:
        port:
          number: 3000
        host: grafana.istio-system.svc.cluster.local
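
As an added example (not code from the thread or from Istio), a static check of the Gateway/VirtualService pairing the manifests above depend on: that the Gateway selects the internal gateway pods rather than the public ingressgateway, that the VirtualService is bound to it with a covered host, and which requests fall through to 404. The `istio: ilbgateway` label and the dict layout are assumptions taken from the YAML in post #1.

```python
# Added example, not code from the thread. GATEWAY and VIRTUAL_SERVICE are constructed
# dicts mirroring the YAML in post #1 (the shape yaml.safe_load would return).
INTERNAL_SELECTOR = {"istio": "ilbgateway"}  # assumption: label on the internal gateway pods

def host_covered(gw_host, vs_host):
    """True if a Gateway server host (exact, '*' or '*.suffix') covers a VirtualService host."""
    if gw_host in ("*", vs_host):
        return True
    return gw_host.startswith("*.") and vs_host.endswith(gw_host[1:])

def check_binding(gateway, vs):
    """Return findings for one Gateway/VirtualService pair; an empty list means none."""
    findings = []
    gw_meta, gw_spec, vs_spec = gateway["metadata"], gateway["spec"], vs["spec"]
    # A selector other than the internal one attaches the hosts to a different load balancer.
    if gw_spec.get("selector") != INTERNAL_SELECTOR:
        findings.append(f"selector {gw_spec.get('selector')} is not the internal gateway")
    # A bare gateway name in a VirtualService resolves in the VirtualService's own namespace.
    vs_ns = vs["metadata"].get("namespace", "default")
    bound = {g if "/" in g else f"{vs_ns}/{g}" for g in vs_spec.get("gateways", [])}
    if f"{gw_meta['namespace']}/{gw_meta['name']}" not in bound:
        findings.append(f"VirtualService is not bound to gateway {gw_meta['name']}")
    gw_hosts = [h for s in gw_spec.get("servers", []) for h in s.get("hosts", [])]
    for host in vs_spec.get("hosts", []):
        if not any(host_covered(g, host) for g in gw_hosts):
            findings.append(f"host {host} is not served by the gateway")
    # With a match on every route there is no catch-all, so unmatched requests get 404.
    routes = vs_spec.get("http", [])
    if routes and all(r.get("match") for r in routes):
        uris = sorted(f"{k}:{v}" for r in routes for m in r["match"]
                      for k, v in m.get("uri", {}).items())
        findings.append(f"every route is conditional (uri matches: {uris}); other requests get 404")
    return findings

GATEWAY = {"metadata": {"name": "httpbin-gateway", "namespace": "default"},
           "spec": {"selector": {"istio": "ilbgateway"},
                    "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                                 "hosts": ["httpbin.internal.domain"]}]}}
VIRTUAL_SERVICE = {"metadata": {"name": "httpbin", "namespace": "default"},
                   "spec": {"hosts": ["httpbin.internal.domain"], "gateways": ["httpbin-gateway"],
                            "http": [{"match": [{"uri": {"prefix": "/ip"}}],
                                      "route": [{"destination": {
                                          "host": "httpbin.default.svc.cluster.local",
                                          "port": {"number": 8000}}}]}]}}

if __name__ == "__main__":
    for finding in check_binding(GATEWAY, VIRTUAL_SERVICE):
        print(finding)
```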