Hi all,
I have a problem with Istio and OpenLDAP (phpLDAPadmin).
Requests to phpLDAPadmin that are answered with 302 (Found) become 503 (Service Unavailable) on the Istio Ingress Gateway.
When I invoke the same URL without the Ingress Gateway, phpLDAPadmin works.
Other applications exposed through the Ingress Gateway (like Gogs) work fine.
Istio version: 1.4.2
Scenario:
(host ldap.montecampo.priv) -> INGRESSGW -> service ldap (port 80) -> pod ldap (targetPort 80)
kubectl get pods --namespace security -o wide
NAME                    READY   STATUS    RESTARTS   AGE   IP              NODE         NOMINATED NODE   READINESS GATES
ldap-6dd6499bd5-j9c7j   3/3     Running   0          36m   192.168.42.38   montecampo   <none>           <none>

kubectl get service --namespace security -o wide
NAME   TYPE       CLUSTER-IP    EXTERNAL-IP   PORT(S)        AGE   SELECTOR
ldap   NodePort   10.96.213.6   <none>        80:31659/TCP   43m   app=ldap

kubectl get virtualservice --namespace security -o wide
NAME   GATEWAYS         HOSTS                    AGE
ldap   [ldap-gateway]   [ldap.montecampo.priv]   44m

kubectl get gateway --namespace security -o wide
NAME           AGE
ldap-gateway   44m
TCPDUMP
montecampo.1972 > 192.168.42.12.http
GET /cmd.php?cmd=refresh&server_id=1&noheader=1&purge=1&meth=ajax HTTP/1.1
Host: ldap.montecampo.priv
User-Agent: curl/7.67.0
Accept: */*
…
192.168.42.12.55606 > 192.168.42.38.http
GET /cmd.php?cmd=refresh&server_id=1&noheader=1&purge=1&meth=ajax HTTP/1.1
host: ldap.montecampo.priv
…
192.168.42.38.http > 192.168.42.12.55606
HTTP/1.1 302 Found
…
Location: cmd.php?cmd=draw_tree_node&noheader=1&server_id=1&meth=ajax&frame=TREE
…
After 5 seconds (I have tried changing the timeout on the VirtualService and got a different error):
192.168.42.12.http > montecampo.1972
HTTP/1.1 503 Service Unavailable
upstream connect error or disconnect/reset before headers. reset reason: connection termination
Configuration:
apiVersion: v1
kind: Namespace
metadata:
  name: security
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ldap-gateway
  namespace: security
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "ldap.montecampo.priv"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ldap
  namespace: security
spec:
  hosts:
  - "ldap.montecampo.priv"
  gateways:
  - ldap-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        port:
          number: 80
        host: ldap
---
apiVersion: v1
kind: Service
metadata:
  name: ldap
  namespace: security
  labels:
    app: ldap
spec:
  type: NodePort
  ports:
  # Istio derives a port's protocol from the name prefix ("http" or "http-<suffix>");
  # "ldap-http" does not follow that convention, so the protocol is not declared as HTTP here.
  - name: ldap-http
    port: 80
    targetPort: 80
  selector:
    app: ldap
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ldap
  namespace: security
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ldap
      version: v1
  template:
    metadata:
      labels:
        app: ldap
        version: v1
    spec:
      volumes:
      - name: openldap-vol
        hostPath:
          path: /home/carnevale/data/security/openldap
      containers:
      - image: osixia/openldap
        imagePullPolicy: IfNotPresent
        name: openldap
        env:
        - name: LDAP_ORGANISATION
          value: "Carnevale"
        - name: LDAP_DOMAIN
          value: "carnevale.priv"
        - name: LDAP_BASE_DN
          value: ""
        # Admin password in clear text in the manifest; a Secret referenced via
        # valueFrom.secretKeyRef keeps it out of version control and `kubectl get -o yaml`.
        - name: LDAP_ADMIN_PASSWORD
          value: "capracotta1421"
        ports:
        - containerPort: 389
        volumeMounts:
        - name: openldap-vol
          mountPath: /var/lib/ldap
      - image: osixia/phpldapadmin
        imagePullPolicy: IfNotPresent
        name: openldapweb
        ports:
        - containerPort: 80
        env:
        # Same pod as slapd, so phpLDAPadmin reaches it over localhost.
        - name: PHPLDAPADMIN_LDAP_HOSTS
          value: "127.0.0.1"
        - name: PHPLDAPADMIN_HTTPS
          value: "false"
Regards
Giacomo
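A static check a reader can run over the Gateway -> VirtualService -> Service -> Pod chain posted above. This is an added example, not part of Giacomo's post and not an Istio tool; it assumes Istio 1.4's named-port convention (a Service port name must be `<protocol>` or `<protocol>-<suffix>`, otherwise Istio falls back to protocol sniffing or plain TCP) and embeds the posted manifests as constructed Python literals so it runs without PyYAML or a cluster. Function names (`check_manifests`, `istio_port_protocol`, `check_with_port_renamed`) are the example's own. It does not claim to explain the 503; it only flags the things in these manifests that Istio itself does not warn about.

```python
"""Consistency check for an Istio ingress chain. Added example, not from the post."""
import copy

# Istio (1.4) infers a Service port's protocol from its name prefix.  Longer
# names first so "grpc-web"/"http2"/"https" are not mistaken for "grpc"/"http".
ISTIO_PROTOCOLS = ("grpc-web", "http2", "https", "grpc", "http",
                   "mongo", "mysql", "redis", "tcp", "tls", "udp")


def istio_port_protocol(name):
    """Protocol Istio assigns to a port name, or None if the name has no
    recognised prefix (Istio then sniffs the protocol or treats it as TCP)."""
    if not name:
        return None
    name = name.lower()
    for proto in ISTIO_PROTOCOLS:
        if name == proto or name.startswith(proto + "-"):
            return proto
    return None


def _host_covered(host, gateway_hosts):
    """True if a VirtualService host is admitted by one of the Gateway's server hosts."""
    for gh in gateway_hosts:
        gh = gh.split("/", 1)[-1]  # Gateway hosts may carry a "namespace/" prefix
        if gh == "*" or gh == host or (gh.startswith("*.") and host.endswith(gh[1:])):
            return True
    return False


def check_manifests(docs):
    """Return human-readable findings; an empty list means the chain is consistent."""
    ns = lambda d: d["metadata"].get("namespace", "default")
    by_kind = {}
    for d in docs:
        by_kind.setdefault(d["kind"], []).append(d)
    services = {(ns(s), s["metadata"]["name"]): s for s in by_kind.get("Service", [])}
    gateways = {(ns(g), g["metadata"]["name"]): g for g in by_kind.get("Gateway", [])}
    findings = []

    for (sns, sname), svc in services.items():
        for p in svc["spec"].get("ports", []):
            if istio_port_protocol(p.get("name")) is None:
                findings.append(f"Service {sns}/{sname} port {p['port']}: name {p.get('name')!r} "
                                f"has no Istio protocol prefix, so Istio will sniff it or treat it "
                                f"as TCP; rename it 'http' or 'http-<suffix>'")
        selector = svc["spec"].get("selector", {})
        matched = [d for d in by_kind.get("Deployment", []) if ns(d) == sns and all(
            d["spec"]["template"]["metadata"].get("labels", {}).get(k) == v
            for k, v in selector.items())]
        if selector and not matched:
            findings.append(f"Service {sns}/{sname}: selector {selector} matches no Deployment pod template")

    for vs in by_kind.get("VirtualService", []):
        vns, vname = ns(vs), vs["metadata"]["name"]
        for gw in vs["spec"].get("gateways", []):
            key = tuple(gw.split("/", 1)) if "/" in gw else (vns, gw)
            gateway = gateways.get(key)
            if gateway is None:
                findings.append(f"VirtualService {vns}/{vname}: gateway {gw!r} not found")
                continue
            gw_hosts = [h for s in gateway["spec"]["servers"] for h in s["hosts"]]
            for host in vs["spec"]["hosts"]:
                if not _host_covered(host, gw_hosts):
                    findings.append(f"VirtualService {vns}/{vname}: host {host!r} not served by {gw!r}")
        for rule in vs["spec"].get("http", []):
            for r in rule.get("route", []):
                dest = r["destination"]
                short = dest["host"].split(".")[0]  # accept short name or FQDN
                svc = services.get((vns, short))
                if svc is None:
                    findings.append(f"VirtualService {vns}/{vname}: Service {dest['host']!r} not found")
                    continue
                port = dest.get("port", {}).get("number")
                if port is not None and port not in {p["port"] for p in svc["spec"]["ports"]}:
                    findings.append(f"VirtualService {vns}/{vname}: Service {short} has no port {port}")
    return findings


# Constructed literals mirroring the posted manifests (Deployment trimmed to its pod labels).
MANIFESTS = [
    {"kind": "Gateway", "metadata": {"name": "ldap-gateway", "namespace": "security"},
     "spec": {"selector": {"istio": "ingressgateway"},
              "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                           "hosts": ["ldap.montecampo.priv"]}]}},
    {"kind": "VirtualService", "metadata": {"name": "ldap", "namespace": "security"},
     "spec": {"hosts": ["ldap.montecampo.priv"], "gateways": ["ldap-gateway"],
              "http": [{"match": [{"uri": {"prefix": "/"}}],
                        "route": [{"destination": {"host": "ldap", "port": {"number": 80}}}]}]}},
    {"kind": "Service", "metadata": {"name": "ldap", "namespace": "security"},
     "spec": {"type": "NodePort", "selector": {"app": "ldap"},
              "ports": [{"name": "ldap-http", "port": 80, "targetPort": 80}]}},
    {"kind": "Deployment", "metadata": {"name": "ldap", "namespace": "security"},
     "spec": {"template": {"metadata": {"labels": {"app": "ldap", "version": "v1"}}}}},
]


def check_posted_manifests():
    return check_manifests(MANIFESTS)


def check_with_port_renamed(new_name):
    """Same chain with the Service port renamed, to see whether the finding goes away."""
    docs = copy.deepcopy(MANIFESTS)
    docs[2]["spec"]["ports"][0]["name"] = new_name
    return check_manifests(docs)


if __name__ == "__main__":
    for line in check_posted_manifests() or ["no findings"]:
        print(line)
```

Run as is, it reports only the `ldap-http` port name; with the port renamed to `http` or `http-ldap` the chain checks clean. To use it on a live cluster, feed `check_manifests` the documents from `kubectl get gateway,virtualservice,service,deployment -n security -o json` (the `items` list) instead of the constructed `MANIFESTS`.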