Hi there
I have a recently set up EKS cluster with Istio running. I can expose services using the recommended Gateway + VirtualService. We’ll use that for our services.
But for some third parties, like Grafana, we would like to just set “ingress.enable: true”, specify a Let’s Encrypt generated wildcard certificate we have, and be done with it. Except that it doesn’t work. As a workaround we’re dropping a basic GW + VS manifest in every third-party Helm chart… but I’d like to troubleshoot this Kubernetes ingress not working thing.
I created a test (helm create test) and enabled ingress with the wildcard. Then curl says:
~ ᐅ curl -Lv https://test.company.cloud/
* Trying 3.122.144.240:443...
* Connected to test.company.cloud (xxx.xxx.xxx.240) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to test.company.cloud:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to test.company.cloud:443
Looking at istiod logs:
istio-ingressgateway-9648f7447-snckp istio-proxy [2022-04-13T13:36:58.404Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 17 - "-" "-" "-" "-" "-" - - 10.x.x.7:8443 10.x.x.18:50592 3.122.144.240 -
Here’s the very basic ingress definition:
apiVersion: v1
items:
- apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    labels:
      app.kubernetes.io/instance: test
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/name: test
      app.kubernetes.io/version: 1.16.0
      argocd.argoproj.io/instance: test
      helm.sh/chart: test-0.1.0
    name: test
    namespace: test
  spec:
    ingressClassName: istio
    rules:
    - host: test.company.cloud
      http:
        paths:
        - backend:
            service:
              name: test
              port:
                number: 80
          path: /
          pathType: ImplementationSpecific
    - host: test2.company.cloud
      http:
        paths:
        - backend:
            service:
              name: test
              port:
                number: 80
          path: /
          pathType: ImplementationSpecific
    tls:
    - hosts:
      - test.company.cloud
      - test2.company.cloud
      secretName: wildcard-certificate
  status:
    loadBalancer: {}
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
Tried with / without sidecar. With the annotation instead of ingressClassName. With the tls annotation. Nothing worked…