I’m trying to get Istio up and running in a new project we’re building.
Our app consists right now of an Angular frontend, a backend app and an internal service.
First thing I did was installing Istio; I’ve dumped a profile and customized it to use our existing Grafana and Prometheus servers. Kiali and Jaeger are both running correctly.
Then I’ve added the sidecar injection to the namespace, created a new subdomain and created the necessary Gateway and Virtual Service.
    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: myapp-gateway
      namespace: myapp
    spec:
      servers:
      - port:
          number: 80
          name: http-myapp
          protocol: HTTP
        hosts:
        - myapp.company.com
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: myapp
      namespace: myapp
    spec:
      hosts:
      - "*"
      gateways:
      - production-gateway
      http:
      - match:
        - uri:
            prefix: /api
        route:
        - destination:
            host: backend
            port:
              number: 80
      - route:
        - destination:
            host: frontend
            port:
              number: 80
At this point everything was working properly; I pointed the DNS to the load balancer created by Istio and everything was ok.
I’ve then tried to enable HTTP using let’s encrypt. To do so I’ve changed my istio profile to include these changes:
    --set values.gateways.istio-ingressgateway.sds.enabled=true \
    --set values.global.k8sIngress.enabled=true \
    --set values.global.k8sIngress.enableHttps=true \
    --set values.global.k8sIngress.gatewayName=ingressgateway
At this point I saw that the guide only mentions having a single certificate for the main k8sIngress just created and it also uses default k8s ingresses but I want to use gateways and VirtualServices.
So I’ve then changed:
- turned off values.global.k8sIngress.enableHttps because it was constantly logging this error:

    [Envoy (Epoch 0)] [2020-04-19 03:28:38.123][warning][config] [external/envoy/source/common/config/grpc_subscription_impl.cc:87] gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener(s) 0.0.0.0_443: Invalid path: /etc/istio/ingressgateway-certs/tls.crt
- created a new cert manager cluster issuer that uses istio ingress class instead of the default nginx one
- created the certificates I needed into the istio-system:
    apiVersion: cert-manager.io/v1alpha2
    kind: Certificate
    metadata:
      name: myapp-certificate
      namespace: istio-system
    spec:
      secretName: myapp-tls
      issuerRef:
        name: letsencrypt-prod-istio
        kind: ClusterIssuer
      dnsNames:
      - myapp.company.com
- changed the gateway to include the https port with the new certificate:
    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: myapp-gateway
      namespace: myapp
    spec:
      servers:
      - port:
          number: 80
          name: http-myapp
          protocol: HTTP
        hosts:
        - myapp.company.com
        tls:
          httpsRedirect: true
      - port:
          number: 443
          name: https-myapp
          protocol: HTTPS
        hosts:
        - myapp.company.com
        tls:
          credentialName: myapp-tls
          mode: SIMPLE
          privateKey: sds
          serverCertificate: sds
At this point the ingress controller logged:

    2020-04-19T04:34:14.808156Z warn secretfetcher failed load server cert/key pair from secret myapp-tls: server cert or private key is empty
    2020-04-19T04:34:18.409583Z info secretfetcher scrtUpdated is called on kubernetes secret myapp-tls
    2020-04-19T04:34:18.409632Z warn secretfetcher failed load server cert/key pair from secret myapp-tls: server cert or private key is empty
and the https endpoint was just returning a timeout. Cert manager already saved the secret but nothing happened on the ingress controller side.
After restarting the ingress controller instead, everything worked:
    2020-04-19T04:36:39.395275Z info sds node:router~100.106.199.214~istio-ingressgateway-85576dff98-qt7pz.istio-system~istio-system.svc.cluster.local-3 resource:myapp-tls new connection
    2020-04-19T04:36:39.395578Z info sds node:router~100.106.199.214~istio-ingressgateway-85576dff98-qt7pz.istio-system~istio-system.svc.cluster.local-3 resource:myapp-tls pushed key/cert pair to proxy
    2020-04-19T04:36:39.395600Z info sds node:router~100.106.199.214~istio-ingressgateway-85576dff98-qt7pz.istio-system~istio-system.svc.cluster.local-3 resource:myapp-tls pushed secret
Now, I’ve many questions but I’ll try to summarize them:
- what’s the point of having values.global.k8sIngress.enabled set to true?
- do I need both values.global.k8sIngress.enabled and the regular ingress gateway? Maybe I need k8sIngress for cert-manager to get the certs via HTTP validation?
- is there an obvious reason why I was getting the timeouts? (could it be because of https://istio.io/docs/ops/common-problems/network-issues/#port-conflict-when-configuring-multiple-tls-hosts-in-a-gateway ?)
- should I keep the default ingressgateway and istio-autogenerated-k8s-ingress gateway? Because opening my gateway config with Kiali I get "KIA0301 More than one Gateway for the same host port combination", I think because the two gateways above have host
Thank you in advance and sorry for the long post
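An added consistency check for the setup described in this post (my own example, not code from the post, Istio or cert-manager): it takes Gateway, VirtualService, Certificate and Secret objects as Python dicts in the shape `kubectl get ... -o json` returns and flags the conditions the post ran into: a credentialName whose secret is missing or still has empty tls.crt/tls.key (the "server cert or private key is empty" warning), a Certificate written outside istio-system where the ingress gateway's SDS cannot see it, two Gateways on the same host:port (Kiali KIA0301), and a VirtualService bound to a gateway name that does not exist. The sample manifests are constructed to mirror the post; the assumed ingress namespace is istio-system.

```python
import base64
from collections import defaultdict

def check_setup(gateways, virtual_services, certificates, secrets, ingress_ns="istio-system"):
    """Return a list of findings (strings); an empty list means the manifests are consistent."""
    findings, gw_names = [], {g["metadata"]["name"] for g in gateways}
    # The ingress gateway's SDS agent only reads TLS secrets from its own namespace.
    secrets = {s["metadata"]["name"]: s for s in secrets if s["metadata"]["namespace"] == ingress_ns}
    cert_by_secret = {c["spec"]["secretName"]: c for c in certificates}
    owners = defaultdict(set)  # (host, port) -> gateway names, for the KIA0301 check
    for gw in gateways:
        name = gw["metadata"]["name"]
        for srv in gw["spec"]["servers"]:
            for host in srv["hosts"]:
                owners[(host, srv["port"]["number"])].add(name)
            cred = srv.get("tls", {}).get("credentialName")
            if srv["port"]["protocol"] != "HTTPS" or not cred:
                continue
            cert = cert_by_secret.get(cred)
            if cert is None:
                findings.append(f"{name}: no Certificate writes secret {cred}")
            elif cert["metadata"]["namespace"] != ingress_ns:
                findings.append(f"{name}: Certificate for {cred} lives in {cert['metadata']['namespace']}, not {ingress_ns}")
            sec = secrets.get(cred)
            if sec is None:
                findings.append(f"{name}: secret {cred} not in {ingress_ns} yet (issuance still pending?)")
            elif not all(base64.b64decode(sec.get("data", {}).get(k, "")) for k in ("tls.crt", "tls.key")):
                findings.append(f"{name}: secret {cred} has an empty tls.crt or tls.key")
    for (host, port), gws in owners.items():
        if len(gws) > 1:
            findings.append(f"KIA0301: {', '.join(sorted(gws))} all serve {host}:{port}")
    for vs in virtual_services:
        for ref in vs["spec"].get("gateways", []):
            if ref.split("/")[-1] not in gw_names:
                findings.append(f"VirtualService {vs['metadata']['name']} references unknown gateway {ref}")
    return findings

def server(port, proto, host, **tls):
    # Build one Gateway server entry (helper for the constructed sample below).
    return {"port": {"number": port, "name": f"{proto.lower()}-myapp", "protocol": proto},
            "hosts": [host], **({"tls": tls} if tls else {})}

# Constructed sample mirroring the post; EMPTY_SECRET is what exists before cert-manager finishes issuing.
HOST = "myapp.company.com"
GATEWAYS = [{"metadata": {"name": "myapp-gateway", "namespace": "myapp"}, "spec": {"servers": [
    server(80, "HTTP", HOST, httpsRedirect=True),
    server(443, "HTTPS", HOST, credentialName="myapp-tls", mode="SIMPLE")]}}]
VSVCS = [{"metadata": {"name": "myapp", "namespace": "myapp"}, "spec": {"gateways": ["production-gateway"]}}]
CERTS = [{"metadata": {"name": "myapp-certificate", "namespace": "istio-system"},
          "spec": {"secretName": "myapp-tls", "dnsNames": [HOST]}}]
EMPTY_SECRET = {"metadata": {"name": "myapp-tls", "namespace": "istio-system"}, "data": {}}
```

Running `check_setup(GATEWAYS, VSVCS, CERTS, [EMPTY_SECRET])` on the sample reports the empty secret and the VirtualService pointing at production-gateway while the Gateway is named myapp-gateway; once the secret is populated and the names agree, it returns an empty list.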