Replicated Control Plane 503 NR

Hello,

So I’ve been trying to set up Istio Replicated Control Plane on AKS for the last 2 days without success.

I’ve followed the instructions on the istio website to do so.

This is what I get

kubectl exec --context=$CTX_CLUSTER1 $SLEEP_POD -n foo -c sleep -- curl -v -I httpbin.bar.global:8000/headers
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 240.0.0.2:8000...
* Connected to httpbin.bar.global (240.0.0.2) port 8000 (#0)
> HEAD /headers HTTP/1.1
> Host: httpbin.bar.global:8000
> User-Agent: curl/7.69.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 503 Service Unavailable
< content-length: 91
< content-type: text/plain
< date: Mon, 16 Nov 2020 07:49:04 GMT
< server: envoy
< 
  0    91    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
HTTP/1.1 503 Service Unavailable
content-length: 91
content-type: text/plain
date: Mon, 16 Nov 2020 07:49:04 GMT
server: envoy

* Connection #0 to host httpbin.bar.global left intact

I see that the traffic tries to go out of the sleep pod sidecar


{"user_agent":"curl/7.69.1","response_code":"503","response_flags":"UF,URX","start_time":"2020-11-16T07:41:08.203Z","method":"HEAD","request_id":"b30284ad-fe33-436e-a333-8591a3ecec6a","upstream_host":"51.136.76.144:15443","x_forwarded_for":"-","requested_server_name":"-","bytes_received":"0","istio_policy_status":"-","bytes_sent":"0","upstream_cluster":"outbound|8000||httpbin.bar.global","downstream_remote_address":"10.4.0.250:43544","authority":"httpbin.bar.global:8000","path":"/headers","protocol":"HTTP/1.1","upstream_service_time":"-","upstream_local_address":"-","duration":"22","upstream_transport_failure_reason":"-","route_name":"default","downstream_local_address":"240.0.0.2:8000"}

And that it reaches the other cluster ingress gateway

On this point, it seems like the httpbin.bar.global host is lost altogether, and that envoy cannot find the route to the pod. But that is just my wild guess.


{"upstream_transport_failure_reason":"-","route_name":"-","downstream_local_address":"10.5.0.194:15443","user_agent":"-","response_code":"0","response_flags":"NR","start_time":"2020-11-16T07:42:29.389Z","method":"-","request_id":"-","upstream_host":"-","x_forwarded_for":"-","requested_server_name":"-","bytes_received":"0","istio_policy_status":"-","bytes_sent":"0","upstream_cluster":"-","downstream_remote_address":"10.5.0.4:17882","authority":"-","path":"-","protocol":"-","upstream_service_time":"-","upstream_local_address":"-","duration":"0"}
{"bytes_sent":"0","upstream_cluster":"-","downstream_remote_address":"10.5.0.4:14948","authority":"-","path":"-","protocol":"-","upstream_service_time":"-","upstream_local_address":"-","duration":"0","upstream_transport_failure_reason":"-","route_name":"-","downstream_local_address":"10.5.0.194:15443","user_agent":"-","response_code":"0","response_flags":"NR","start_time":"2020-11-16T07:42:29.407Z","method":"-","request_id":"-","upstream_host":"-","x_forwarded_for":"-","requested_server_name":"-","bytes_received":"0","istio_policy_status":"-"}
{"istio_policy_status":"-","bytes_sent":"0","upstream_cluster":"-","downstream_remote_address":"10.5.0.4:1940","authority":"-","path":"-","protocol":"-","upstream_service_time":"-","upstream_local_address":"-","duration":"0","upstream_transport_failure_reason":"-","route_name":"-","downstream_local_address":"10.5.0.194:15443","user_agent":"-","response_code":"0","response_flags":"NR","start_time":"2020-11-16T07:42:29.421Z","method":"-","request_id":"-","upstream_host":"-","x_forwarded_for":"-","requested_server_name":"-","bytes_received":"0"}

This is the operator config for both clusters

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  finalizers:
  - istio-finalizer.install.istio.io
  generation: 1
  labels:
    app: istio-staging
    app.kubernetes.io/instance: istio-staging
    app.kubernetes.io/managed-by: argocd
    app.kubernetes.io/name: istio-staging
  name: istio-control-plane
  namespace: istio-system
spec:
  addonComponents:
    grafana:
      enabled: true
    istiocoredns:
      enabled: true
    kiali:
      enabled: true
    prometheus:
      enabled: true
    tracing:
      enabled: true
  components:
    egressGateways:
    - enabled: true
      name: istio-egressgateway
  meshConfig:
    accessLogEncoding: JSON
    accessLogFile: /dev/stdout
  profile: default
  values:
    gateways:
      istio-egressgateway:
        env:
          ISTIO_META_REQUESTED_NETWORK_VIEW: external
    global:
      controlPlaneSecurityEnabled: true
      defaultNodeSelector:
        beta.kubernetes.io/os: linux
      multiCluster:
        enabled: true
        globalDomainSuffix: global
        includeEnvoyFilter: true
      podDNSSearchNamespaces:
      - global
    kiali:
      dashboard:
        auth:
          strategy: anonymous
status:
  componentStatus:
    AddonComponents:
      status: HEALTHY
    Base:
      status: HEALTHY
    EgressGateways:
      status: HEALTHY
    IngressGateways:
      status: HEALTHY
    Pilot:
      status: HEALTHY
  status: HEALTHY

And this is the ServiceEntry on cluster 1

(here is the cluster2 ingress gateway LB)

istio-system          istio-ingressgateway              LoadBalancer      10.255.235.189      51.136.76.144
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: httpbin-bar
  namespace: foo
spec:
  addresses:
  - 240.0.0.2
  endpoints:
  - address: 51.136.76.144
    ports:
      http1: 15443
  hosts:
  - httpbin.bar.global
  location: MESH_INTERNAL
  ports:
  - name: http1
    number: 8000
    protocol: http
  resolution: DNS

This is the AKS coredns customization (for cluster 1)

istio-system           istiocoredns                      ClusterIP         10.255.246.201                        dns:53►0╱UDP dns-tcp:53►0  
apiVersion: v1
data:
  istio.server: |
    global:53 {
        errors
        cache 30
        forward . 10.255.246.201:53
    }
kind: ConfigMap
metadata:
  name: coredns-custom
  namespace: kube-system

For cluster 2

istio-system          istiocoredns                      ClusterIP         10.255.229.17                          dns:53►0╱UDP dns-tcp:53►0
apiVersion: v1
data:
  istio.server: |
    global:53 {
        errors
        cache 30
        forward . 10.255.229.17:53
    }
kind: ConfigMap
metadata:
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
    apps.kubernetes.io/managed-by: terraform
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
  name: coredns-custom
  namespace: kube-system

These are the certs

apiVersion: v1
data:
  ca-cert.pem: <omitted>
  ca-key.pem: REDACTED
  cert-chain.pem: <omitted>
  root-cert.pem: <omitted>
kind: Secret
metadata:
  name: cacerts
  namespace: istio-system
type: Opaque

It seems like everything is in place. What could be the reason that the ingress gateway envoy proxy on CLUSTER2 responds with an NR (No Route)?

Really need help on this one …
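
A triage helper for the two access-log excerpts in the post above, as an added example that is not part of the original post: it decodes the Envoy response flags and marks gateway entries on port 15443 (Istio's SNI-routed multicluster port) that recorded no SNI. The function name, the output fields and the shortened sample lines are assumptions made for this example.

```python
import json

# Envoy access-log response flags seen in this post (meanings per the Envoy docs).
FLAGS = {
    "UF": "upstream connection failure",
    "URX": "upstream retry limit (HTTP) or max connect attempts (TCP) reached",
    "NR": "no route configured, or no matching filter chain for the connection",
}
SNI_GATEWAY_PORT = "15443"  # Istio multicluster gateway port, routed by TLS SNI


def triage(line):
    """Summarise one JSON access-log line from a sidecar or a gateway."""
    e = json.loads(line)
    flags = [f for f in e.get("response_flags", "-").split(",") if f != "-"]
    local_port = e.get("downstream_local_address", "-").rpartition(":")[2]
    sni = e.get("requested_server_name", "-")
    no_sni = local_port == SNI_GATEWAY_PORT and sni == "-"
    notes = [f"{f}: {FLAGS.get(f, 'see Envoy access log docs')}" for f in flags]
    if no_sni and "NR" in flags:
        notes.append("no SNI was recorded for a connection to the "
                     "SNI-routed 15443 listener")
    return {
        "time": e.get("start_time"),
        "flags": flags,
        "upstream_host": e.get("upstream_host", "-"),
        "no_sni_at_gateway": no_sni,
        "notes": notes,
    }


# Constructed sample: field subsets copied from the two log excerpts in the post.
SIDECAR = ('{"response_code":"503","response_flags":"UF,URX",'
           '"start_time":"2020-11-16T07:41:08.203Z",'
           '"upstream_host":"51.136.76.144:15443","requested_server_name":"-",'
           '"downstream_local_address":"240.0.0.2:8000"}')
GATEWAY = ('{"response_code":"0","response_flags":"NR",'
           '"start_time":"2020-11-16T07:42:29.389Z","upstream_host":"-",'
           '"requested_server_name":"-",'
           '"downstream_local_address":"10.5.0.194:15443"}')

if __name__ == "__main__":
    for name, line in (("sidecar", SIDECAR), ("gateway", GATEWAY)):
        result = triage(line)
        print(name, result["time"], result["flags"])
        for note in result["notes"]:
            print("   ", note)
```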