I have a k8s cluster in minikube.
I have my own namespace and 2 services: one for the db, the second one for my app:
```
NAME                TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
service/fm-db       ClusterIP   10.111.140.200   <none>        5432/TCP   95m
service/fm-server   ClusterIP   10.103.226.60    <none>        8080/TCP   96m
```
I tried to deploy Istio.
I did the steps provided in the Istio documentation.
Now I'm trying to configure the gateway and virtual-service.
For that I created 2 YAML files:
Gateway.yaml
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: fm-server-gateway
  namespace: fm-server
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: fm-generated-ssl
    hosts:
    - "fm.server.com"
```
VirtualService
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: "fm-server-vs"
  namespace: "fm-server"
spec:
  hosts:
  - "fm.server.com"
  gateways:
  - fm-server-gateway
  http:
  - match:
    - uri:
        exact: /fm_graphql
    route:
    - destination:
        host: fm-server.fm-server.svc.cluster.local
        port:
          number: 8080
    timeout: 10s
```
`fm-server.com` is the minikube IP added in /etc/hosts.
When I'm trying to make a request to my service:
```python
import requests
import json

SERVER_URL = 'https://fm.server.com:31736/fm_graphql'
# k8s-workers.iad-1-dev.us-east-1a.ntnxi.net
token = "SOME_TOKEN"


def _send():
    query = """some_query"""
    data = {'query': query}
    headers = {'Accept': 'application/json',
               'Content-Type': 'application/json',
               'Authorization': "Bearer %s" % token
               }
    response = requests.post(SERVER_URL,
                             data=json.dumps(data).encode('utf-8'),
                             headers=headers,
                             verify="certs/tls.crt")
    # certs/fm_server_ssl.crt
    # certs/generated_ssl.crt
    # certs/tls.crt
    print(response)
    if response.status_code == 200:
        res = json.loads(response.text)
        return True, res, None
    return False, None, response.text


print(_send())
```
I got the error:
```
python3.9/site-packages/urllib3/connection.py:460: SubjectAltNameWarning: Certificate for fm-server.com has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
  warnings.warn(
<Response [503]>
(False, None, 'upstream connect error or disconnect/reset before headers. reset reason: connection termination')
```
But without Istio everything works normally. Can't understand what's the problem.
Here is the output of the `istioctl proxy-config route istio-ingressgateway-76b86f6b45-tsdxv -n istio-system -o json` command:
```json
[
  {
    "name": "https.443.https.fm-server-gateway.fm-server",
    "virtualHosts": [
      {
        "name": "fm.server.com:443",
        "domains": [
          "fm.server.com",
          "fm.server.com:*"
        ],
        "routes": [
          {
            "match": {
              "path": "/fm_graphql",
              "caseSensitive": true
            },
            "route": {
              "cluster": "outbound|8080||fm-server.fm-server.svc.cluster.local",
              "timeout": "10s",
              "retryPolicy": {
                "retryOn": "connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes",
                "numRetries": 2,
                "retryHostPredicate": [
                  {
                    "name": "envoy.retry_host_predicates.previous_hosts"
                  }
                ],
                "hostSelectionRetryMaxAttempts": "5",
                "retriableStatusCodes": [
                  503
                ]
              },
              "maxGrpcTimeout": "10s"
            },
            "metadata": {
              "filterMetadata": {
                "istio": {
                  "config": "/apis/networking.istio.io/v1alpha3/namespaces/fm-server/virtual-service/fm-server-vs"
                }
              }
            },
            "decorator": {
              "operation": "fm-server.fm-server.svc.cluster.local:8080/fm_graphql"
            }
          }
        ],
        "includeRequestAttemptCount": true
      }
    ],
    "validateClusters": false
  },
  {
    "virtualHosts": [
      {
        "name": "backend",
        "domains": [
          "*"
        ],
        "routes": [
          {
            "match": {
              "prefix": "/stats/prometheus"
            },
            "route": {
              "cluster": "prometheus_stats"
            }
          }
        ]
      }
    ]
  },
  {
    "virtualHosts": [
      {
        "name": "backend",
        "domains": [
          "*"
        ],
        "routes": [
          {
            "match": {
              "prefix": "/healthz/ready"
            },
            "route": {
              "cluster": "agent"
            }
          }
        ]
      }
    ]
  }
]
```
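
A way to check which cluster a given Host header and path resolve to in a route dump like the one in the question; this is an added example, not part of the original post. The helpers `domain_rank`, `path_matches` and `resolve` and the trimmed `SAMPLE` are constructed for illustration; only the `path` and `prefix` matchers seen in the dump are handled, and ties within a wildcard class go to the first listed virtual host, which is a simplification.

```python
# Constructed sample: one route config trimmed from the dump shape shown above.
SAMPLE = {
    "name": "https.443.https.fm-server-gateway.fm-server",
    "virtualHosts": [{
        "domains": ["fm.server.com", "fm.server.com:*"],
        "routes": [{
            "match": {"path": "/fm_graphql", "caseSensitive": True},
            "route": {"cluster": "outbound|8080||fm-server.fm-server.svc.cluster.local"},
        }],
    }],
}


def domain_rank(domain, host):
    """Envoy search order: exact, suffix wildcard, prefix wildcard, bare '*'."""
    domain, host = domain.lower(), host.lower()
    if domain == host:
        return 0
    if domain == "*":
        return 3
    tail, head = domain[1:], domain[:-1]
    # A wildcard must cover at least one character, hence the length checks.
    if domain.startswith("*") and host.endswith(tail) and len(host) > len(tail):
        return 1
    if domain.endswith("*") and host.startswith(head) and len(host) > len(head):
        return 2
    return None


def path_matches(match, path):
    """Handle the two matchers present in the dump: exact 'path' and 'prefix'."""
    fold = (lambda s: s) if match.get("caseSensitive", True) else str.lower
    if "path" in match:
        return fold(path) == fold(match["path"])
    return "prefix" in match and fold(path).startswith(fold(match["prefix"]))


def resolve(route_config, host, path):
    """Return the cluster picked for (Host header, path), or None if nothing matches."""
    vhosts = route_config.get("virtualHosts", [])
    ranked = [(rank, i) for i, vh in enumerate(vhosts)
              for d in vh.get("domains", [])
              if (rank := domain_rank(d, host)) is not None]
    if not ranked:
        return None
    for route in vhosts[min(ranked)[1]].get("routes", []):
        if path_matches(route.get("match", {}), path):
            return route.get("route", {}).get("cluster")
    return None
```

To run it against a real dump, load the command's JSON output and call `resolve` on each element of the top-level list with the exact Host header the client sends, port included.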