My ingress gateway is at port 80 http and routing to a https destination.
With the following configuration
http://ingress-gateway.example.com/zzz
it gives 302 and the URL changes to https:
https://my-site.example.com/products
Why 302 and what am I missing?
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port: # Note: I am entering using this port
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
  - port: # Note: I am NOT entering using this port
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      credentialName: my-credential
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: apps-domain
spec:
  hosts:
  - my-site.example.com
  ports:
  - number: 443
    name: https-my-site
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my
spec:
  hosts:
  - "*"
  gateways:
  - my-gateway
  http:
  - match:
    - uri:
        prefix: /zzz
    rewrite:
      uri: /products
    route:
    - destination:
        port:
          number: 443
        host: my-site.example.com
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: my-https-backend
spec:
  host: my-site.example.com
  trafficPolicy:
    tls:
      mode: SIMPLE
      sni: my-site.example.com
You have a rewrite rule pointing to port 443
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my
spec:
  hosts:
  - "*"
  gateways:
  - my-gateway
  http:
  - match:
    - uri:
        prefix: /zzz
    rewrite:
      uri: /products
    route:
    - destination:
        port:
          number: 443 # here
        host: my-site.example.com
Related
Hi, I have deployed Elasticsearch in Kubernetes with a self-signed certificate. I want to expose the Elasticsearch URL. I am able to do it with nginx ingress but am not successful with Istio. Can anyone explain how to do that?
This is the virtual service:
kind: VirtualService
metadata:
  name: elasticsearch
  namespace: istio-system
spec:
  hosts:
  - elasticsearch.domain.com
  gateways:
  - monitor-gateway
  http:
  - match:
    - port: 443
    route:
    - destination:
        host: elasticsearch.monitor.svc.cluster.local
        port:
          number: 9200
gateway
# Source: istio-ingress/templates/gateway.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: monitor-gateway
  namespace: istio-system
  labels:
    app: istio-ingress
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: istio-ingress
    app.kubernetes.io/version: 1.15.3
    helm.sh/chart: gateway-1.15.3
    istio: ingress
spec:
  selector:
    istio: ingress
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
  - hosts:
    - '*'
    port:
      name: https
      number: 443
      protocol: HTTP
  - hosts:
    - '*'
    port:
      name: tpc
      number: 15021
      protocol: TCP
I resolved it by adding the DestinationRule below:
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  annotations:
  name: elasticsearch
  namespace: istio-system
spec:
  host: elasticsearch.monitor.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 9200
      tls:
        clientCertificate: /etc/istio/ingress/ca.cert
        mode: SIMPLE
        privateKey: /etc/istio/ingress/tls.key
##Working ingress file##
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: signaler-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.org/websocket-services: "websocket"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - i2adevcluster-dns.westus2.cloudapp.azure.com
    secretName: tls-secret
  rules:
  - host: i2adevcluster-dns.westus2.cloudapp.azure.com
    http:
      paths:
      - path: /signaler(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: signaler
            port:
              number: 3000
      - path: /websocket(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: signaler
            port:
              number: 3001
##Want to define a path with consistency## prefix /signaler/websocket
##expecting work the same with the below configuration##
--------------------------------------------------------------
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: signaler-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.org/websocket-services: "websocket"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - i2adevcluster-dns.westus2.cloudapp.azure.com
    secretName: tls-secret
  rules:
  - host: i2adevcluster-dns.westus2.cloudapp.azure.com
    http:
      paths:
      - path: /signaler(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: signaler
            port:
              number: 3000
      - path: /signaler/websocket(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: signaler
            port:
              number: 3001
Details about the solutions I am looking for
My ingress route is working with the inconsistent path, but I want to make my path consistent, with the prefix /signaler on each subpath.
The first working configuration does not have path consistency with the prefix /signaler for the websocket path, so it should be /signaler/websocket/ instead of /WebSocket/
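Added example, not part of the original post: a simplified Python model of how the two regex paths and `rewrite-target: /$2` from the manifests above resolve a request, for both the working and the desired rule sets. It assumes ingress-nginx's documented regex handling (case-insensitive locations anchored at the start, ordered by descending path length, first match wins); the function names `route` and `shadowed` are hypothetical.

```python
import re

# Constructed from the two Ingress manifests in the post: (path regex, service port).
WORKING = [(r"/signaler(/|$)(.*)", 3000), (r"/websocket(/|$)(.*)", 3001)]
DESIRED = [(r"/signaler(/|$)(.*)", 3000), (r"/signaler/websocket(/|$)(.*)", 3001)]
REWRITE_TARGET = "/$2"  # nginx.ingress.kubernetes.io/rewrite-target from the post


def _ordered(paths):
    # Assumption: regex locations are emitted longest path first.
    return sorted(paths, key=lambda p: len(p[0]), reverse=True)


def route(paths, request_path):
    """Return (service_port, upstream_path), or None when no location matches."""
    for pattern, port in _ordered(paths):
        m = re.match(pattern, request_path, re.IGNORECASE)
        if m:
            # Expand $1..$9 capture references the way the rewrite does.
            upstream = re.sub(r"\$(\d)",
                              lambda g: m.group(int(g.group(1))) or "",
                              REWRITE_TARGET)
            return port, upstream
    return None


def shadowed(paths, request_path):
    """List every pattern that matches, in evaluation order, to expose overlaps."""
    return [p for p, _ in _ordered(paths)
            if re.match(p, request_path, re.IGNORECASE)]


if __name__ == "__main__":
    samples = ("/signaler/api/v1", "/websocket/socket.io",
               "/signaler/websocket/socket.io", "/signalerx")
    for name, paths in (("working", WORKING), ("desired", DESIRED)):
        for req in samples:
            print(name, req, route(paths, req), shadowed(paths, req))
```

In the desired rule set both patterns match `/signaler/websocket/...`, so the result depends on the longer path being evaluated first; in the working rule set the same request falls through to port 3000 with `/websocket/...` as the upstream path.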
I have done the setup of ALB (Application Load Balancer) using Ingress Controller (version -> docker.io/amazon/aws-alb-ingress-controller:v1.1.8) for my AWS EKS cluster (v 1.20) running with Fargate profile.
I can access my service using the load balancer link:-
http://5e07dbe1-default-nginxingr-29e9-1260427999.us-east-1.elb.amazonaws.com/
I have 2 different services configured in my Ingress as shown below:-
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: "nginx-ingress"
  namespace: "default"
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/security-groups: sg-014b302d73097d083
    # alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    # alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:195725532069:certificate/b6a9e691-b807-4f10-a0bf-0449730ecdf4
    # alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    # alb.ingress.kubernetes.io/backend-protocol: HTTPS
    #alb.ingress.kubernetes.io/load-balancer-attributes: "60"
    #alb.ingress.kubernetes.io/rewrite-target: /
  labels:
    app: nginx-ingress
spec:
  rules:
  - http:
      paths:
      # - path: /*
      #   pathType: Prefix
      #   backend:
      #     service:
      #       name: ssl-redirect
      #       port:
      #         number: use-annotation
      - path: /foo
        pathType: Prefix
        backend:
          service:
            name: "nginx-service"
            port:
              number: 80
      - path: /*
        pathType: Prefix
        backend:
          service:
            name: "mydocker-svc"
            port:
              number: 8080
Now the problem is if I put /foo at the end of LB link then nothing happens and I get 404 not found error:-
Both my services are fine with respective Pods running behind their respective Kubernetes NodePort services but they are not accessible using the Ingress. If I swap the path to /* from /foo for the other service (nginx-service), I can then access that but then it will break my previous service (mydocker-svc).
Please let me know where I'm making the mistake so that I can fix this issue. Thank you
ALB Controller:-
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/name: alb-ingress-controller
  name: alb-ingress-controller
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: alb-ingress-controller
  template:
    metadata:
      labels:
        app.kubernetes.io/name: alb-ingress-controller
    spec:
      containers:
      - name: alb-ingress-controller
        args:
        - --ingress-class=alb
        - --cluster-name=eks-fargate-alb-demo
        - --aws-vpc-id=vpc-0dc46d370e38de475
        - --aws-region=us-east-1
        image: docker.io/amazon/aws-alb-ingress-controller:v1.1.8
      serviceAccountName: alb-ingress-controller
Nginx service:-
apiVersion: v1
kind: Service
metadata:
  annotations:
    alb.ingress.kubernetes.io/target-type: ip
  name: "nginx-service"
  namespace: "default"
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  type: NodePort
  selector:
    app: "nginx"
mydocker-svc:-
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    eks.amazonaws.com/fargate-profile: fp-default
    run: mydocker
  name: mydocker-svc
  annotations:
    alb.ingress.kubernetes.io/target-type: ip
spec:
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    eks.amazonaws.com/fargate-profile: fp-default
    run: mydocker
  type: NodePort
status:
  loadBalancer: {}
TargetGroups become unhealthy, if the annotation in Kubernetes NodePort service like alb.ingress.kubernetes.io/target-type: IP is missing:-
You can try this one out; I am using it as a reference:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-usermgmt-restapp-service
  labels:
    app: usermgmt-restapp
  annotations:
    # Ingress Core Settings
    kubernetes.io/ingress.class: "alb"
    alb.ingress.kubernetes.io/scheme: internet-facing
    # Health Check Settings
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    #Important Note: Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
    #alb.ingress.kubernetes.io/healthcheck-path: /usermgmt/health-status
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    alb.ingress.kubernetes.io/success-codes: '200'
    alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
spec:
  rules:
  - http:
      paths:
      - path: /app1/*
        backend:
          serviceName: app1-nginx-nodeport-service
          servicePort: 80
      - path: /app2/*
        backend:
          serviceName: app2-nginx-nodeport-service
          servicePort: 80
      - path: /*
        backend:
          serviceName: usermgmt-restapp-nodeport-service
          servicePort: 8095
Read more at : https://www.stacksimplify.com/aws-eks/aws-alb-ingress/kubernetes-aws-alb-ingress-context-path-based-routing/
I am using AKS and I need to make the ingress controller accessible by host and IP (to be accessed by Traffic Manager). I am using Nginx Ingress rules as below,
for example using https://foo.bar.com and https://14.15.16.222
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo
  namespace: default
spec:
  tls:
  - hosts:
    - foo.bar.com
    secretName: foo-secret
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: echoheaders-x
          servicePort: 80
        path: /
The below configuration did the trick even though I get a certificate error with the IP access.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo
  namespace: default
spec:
  tls:
  - hosts:
    - foo.bar.com
    secretName: foo-secret
  rules:
  # Rule matched when the request carries the host name
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: echoheaders-x
          servicePort: 80
        path: /
  # Rule without a host, matched for access by IP
  - http:
      paths:
      - backend:
          serviceName: echoheaders-x
          servicePort: 80
        path: /
I have my gateway setup this way
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
  namespace: dev
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - hosts:
    - "bitcoin-testnet-zmq.my.net"
    port:
      number: 48832
      protocol: tcp
      name: bitcoin-zmq-testnet
  - hosts:
    - "*"
    port:
      number: 80
      protocol: http
      name: bitcoin-mainnet
Virtual service like this
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bitcoin-testnet-zmq
  namespace: dev
spec:
  hosts:
  - "bitcoin-testnet-zmq.my.net"
  gateways:
  - my-gateway
  tcp:
  - match:
    - port: 48832
    route:
    - destination:
        port:
          number: 48832
          name: bitcoin-zmq-testnet
        host: bitcoinrpc-testnet-dev-service
and my service is as follows
kind: Service
apiVersion: v1
metadata:
  name: bitcoinrpc-testnet-dev-service
  namespace: dev
spec:
  selector:
    app: bitcoin-node-testnet
  ports:
  - name: bitcoin-testnet
    protocol: TCP
    port: 80
    targetPort: 18332
  - name: bitcoin-zmq-testnet
    protocol: TCP
    port: 48832
    targetPort: 48832
  type: NodePort
When I login to a pod in the same namespace and do telnet bitcoinrpc-testnet-dev-service 48832, then it can connect.
Also, I found that all the other HTTP services can be accessed correctly through the istio-gateway.
I don't see an issue with your configurations, actually that's the usage of the istio Gateway, to allow external access to your services.