Accessing TCP port using istio ingress gateway outside the cluster - kubernetes-ingress

I have my gateway setup this way
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: my-gateway
namespace: dev
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- hosts:
- "bitcoin-testnet-zmq.my.net"
port:
number: 48832
protocol: tcp
name: bitcoin-zmq-testnet
- hosts:
- "*"
port:
number: 80
protocol: http
name: bitcoin-mainnet
Virtual service like this
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bitcoin-testnet-zmq
namespace: dev
spec:
hosts:
- "bitcoin-testnet-zmq.my.net"
gateways:
- my-gateway
tcp:
- match:
- port: 48832
route:
- destination:
port:
number: 48832
name: bitcoin-zmq-testnet
host: bitcoinrpc-testnet-dev-service
and my service is as follows
kind: Service
apiVersion: v1
metadata:
name: bitcoinrpc-testnet-dev-service
namespace: dev
spec:
selector:
app: bitcoin-node-testnet
ports:
- name: bitcoin-testnet
protocol: TCP
port: 80
targetPort: 18332
- name: bitcoin-zmq-testnet
protocol: TCP
port: 48832
targetPort: 48832
type: NodePort
When I login to a pod in the same namespace and do telnet bitcoinrpc-testnet-dev-service 48832, then it can connect.
Also, found that all the other http serviecs can be accessed correctly through the istio-gateway

I don't see an issue with your configurations, actually that's the usage of the istio Gateway, to allow external access to your services.

Related

how to configure ingress to direct traffic to an https backend ... with istio ingress

Hi i have deployed elastic search in Kubernetes with a self-signed certificate I want expose elastic search URL but am able to do nginx ingress but not successful with istio can any one explained how to do that
this is the virtual service
kind: VirtualService
metadata:
name: elasticsearch
namespace: istio-system
spec:
hosts:
- elasticsearch.domain.com
gateways:
- monitor-gateway
http:
- match:
- port: 443
route:
- destination:
host: elasticsearch.monitor.svc.cluster.local
port:
number: 9200
gateway
# Source: istio-ingress/templates/gateway.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: monitor-gateway
namespace: istio-system
labels:
app: istio-ingress
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: istio-ingress
app.kubernetes.io/version: 1.15.3
helm.sh/chart: gateway-1.15.3
istio: ingress
spec:
selector:
istio: ingress
servers:
- hosts:
- '*'
port:
name: http
number: 80
protocol: HTTP
- hosts:
- '*'
port:
name: https
number: 443
protocol: HTTP
- hosts:
- '*'
port:
name: tpc
number: 15021
protocol: TCP
By adding below destination Rule i resloved
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
annotations:
name: elasticsearch
namespace: istio-system
spec:
host: elasticsearch.monitor.svc.cluster.local
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 9200
tls:
clientCertificate: /etc/istio/ingress/ca.cert
mode: SIMPLE
privateKey: /etc/istio/ingress/tls.key

AWS EKS service ingress and ALB --no ADDRESS

I seem to be having an issue with the way my ports are setup on this manifest, which is a simple go app. The app is configured to listen on port 3000.
This container runs fine on my local machine (localhost:3000), but I get no ADDRESS when I look at the Ingress (k get ingress ...).
I am getting an error logged in the AWS aws-load-balancer-controller log when I try to run this image on EKS:
controller-runtime.manager.controller.ingress","msg":"Reconciler error","name":"fiber-demo","namespace":"demo","error":"ingress: demo/fiber-demo: unable to find port 3000 on service demo/fiber-demo"
This is my k8s manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
name: fiber-demo
namespace: demo
labels:
app: fiber-demo
spec:
replicas: 1
selector:
matchLabels:
app: fiber-demo
template:
metadata:
labels:
app: fiber-demo
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- arm64
containers:
- name: fiber-demo
image: 240195868935.dkr.ecr.us-east-2.amazonaws.com/fiber-demo:0.0.2
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
name: fiber-demo
namespace: demo
labels:
app: fiber-demo
spec:
selector:
app: fiber-demo
ports:
- protocol: TCP
port: 80
targetPort: 3000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: fiber-demo
namespace: demo
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facing
labels:
app: fiber-demo
spec:
rules:
- http:
paths:
- path: /
backend:
serviceName: fiber-demo
servicePort: 3000
Am I simply not able to specify a targetPort other than port 80 in the Service?
Am I simply not able to specify a targetPort other than port 80 in the Service?
backend.servicePort refers to port exposed by service, not container.
...
backend:
serviceName: fiber-demo # <-- ingress for this service, not container
servicePort: 80 # <-- port which the service exposed, not the port which the container exposed.

Problem with ALB Ingress Controller in redirecting to right path

I have done the setup of ALB (Application Load Balancer) using Ingress Controller (version -> docker.io/amazon/aws-alb-ingress-controller:v1.1.8) for my AWS EKS cluster (v 1.20) running with Fargate profile.
I can access my service using the load balancer link:-
http://5e07dbe1-default-nginxingr-29e9-1260427999.us-east-1.elb.amazonaws.com/
I have 2 different services configured in my Ingress as shown below:-
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: "nginx-ingress"
namespace: "default"
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/security-groups: sg-014b302d73097d083
# alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
# alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:195725532069:certificate/b6a9e691-b807-4f10-a0bf-0449730ecdf4
# alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
# alb.ingress.kubernetes.io/backend-protocol: HTTPS
#alb.ingress.kubernetes.io/load-balancer-attributes: "60"
#alb.ingress.kubernetes.io/rewrite-target: /
labels:
app: nginx-ingress
spec:
rules:
- http:
paths:
# - path: /*
# pathType: Prefix
# backend:
# service:
# name: ssl-redirect
# port:
# number: use-annotation
- path: /foo
pathType: Prefix
backend:
service:
name: "nginx-service"
port:
number: 80
- path: /*
pathType: Prefix
backend:
service:
name: "mydocker-svc"
port:
number: 8080
Now the problem is if I put /foo at the end of LB link then nothing happens and I get 404 not found error:-
Both my services are fine with respective Pods running behind their respective Kubernetes NodePort services but they are not accessible using the Ingress. If I swap the path to /* from /foo for the other service (nginx-service), I can then access that but then it will break my previous service (mydocker-svc).
Please let me know where I'm the mistake so that I can fix this issue. Thank you
ALB Controller:-
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/name: alb-ingress-controller
name: alb-ingress-controller
namespace: kube-system
spec:
selector:
matchLabels:
app.kubernetes.io/name: alb-ingress-controller
template:
metadata:
labels:
app.kubernetes.io/name: alb-ingress-controller
spec:
containers:
- name: alb-ingress-controller
args:
- --ingress-class=alb
- --cluster-name=eks-fargate-alb-demo
- --aws-vpc-id=vpc-0dc46d370e38de475
- --aws-region=us-east-1
image: docker.io/amazon/aws-alb-ingress-controller:v1.1.8
serviceAccountName: alb-ingress-controller
Nginx service:-
apiVersion: v1
kind: Service
metadata:
annotations:
alb.ingress.kubernetes.io/target-type: ip
name: "nginx-service"
namespace: "default"
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
type: NodePort
selector:
app: "nginx"
mydocker-svc:-
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
eks.amazonaws.com/fargate-profile: fp-default
run: mydocker
name: mydocker-svc
annotations:
alb.ingress.kubernetes.io/target-type: ip
spec:
ports:
- port: 8080
protocol: TCP
targetPort: 8080
selector:
eks.amazonaws.com/fargate-profile: fp-default
run: mydocker
type: NodePort
status:
loadBalancer: {}
TargetGroups become unhealthy, if the annotation in Kubernetes NodePort service like alb.ingress.kubernetes.io/target-type: IP is missing:-
You can try this out one i am using as reference
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-usermgmt-restapp-service
labels:
app: usermgmt-restapp
annotations:
# Ingress Core Settings
kubernetes.io/ingress.class: "alb"
alb.ingress.kubernetes.io/scheme: internet-facing
# Health Check Settings
alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
alb.ingress.kubernetes.io/healthcheck-port: traffic-port
#Important Note: Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer
#alb.ingress.kubernetes.io/healthcheck-path: /usermgmt/health-status
alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
alb.ingress.kubernetes.io/success-codes: '200'
alb.ingress.kubernetes.io/healthy-threshold-count: '2'
alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
spec:
rules:
- http:
paths:
- path: /app1/*
backend:
serviceName: app1-nginx-nodeport-service
servicePort: 80
- path: /app2/*
backend:
serviceName: app2-nginx-nodeport-service
servicePort: 80
- path: /*
backend:
serviceName: usermgmt-restapp-nodeport-service
servicePort: 8095
Read more at : https://www.stacksimplify.com/aws-eks/aws-alb-ingress/kubernetes-aws-alb-ingress-context-path-based-routing/

istio routing http to https upstream causes causes 302

My ingress gateway is at port 80 http and routing to a https destination.
With the following configuration
http://ingress-gateway.example.com/zzz
it gives 302 and the urls changes to https:
https://my-site.example.com/products
Why 302 and what am I missing?
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: my-gateway
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- port: # Note: I am entering using this port
number: 80
name: http
protocol: HTTP
hosts:
- "*"
- port: # Note: I am NOT entering using this port
number: 443
name: https
protocol: HTTPS
hosts:
- "*"
tls:
credentialName: my-credential
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: apps-domain
spec:
hosts:
- my-site.example.com
ports:
- number: 443
name: https-my-site
protocol: HTTPS
resolution: DNS
location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: my
spec:
hosts:
- "*"
gateways:
- my-gateway
http:
- match:
- uri:
prefix: /zzz
rewrite:
uri: /products
route:
- destination:
port:
number: 443
host: my-site.example.com
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: my-https-backend
spec:
host: my-site.example.com
trafficPolicy:
tls:
mode: SIMPLE
sni: my-site.example.com
You have a rewrite rule pointing to port 443
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: my
spec:
hosts:
- "*"
gateways:
- my-gateway
http:
- match:
- uri:
prefix: /zzz
rewrite:
uri: /products
route:
- destination:
port:
number: 443 # here
host: my-site.example.com

How to access Kong admin API when Kong is deployed using Kong-Ingress-Controller

I have installed Kong using Minikube Kong-Ingress-Controller
Services are visible like below. Now I am trying to find kong admin API so that I can install Konga dashboard on top of it but not sure where to find that
I am not sure whether I am following the correct process.
Can anyone help me to access the Kong admin API?
use kubectl port-forward deployment/ingress-kong -n kong 8444:8444
You can follow this response in a GitHub issue.
https://github.com/Kong/kubernetes-ingress-controller/issues/59#issuecomment-534380451
Expanding in case the link is invalidated. You need to create a service to expose the admin API endpoint and set the env var and ports for the same in kong ingress controller deployment.
apiVersion: v1
kind: Service
metadata:
name: kong-admin
namespace: kong
spec:
type: NodePort
ports:
- name: admin
port: 8001
protocol: TCP
targetPort: 8001
- name: admin-ssl
port: 8444
targetPort: 8444
protocol: TCP
selector:
app: ingress-kong
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: ingress-kong
name: ingress-kong
namespace: kong
spec:
...
template:
...
spec:
containers:
- env:
...
- name: KONG_ADMIN_LISTEN
value: 0.0.0.0:8001,0.0.0.0:8444 ssl
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000,0.0.0.0:8443 ssl
image: kong:1.3
name: proxy
ports:
- containerPort: 8001
name: admin
protocol: TCP
- containerPort: 8444
name: admin-ssl
protocol: TCP
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-ssl
protocol: TCP
- containerPort: 9542
name: metrics
protocol: TCP