I have a bare-metal Kubernetes cluster which uses MetalLB as ELB.
I am trying to expose a service with an Istio Gateway, but I am facing a connection refused problem. I am new to Istio; please help me check my manifests.
versions:
Kubernetes cluster version: 1.27
Docker version 20.10.12, build e91ed57
cri-dockerd: cri-dockerd-0.3.4
OS: CentOS 7
MetalLB v0.13.10
problem:
Note: ceph-dashboard.xxx.com is in the /etc/hosts file
[ggfan@fedora rook]$ curl -vvv https://ceph-dashboard.xxx.com/
* Trying 172.28.6.200:443...
* connect to 172.28.6.200 port 443 failed: Connection refused
* Failed to connect to ceph-dashboard.xxx.com port 443 after 2 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to ceph-dashboard.xxx.com port 443 after 2 ms: Connection refused
the service:
Name: rook-ceph-mgr-dashboard
Namespace: rook-ceph
Labels: app=rook-ceph-mgr
rook_cluster=rook-ceph
Annotations: <none>
Selector: app=rook-ceph-mgr,mgr_role=active,rook_cluster=rook-ceph
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.102.185.38
IPs: 10.102.185.38
Port: http-dashboard 7000/TCP
TargetPort: 7000/TCP
Endpoints: 172.16.228.168:7000
Session Affinity: None
Events: <none>
gateway and virtual service definition:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ceph-dashboard-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 7000
      name: http-dashboard
      protocol: http-web
    tls:
      mode: SIMPLE
      credentialName: lecerts
    hosts:
    - ceph-dashboard.bgzchina.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ceph-dashboard-vs
spec:
  hosts:
  - "ceph-dashboard.bgzchina.com"
  gateways:
  - ceph-dashboard-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        port:
          number: 7000
        host: rook-ceph-mgr-dashboard
lecerts is a TLS secret created from Let's Encrypt certificates:
[ggfan@fedora ingress-nginx]$ kubectl describe secret lecerts -n rook-ceph
Name: lecerts
Namespace: rook-ceph
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 5238 bytes
tls.key: 241 bytes
the istio ingressgateway service:
istio-ingressgateway:
[ggfan@fedora rook]$ kubectl -n istio-system describe svc istio-ingressgateway
Name: istio-ingressgateway
Namespace: istio-system
Labels: app=istio-ingressgateway
install.operator.istio.io/owning-resource=unknown
install.operator.istio.io/owning-resource-namespace=istio-system
istio=ingressgateway
istio.io/rev=default
operator.istio.io/component=IngressGateways
operator.istio.io/managed=Reconcile
operator.istio.io/version=1.18.1
release=istio
Annotations: metallb.universe.tf/ip-allocated-from-pool: default-pool
Selector: app=istio-ingressgateway,istio=ingressgateway
Type: LoadBalancer
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.98.117.31
IPs: 10.98.117.31
LoadBalancer Ingress: 172.28.6.200
Port: status-port 15021/TCP
TargetPort: 15021/TCP
NodePort: status-port 31967/TCP
Endpoints: 172.16.228.161:15021
Port: http2 80/TCP
TargetPort: 8080/TCP
NodePort: http2 31509/TCP
Endpoints: 172.16.228.161:8080
Port: https 443/TCP
TargetPort: 8443/TCP
NodePort: https 30320/TCP
Endpoints: 172.16.228.161:8443
Port: tcp 31400/TCP
TargetPort: 31400/TCP
NodePort: tcp 32554/TCP
Endpoints: 172.16.228.161:31400
Port: tls 15443/TCP
TargetPort: 15443/TCP
NodePort: tls 32483/TCP
Endpoints: 172.16.228.161:15443
Session Affinity: None
External Traffic Policy: Cluster
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal nodeAssigned 45m metallb-speaker announcing from node "k8sc01wn03" with protocol "layer2"
Normal nodeAssigned 28m (x4 over 88m) metallb-speaker announcing from node "k8sc01mn01" with protocol "layer2"
2 Answers
An Istio Gateway "connection refused" error might be caused by any of the reasons below:
The istio-ingressgateway will not accept connections on a given port if it does not have a listener configured for that port. (Istio will configure the proxy to listen on the ports, ensure that external traffic to the ports are allowed into the mesh).
The Gateway object is specifying a credentialName and the Secret Discovery Service (SDS) is not enabled. For more details see credentialName in the Gateway TLS Settings reference.
Check that the Gateway object is created; you can see the credentialName parameter is specified like the following:
You can search the pilot logs for more details.
To check if SDS is enabled, you can inspect the istio ConfigMap on the istio-system namespace. If the sdsUdsPath is empty or not set, it means SDS is not enabled.
To obtain the value you can run the below command:
If it is set, the output will be as follows:
If SDS is disabled, the value will be empty as follows:
Please match your application Gateway ports with the istio-ingressgateway service's https port information. There is no port 7000 defined in the ingress gateway service.
The information below in the application Gateway has to match the https information in the istio-ingressgateway service.
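The port-matching fix the second answer describes, written out as an added example (not the asker's manifest or either answer's code): the server moves to port 443 with protocol HTTPS, which is the TLS port the istio-ingressgateway Service actually exposes (443 -> 8443 in the describe output above), while the backend stays on 7000 in the VirtualService. It assumes both resources live in the rook-ceph namespace and that the lecerts secret has been re-created in istio-system, because the ingress gateway pod loads credentialName secrets from its own namespace and cannot see one in rook-ceph.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ceph-dashboard-gateway
  namespace: rook-ceph            # assumption: same namespace as the VirtualService
spec:
  selector:
    istio: ingressgateway         # default ingress gateway deployment in istio-system
  servers:
  - port:
      number: 443                 # must be a port the istio-ingressgateway Service exposes
      name: https
      protocol: HTTPS             # 'http-web' is not an Istio protocol; TLS termination needs HTTPS
    tls:
      mode: SIMPLE                # gateway terminates TLS with the cert below
      credentialName: lecerts     # kubernetes.io/tls secret that must exist in istio-system
    hosts:
    - ceph-dashboard.bgzchina.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ceph-dashboard-vs
  namespace: rook-ceph
spec:
  hosts:
  - ceph-dashboard.bgzchina.com   # must match the Gateway server host exactly
  gateways:
  - ceph-dashboard-gateway        # same namespace, so the short name resolves
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        # fully qualified so the route does not depend on which namespace resolves it
        host: rook-ceph-mgr-dashboard.rook-ceph.svc.cluster.local
        port:
          number: 7000            # backend port stays 7000; only the gateway-facing port changed
```

After applying this, `istioctl -n istio-system proxy-config listener $(kubectl -n istio-system get pod -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}')` should list a listener on 0.0.0.0:8443; if it is absent, a missing or mis-typed lecerts secret in istio-system is the first thing to check, since the gateway will not open a TLS listener it has no certificate for.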