Enable ports in istio ingress gateway

11/15/2018

Hey so for sake of project need I have configure application that will response on port 8083 for that I configured following deployment, gateway, service and virtual service inside dedicated namespace

apiVersion: v1
data:
  my.databag.1: need_triage
kind: ConfigMap
metadata:
  name: my-service-env-variables
  namespace: api

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: my-service
  name: my-service-service-deployment
  namespace: api
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        traffic.sidecar.istio.io/excludeOutboundIPRanges: 0.0.0.0/0
      labels:
        app: my-service-service-deployment
    spec:
      containers:
      - env:
        - name: my.variable
          valueFrom:
            secretKeyRef:
              key: my_token
              name: my.variable
        envFrom:
        - configMapRef:
            name: my-service-env-variables
        image: imaagepath:tag
        name: my-service-pod
        ports:
        - containerPort: 8080
          name: mysvcport
        resources:
          limits:
            cpu: 700m
            memory: 1.8Gi
          requests:
            cpu: 500m
            memory: 1.7Gi

---
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: api
spec:
  ports:
  - port: 8083
    protocol: TCP
    targetPort: mysvcport
  selector:
    app: my-service-service-deployment

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-service-ingress
  namespace: api
spec:
  gateways:
  - http-gateway
  hosts:
  - my-service.example.com
  http:
  - route:
    - destination:
        host: my-service
        port:
          number: 8083
---
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1alpha3
  kind: Gateway
  metadata:
    clusterName: ""
    creationTimestamp: 2018-11-07T13:17:00Z
    name: http-gateway
    namespace: api
    resourceVersion: "11778445"
    selfLink: /apis/networking.istio.io/v1alpha3/namespaces/api/gateways/http-gateway
    uid: 694f66a4-e28f-11e8-bc21-0ac9e31187a0
  spec:
    selector:
      istio: ingressgateway
    servers:
    - hosts:
      - '*.example.com'
      port:
        name: http
        number: 80
        protocol: HTTP
    - hosts:
      - '*.example.com'
      port:
        name: http-tomcat
        number: 8083
        protocol: TCP
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

kubectl -n istio-system get service istio-ingressgateway -o yaml

apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"istio-ingressgateway","chart":"gateways-1.0.1","heritage":"Tiller","istio":"ingressgateway","release":"istio"},"name":"istio-ingressgateway","namespace":"istio-system"},"spec":{"ports":[{"name":"http2","nodePort":31380,"port":80,"targetPort":80},{"name":"https","nodePort":31390,"port":443},{"name":"tcp","nodePort":31400,"port":31400},{"name":"tcp-pilot-grpc-tls","port":15011,"targetPort":15011},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns-tls","port":853,"targetPort":853},{"name":"http2-prometheus","port":15030,"targetPort":15030},{"name":"http2-grafana","port":15031,"targetPort":15031}],"selector":{"app":"istio-ingressgateway","istio":"ingressgateway"},"type":"LoadBalancer"}}
  creationTimestamp: 2018-09-06T02:43:34Z
  labels:
    app: istio-ingressgateway
    chart: gateways-1.0.1
    heritage: Tiller
    istio: ingressgateway
    release: istio
  name: istio-ingressgateway
  namespace: istio-system
  resourceVersion: "12960680"
  selfLink: /api/v1/namespaces/istio-system/services/istio-ingressgateway
  uid: a6455551-b17e-11e8-893c-0a872c53b2c0
spec:
  clusterIP: 100.64.235.167
  externalTrafficPolicy: Cluster
  ports:
  - name: http2
    nodePort: 31380
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    nodePort: 31390
    port: 443
    protocol: TCP
    targetPort: 443
  - name: tcp
    nodePort: 31400
    port: 31400
    protocol: TCP
    targetPort: 31400
  - name: tcp-pilot-grpc-tls
    nodePort: 30052
    port: 15011
    protocol: TCP
    targetPort: 15011
  - name: tcp-citadel-grpc-tls
    nodePort: 30614
    port: 8060
    protocol: TCP
    targetPort: 8060
  - name: tcp-dns-tls
    nodePort: 30085
    port: 853
    protocol: TCP
    targetPort: 853
  - name: http2-prometheus
    nodePort: 30518
    port: 15030
    protocol: TCP
    targetPort: 15030
  - name: http2-grafana
    nodePort: 31358
    port: 15031
    protocol: TCP
    targetPort: 15031
  **_- name: http-tomcat
    nodePort: 30541
    port: 8083
    protocol: TCP
    targetPort: 8083_**
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - hostname: <elb_endpoint>

As we can see I edited the port in service ingress-gateway. But when I hit endpoint it gets response on port 80 and i am getting gateway timeout on 8083 I am wondering why its happening I added everywhere I can think of or get to know from docs and community. :)

Would really appreciate any help I can get in this.

-- Ahsan Naseem
istio
kubernetes
kubernetes-ingress
nginx

1 Answer

11/19/2018

By the way is istio-ingressgateway in correct status? I'm asking because the number of ports seems to exceed the limit. At our cluster we've discovered one day: Error creating load balancer (will retry): failed to ensure load balancer for service istio-system/istio-ingressgateway: googleapi: Error 400: Invalid value for field 'resource.ports[5]': '853'. Too many ports specified. Maximum is 5., invalid

You can check that by doing kubectl describe svc istio-ingressgateway -n istio-system

-- Anna Slastnikova
Source: StackOverflow