OpenShift and Istio Gateway traffic configuration in order to access using an external domain

4/12/2019

After deploying Istio 1.1.2 on OpenShift there is an istio-ingressgateway route with its associated service and pod.

I have successfully used that ingress gateway to access an application, configuring a Gateway and a VirtualService using * as hosts.

However, I would like to configure a domain, e.g. insuranceinc.es, to access the application. According to the documentation I have this Istio config:

Gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: insuranceinc-gateway
  namespace: istio-insuranceinc
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "insuranceinc.es"

VirtualService:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: insuranceinc
  namespace: istio-insuranceinc
spec:
  hosts:
    - insuranceinc.es
  gateways:
    - insuranceinc-gateway
  http:
    - route:
        - destination:
            host: insuranceinc-web
            port:
              number: 8080

If I make this curl invocation...

curl http://istio-ingressgateway-istio-system.apps.mycluster.com/login

... I can see a 404 error in the ingress-gateway pod:

[2019-04-12T15:27:51.765Z] "GET /login HTTP/1.1" 404 NR "-" 0 0 1 - "xxx" "curl/7.54.0" "xxx" "istio-ingressgateway-istio-system.apps.mycluster.com" "-" - - xxx -

This makes sense since it isn't coming from an insuranceinc.es host. So I change the curl to send a Host: insuranceinc.es header:

curl -H "Host: insuranceinc.es" http://istio-ingressgateway-istio-system.apps.mycluster.com/login

Now I am getting a 503 error and there are no logs in the istio-ingressgateway pod.

Application is not available

The application is currently not serving requests at this endpoint. It may not have been started or is still starting.

This means the request hasn't been processed by that istio-ingressgateway route->service->pod.

Since it is an OpenShift Route it must be needing a Host header containing the route host istio-ingressgateway-istio-system.apps.mycluster.com. In fact, if I send curl -H "Host: istio-ingressgateway-istio-system.apps.mycluster.com" http://istio-ingressgateway-istio-system.apps.mycluster.com/login it is processed by the istio ingress gateway, returning a 404.

So, how can I send my Host insuranceinc.es header and also reach the istio ingress gateway (which is actually an OpenShift route)?

-- codependent
istio
kubernetes
openshift
openshift-origin

1 Answer

7/8/2019

You need to create an OpenShift route in the istio-system namespace to relate to the hostname you created.

For example:

oc -n istio-system get routes
NAME              HOST/PORT                                            PATH      SERVICES               PORT      TERMINATION   WILDCARD
gateway1-lvlfn    insuranceinc.es                                                istio-ingressgateway   <all>                   None
-- Chris Reiche
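
A Route manifest that would produce a listing like the one in the answer above, as an added example that is not part of the original answer or the Istio/OpenShift projects. The route name `insuranceinc` is hypothetical, and the commented-out port name is an assumption about the ingress gateway Service.

```yaml
# Added example: OpenShift Route that makes the router accept
# "Host: insuranceinc.es" and forward it to the Istio ingress gateway.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: insuranceinc            # hypothetical name; the answer's route is gateway1-lvlfn
  namespace: istio-system       # same namespace as the istio-ingressgateway Service
spec:
  # Must be the same host the Gateway and VirtualService declare.
  # The OpenShift router matches the Host header against this value first;
  # without a matching Route it answers 503 "Application is not available"
  # and the request never reaches the ingress gateway pod.
  host: insuranceinc.es
  to:
    kind: Service
    name: istio-ingressgateway
    weight: 100
  wildcardPolicy: None
  # No "tls" block: the route is plain HTTP, matching the Gateway's
  # port 80 / protocol HTTP server.
  #
  # The answer's listing shows PORT <all>, i.e. no port is pinned.
  # To pin the route to the HTTP listener, uncomment the lines below.
  # Assumption: the port-80 entry of the Service is named "http2";
  # check with: oc -n istio-system get svc istio-ingressgateway -o yaml
  # port:
  #   targetPort: http2
```

Once the route is admitted, the request passes two Host checks in sequence: the OpenShift router against `spec.host` of the Route, then the ingress gateway against `hosts` in the Gateway and VirtualService.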
Source: StackOverflow