How to expose an external IP address for a sample Istio application

4/30/2019

I am trying to set up the bookinfo sample application for Istio and Kubernetes on a small cluster. The cluster consists of two machines, a master and a worker, running on Ubuntu 18.04 on two Amazon AWS EC2 instances. Each of the instances has an external IP address assigned.

What I'm unable to do is figure out how to expose the bookinfo service to the outside world.

I am confused as to whether I need to expose the Istio ingress gateway or each one of the bookinfo services separately.

When listing the ingress gateway, the external IP field just says pending. Also, when describing the worker node, there's no mention of an external IP address in the output.

I've gone through Google but can't really find a proper solution. Describing the ingress gateway only gives internal (i.e. 10.x.x.x) addresses.

Output from get and describe commands:

kubectl get svc istio-ingressgateway -n istio-system
NAME                   TYPE           CLUSTER-IP   EXTERNAL-IP   PORT(S)                                                                                                                                      AGE
istio-ingressgateway   LoadBalancer   10.96.39.4   <pending>     15020:31451/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:31075/TCP,15030:32093/TCP,15031:31560/TCP,15032:30526/TCP,15443:31526/TCP   68m

kubectl describe  svc istio-ingressgateway  -n istio-system
Name:                     istio-ingressgateway
Namespace:                istio-system
Labels:                   app=istio-ingressgateway
                          chart=gateways
                          heritage=Tiller
                          istio=ingressgateway
                          release=istio
Annotations:              kubectl.kubernetes.io/last-applied-configuration:
                            {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"istio-ingressgateway","chart":"gateways","heritage":"Til...
Selector:                 app=istio-ingressgateway,istio=ingressgateway,release=istio
Type:                     LoadBalancer
IP:                       10.96.39.4
Port:                     status-port  15020/TCP
TargetPort:               15020/TCP
NodePort:                 status-port  31451/TCP
Endpoints:                10.244.1.6:15020
Port:                     http2  80/TCP
TargetPort:               80/TCP
NodePort:                 http2  31380/TCP
Endpoints:                10.244.1.6:80
Port:                     https  443/TCP
TargetPort:               443/TCP
NodePort:                 https  31390/TCP
Endpoints:                10.244.1.6:443
Port:                     tcp  31400/TCP
TargetPort:               31400/TCP
NodePort:                 tcp  31400/TCP
Endpoints:                10.244.1.6:31400
Port:                     https-kiali  15029/TCP
TargetPort:               15029/TCP
NodePort:                 https-kiali  31075/TCP
Endpoints:                10.244.1.6:15029
Port:                     https-prometheus  15030/TCP
TargetPort:               15030/TCP
NodePort:                 https-prometheus  32093/TCP
Endpoints:                10.244.1.6:15030
Port:                     https-grafana  15031/TCP
TargetPort:               15031/TCP
NodePort:                 https-grafana  31560/TCP
Endpoints:                10.244.1.6:15031
Port:                     https-tracing  15032/TCP
TargetPort:               15032/TCP
NodePort:                 https-tracing  30526/TCP
Endpoints:                10.244.1.6:15032
Port:                     tls  15443/TCP
TargetPort:               15443/TCP
NodePort:                 tls  31526/TCP
Endpoints:                10.244.1.6:15443
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

Any help appreciated.

-- redmage123
istio
kubernetes

1 Answer

5/28/2019

Quoting Istio's official documentation:

If your cluster is running in an environment that does not support an external load balancer (e.g., minikube), the EXTERNAL-IP of istio-ingressgateway will say <pending>. To access the gateway, use the service’s NodePort, or use port-forwarding instead.

Your cluster seems to fall into the 'Custom (cloud)' way of setting up Kubernetes, which by default does not support Load Balancer.

Solution for you:

  • You must allow inbound traffic to your AWS EC2 instance serving the worker role
    (in other words, you have to open the NodePort of istio-ingressgateway's service on the firewall; see below how to get this port number)
  • Get the NodePort of istio-ingressgateway with the command:

    export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')

  • Get the EXTERNAL_IP of your worker node with the command:

    export INGRESS_HOST=$(kubectl get nodes --selector='!node-role.kubernetes.io/master' -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}')

and follow the remaining part of the bookinfo sample without any changes.

-- Nepomucen
Source: StackOverflow
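
The answer's two lookups as an added example (not part of the original answer), wrapped so that an empty result is reported instead of exported: the question notes that the worker node shows no ExternalIP, in which case the `INGRESS_HOST` query returns nothing. Function names, the `sg-PLACEHOLDER` group id and the sample CIDR are assumptions; the firewall rule is only printed, and it covers the single http2 NodePort because the same Service also publishes NodePorts for Kiali, Prometheus, Grafana and tracing.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Function names are hypothetical.

# NodePort of one named port on the istio-ingressgateway Service (default: http2).
ingress_node_port() {
  kubectl -n istio-system get service istio-ingressgateway \
    -o jsonpath="{.spec.ports[?(@.name==\"${1:-http2}\")].nodePort}"
}

# ExternalIP addresses of the non-master nodes, space separated; may be empty.
worker_external_ips() {
  kubectl get nodes --selector='!node-role.kubernetes.io/master' \
    -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}'
}

# Print host:port for the gateway, or fail instead of exporting empty variables.
gateway_url() {
  gw_port="$(ingress_node_port http2)"
  gw_ips="$(worker_external_ips)"
  case "$gw_port" in
    ''|*[!0-9]*) echo "no http2 nodePort on istio-ingressgateway" >&2; return 1 ;;
  esac
  if [ -z "$gw_ips" ]; then
    echo "nodes report no ExternalIP; set INGRESS_HOST to the worker's public IP" >&2
    return 2
  fi
  # With External Traffic Policy: Cluster, any node forwards the NodePort,
  # so the first address is enough when several workers are listed.
  echo "${gw_ips%% *}:${gw_port}"
}

# Print (not run) a security-group rule for that single port and one source CIDR.
# The group id is a placeholder; the CIDR is the caller's choice.
sg_rule_cmd() {
  sg_port="$(ingress_node_port http2)" || return 1
  [ -n "$sg_port" ] || return 1
  echo "aws ec2 authorize-security-group-ingress --group-id ${1:?group id}" \
       "--protocol tcp --port ${sg_port} --cidr ${2:?source CIDR}"
}

# Run against the current kubectl context only when invoked with "run".
if [ "${1:-}" = "run" ]; then
  GATEWAY_URL="$(gateway_url)" || exit 1
  export GATEWAY_URL
  echo "GATEWAY_URL=${GATEWAY_URL}"
  sg_rule_cmd "sg-PLACEHOLDER" "${2:-203.0.113.0/24}"
fi
```

Exit status 2 from `gateway_url` means the nodes carry no ExternalIP in the Kubernetes API, which is separate from the Service's `<pending>` EXTERNAL-IP column.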