Why do secure gRPC calls not reach the ingress gateway?

7/11/2019

I have installed Istio 1.22.2 inside Kubernetes (1.12.x) with SDS enabled. I have been following this and I am able to do SSL termination at the ingress gateway for normal services (on HTTP/1.1), and I could see it in the access logs of the gateway.

gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 31400
      name: tcp
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: "review-this-co" # must be the same as secret
    hosts:
    - "xyz.example.com"

However, when gRPC is used over a secure channel, I could not see any access logs (the gRPC client fails). I was expecting similar behavior for gRPC as well (i.e. SSL termination at the ingress gateway).

NOTE: the same gRPC client works (the call reaches the ingress gateway and is visible in the access logs) with plaintext if the gateway is configured like the following:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 31400
      name: tcp
      protocol: GRPC
    hosts:
    - "xyz.example.com"

A network load balancer has been used (pass-through).

-- chandan
grpc
grpc-java
istio
kubernetes

2 Answers

7/23/2019

If I understand you correctly, the thing here is that:

  • GRPC currently works over an HTTP2 type transport

  • The current ingress is not capable of HTTP2

So are you sure your client is using HTTP1? Because otherwise it might not work.

Please let me know if that helped.

-- OhHiMark
Source: StackOverflow
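
The answer above turns on HTTP/2. As an added example (not from either answer and not Istio code), this probe performs the TLS handshake a gRPC client would: it offers only `h2` via ALPN, sends the Gateway host as SNI, and reports what the listener returned. The function names and the `cafile` parameter are assumptions of this example.

```python
import socket
import ssl

def probe_context(cafile=None):
    """TLS client context that offers only HTTP/2 via ALPN, like a gRPC client."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.set_alpn_protocols(["h2"])
    return ctx

def _matches(pattern, host):
    # Exact match, or a left-most single-label wildcard such as *.example.com
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def diagnose(negotiated_alpn, cert_names, expected_host):
    """Turn handshake results into findings; an empty list means the TLS side looks fine."""
    findings = []
    if negotiated_alpn != "h2":
        findings.append("no h2 via ALPN, gRPC over TLS cannot start (got %r)" % negotiated_alpn)
    if not any(_matches(name, expected_host) for name in cert_names):
        findings.append("certificate does not cover %s: %s" % (expected_host, sorted(cert_names)))
    return findings

def probe(address, port, sni, cafile=None, timeout=5.0):
    """Handshake with address:port while sending `sni`; returns a list of findings."""
    ctx = probe_context(cafile)
    ctx.check_hostname = False  # chain is still verified; name mismatch is reported by diagnose()
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
                return diagnose(tls.selected_alpn_protocol(), names, sni)
    except (ssl.SSLError, OSError) as exc:
        # Nothing HTTP-level was exchanged, so there is no request to appear in an access log.
        return ["handshake failed before any HTTP request: %s" % exc]

if __name__ == "__main__":
    # Constructed handshake results, not captured from a real gateway.
    print(diagnose("http/1.1", {"xyz.example.com"}, "xyz.example.com"))
    print(diagnose("h2", {"*.example.com"}, "xyz.example.com"))
```

Against the setup in the question this would be called as `probe("<load balancer address>", 31400, "xyz.example.com", cafile="<CA that signed the gateway certificate>")`, from the same network as the failing client.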

12/8/2019

Try out the gRPC greeter with Istio; it works for me.

# greeter.yaml

apiVersion: v1
kind: Service
metadata:
  name: greeter
  labels:
    app: greeter
spec:
  ports:
  - name: grpc
    port: 50051
  selector:
    app: greeter
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: greeter
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: greeter
        version: v1
    spec:
      containers:
      - image: tobegit3hub/grpc-helloworld
        imagePullPolicy: IfNotPresent
        name: greeter
        ports:
        - containerPort: 50051

# gateway.yaml

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: greeter-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - 'xyz.example.com'

# virtualservice.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: greeter
spec:
  hosts:
    - 'xyz.example.com'
  gateways:
    - greeter-gateway
  http:
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            host: greeter
            port:
              number: 50051

# grpc greeter client

docker run -it tobegit3hub/grpc-helloworld /greeter_client.py xyz.example.com:80

-- Raymond
Source: StackOverflow