I have problem related to WebSocket connection on - Istio Ingress Gateway <br> My cluster: Istio - 1.7.2, Kubernetes - 1.18.6
I’m trying to run my application on new config cluster, My app is working properly on Istio 1.5.1 and k8s 1.15.11.
I have one problem with properly WebSocket connection on internal IngressGateway, rest of features is working.
Config:
I using two Istio IngressGateways:
default external IngressGateway
internal IngressGateway (ClusterIP)
Example traffic flow:
Internet > external IngressGateway > Ocelot Gateway > internal IngressGateway > services (pods)
This communication is working properly for http - but websocket doesn’t working.
I found that connection is break on internal IngressGateway.
I see only this log - internal ingress gateway pod:
[2020-10-12T10:05:16.903Z] "- - HTTP/2" 0 DPE "-" "-" 0 0 0 - "-" "-" "-" "-" "-" - - 10.244.2.62:8080 10.244.1.16:58426 - -
I don’t see any traffic in my destination service.
I have checked websocket connection directly on my destination service and there is working properly.
I have tried change VirtualService config - add „websocketUpgrade: True” - but there isn’t this field on new Istio.
Istio installation: I have used istioctl, my IstioOperator below:
apiVersion: install.istio.io/v1alpha1 kind: IstioOperator spec: meshConfig: accessLogFile: /dev/stdout components: ingressGateways: - namespace: istio-system name: internal-ingressgateway label: app: internal-ingressgateway istio: internal-ingressgateway enabled: true k8s: resources: requests: cpu: 100m memory: 1000Mi service: type: ClusterIP ports: - port: 80 targetPort: 8080 values: gateways: istio-ingressgateway: debug: Trace global: istiod: enableAnalysis: true pilot: env: PILOT_ENABLE_STATUS: true
Do you have any ideas on these issues?
UPDATE - add configs:
External IngressGateway
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: external-gtw
namespace: istio-system
labels:
app: ingressgateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
protocol: HTTP2
name: http
hosts:
- "*"
tls:
httpsRedirect: true # sends 301 redirect for http requests
- port:
number: 443
protocol: HTTPS
name: https-default
tls:
mode: SIMPLE
serverCertificate: "sds"
privateKey: "sds"
credentialName: ........
hosts:
- "*"
Internal IngressGateway
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: internal-gtw
namespace: istio-system
labels:
app: internal-gtw
spec:
selector:
app: internal-ingressgateway
servers:
- port:
number: 80
protocol: HTTP2
name: http
hosts:
- "*"
VirtualService
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: notificationservice
spec:
gateways:
- istio-system/internal-gtw
hosts:
- '*'
http:
- match:
- uri:
prefix: /notificationservice/
rewrite:
uri: /
route:
- destination:
host: notificationserviceDestinationRules - currently I don't use