I have an EKS cluster with 2 EC2 nodes. I want to use Istio with an ALB, not the classic ELB, so I modified the gateway from the Istio helm chart to use NodePort like this:

apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
    release: istio
    istio.io/rev: default
    install.operator.istio.io/owning-resource: unknown
    operator.istio.io/component: "IngressGateways"
spec:
  type: NodePort
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  ports:
    - name: status-port
      port: 15021
      protocol: TCP
      nodePort: 32767
    - name: http2
      port: 80
      protocol: TCP
      nodePort: 31231
    - name: https
      port: 443
      protocol: TCP
      nodePort: 31312
Also, I added the Ingress for the gateway:

---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  namespace: istio-system
  name: aws-load-balancer
spec:
  controller: ingress.k8s.aws/alb
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: istio-system
  name: ingress
  labels:
    app: ingress
  annotations:
    alb.ingress.kubernetes.io/healthcheck-port: "32767"
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/subnets: subnet-foo,subnet-bar
spec:
  ingressClassName: aws-load-balancer
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: istio-ingressgateway
                port:
                  number: 80
The ALB and the TargetGroup are created as expected, the nodes are healthy according to the TargetGroup health check.
The sample bookinfo stack and gateway are installed to a labeled namespace:

% kubectl get ns bookinfo --show-labels
NAME       STATUS   AGE   LABELS
bookinfo   Active   18h   istio-injection=enabled
istioctl shows the proxy status:

% istioctl proxy-status
NAME                                                 CDS      LDS      EDS      RDS        ISTIOD                      VERSION
details-v1-79f774bdb9-2scfv.bookinfo                 SYNCED   SYNCED   SYNCED   SYNCED     istiod-75c795985d-pwx9j     1.10.0
istio-ingressgateway-8579cc48f8-2d5sd.istio-system   SYNCED   SYNCED   SYNCED   NOT SENT   istiod-75c795985d-pwx9j     1.10.0
productpage-v1-6b746f74dc-l795c.bookinfo             SYNCED   SYNCED   SYNCED   SYNCED     istiod-75c795985d-pwx9j     1.10.0
ratings-v1-b6994bb9-l2vcp.bookinfo                   SYNCED   SYNCED   SYNCED   SYNCED     istiod-75c795985d-pwx9j     1.10.0
reviews-v1-545db77b95-shzkj.bookinfo                 SYNCED   SYNCED   SYNCED   SYNCED     istiod-75c795985d-pwx9j     1.10.0
reviews-v2-7bf8c9648f-6k6mk.bookinfo                 SYNCED   SYNCED   SYNCED   SYNCED     istiod-75c795985d-pwx9j     1.10.0
reviews-v3-84779c7bbc-6mw5f.bookinfo                 SYNCED   SYNCED   SYNCED   SYNCED     istiod-75c795985d-pwx9j     1.10.0
But when I try to reach it, it gives back a 502:

% curl http://internal-k8s-istiosys-ingress-foo-bar.eu-west-1.elb.amazonaws.com/productpage
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
</body>
</html>
Istio version: 1.10
Kubernetes version: 1.19
EKS version: eks.5

Edit:

It turned out there are no listeners attached:

% istioctl proxy-config listeners -n istio-system istio-ingressgateway-8579cc48f8-2d5sd.istio-system
ADDRESS   PORT    MATCH   DESTINATION
0.0.0.0   15021   ALL     Inline Route: /healthz/ready*
0.0.0.0   15090   ALL     Inline Route: /stats/prometheus*
However, if I change a port for the Gateway from 80 to 9000, the listeners are created, but it needs to match the ingress-gateway port:

% istioctl proxy-config listeners -n istio-system istio-ingressgateway-8579cc48f8-qzn59
ADDRESS   PORT    MATCH   DESTINATION
0.0.0.0   9000    ALL     Route: http.9000
0.0.0.0   15021   ALL     Inline Route: /healthz/ready*
0.0.0.0   15090   ALL     Inline Route: /stats/prometheus*

If anybody faces the same issue: it turned out that the default Istio ingress gateway cannot bind to 80 since it is an unprivileged pod. I updated the deployment specification, and now it is up and running.
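The root cause in this thread is a port-wiring mismatch between the ALB Ingress, the NodePort Service and the gateway pod: the posted Service omits targetPort, so Kubernetes defaults it to the Service port, and traffic for 80 is sent to pod port 80, where an unprivileged gateway container cannot listen. The following script is an added example, not part of the original question, that checks that wiring before you go hunting for 502s. The Service and Ingress literals mirror the manifests posted above; the gateway Deployment is an assumed one whose istio-proxy container listens on 8080/8443/15021 (Istio's unprivileged-port layout, which the poster ran into). In real use you would load the dicts from `kubectl get svc,deploy,ingress -n istio-system -o json` instead of the constructed literals.

```python
"""Check Ingress -> Service -> gateway container port wiring (added example)."""
import copy
from typing import Any, Dict, List, Union

# --- Constructed manifests, shaped like `kubectl get ... -o json` output ---

# The Service exactly as posted above: no targetPort on any port.
ISTIO_GATEWAY_SERVICE: Dict[str, Any] = {
    "kind": "Service",
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
    "spec": {
        "type": "NodePort",
        "selector": {"app": "istio-ingressgateway", "istio": "ingressgateway"},
        "ports": [
            {"name": "status-port", "port": 15021, "protocol": "TCP", "nodePort": 32767},
            {"name": "http2", "port": 80, "protocol": "TCP", "nodePort": 31231},
            {"name": "https", "port": 443, "protocol": "TCP", "nodePort": 31312},
        ],
    },
}

# ASSUMED gateway Deployment: the unprivileged istio-proxy container opens
# 8080/8443 rather than 80/443 (plus the 15021 status port).
ISTIO_GATEWAY_DEPLOYMENT: Dict[str, Any] = {
    "kind": "Deployment",
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "istio-proxy",
        "ports": [
            {"name": "status-port", "containerPort": 15021, "protocol": "TCP"},
            {"name": "http2", "containerPort": 8080, "protocol": "TCP"},
            {"name": "https", "containerPort": 8443, "protocol": "TCP"},
        ],
    }]}}},
}

# The ALB Ingress as posted: backend is Service port 80, health check on NodePort 32767.
ALB_INGRESS: Dict[str, Any] = {
    "kind": "Ingress",
    "metadata": {
        "name": "ingress", "namespace": "istio-system",
        "annotations": {
            "alb.ingress.kubernetes.io/healthcheck-port": "32767",
            "alb.ingress.kubernetes.io/healthcheck-path": "/healthz/ready",
        },
    },
    "spec": {"rules": [{"http": {"paths": [{
        "path": "/", "pathType": "Prefix",
        "backend": {"service": {"name": "istio-ingressgateway", "port": {"number": 80}}},
    }]}}]},
}


def container_port_index(deploy: Dict[str, Any]) -> Dict[Union[int, str], int]:
    """Map each containerPort number, and its name if it has one, to the number.
    This lets a Service targetPort given as a name (e.g. "http2") resolve too."""
    index: Dict[Union[int, str], int] = {}
    for c in deploy["spec"]["template"]["spec"]["containers"]:
        for p in c.get("ports", []):
            index[p["containerPort"]] = p["containerPort"]
            if "name" in p:
                index[p["name"]] = p["containerPort"]
    return index


def find_wiring_problems(svc: Dict[str, Any], deploy: Dict[str, Any],
                         ingress: Dict[str, Any]) -> List[str]:
    """Return human-readable descriptions of every broken hop in the path
    ALB -> Ingress backend -> Service port -> targetPort -> container port."""
    problems: List[str] = []
    cports = container_port_index(deploy)
    svc_ports = {p["port"]: p for p in svc["spec"]["ports"]}
    node_ports = {str(p["nodePort"]) for p in svc["spec"]["ports"] if "nodePort" in p}

    # 1. Each Service port must land on a port the gateway container really opens.
    #    Kubernetes defaults targetPort to port when omitted, which is what turns
    #    the intended 80 -> 8080 into 80 -> 80 in the posted Service.
    for port, p in svc_ports.items():
        target = p.get("targetPort", port)
        if target not in cports:
            problems.append(f"service port {port} -> targetPort {target}: "
                            f"gateway container exposes no such port")

    # 2. The Ingress backend must name this Service and one of its ports.
    for rule in ingress["spec"]["rules"]:
        for path in rule["http"]["paths"]:
            be = path["backend"]["service"]
            if be["name"] != svc["metadata"]["name"]:
                problems.append(f"ingress backend {be['name']} is not service {svc['metadata']['name']}")
            elif be["port"].get("number") not in svc_ports:
                problems.append(f"ingress backend port {be['port']} does not exist on the service")

    # 3. With instance targets, the ALB health-check annotation must be a NodePort
    #    of this Service (or the literal "traffic-port").
    hc = ingress["metadata"].get("annotations", {}).get(
        "alb.ingress.kubernetes.io/healthcheck-port", "traffic-port")
    if hc != "traffic-port" and hc not in node_ports:
        problems.append(f"healthcheck-port {hc} is not a NodePort of the service")
    return problems


def with_target_ports(svc: Dict[str, Any], mapping: Dict[int, int]) -> Dict[str, Any]:
    """Return a copy of the Service with explicit targetPorts, e.g. {80: 8080, 443: 8443}."""
    fixed = copy.deepcopy(svc)
    for p in fixed["spec"]["ports"]:
        if p["port"] in mapping:
            p["targetPort"] = mapping[p["port"]]
    return fixed


if __name__ == "__main__":
    for line in find_wiring_problems(ISTIO_GATEWAY_SERVICE, ISTIO_GATEWAY_DEPLOYMENT, ALB_INGRESS):
        print("PROBLEM:", line)
    fixed = with_target_ports(ISTIO_GATEWAY_SERVICE, {80: 8080, 443: 8443})
    print("after fix:", find_wiring_problems(fixed, ISTIO_GATEWAY_DEPLOYMENT, ALB_INGRESS) or "OK")
```

Run against the posted manifests, the check flags Service ports 80 and 443 as landing on container ports the gateway never opens, while 15021 (the ALB health check target) passes, which is exactly why the target group reported healthy nodes while application requests got 502. Adding explicit targetPorts that match the container's unprivileged ports clears both findings.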