
Istio gateway, connection refused


I have a bare-metal Kubernetes cluster, which uses MetalLB as ELB.

I am trying to expose a service with an Istio gateway, but I am facing a connection refused problem. I am new to Istio, please help check my manifests.

versions:

Kubernetes cluster version: 1.27
Docker version 20.10.12, build e91ed57
cri-dockerd: cri-dockerd-0.3.4
OS: CentOS 7
MetalLB v0.13.10 

problem:

Note: ceph-dashboard.xxx.com is in /etc/hosts file

[ggfan@fedora rook]$ curl -vvv https://ceph-dashboard.xxx.com/
*   Trying 172.28.6.200:443...
* connect to 172.28.6.200 port 443 failed: Connection refused
* Failed to connect to ceph-dashboard.xxx.com port 443 after 2 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to ceph-dashboard.xxx.com port 443 after 2 ms: Connection refused

the service:

Name:              rook-ceph-mgr-dashboard
Namespace:         rook-ceph
Labels:            app=rook-ceph-mgr
                   rook_cluster=rook-ceph
Annotations:       <none>
Selector:          app=rook-ceph-mgr,mgr_role=active,rook_cluster=rook-ceph
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.102.185.38
IPs:               10.102.185.38
Port:              http-dashboard  7000/TCP
TargetPort:        7000/TCP
Endpoints:         172.16.228.168:7000
Session Affinity:  None
Events:            <none>

gateway and virtual service definition:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ceph-dashboard-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 7000
      name: http-dashboard
      protocol: http-web
    tls:
      mode: SIMPLE
      credentialName: lecerts
    hosts:
    - ceph-dashboard.bgzchina.com
    
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ceph-dashboard-vs
spec:
  hosts:
  - "ceph-dashboard.bgzchina.com"
  gateways:
  - ceph-dashboard-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        port:
          number: 7000
        host: rook-ceph-mgr-dashboard

lecerts is a TLS secret created from certs from Let's Encrypt:

[ggfan@fedora ingress-nginx]$ kubectl describe secret lecerts -n rook-ceph
Name:         lecerts
Namespace:    rook-ceph
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  5238 bytes
tls.key:  241 bytes

the istio ingressgateway service:


[ggfan@fedora rook]$ kubectl -n istio-system describe svc istio-ingressgateway
Name:                     istio-ingressgateway
Namespace:                istio-system
Labels:                   app=istio-ingressgateway
                          install.operator.istio.io/owning-resource=unknown
                          install.operator.istio.io/owning-resource-namespace=istio-system
                          istio=ingressgateway
                          istio.io/rev=default
                          operator.istio.io/component=IngressGateways
                          operator.istio.io/managed=Reconcile
                          operator.istio.io/version=1.18.1
                          release=istio
Annotations:              metallb.universe.tf/ip-allocated-from-pool: default-pool
Selector:                 app=istio-ingressgateway,istio=ingressgateway
Type:                     LoadBalancer
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       10.98.117.31
IPs:                      10.98.117.31
LoadBalancer Ingress:     172.28.6.200
Port:                     status-port  15021/TCP
TargetPort:               15021/TCP
NodePort:                 status-port  31967/TCP
Endpoints:                172.16.228.161:15021
Port:                     http2  80/TCP
TargetPort:               8080/TCP
NodePort:                 http2  31509/TCP
Endpoints:                172.16.228.161:8080
Port:                     https  443/TCP
TargetPort:               8443/TCP
NodePort:                 https  30320/TCP
Endpoints:                172.16.228.161:8443
Port:                     tcp  31400/TCP
TargetPort:               31400/TCP
NodePort:                 tcp  32554/TCP
Endpoints:                172.16.228.161:31400
Port:                     tls  15443/TCP
TargetPort:               15443/TCP
NodePort:                 tls  32483/TCP
Endpoints:                172.16.228.161:15443
Session Affinity:         None
External Traffic Policy:  Cluster
Events:
  Type    Reason        Age                From             Message
  ----    ------        ----               ----             -------
  Normal  nodeAssigned  45m                metallb-speaker  announcing from node "k8sc01wn03" with protocol "layer2"
  Normal  nodeAssigned  28m (x4 over 88m)  metallb-speaker  announcing from node "k8sc01mn01" with protocol "layer2"

Solution

  • Please match your application gateway port with the https port information of the istio-ingressgateway service. There is no port 7000 defined in the ingress gateway service.

    The information below in the application gateway has to match the https information in the istio-ingressgateway service.

    - port:
        number: 443
        name: https
        protocol: HTTPS
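
An added example (not part of the original question or answer) that automates the comparison the answer describes: it checks a Gateway server entry against the ports exposed by the istio-ingressgateway Service. The helper name `check_gateway_server` and its extra checks on the protocol value and on the namespace of the `credentialName` secret are assumptions of this example; the sample data is constructed from the manifests quoted above.

```python
# Added example; sample data is constructed from the manifests quoted on this page.
VALID_PROTOCOLS = {"HTTP", "HTTPS", "GRPC", "GRPC-WEB", "HTTP2", "MONGO", "TCP", "TLS"}
TLS_PROTOCOLS = {"HTTPS", "TLS"}
INGRESS_NAMESPACE = "istio-system"  # namespace of the ingress gateway workload

# Ports exposed by the istio-ingressgateway Service (port -> name).
INGRESS_SVC_PORTS = {15021: "status-port", 80: "http2", 443: "https",
                     31400: "tcp", 15443: "tls"}

TLS_BLOCK = {"mode": "SIMPLE", "credentialName": "lecerts"}
QUESTION_SERVER = {"port": {"number": 7000, "name": "http-dashboard",
                            "protocol": "http-web"}, "tls": TLS_BLOCK}
ANSWER_SERVER = {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                 "tls": TLS_BLOCK}


def check_gateway_server(server, svc_ports, secret_namespace):
    """Return findings for one Gateway.spec.servers entry (hypothetical helper)."""
    findings = []
    number = server["port"]["number"]
    proto = server["port"]["protocol"].upper()
    tls = server.get("tls") or {}
    if number not in svc_ports:
        findings.append(f"port {number} is not exposed by the ingress gateway Service")
    if proto not in VALID_PROTOCOLS:
        findings.append(f"protocol {proto!r} is not a valid Gateway protocol")
    elif tls and proto not in TLS_PROTOCOLS:
        findings.append(f"tls block set but protocol is {proto}")
    # Assumption of this example: the gateway reads credentialName secrets
    # from its own namespace, so a secret elsewhere is reported.
    if tls.get("credentialName") and secret_namespace != INGRESS_NAMESPACE:
        findings.append(f"secret {tls['credentialName']!r} is in namespace "
                        f"{secret_namespace!r}, not {INGRESS_NAMESPACE!r}")
    return findings


if __name__ == "__main__":
    for label, server, ns in [("question", QUESTION_SERVER, "rook-ceph"),
                              ("answer", ANSWER_SERVER, "istio-system")]:
        results = check_gateway_server(server, INGRESS_SVC_PORTS, ns)
        print(label, "->", results or "no findings")
```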