istio: Bookinfo with HTTPS external access example is not working
Bug description
When trying to follow this “Bookinfo with HTTPS access to a Google Books web service” example, it is unable to retrieve the book info from Google via an HTTPS call.
https://istio.io/blog/2018/egress-https/#bookinfo-with-https-access-to-a-google-books-web-service
Expected behavior
Expected it to be able to retrieve the book info via an HTTPS call after applying the ServiceEntry per the example.
Steps to reproduce the bug
- Install istio with my helm values below
- Run through the example step by step
Version (include the output of `istioctl version --remote` and `kubectl version`)
```
$ istioctl version --remote
client version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Clean", GitTag:"1.1.4-10-g9b6d31b"}
citadel version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b-dirty", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.4-10-g9b6d31b"}
egressgateway version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Clean", GitTag:"1.1.4-10-g9b6d31b"}
galley version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b-dirty", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.4-10-g9b6d31b"}
ingressgateway version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Clean", GitTag:"1.1.4-10-g9b6d31b"}
ingressgateway-mqtt version: version.BuildInfo{Version:"", GitRevision:"", User:"", Host:"", GolangVersion:"", DockerHub:"", BuildStatus:"", GitTag:""}
nodeagent version: version.BuildInfo{Version:"", GitRevision:"", User:"", Host:"", GolangVersion:"", DockerHub:"", BuildStatus:"", GitTag:""}
nodeagent version: version.BuildInfo{Version:"", GitRevision:"", User:"", Host:"", GolangVersion:"", DockerHub:"", BuildStatus:"", GitTag:""}
nodeagent version: version.BuildInfo{Version:"", GitRevision:"", User:"", Host:"", GolangVersion:"", DockerHub:"", BuildStatus:"", GitTag:""}
nodeagent version: version.BuildInfo{Version:"", GitRevision:"", User:"", Host:"", GolangVersion:"", DockerHub:"", BuildStatus:"", GitTag:""}
nodeagent version: version.BuildInfo{Version:"", GitRevision:"", User:"", Host:"", GolangVersion:"", DockerHub:"", BuildStatus:"", GitTag:""}
nodeagent version: version.BuildInfo{Version:"", GitRevision:"", User:"", Host:"", GolangVersion:"", DockerHub:"", BuildStatus:"", GitTag:""}
nodeagent version: version.BuildInfo{Version:"", GitRevision:"", User:"", Host:"", GolangVersion:"", DockerHub:"", BuildStatus:"", GitTag:""}
nodeagent version: version.BuildInfo{Version:"", GitRevision:"", User:"", Host:"", GolangVersion:"", DockerHub:"", BuildStatus:"", GitTag:""}
nodeagent version: version.BuildInfo{Version:"", GitRevision:"", User:"", Host:"", GolangVersion:"", DockerHub:"", BuildStatus:"", GitTag:""}
nodeagent version: version.BuildInfo{Version:"", GitRevision:"", User:"", Host:"", GolangVersion:"", DockerHub:"", BuildStatus:"", GitTag:""}
nodeagent version: version.BuildInfo{Version:"", GitRevision:"", User:"", Host:"", GolangVersion:"", DockerHub:"", BuildStatus:"", GitTag:""}
nodeagent version: version.BuildInfo{Version:"", GitRevision:"", User:"", Host:"", GolangVersion:"", DockerHub:"", BuildStatus:"", GitTag:""}
pilot version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b-dirty", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.4-10-g9b6d31b"}
policy version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b-dirty", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.4-10-g9b6d31b"}
sidecar-injector version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b-dirty", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.4-10-g9b6d31b"}
telemetry version: version.BuildInfo{Version:"1.1.5", GitRevision:"9b6d31b74d1c0cc9358cc82d395b53f71393326b-dirty", User:"root", Host:"3e29fde4-6c3f-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.4-10-g9b6d31b"}

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.1", GitCommit:"4ed3216f3ec431b140b1d899130a69fc671678f4", GitTreeState:"clean", BuildDate:"2018-10-05T16:46:06Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.7", GitCommit:"65ecaf0671341311ce6aea0edab46ee69f65d59e", GitTreeState:"clean", BuildDate:"2019-01-24T19:22:45Z", GoVersion:"go1.10.7", Compiler:"gc", Platform:"linux/amd64"}
```
How was Istio installed? Installed via helm template (https://istio.io/docs/setup/kubernetes/install/helm/#option-1-install-with-helm-via-helm-template)
Values file:
```yaml
---
# Top level istio values file has the following sections.
#
# global: This file is the authoritative and exhaustive source for the global section.
#
# chart sections: Every subdirectory inside the charts/ directory has a top level
#   configuration key in this file. This file overrides the values specified
#   by the charts/${chartname}/values.yaml.
#   Check the chart level values file for exhaustive list of configuration options.

#
# Gateways Configuration, refer to the charts/gateways/values.yaml
# for detailed configuration
#
gateways:
  enabled: true

  # istio-ingressgateway:
  #   resources:
  #     requests:
  #       cpu: 10m
  #       memory: 40Mi
  #     limits:
  #       cpu: 100m
  #       memory: 128Mi

  istio-egressgateway:
    enabled: true
    resources:
      requests:
        cpu: 10m
        memory: 40Mi
      limits:
        cpu: 100m
        memory: 128Mi

  istio-ingressgateway:
    enabled: true
    #
    # Secret Discovery Service (SDS) configuration for ingress gateway.
    #
    sds:
      # If true, ingress gateway fetches credentials from SDS server to handle TLS connections.
      enabled: true
      # SDS server that watches kubernetes secrets and provisions credentials to ingress gateway.
      # This server runs in the same pod as ingress gateway.
      image: node-agent-k8s

    labels:
      app: istio-ingressgateway
      istio: ingressgateway
    autoscaleEnabled: true
    autoscaleMin: 1
    autoscaleMax: 5
    # specify replicaCount when autoscaleEnabled: false
    # replicaCount: 1
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 256Mi
    cpu:
      targetAverageUtilization: 80
    loadBalancerIP: ""
    loadBalancerSourceRanges: []
    externalIPs: []
    serviceAnnotations: {}
    podAnnotations: {}
    type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
    #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out
    ports:
      ## You can add custom gateway ports
      # Note that AWS ELB will by default perform health checks on the first port
      # on this list. Setting this to the health check port will ensure that health
      # checks always work. https://github.com/istio/istio/issues/12503
      # - port: 15020
      #   targetPort: 15020
      #   name: status-port
      - port: 80
        targetPort: 80
        name: http2
        # nodePort: 31380
      - port: 443
        name: https
        # nodePort: 31390
      # Example of a port to add. Remove if not needed
      # - port: 31400
      #   name: tcp
      #   nodePort: 31400
      ### PORTS FOR UI/metrics #####
      ## Disable if not needed
      # - port: 15029
      #   targetPort: 15029
      #   name: https-kiali
      # - port: 15030
      #   targetPort: 15030
      #   name: https-prometheus
      # - port: 15031
      #   targetPort: 15031
      #   name: https-grafana
      # - port: 15032
      #   targetPort: 15032
      #   name: https-tracing
      # This is the port where sni routing happens
      # - port: 15443
      #   targetPort: 15443
      #   name: tls
    #### MESH EXPANSION PORTS ########
    # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
    # to pilot/citadel if global.meshExpansion settings are enabled.
    # Delete these ports if mesh expansion is not enabled, to avoid
    # exposing unnecessary ports on the web.
    # You can remove these ports if you are not using mesh expansion
    meshExpansionPorts:
      - port: 15011
        targetPort: 15011
        name: tcp-pilot-grpc-tls
      - port: 15004
        targetPort: 15004
        name: tcp-mixer-grpc-tls
      - port: 8060
        targetPort: 8060
        name: tcp-citadel-grpc-tls
      - port: 853
        targetPort: 853
        name: tcp-dns-tls
    ####### end MESH EXPANSION PORTS ######
    ##############
    secretVolumes:
      - name: ingressgateway-certs
        secretName: istio-ingressgateway-certs
        mountPath: /etc/istio/ingressgateway-certs
      - name: ingressgateway-ca-certs
        secretName: istio-ingressgateway-ca-certs
        mountPath: /etc/istio/ingressgateway-ca-certs
    ### Advanced options ############
    env:
      # A gateway with this mode ensures that pilot generates an additional
      # set of clusters for internal services but without Istio mTLS, to
      # enable cross cluster routing.
      ISTIO_META_ROUTER_MODE: "sni-dnat"
    nodeSelector: {}

    # Specify the pod anti-affinity that allows you to constrain which nodes
    # your pod is eligible to be scheduled based on labels on pods that are
    # already running on the node rather than based on labels on nodes.
    # There are currently two types of anti-affinity:
    #    "requiredDuringSchedulingIgnoredDuringExecution"
    #    "preferredDuringSchedulingIgnoredDuringExecution"
    # which denote “hard” vs. “soft” requirements, you can define your values
    # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
    # correspondingly.
    # For example:
    # podAntiAffinityLabelSelector:
    # - key: security
    #   operator: In
    #   values: S1,S2
    #   topologyKey: "kubernetes.io/hostname"
    # This pod anti-affinity rule says that the pod requires not to be scheduled
    # onto a node if that node is already running a pod with label having key
    # “security” and value “S1”.
    podAntiAffinityLabelSelector: {}
    podAntiAffinityTermLabelSelector: {}

  istio-ingressgateway-mqtt:
    enabled: true
    #
    # Secret Discovery Service (SDS) configuration for ingress gateway.
    #
    sds:
      # If true, ingress gateway fetches credentials from SDS server to handle TLS connections.
      enabled: true
      # SDS server that watches kubernetes secrets and provisions credentials to ingress gateway.
      # This server runs in the same pod as ingress gateway.
      image: node-agent-k8s

    labels:
      app: istio-ingressgateway-mqtt
      istio: ingressgateway-mqtt
    autoscaleEnabled: true
    autoscaleMin: 1
    autoscaleMax: 5
    # specify replicaCount when autoscaleEnabled: false
    # replicaCount: 1
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 256Mi
    cpu:
      targetAverageUtilization: 80
    loadBalancerIP: ""
    loadBalancerSourceRanges: []
    externalIPs: []
    serviceAnnotations: {}
    podAnnotations: {}
    type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
    #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out
    ports:
      - port: 443
        name: mqtt
    secretVolumes:
      - name: ingressgateway-certs
        secretName: istio-ingressgateway-certs
        mountPath: /etc/istio/ingressgateway-certs
      - name: ingressgateway-ca-certs
        secretName: istio-ingressgateway-ca-certs
        mountPath: /etc/istio/ingressgateway-ca-certs
    ### Advanced options ############
    env:
      # A gateway with this mode ensures that pilot generates an additional
      # set of clusters for internal services but without Istio mTLS, to
      # enable cross cluster routing.
      ISTIO_META_ROUTER_MODE: "sni-dnat"
    nodeSelector: {}
    podAntiAffinityLabelSelector: {}
    podAntiAffinityTermLabelSelector: {}

  # Second ingress gateway
  # istio-ingressgateway-2:
  #   enabled: true
  #   #
  #   # Secret Discovery Service (SDS) configuration for ingress gateway.
  #   #
  #   sds:
  #     # If true, ingress gateway fetches credentials from SDS server to handle TLS connections.
  #     enabled: true
  #     # SDS server that watches kubernetes secrets and provisions credentials to ingress gateway.
  #     # This server runs in the same pod as ingress gateway.
  #     image: node-agent-k8s
  #   labels:
  #     app: istio-ingressgateway
  #     istio: ingressgateway
  #   autoscaleEnabled: true
  #   autoscaleMin: 1
  #   autoscaleMax: 5
  #   # specify replicaCount when autoscaleEnabled: false
  #   # replicaCount: 1
  #   resources:
  #     requests:
  #       cpu: 100m
  #       memory: 128Mi
  #     limits:
  #       cpu: 2000m
  #       memory: 256Mi
  #   cpu:
  #     targetAverageUtilization: 80
  #   loadBalancerIP: ""
  #   loadBalancerSourceRanges: []
  #   externalIPs: []
  #   serviceAnnotations: {}
  #   podAnnotations: {}
  #   type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
  #   #externalTrafficPolicy: Local #change to Local to preserve source IP or Cluster for default behaviour or leave commented out
  #   ports:
  #     ## You can add custom gateway ports
  #     # Note that AWS ELB will by default perform health checks on the first port
  #     # on this list. Setting this to the health check port will ensure that health
  #     # checks always work. https://github.com/istio/istio/issues/12503
  #     - port: 15020
  #       targetPort: 15020
  #       name: status-port
  #     - port: 80
  #       targetPort: 80
  #       name: http2
  #       nodePort: 31381
  #     - port: 443
  #       name: https
  #       nodePort: 31391
  #     # Example of a port to add. Remove if not needed
  #     - port: 31400
  #       name: tcp
  #       nodePort: 31401
  #     ### PORTS FOR UI/metrics #####
  #     ## Disable if not needed
  #     - port: 15029
  #       targetPort: 15029
  #       name: https-kiali
  #     - port: 15030
  #       targetPort: 15030
  #       name: https-prometheus
  #     - port: 15031
  #       targetPort: 15031
  #       name: https-grafana
  #     - port: 15032
  #       targetPort: 15032
  #       name: https-tracing
  #     # This is the port where sni routing happens
  #     - port: 15443
  #       targetPort: 15443
  #       name: tls

#
# sidecar-injector webhook configuration, refer to the
# charts/sidecarInjectorWebhook/values.yaml for detailed configuration
#
sidecarInjectorWebhook:
  enabled: true

#
# galley configuration, refer to charts/galley/values.yaml
# for detailed configuration
#
galley:
  enabled: true

#
# mixer configuration
#
# @see charts/mixer/values.yaml, it takes precedence
mixer:
  enabled: true
  policy:
    # if policy is enabled the global.disablePolicyChecks has effect.
    enabled: true
  telemetry:
    enabled: true

#
# pilot configuration
#
# @see charts/pilot/values.yaml
pilot:
  enabled: true

#
# security configuration
#
security:
  enabled: true

#
# nodeagent configuration
#
nodeagent:
  enabled: true
  image: node-agent-k8s
  env:
    CA_PROVIDER: "Citadel"
    CA_ADDR: "istio-citadel:8060"
    VALID_TOKEN: true

#
# addon grafana configuration
#
grafana:
  enabled: false

#
# addon prometheus configuration
#
prometheus:
  enabled: true

#
# addon servicegraph configuration
#
servicegraph:
  enabled: false

#
# addon jaeger tracing configuration
#
tracing:
  enabled: false

#
# addon kiali tracing configuration
#
kiali:
  enabled: false

#
# Istio CNI plugin enabled
#   This must be enabled to use the CNI plugin in Istio. The CNI plugin is installed separately.
#   If true, the privileged initContainer istio-init is not needed to perform the traffic redirect
#   settings for the istio-proxy.
#
istio_cni:
  enabled: false

# addon Istio CoreDNS configuration
#
istiocoredns:
  enabled: false

# Common settings used among istio subcharts.
global:
  # Default hub for Istio images.
  # Releases are published to docker hub under 'istio' project.
  # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly
  hub: docker.io/istio

  # Default tag for Istio images.
  # tag: 1.1.3

  # monitoring port used by mixer, pilot, galley
  monitoringPort: 15014

  k8sIngress:
    enabled: false
    # Gateway used for k8s Ingress resources. By default it is
    # using 'istio:ingressgateway' that will be installed by setting
    # 'gateways.enabled' and 'gateways.istio-ingressgateway.enabled'
    # flags to true.
    gatewayName: ingressgateway
    # enableHttps will add port 443 on the ingress.
    # It REQUIRES that the certificates are installed in the
    # expected secrets - enabling this option without certificates
    # will result in LDS rejection and the ingress will not work.
    enableHttps: false

  proxy:
    image: proxyv2

    # cluster domain. Default value is "cluster.local".
    clusterDomain: "cluster.local"

    # Resources for the sidecar.
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 128Mi

    # Controls number of Proxy worker threads.
    # If set to 0 (default), then start worker thread for each CPU thread/core.
    concurrency: 2

    # Configures the access log for each sidecar.
    # Options:
    #   "" - disables access log
    #   "/dev/stdout" - enables access log
    accessLogFile: ""

    # Configure how and what fields are displayed in sidecar access log. Setting to
    # empty string will result in default log format
    accessLogFormat: ""

    # Configure the access log for sidecar to JSON or TEXT.
    accessLogEncoding: TEXT

    # Configure the DNS refresh rate for Envoy cluster of type STRICT_DNS
    # 5 seconds is the default refresh rate used by Envoy
    dnsRefreshRate: 5s

    #If set to true, istio-proxy container will have privileged securityContext
    privileged: false

    # If set, newly injected sidecars will have core dumps enabled.
    enableCoreDump: false

    # Default port for Pilot agent health checks. A value of 0 will disable health checking.
    statusPort: 15020

    # The initial delay for readiness probes in seconds.
    readinessInitialDelaySeconds: 1

    # The period between readiness probes.
    readinessPeriodSeconds: 2

    # The number of successive failed probes before indicating readiness failure.
    readinessFailureThreshold: 30

    # istio egress capture whitelist
    # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
    # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
    # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
    # be allowed by the sidecar
    includeIPRanges: "*"
    excludeIPRanges: ""

    # pod internal interfaces
    kubevirtInterfaces: ""

    # istio ingress capture whitelist
    # examples:
    #     Redirect no inbound traffic to Envoy:    --includeInboundPorts=""
    #     Redirect all inbound traffic to Envoy:   --includeInboundPorts="*"
    #     Redirect only selected ports:            --includeInboundPorts="80,8080"
    includeInboundPorts: "*"
    excludeInboundPorts: ""

    # This controls the 'policy' in the sidecar injector.
    autoInject: enabled

    # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
    # would be <host>:<port>).
    # Disabled by default.
    # The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
    envoyStatsd:
      # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
      enabled: false
      host: # example: statsd-svc.istio-system
      port: # example: 9125

    # Sets the Envoy Metrics Service address, used to push Envoy metrics to an external collector
    # via the Metrics Service gRPC API. This contains detailed stats information emitted directly
    # by Envoy and should not be confused with the Istio telemetry. The Envoy stats are also
    # available to scrape via the Envoy admin port at either /stats or /stats/prometheus.
    #
    # See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto
    # for details about Envoy's Metrics Service API.
    #
    # Disabled by default.
    envoyMetricsService:
      enabled: false
      host: # example: metrics-service.istio-system
      port: # example: 15000

    # Specify which tracer to use. One of: lightstep, zipkin, datadog
    tracer: "zipkin"

  proxy_init:
    # Base name for the proxy_init container, used to configure iptables.
    image: proxy_init

  # imagePullPolicy is applied to istio control plane components.
  # local tests require IfNotPresent, to avoid uploading to dockerhub.
  # TODO: Switch to Always as default, and override in the local tests.
  imagePullPolicy: IfNotPresent

  # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
  # propagated, not recommended for tests.
  controlPlaneSecurityEnabled: false

  # disablePolicyChecks disables mixer policy checks.
  # if mixer.policy.enabled==true then disablePolicyChecks has effect.
  # Will set the value with same name in istio config map - pilot needs to be restarted to take effect.
  disablePolicyChecks: true

  # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
  # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
  policyCheckFailOpen: false

  # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect.
  enableTracing: true

  # Configuration for each of the supported tracers
  tracer:
    # Configuration for envoy to send trace data to LightStep.
    # Disabled by default.
    # address: the <host>:<port> of the satellite pool
    # accessToken: required for sending data to the pool
    # secure: specifies whether data should be sent with TLS
    # cacertPath: the path to the file containing the cacert to use when verifying TLS. If secure is true, this is
    #   required. If a value is specified then a secret called "lightstep.cacert" must be created in the destination
    #   namespace with the key matching the base of the provided cacertPath and the value being the cacert itself.
    #
    lightstep:
      address: ""                # example: lightstep-satellite:443
      accessToken: ""            # example: abcdefg1234567
      secure: true               # example: true|false
      cacertPath: ""             # example: /etc/lightstep/cacert.pem
    zipkin:
      # Host:Port for reporting trace data in zipkin format. If not specified, will default to
      # zipkin service (port 9411) in the same namespace as the other istio components.
      address: ""
    datadog:
      # Host:Port for submitting traces to the Datadog agent.
      address: "$(HOST_IP):8126"

  # Default mtls policy. If true, mtls between services will be enabled by default.
  mtls:
    # Default setting for service-to-service mtls. Can be set explicitly using
    # destination rules or service annotations.
    enabled: true

  # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
  # to use for pulling any images in pods that reference this ServiceAccount.
  # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
  # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
  # Must be set for any cluster configured with private docker registry.
  imagePullSecrets:
    # - private-registry-key

  # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
  #   0 - Never scheduled
  #   1 - Least preferred
  #   2 - No preference
  #   3 - Most preferred
  arch:
    amd64: 2
    s390x: 2
    ppc64le: 2

  # Whether to restrict the applications namespace the controller manages;
  # If not set, controller watches all namespaces
  oneNamespace: false

  # Default node selector to be applied to all deployments so that all pods can be
  # constrained to run a particular nodes. Each component can overwrite these default
  # values by adding its node selector block in the relevant section below and setting
  # the desired values.
  defaultNodeSelector: {}

  # Whether to perform server-side validation of configuration.
  configValidation: true

  # Custom DNS config for the pod to resolve names of services in other
  # clusters. Use this to add additional search domains, and other settings.
  # see
  # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
  # This does not apply to gateway pods as they typically need a different
  # set of DNS settings than the normal application pods (e.g., in
  # multicluster scenarios).
  # NOTE: If using templates, follow the pattern in the commented example below.
  #podDNSSearchNamespaces:
  #- global
  #- "[[ valueOrDefault .DeploymentMeta.Namespace \"default\" ]].global"

  # If set to true, the pilot and citadel mtls will be exposed on the
  # ingress gateway
  meshExpansion:
    enabled: false
    # If set to true, the pilot and citadel mtls and the plain text pilot ports
    # will be exposed on an internal gateway
    useILB: false

  multiCluster:
    # Set to true to connect two kubernetes clusters via their respective
    # ingressgateway services when pods in each cluster cannot directly
    # talk to one another. All clusters should be using Istio mTLS and must
    # have a shared root CA for this model to work.
    enabled: false

  # A minimal set of requested resources to be applied to all deployments so that
  # Horizontal Pod Autoscaler will be able to function (if set).
  # Each component can overwrite these default values by adding its own resources
  # block in the relevant section below and setting the desired resources values.
  defaultResources:
    requests:
      cpu: 10m
    #   memory: 128Mi
    # limits:
    #   cpu: 100m
    #   memory: 128Mi

  # enable pod disruption budget for the control plane, which is used to
  # ensure Istio control plane components are gradually upgraded or recovered.
  defaultPodDisruptionBudget:
    enabled: true
    # The values aren't mutable due to a current PodDisruptionBudget limitation
    # minAvailable: 1

  # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
  # system-node-critical, it is better to configure this in order to make sure your Istio pods
  # will not be killed because of low priority class.
  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  # for more detail.
  priorityClassName: ""

  # Use the Mesh Control Protocol (MCP) for configuring Mixer and
  # Pilot. Requires galley (`--set galley.enabled=true`).
  useMCP: true

  # The trust domain corresponds to the trust root of a system
  # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
  # Indicate the domain used in SPIFFE identity URL
  # The default depends on the environment.
  #   kubernetes: cluster.local
  #   else:  default dns domain
  trustDomain: ""

  # Set the default behavior of the sidecar for handling outbound traffic from the application:
  # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
  #   services or ServiceEntries for the destination port
  # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
  #   as those defined through ServiceEntries
  # ALLOW_ANY is the default in 1.1.  This means each pod will be able to make outbound requests
  # to services outside of the mesh without any ServiceEntry.
  # REGISTRY_ONLY was the default in 1.0.  If this behavior is desired, set the value below to REGISTRY_ONLY.
  outboundTrafficPolicy:
    mode: ALLOW_ANY

  # The namespace where globally shared configurations should be present.
  # DestinationRules that apply to the entire mesh (e.g., enabling mTLS),
  # default Sidecar configs, etc. should be added to this namespace.
  # configRootNamespace: istio-config

  # set the default set of namespaces to which services, service entries, virtual services, destination
  # rules should be exported to. Currently only one value can be provided in this list. This value
  # should be one of the following two options:
  # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
  # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
  #defaultConfigVisibilitySettings:
  #- '*'

  sds:
    # SDS enabled. IF set to true, mTLS certificates for the sidecars will be
    # distributed through the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
    enabled: true
    udsPath: ""
    udsPath: "unix:/var/run/sds/uds_path"
    useNormalJwt: true

  # Configure the mesh networks to be used by the Split Horizon EDS.
  #
  # The following example defines two networks with different endpoints association methods.
  # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
  # mapped to network1. The gateway for this network example is specified by its public IP
  # address and port.
  # The second network, `network2`, in this example is defined differently with all endpoints
  # retrieved through the specified Multi-Cluster registry being mapped to network2. The
  # gateway is also defined differently with the name of the gateway service on the remote
  # cluster. The public IP for the gateway will be determined from that remote service (not
  # supported yet).
  #
  # meshNetworks:
  #   network1:
  #     endpoints:
  #     - fromCidr: "192.168.0.1/24"
  #     gateways:
  #     - address: 1.1.1.1
  #       port: 80
  #   network2:
  #     endpoints:
  #     - fromRegistry: reg1
  #     gateways:
  #     - registryServiceName: istio-ingressgateway
  #       port: 443
  #
  meshNetworks: {}

  # Specifies the global locality load balancing settings.
  # Locality-weighted load balancing allows administrators to control the distribution of traffic to
  # endpoints based on the localities of where the traffic originates and where it will terminate.
  # Please set either failover or distribute configuration but not both.
  #
  # localityLbSetting:
  #   distribute:
  #   - from: "us-central1/*"
  #     to:
  #       "us-central1/*": 80
  #       "us-central2/*": 20
  #
  # localityLbSetting:
  #   failover:
  #   - from: us-east
  #     to: eu-west
  #   - from: us-west
  #     to: us-east

  localityLbSetting: {}

  # Specifies whether helm test is enabled or not.
  # This field is set to false by default, so 'helm template ...'
  # will ignore the helm test yaml files when generating the template
  enableHelmTest: false
```
Environment where bug was observed (cloud vendor, OS, etc)
AWS
Kube cluster brought up via Kops
Affected product area (please put an X in all that apply)
- [ ] Configuration Infrastructure
- [x] Docs
- [ ] Installation
- [ ] Networking
- [ ] Performance and Scalability
- [ ] Policies and Telemetry
- [ ] Security
- [ ] Test and Release
- [x] User Experience
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Comments: 15 (5 by maintainers)
Hi @mabushey
It may well be different, but we share a symptom, which is how I came across this and why I mentioned it. Specifically, your curl test generated

```
curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
```

Looking at your config you have a gateway called `istio-ingressgateway-mqtt` with a port 443 named ‘mqtt’. If your problem is the same as mine, then renaming this to ‘https-mqtt’ or maybe ‘tcp-mqtt’ could resolve your issue. Maybe worth a try if you can.
I’ve been having the same issue and finally resolved it today with help from this link… https://discuss.istio.io/t/serviceentry-for-https-on-httpbin-org-resulting-in-connect-cr-srvr-hello-using-curl/2044/3
For me, I was deploying a dedicated ingress gateway for my application and as part of that I added a port called ‘http-port443’. This in turn was creating a service (as part of the ingress deployment) and I then hit the same problem described in the above link. My fix was to rename the port to ‘https-port443’ and now egress is working correctly.
This and your workaround lead me to think that the problem is with how the sidecar forwards HTTPS traffic to the egress, but I don’t know enough about this to dig deeper and confirm whether this is a bug or not.
Hope this helps
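The comment above relies on Istio's port-naming rule: a Kubernetes Service port selects its protocol through its name (`http`, `https`, `tcp`, and so on, optionally followed by `-<suffix>`), so a port numbered 443 but named `mqtt` or `http-port443` is not handled as TLS by the sidecar. As an added example (not code from the issue or from the Istio project), the script below applies that rule to `kubectl get svc -A -o json` output and flags exactly the two shapes discussed in this thread: an unrecognised name, and a plaintext HTTP-family name on 443. The protocol list is reproduced from the Istio 1.1 documentation as I remember it and should be checked against your version; the embedded input is constructed and includes the `istio-ingressgateway-mqtt` service from the values file above plus a hypothetical `bookinfo/my-app-ingressgateway` carrying the `http-port443` name from the comment.

```python
import json

# Protocol names Istio recognises in a Service port name; the name must be the
# protocol itself or "<protocol>-<suffix>". Assumption: this list is taken from
# memory of the Istio 1.1 port-naming docs, not from the issue above.
ISTIO_PROTOCOLS = {
    "http", "http2", "https", "grpc", "grpc-web",
    "tcp", "tls", "udp", "mongo", "mysql", "redis",
}
# Names under which the sidecar leaves the bytes alone and routes TLS by SNI.
TLS_PASSTHROUGH = {"https", "tls"}
# Names that tell the sidecar to parse the stream as plaintext HTTP or gRPC.
PLAINTEXT_L7 = {"http", "http2", "grpc", "grpc-web"}


def infer_protocol(port_name):
    """Return the protocol Istio selects for a port name, or None if unnamed/unrecognised."""
    if not port_name:
        return None
    name = port_name.lower()
    if name in ISTIO_PROTOCOLS:
        return name
    # Longest prefix first so "grpc-web-ui" maps to grpc-web rather than grpc.
    for proto in sorted(ISTIO_PROTOCOLS, key=len, reverse=True):
        if name.startswith(proto + "-"):
            return proto
    return None


def audit_services(service_list_json):
    """Inspect a `kubectl get svc -A -o json` document and return one record per port."""
    findings = []
    for svc in json.loads(service_list_json)["items"]:
        service = "%s/%s" % (svc["metadata"]["namespace"], svc["metadata"]["name"])
        for p in svc["spec"].get("ports", []):
            name = p.get("name")
            port = p["port"]
            proto = infer_protocol(name)
            if proto is None:
                issue = "unnamed or unrecognised port name; Istio 1.1 treats it as opaque TCP"
            elif port == 443 and proto in PLAINTEXT_L7:
                issue = ("port 443 named as plaintext %s; rename to https-<suffix> so the "
                         "sidecar treats it as TLS" % proto)
            else:
                issue = None
            findings.append({"service": service, "port": port, "name": name,
                             "protocol": proto, "issue": issue})
    return findings


def problem_ports(findings):
    """Return only the flagged ports as 'namespace/service:port (name)' strings."""
    return ["%s:%d (%s)" % (f["service"], f["port"], f["name"])
            for f in findings if f["issue"]]


# Constructed sample input: the mqtt gateway service from the values file above,
# the standard ingress gateway, and a hypothetical application gateway
# (namespace "bookinfo", name "my-app-ingressgateway") using the http-port443 name.
SAMPLE_SERVICES = json.dumps({"items": [
    {"metadata": {"namespace": "istio-system", "name": "istio-ingressgateway-mqtt"},
     "spec": {"ports": [{"port": 443, "name": "mqtt"}]}},
    {"metadata": {"namespace": "istio-system", "name": "istio-ingressgateway"},
     "spec": {"ports": [{"port": 80, "name": "http2"}, {"port": 443, "name": "https"}]}},
    {"metadata": {"namespace": "bookinfo", "name": "my-app-ingressgateway"},
     "spec": {"ports": [{"port": 443, "name": "http-port443"}]}},
]})

if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        flag = "FLAG" if f["issue"] else "ok  "
        print(flag, f["service"], f["port"], f["name"], f["protocol"], f["issue"] or "")
```

Against a live cluster, pipe `kubectl get svc -A -o json` into `audit_services`; the two flagged lines for the sample are the `mqtt` port on `istio-ingressgateway-mqtt` and the `http-port443` port, which are the two renames the comment proposes.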