istio: HTTP Routing through EgressGateway via the endpoint method doesn't work.
Describe the bug
As part of the work to validate https://github.com/istio/istio.io/issues/3312, we discovered that defining the ServiceEntry that routes HTTP traffic using ServiceEntry endpoints instead of VirtualServices does not work.
Expected behavior
After defining and configuring an EgressGateway to allow HTTP traffic to hit the edition.cnn.com/politics URL as in the Egress Gateway for HTTP traffic example, the expectation was that we would get a 200 response back from the HTTP request. Instead the request returns with a 404 response:
$ kubectl exec -it $SOURCE_POD -c sleep -- curl -v http://edition.cnn.com/politics
* Trying 151.101.129.67...
* TCP_NODELAY set
* Connected to edition.cnn.com (151.101.129.67) port 80 (#0)
> GET /politics HTTP/1.1
> Host: edition.cnn.com
> User-Agent: curl/7.60.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< location: http://edition.cnn.com/politics
< date: Fri, 15 Mar 2019 14:47:46 GMT
< server: envoy
< content-length: 0
< x-envoy-upstream-service-time: 0
<
* Connection #0 to host edition.cnn.com left intact
Steps to reproduce the bug
When testing the ServiceEntry with endpoints scenario, we ran through the Egress Gateway for HTTP traffic example.
Version
kubectl:
Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.3", GitCommit:"721bfa751924da8d1680787490c54b9179b1fed0", GitTreeState:"clean",BuildDate:"2019-02-04T04:48:03Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.6+IKS", GitCommit:"2c3eb23229edae9a1f164f323d76a3192d94bccc", GitTreeState:"clean", BuildDate:"2019-02-28T08:09:00Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}
istioctl:
Version: 1.0.6
GitRevision: 98598f88f6ee9c1e6b3f03b652d8e0e3cd114fa2-dirty
User: brew@Mojave-2.local
Hub: docker.io/istio
GolangVersion: go1.11.5
BuildStatus: Modified
Installation
Istio release 1.1.0-rc.5 was downloaded via the getLatestIstio and installed using the helm template install method.
Environment
Environment: IKS
Cloud Provider: IBM
Configuration artifacts and Log Files
ServiceEntry definition:
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: cnn
spec:
  hosts:
  - edition.cnn.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  endpoints:
  - address: edition.cnn.com
    network: external
    ports:
      http-port: 80
  - address: istio-egressgateway.istio-system.svc.cluster.local
    ports:
      http-port: 80
  location: MESH_EXTERNAL
EOF
mTLS-disabled EgressGateway:
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - edition.cnn.com
EOF
curl command output:
$ kubectl exec -it $SOURCE_POD -c sleep -- curl -v http://edition.cnn.com/politics
* Trying 151.101.129.67...
* TCP_NODELAY set
* Connected to edition.cnn.com (151.101.129.67) port 80 (#0)
> GET /politics HTTP/1.1
> Host: edition.cnn.com
> User-Agent: curl/7.60.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< location: http://edition.cnn.com/politics
< date: Fri, 15 Mar 2019 14:47:46 GMT
< server: envoy
< content-length: 0
< x-envoy-upstream-service-time: 0
<
* Connection #0 to host edition.cnn.com left intact
sleep app log output:
kubectl logs -l app=sleep -c istio-proxy | tail
[2019-03-15 14:47:59.857][45][warning][misc] [external/envoy/source/common/protobuf/utility.cc:129] Using deprecated option 'envoy.api.v2.Listener.use_original_dst'. This configuration will be removed from Envoy soon. Please see https://github.com/envoyproxy/envoy/blob/master/DEPRECATED.md for details.
[2019-03-15 15:15:35.551][45][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:102] gRPC config stream closed: 13,
[2019-03-15 15:15:35.938][45][warning][misc] [external/envoy/source/common/protobuf/utility.cc:129] Using deprecated option 'envoy.api.v2.Listener.use_original_dst'. This configuration will be removed from Envoy soon. Please see https://github.com/envoyproxy/envoy/blob/master/DEPRECATED.md for details.
[2019-03-15 15:45:51.066][45][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:102] gRPC config stream closed: 13,
[2019-03-15 15:45:51.243][45][warning][misc] [external/envoy/source/common/protobuf/utility.cc:129] Using deprecated option 'envoy.api.v2.Listener.use_original_dst'. This configuration will be removed from Envoy soon. Please see https://github.com/envoyproxy/envoy/blob/master/DEPRECATED.md for details.
[2019-03-15 16:16:34.261][45][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:102] gRPC config stream closed: 13,
[2019-03-15 16:16:34.674][45][warning][misc] [external/envoy/source/common/protobuf/utility.cc:129] Using deprecated option 'envoy.api.v2.Listener.use_original_dst'. This configuration will be removed from Envoy soon. Please see https://github.com/envoyproxy/envoy/blob/master/DEPRECATED.md for details.
[2019-03-15 16:45:37.498][45][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:102] gRPC config stream closed: 13,
[2019-03-15 16:45:37.758][45][warning][misc] [external/envoy/source/common/protobuf/utility.cc:129] Using deprecated option 'envoy.api.v2.Listener.use_original_dst'. This configuration will be removed from Envoy soon. Please see https://github.com/envoyproxy/envoy/blob/master/DEPRECATED.md for details.
[2019-03-15T16:50:30.770Z] "GET /politics HTTP/1.1" 404 - "-" 0 0 3 3 "-" "curl/7.60.0" "d30f0061-a6fb-93b2-860d-0a515be8cea8" "edition.cnn.com" "172.21.227.106:80" outbound|80||edition.cnn.com - 151.101.65.67:80 172.30.220.15:39818 -
istioctl proxy-config listeners (JSON):
[
  {
    "name": "0.0.0.0_80",
    "address": {
      "socketAddress": {
        "address": "0.0.0.0",
        "portValue": 80
      }
    },
    "filterChains": [
      {
        "filters": [
          {
            "name": "envoy.http_connection_manager",
            "typedConfig": {
              "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
              "statPrefix": "0.0.0.0_80",
              "rds": {
                "configSource": {
                  "ads": {}
                },
                "routeConfigName": "http.80"
              },
              "httpFilters": [
                {
                  "name": "mixer",
                  "typedConfig": {
                    "@type": "type.googleapis.com/istio.mixer.v1.config.client.HttpClientConfig",
                    "transport": {
                      "networkFailPolicy": {
                        "policy": "FAIL_CLOSE",
                        "baseRetryWait": "0.080s",
                        "maxRetryWait": "1s"
                      },
                      "checkCluster": "outbound|9091||istio-policy.istio-system.svc.cluster.local",
                      "reportCluster": "outbound|9091||istio-telemetry.istio-system.svc.cluster.local"
                    },
                    "serviceConfigs": {
                      "default": {}
                    },
                    "defaultDestinationService": "default",
                    "mixerAttributes": {
                      "attributes": {
                        "context.reporter.kind": {
                          "stringValue": "outbound"
                        },
                        "context.reporter.uid": {
                          "stringValue": "kubernetes://istio-egressgateway-749bc9788c-c2qsl.istio-system"
                        },
                        "source.namespace": {
                          "stringValue": "istio-system"
                        },
                        "source.uid": {
                          "stringValue": "kubernetes://istio-egressgateway-749bc9788c-c2qsl.istio-system"
                        }
                      }
                    },
                    "forwardAttributes": {
                      "attributes": {
                        "source.uid": {
                          "stringValue": "kubernetes://istio-egressgateway-749bc9788c-c2qsl.istio-system"
                        }
                      }
                    }
                  }
                },
                {
                  "name": "envoy.cors"
                },
                {
                  "name": "envoy.fault"
                },
                {
                  "name": "envoy.router"
                }
              ],
              "tracing": {
                "operationName": "EGRESS",
                "clientSampling": {
                  "value": 100
                },
                "randomSampling": {
                  "value": 100
                },
                "overallSampling": {
                  "value": 100
                }
              },
              "serverName": "istio-envoy",
              "streamIdleTimeout": "0s",
              "accessLog": [
                {
                  "name": "envoy.file_access_log",
                  "typedConfig": {
                    "@type": "type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog",
                    "path": "/dev/stdout",
                    "format": "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% \"%DYNAMIC_METADATA(istio.mixer:status)%\" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME%\n"
                  }
                }
              ],
              "useRemoteAddress": true,
              "generateRequestId": true,
              "forwardClientCertDetails": "SANITIZE_SET",
              "setCurrentClientCertDetails": {
                "subject": true,
                "dns": true,
                "uri": true
              },
              "upgradeConfigs": [
                {
                  "upgradeType": "websocket"
                }
              ]
            }
          }
        ]
      }
    ]
  },
  {
    "address": {
      "socketAddress": {
        "address": "0.0.0.0",
        "portValue": 15090
      }
    },
    "filterChains": [
      {
        "filters": [
          {
            "name": "envoy.http_connection_manager",
            "config": {
              "codec_type": "AUTO",
              "http_filters": {
                "name": "envoy.router"
              },
              "route_config": {
                "virtual_hosts": [
                  {
                    "domains": [
                      "*"
                    ],
                    "name": "backend",
                    "routes": [
                      {
                        "match": {
                          "prefix": "/stats/prometheus"
                        },
                        "route": {
                          "cluster": "prometheus_stats"
                        }
                      }
                    ]
                  }
                ]
              },
              "stat_prefix": "stats"
            }
          }
        ]
      }
    ]
  }
]
istioctl proxy-config routes (JSON):
[
  {
    "name": "http.80",
    "virtualHosts": [
      {
        "name": "blackhole:80",
        "domains": [
          "*"
        ],
        "routes": [
          {
            "match": {
              "prefix": "/"
            },
            "directResponse": {
              "status": 404
            },
            "typedPerFilterConfig": {
              "mixer": {
                "@type": "type.googleapis.com/istio.mixer.v1.config.client.ServiceConfig"
              }
            }
          }
        ]
      }
    ],
    "validateClusters": false
  },
  {
    "virtualHosts": [
      {
        "name": "backend",
        "domains": [
          "*"
        ],
        "routes": [
          {
            "match": {
              "prefix": "/stats/prometheus"
            },
            "route": {
              "cluster": "prometheus_stats"
            }
          }
        ]
      }
    ]
  }
]
About this issue
- State: closed
- Created 5 years ago
- Comments: 17 (13 by maintainers)
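An added example, not part of the original issue or of Istio's code: a small simulation of Envoy's virtual-host selection run over a trimmed copy of the `http.80` route dump above, showing why every request on that listener ends in the 404. The names `domain_rank` and `resolve` are hypothetical, and only prefix route matches are handled because that is all the dump contains.

```python
import json

# Trimmed copy of the `istioctl proxy-config routes` dump shown in the issue.
ROUTES_JSON = """
[{"name": "http.80",
  "virtualHosts": [{"name": "blackhole:80", "domains": ["*"],
    "routes": [{"match": {"prefix": "/"}, "directResponse": {"status": 404}}]}]},
 {"virtualHosts": [{"name": "backend", "domains": ["*"],
    "routes": [{"match": {"prefix": "/stats/prometheus"},
                "route": {"cluster": "prometheus_stats"}}]}]}]
"""

def domain_rank(domain, host):
    """Return a sort key if `domain` matches `host`, else None.
    Envoy prefers exact, then '*suffix', then 'prefix*', then the bare '*'."""
    domain, host = domain.lower(), host.lower()
    if domain == host:
        return (0, 0)
    if domain == "*":
        return (3, 0)
    if domain.startswith("*") and host.endswith(domain[1:]):
        return (1, -len(domain))  # longest wildcard wins within a class
    if domain.endswith("*") and host.startswith(domain[:-1]):
        return (2, -len(domain))
    return None

def resolve(route_configs, route_name, host, path):
    """Pick the virtual host and first matching prefix route for a request."""
    rc = next((r for r in route_configs if r.get("name") == route_name), None)
    if rc is None:
        return {"vhost": None, "action": "no route config"}
    best = None
    for vh in rc.get("virtualHosts", []):
        for d in vh.get("domains", []):
            rank = domain_rank(d, host)
            if rank is not None and (best is None or rank < best[0]):
                best = (rank, vh)
    if best is None:
        return {"vhost": None, "action": "404 (no virtual host)"}
    vh = best[1]
    for route in vh.get("routes", []):
        if path.startswith(route.get("match", {}).get("prefix", "\0")):
            if "directResponse" in route:
                status = route["directResponse"]["status"]
                return {"vhost": vh["name"], "action": "direct %d" % status}
            cluster = route.get("route", {}).get("cluster", "?")
            return {"vhost": vh["name"], "action": "cluster " + cluster}
    return {"vhost": vh["name"], "action": "404 (no route)"}

if __name__ == "__main__":
    print(resolve(json.loads(ROUTES_JSON), "http.80", "edition.cnn.com", "/politics"))
```

Running the same check against a fresh `istioctl proxy-config routes` dump after a configuration change shows whether the host now resolves to a cluster instead of the `blackhole:80` direct response.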
@rshriram I see, so it is a ServiceEntry with an endpoint, and also a VirtualService for the gateway.
@ibm-jason Please add a VirtualService to your HTTP Egress Gateway example: