3
votes

I am attempting to get Istio set up on Kubernetes as an ingress controller. The problem is that my two applications seem to be accessible from the Istio ingress controller's node port (e.g., http://[host]:31380/application1 and http://[host]:31380/application2) but not accessible from 443/80.

I am new to Kubernetes and Istio, so I used the https://istio.io/docs/guides/bookinfo/ guide as a reference. Following the guide was fairly easy and I was able to access the Bookinfo application using the node port as mentioned. I am unable to access it from 443/80 though. I used the helm chart to install Istio. I also don't see anything under Ingresses within the Kubernetes dashboard.

Here is an example of the gateway/virtual service yaml:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: myapp-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp-virtual-service
spec:
  hosts:
  - "*"
  gateways:
  - myapp-gateway
  http:
  - match:
    - uri:
        prefix: /myapp
    route:
    - destination:
        host: myapp-app-service
        port:
          number: 7080
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: kibana
        port:
          number: 5601

Any ideas on what I have to do to get it to listen on 443? Am I missing a component entirely?

2
I am facing the same issue. You should try posting this as an issue on their GitHub page. Might get a quick response. I tried changing the NodePort from 31380 to 80, but it says the NodePort range is between 30000 - 32767: Service "istio-ingressgateway" is invalid: spec.ports[0].nodePort: Invalid value: 80: provided port is not in the valid range. The range of valid ports is 30000-32767 - Kushal
@Kushal, the root cause of the issue is basically that you need an external load balancer deployed. I assume you are deploying with bare metal as well. If you run "kubectl get svc -n istio-system | grep istio-ingress" it shows the external IP as pending, right? My workaround was to deploy to our IBM Bluemix K8 cluster, which worked with the exact same yaml as above. - leeman24

2 Answers

3
votes

If routing to your application is required to run on 443/80, your Kubernetes cluster must have an external load balancer deployed. If one is not present, the traffic will be routed to the ingress node port.

Refer to - https://istio.io/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports (Determining the ingress IP and ports):

"If the EXTERNAL-IP value is set, your environment has an external load balancer that you can use for the ingress gateway. If the EXTERNAL-IP value is <none> (or perpetually <pending>), your environment does not provide an external load balancer for the ingress gateway. In this case, you can access the gateway using the service’s node port."

Example for my bare-metal instance without an external load balancer:

[admin@master1 ~]$ kubectl get svc -n istio-system | grep istio-ingress
istio-ingress              LoadBalancer   10.114.107.196   <pending>     80:32400/TCP,443:31564/TCP                                            5d
istio-ingressgateway       LoadBalancer   10.99.1.148      <pending>     80:31380/TCP,443:31390/TCP,31400:31400/TCP                            5d

If you are deploying to an online cloud provider such as IBM Bluemix (probably AWS/Azure/etc.), you should already have one configured. If your configuration is on bare-metal, you likely don't have a load balancer configured.

Example for my Bluemix instance with an external load balancer:

λ kubectl get svc -n istio-system | grep istio-ingress
istio-ingress              LoadBalancer   172.21.26.25     123.45.67.195   80:32000/TCP,443:31694/TCP                                            6h
istio-ingressgateway       LoadBalancer   172.21.139.142   123.45.67.196   80:31380/TCP,443:31390/TCP,31400:31400/TCP                            6h

I have not yet gone back to deploy a load balancer to bare-metal so would like to hear if anyone has. I have briefly looked at Metal but have not spent much time on it.
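
The check described in the answer above, as an added example that is not part of the original posts: it reads `kubectl get svc` rows and reports, for service ports 80 and 443, whether they are reachable on an assigned external IP or only on a node port. The function name `ingress_access` and the `<node-ip>` placeholder are assumptions; the sample rows are the two `istio-ingressgateway` lines from the outputs quoted in the answer.

```bash
#!/usr/bin/env bash
# Added example: classify `kubectl get svc` rows by how ports 80/443 are reachable.
# Expected columns: NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

ingress_access() {
  awk '
    # Only service types that allocate node ports are of interest here.
    $2 == "LoadBalancer" || $2 == "NodePort" {
      name = $1; ext = $4
      # No address assigned: traffic can only enter through the node ports.
      pending = (ext == "<pending>" || ext == "<none>")
      n = split($5, maps, ",")
      for (i = 1; i <= n; i++) {
        # Each mapping looks like 80:31380/TCP (servicePort:nodePort/protocol).
        split(maps[i], kv, "[:/]")
        svc_port = kv[1]; node_port = kv[2]
        if (svc_port != "80" && svc_port != "443") continue
        if (pending) {
          printf "%s nodeport <node-ip>:%s (service port %s)\n", name, node_port, svc_port
        } else {
          printf "%s loadbalancer %s:%s\n", name, ext, svc_port
        }
      }
    }'
}

# Sample rows: bare-metal (no load balancer) first, Bluemix (load balancer) second.
SAMPLE='istio-ingressgateway       LoadBalancer   10.99.1.148      <pending>       80:31380/TCP,443:31390/TCP,31400:31400/TCP   5d
istio-ingressgateway       LoadBalancer   172.21.139.142   123.45.67.196   80:31380/TCP,443:31390/TCP,31400:31400/TCP   6h'

printf '%s\n' "$SAMPLE" | ingress_access
```

On a live cluster the same function can be fed with `kubectl get svc -n istio-system | ingress_access`.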

-1
votes

The nodeport range can be modified on the api-server manifest. If you are using kubeadm, edit the '/etc/kubernetes/manifests/kube-apiserver.yaml' file and add the following line:

- --service-node-port-range=80-32767

Then, edit 'istio-ingressgateway' service:

  - name: http2
    nodePort: 80
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    nodePort: 443
    port: 443
    protocol: TCP
    targetPort: 8443