4
votes

I followed Istio's official documentation to setup Istio for sample bookinfo app with minikube. but I'm getting Unable to connect to the server: net/http: TLS handshake timeout error. these are the steps that I have followed(I have kubectl & minikube installed).

minikube start
curl -L https://git.io/getLatestIstio | sh -
cd istio-1.0.3
export PATH=$PWD/bin:$PATH
kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
kubectl apply -f install/kubernetes/istio-demo-auth.yaml
kubectl get pods -n istio-system

This is the terminal output I'm getting

$ kubectl get pods -n istio-system
NAME                                      READY     STATUS              RESTARTS   AGE
grafana-9cfc9d4c9-xg7bh                   1/1       Running             0          4m
istio-citadel-6d7f9c545b-lwq8s            1/1       Running             0          3m
istio-cleanup-secrets-69hdj               0/1       Completed           0          4m
istio-egressgateway-75dbb8f95d-k6xj2      1/1       Running             0          4m
istio-galley-6d74549bb9-mdc97             0/1       ContainerCreating   0          4m
istio-grafana-post-install-xz9rk          0/1       Completed           0          4m
istio-ingressgateway-6bd4957bc-vhbct      1/1       Running             0          4m
istio-pilot-7f8c49bbd8-x6bmm              0/2       Pending             0          4m
istio-policy-6c65d8cff4-hx2c7             2/2       Running             0          4m
istio-security-post-install-gjfj2         0/1       Completed           0          4m
istio-sidecar-injector-74855c54b9-nnqgx   0/1       ContainerCreating   0          3m
istio-telemetry-65cdd46d6c-rqzfw          2/2       Running             0          4m
istio-tracing-ff94688bb-hgz4h             1/1       Running             0          3m
prometheus-f556886b8-chdxw                1/1       Running             0          4m
servicegraph-778f94d6f8-9xgw5             1/1       Running             0          3m

$kubectl describe pod istio-galley-6d74549bb9-mdc97
Error from server (NotFound): pods "istio-galley-5bf4d6b8f7-8s2z9" not found

pod describe output

 $ kubectl -n istio-system describe pod  istio-galley-6d74549bb9-mdc97
Name:           istio-galley-6d74549bb9-mdc97
Namespace:      istio-system
Node:           minikube/172.17.0.4
Start Time:     Sat, 03 Nov 2018 04:29:57 +0000
Labels:         istio=galley
                pod-template-hash=1690826493
Annotations:    scheduler.alpha.kubernetes.io/critical-pod=
                sidecar.istio.io/inject=false
Status:         Pending
IP:
Controlled By:  ReplicaSet/istio-galley-5bf4d6b8f7
Containers:
  validator:
    Container ID:
    Image:         gcr.io/istio-release/galley:1.0.0    Image ID:
    Ports:         443/TCP, 9093/TCP    Host Ports:    0/TCP, 0/TCP
    Command:      /usr/local/bin/galley
      validator      --deployment-namespace=istio-system
      --caCertFile=/etc/istio/certs/root-cert.pem
      --tlsCertFile=/etc/istio/certs/cert-chain.pem
      --tlsKeyFile=/etc/istio/certs/key.pem
      --healthCheckInterval=2s
      --healthCheckFile=/health
      --webhook-config-file
      /etc/istio/config/validatingwebhookconfiguration.yaml
    State:          Waiting
      Reason:       ContainerCreating
    Ready:          False
    Restart Count:  0
    Requests:
      cpu:        10m
    Liveness:     exec [/usr/local/bin/galley probe --probe-path=/health --interval=4s] delay=4s timeout=1s period=4s #success=1 #failure=3
    Readiness:    exec [/usr/local/bin/galley probe --probe-path=/health --interval=4s] delay=4s timeout=1s period=4s #success=1 #failure=3
    Environment:  <none>
    Mounts:
      /etc/istio/certs from certs (ro)
      /etc/istio/config from config (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from istio-galley-service-account-token-9pcmv(ro)
Conditions:
  Type           Status
  Initialized    True
  Ready          False
  PodScheduled   True
Volumes:
  certs:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  istio.istio-galley-service-account
    Optional:    false
  config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      istio-galley-configuration
    Optional:  false
  istio-galley-service-account-token-9pcmv:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  istio-galley-service-account-token-9pcmv
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason                 Age               From               Message
  ----     ------                 ----              ----               -------
  Normal   Scheduled              1m                default-scheduler  Successfully assigned istio-galley-5bf4d6b8f7-8t8qz to minikube
  Normal   SuccessfulMountVolume  1m                kubelet, minikube  MountVolume.SetUp succeeded for volume "config"
  Normal   SuccessfulMountVolume  1m                kubelet, minikube  MountVolume.SetUp succeeded for volume "istio-galley-service-account-token-9pcmv"
  Warning  FailedMount            27s (x7 over 1m)  kubelet, minikube  MountVolume.SetUp failed for volume "certs" : secrets "istio.istio-galley-service-account" not found

after some time :-

 $ kubectl describe pod istio-galley-6d74549bb9-mdc97

Unable to connect to the server: net/http: TLS handshake timeout

so I wait for istio-sidecar-injector and istio-galley containers to get created. If I again run kubectl get pods -n istio-system or any other kubectl commands gives Unable to connect to the server: net/http: TLS handshake timeout error.

Please help me with this issue. ps: I'm running minikube on ubuntu 16.04

Thanks in advance.

3
Can you post the output for kubectl describe pod istio-galley-6d74549bb9-mdc97Rico
question updated please take a look.mahendra
Sorry: kubectl -n istio-system describe pod istio-galley-6d74549bb9-mdc97Rico
updated the question please take a look.mahendra
@Mahendra Hegde, Does minikube logs command show any suspicious events?Nick_Kh

3 Answers

1
votes

Looks like you are running into this and this the secret istio.istio-galley-service-account is missing in your istio-system namespace. You can try the workaround as described:

Install as outlined in the docs: https://istio.io/docs/setup/kubernetes/minimal-install/ the missing secret is created by the citadel pod which isn't running due to the --set security.enabled=false flag, setting that to true starts citadel and the secret is created.

1
votes

Problem resolved. when I run minikube start --memory=4048. maybe it was a memory issue.

0
votes

When using either the istio-demo.yaml or istio-demo-auth.yaml, you'll find that a minimum of 4GB RAM is required to run Istio (particularly when you deploy its sample app, BookInfo, too). This is true whether your running MiniKube or Docker Desktop and is one of the gotchas that Meshery identifies and attempts to help those deploying Istio or other service meshes circumvent.