0
votes

I have an application running in a Kubernetes pod (on my local Docker Desktop, with Kubernetes enabled), listening on port 8080. I then have the following Kubernetes configuration:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: myrelease-foobar-app-gw
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: default-foobar-local-credential
      hosts:
        - test.foobar.local
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myrelease-foobar-app-vs
  namespace: default
spec:
  hosts:
    - test.foobar.local
  gateways:
    - myrelease-foobar-app-gw
  http:
    - match:
        - port: 443
      route:
        - destination:
            host: myrelease-foobar-app.default.svc.cluster.local
            subset: foobarAppDestination
            port:
              number: 8081
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: myrelease-foobar-app-destrule
  namespace: default
spec:
  host: myrelease-foobar-app.default.svc.cluster.local
  subsets:
    - name: foobarAppDestination
      labels:
        app.kubernetes.io/instance: myrelease
        app.kubernetes.io/name: foobar-app
---
apiVersion: v1
kind: Service
metadata:
  name: myrelease-foobar-app
  namespace: default
  labels:
    helm.sh/chart: foobar-app-0.1.0
    app.kubernetes.io/name: foobar-app
    app.kubernetes.io/instance: myrelease
    app.kubernetes.io/version: "1.0.0"
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  ports:
    - port: 8081
      targetPort: 8080
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: foobar-app
    app.kubernetes.io/instance: myrelease     

This works fine. But I'd like to change that port 443 into something else, say 8443 (because I will have multiple Gateways). When I have this, I can't access the application anymore. Is there some configuration that I'm missing? I'm guessing I need to configure Istio to accept port 8443 too? I installed Istio using the following command:

istioctl install --set profile=default -y

Edit: I've done a bit more reading (https://www.dangtrinh.com/2019/09/how-to-open-custom-port-on-istio.html), and I've done the following:

  1. kubectl -n istio-system get service istio-ingressgateway -o yaml > istio_ingressgateway.yaml
  2. edit istio_ingressgateway.yaml, and add the following:
     - name: foobarhttps
       nodePort: 32700
       port: 445
       protocol: TCP
       targetPort: 8445
    
  3. kubectl apply -f istio_ingressgateway.yaml
  4. Change within my Gateway above:
     - port:
         number: 445
         name: foobarhttps
         protocol: HTTPS
    
  5. Change within my VirtualService above:
     http:
     - match:
         - port: 445
    

But I still can't access it from my browser (https://foobar.test.local:445)

2 Answers

2
votes

I suppose that port has to be mapped on the Istio Ingress Gateway. So if you want to use a custom port, you might have to customize that.

But usually it should not be a problem if multiple Gateways use the same port, it does not cause a clash. So for that use case it should not be necessary to do that.

1
votes

Fixed it. What I've done wrong in my edit above is this:

- name: foobarhttps
   nodePort: 32700
   port: 445
   protocol: TCP
   targetPort: 8443

(notice that targetPort is still 8443). I'm guessing there is an Istio component listening on port 8443, which handles all this HTTPS stuff. Thanks user140547 for the help!
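
A check for the port mismatch described in this answer, as an added example that is not part of the original posts: it walks the Gateway port, the ingress Service port entry and its targetPort, and the VirtualService match port, and reports where the chain breaks. The function name `check_port_chain`, the trimmed JSON samples (constructed from the values quoted on this page) and the set of listening ports passed in are assumptions.

```python
import json

# Constructed sample: trimmed `kubectl get ... -o json` style objects using the
# port values quoted on this page (first attempt: targetPort 8445).
INGRESS_SVC = json.loads("""
{"spec": {"ports": [
  {"name": "https", "port": 443, "targetPort": 8443, "protocol": "TCP"},
  {"name": "foobarhttps", "port": 445, "targetPort": 8445,
   "nodePort": 32700, "protocol": "TCP"}
]}}
""")
GATEWAY = json.loads("""
{"spec": {"servers": [
  {"port": {"number": 445, "name": "foobarhttps", "protocol": "HTTPS"},
   "hosts": ["test.foobar.local"]}
]}}
""")
VIRTUAL_SERVICE = json.loads('{"spec": {"http": [{"match": [{"port": 445}]}]}}')


def check_port_chain(gateway, ingress_svc, virtual_service, listening_ports):
    """Return a list of problems in the Gateway -> Service -> pod port chain.

    listening_ports is an assumption supplied by the caller: the ports the
    ingress gateway pod is believed to accept traffic on.
    """
    problems = []
    svc_ports = {p["port"]: p for p in ingress_svc["spec"]["ports"]}
    gw_ports = {s["port"]["number"] for s in gateway["spec"]["servers"]}
    for number in sorted(gw_ports):
        entry = svc_ports.get(number)
        if entry is None:
            problems.append(f"Gateway port {number} is not exposed by the ingress Service")
            continue
        target = entry.get("targetPort", number)  # Kubernetes defaults targetPort to port
        if target not in listening_ports:
            problems.append(f"Service port {number} forwards to targetPort {target}, "
                            f"which is not in {sorted(listening_ports)}")
    for route in virtual_service["spec"].get("http", []):
        for match in route.get("match", []):
            if "port" in match and match["port"] not in gw_ports:
                problems.append(f"VirtualService matches port {match['port']}, "
                                "which no Gateway server declares")
    return problems


if __name__ == "__main__":
    for line in check_port_chain(GATEWAY, INGRESS_SVC, VIRTUAL_SERVICE, {8443}):
        print(line)
```

With the sample as given (targetPort 8445) and 8443 assumed to be the listening port, the check reports one problem; changing the Service entry's targetPort to 8443, as in the answer, makes the list empty.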