Description
Is this the right place to submit this?
- This is not a security vulnerability or a crashing bug
- This is not a question about how to use Istio
Bug Description
Hello,
I am trying to implement a secure Istio gateway. Traffic will reach the istio-ingress gateway through an ALB. My configs are below:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: istio-ingress
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: istio-ingress
spec:
  selector:
    app: nginx
  ports:
  - name: http
    port: 80
    targetPort: 80
  type: ClusterIP
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: common-gateway
  namespace: istio-ingress
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      credentialName: istio-ingress/mycompany-certs
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx-virtualservice
  namespace: istio-ingress
spec:
  hosts:
  - nginx
  gateways:
  - common-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: nginx-service
        port:
          number: 80
```
My AWS ALB Ingress config:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: istio-gateway-external
  namespace: istio-ingress
  annotations:
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
    alb.ingress.kubernetes.io/healthcheck-port: status-port
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/backend-protocol-version: HTTP2
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-central-1:123123123123:certificate/1d2d0756-39c2-4378-8e42-ef997975b444
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: instance
    alb.ingress.kubernetes.io/load-balancer-name: istio-gateway-external
    alb.ingress.kubernetes.io/actions.ssl-redirect: |
      {
        "Type": "redirect",
        "RedirectConfig": {
          "Protocol": "HTTPS",
          "Port": "443",
          "StatusCode": "HTTP_301"
        }
      }
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      - backend:
          service:
            name: ssl-redirect
            port:
              name: use-annotation
        path: /
        pathType: Prefix
      - backend:
          service:
            name: istio-ingressgateway
            port:
              number: 15021
        path: /
        pathType: Prefix
      - backend:
          service:
            name: istio-ingressgateway
            port:
              number: 443
        path: /
        pathType: Prefix
```
I create the certs:
```sh
export DOMAIN_NAME=mycompany
openssl req -x509 -sha256 -nodes -days 365 \
  -newkey rsa:2048 -subj '/O='$DOMAIN_NAME' Inc./CN='$DOMAIN_NAME'' \
  -keyout $DOMAIN_NAME.key -out $DOMAIN_NAME.crt
openssl req -out \*.$DOMAIN_NAME.csr -newkey rsa:2048 \
  -nodes -keyout \*.$DOMAIN_NAME.key \
  -subj "/CN=*.$DOMAIN_NAME/O=apps from $DOMAIN_NAME"
openssl x509 -req -days 365 -CA $DOMAIN_NAME.crt \
  -CAkey $DOMAIN_NAME.key -set_serial 0 \
  -in \*.$DOMAIN_NAME.csr -out \*.$DOMAIN_NAME.crt
kubectl create secret tls mycompany-certs -n istio-ingress \
  --key $DOMAIN_NAME.key \
  --cert $DOMAIN_NAME.crt
```
Some checks:
```
tmp-shell:~# curl https://asdfadsfads.mydomain.com
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
</body>
</html>
tmp-shell:~# curl https://nginx.mydomain.com
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
</body>
</html>
tmp-shell:~# curl -I -k -sS --cert /opt/secret/tls.crt --key /opt/secret/tls.key -H \
  'Host: nginx.mydomain.com' https://istio-ingressgateway.istio-ingress.svc
HTTP/2 404
date: Thu, 21 Nov 2024 18:39:27 GMT
server: istio-envoy
```
When I attempt to access the app from outside the cluster, I get a 502 Bad Gateway error.
When I attempt to access the app from inside the cluster, I get a 404 bad gateway error.
Could you please advise what I am missing?
Thanks & Regards
Version
client version: 1.24.0
base / istiod / gateway : 1.23.3
I use Helm chart 1.23.3 to deploy Istio.
Additional Information
- istiod namespace: istio-system
- istio-gateway namespace: istio-ingress

`istioctl analyze -n demoapps` doesn't find any problems.
My load balancer health checks are OK.
My Istio ingress gateway uses a "NodePort" service.
When I try the same architecture using the nginx ingress controller (without TLS), it works.
My EKS has the following rules:
```hcl
...
node_security_group_additional_rules = {
  ingress_cluster_15017 = {
    description                   = "Cluster API to node groups"
    protocol                      = "tcp"
    from_port                     = 15017
    to_port                       = 15017
    type                          = "ingress"
    source_cluster_security_group = true
  }
  ingress_15012 = {
    description                   = "Cluster API to nodes ports/protocols"
    protocol                      = "TCP"
    from_port                     = 15012
    to_port                       = 15012
    type                          = "ingress"
    source_cluster_security_group = true
  }
}
...
```
My istio-ingressgateway produces the following errors:
```
2024-11-21T18:37:42.222413Z debug envoy http external/envoy/source/common/http/filter_manager.cc:1075 [Tags: "ConnectionId":"2110","StreamId":"13274701494911436017"] Sending local reply with details http1.codec_error thread=21
2024-11-21T18:37:42.222830Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:1894 [Tags: "ConnectionId":"2110","StreamId":"13274701494911436017"] stream reset: reset reason: local reset, response details: http1.codec_error thread=21
2024-11-21T18:37:42.222899Z debug envoy http external/envoy/source/common/http/conn_manager_impl.cc:431 [Tags: "ConnectionId":"2110"] dispatch error: http/1.1 protocol error: HPE_INVALID_METHOD thread=21
```
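The following is an added example for the setup described in this issue; it is not code from the reporter or from the Istio project. It does the same three steps (certs, TLS secret, manifests) with the points a reviewer would flag in the posted config fixed: the wildcard leaf gets a `subjectAltName` (Envoy and clients match hostnames against the SAN, not the CN), the TLS secret is created from the leaf rather than from the CA cert and key, the Gateway's `credentialName` is the bare secret name in the gateway's own namespace (`istio-ingress/mycompany-certs` is not a valid reference), the VirtualService `hosts` entry is the public hostname the ALB forwards rather than `nginx` (a mismatch there is exactly what returns a 404 from `istio-envoy`), and the Ingress routes `/` only to port 443. That last point matters because `alb.ingress.kubernetes.io/backend-protocol: HTTPS` on the Ingress applies to every backend in its rules, so a `/` rule pointing at port 15021 makes the ALB speak TLS to Envoy's plaintext status port, and `http1.codec_error` / `HPE_INVALID_METHOD` is what Envoy's HTTP/1 codec reports when the bytes it receives are not HTTP. Assumptions, all mine: the public domain is `mydomain.com`, the gateway runs in `istio-ingress`, the ACM certificate ARN is passed in `ACM_CERT_ARN`, and the AWS Load Balancer Controller is v2.2 or newer (for the `ssl-redirect` annotation). Only standard `openssl` and `kubectl` invocations are used.

```shell
#!/usr/bin/env bash
# Added example, not from the issue: certs, TLS secret and manifests for the
# ALB -> istio-ingressgateway (TLS SIMPLE) -> nginx path. Assumptions: domain
# mydomain.com, gateway in istio-ingress, ACM_CERT_ARN holds the ALB's ACM cert.
set -eu

DOMAIN="${DOMAIN:-mydomain.com}"
NS="${NS:-istio-ingress}"
SECRET="${SECRET:-mycompany-certs}"

# Private CA plus a wildcard leaf whose SAN covers *.$domain; Envoy and clients
# match hostnames against the SAN, so a CN of "mycompany" never matches anything.
make_certs() {
  local dir="$1" domain="$2"
  mkdir -p "$dir"
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj "/O=mycompany Inc./CN=mycompany root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 \
    -subj "/CN=*.$domain/O=apps from mycompany" \
    -keyout "$dir/wildcard.key" -out "$dir/wildcard.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.%s,DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$domain" "$domain" >"$dir/san.ext"
  # -CAcreateserial rather than -set_serial 0 (distinct serials per issued leaf);
  # -extfile carries the SAN into the signed certificate.
  openssl x509 -req -sha256 -days 365 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/san.ext" \
    -in "$dir/wildcard.csr" -out "$dir/wildcard.crt" 2>/dev/null
}

# Chain check plus the hostname check a client performs for nginx.$domain.
verify_certs() {
  local dir="$1" domain="$2"
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "nginx.$domain" \
    "$dir/wildcard.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/wildcard.crt" -noout -text | grep -q "DNS:\*\.$domain"
}

# The secret holds the leaf (not the CA) and lives in the gateway namespace:
# credentialName is a bare secret name, "namespace/name" is not valid there.
create_secret() {
  kubectl create secret tls "$SECRET" -n "$NS" \
    --cert="$1/wildcard.crt" --key="$1/wildcard.key" \
    --dry-run=client -o yaml | kubectl apply -f -
}

apply_manifests() {
  kubectl apply -n "$NS" -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata: {name: common-gateway}
spec:
  selector: {istio: ingressgateway}
  servers:
  - port: {number: 443, name: https, protocol: HTTPS}
    hosts: ["*.$DOMAIN"]
    tls: {mode: SIMPLE, credentialName: $SECRET}
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata: {name: nginx-virtualservice}
spec:
  hosts: ["nginx.$DOMAIN"]   # must equal the Host/SNI the ALB forwards, not "nginx"
  gateways: [common-gateway]
  http:
  - route:
    - destination: {host: nginx-service.$NS.svc.cluster.local, port: {number: 80}}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: istio-gateway-external
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: instance
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/certificate-arn: ${ACM_CERT_ARN:?set ACM_CERT_ARN}
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/backend-protocol-version: HTTP2
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/healthcheck-port: status-port
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:   # one routed backend: 443; 15021 is reached by health checks only
      - {path: /, pathType: Prefix, backend: {service: {name: istio-ingressgateway, port: {number: 443}}}}
EOF
}

main() {
  workdir="$(mktemp -d)"
  make_certs "$workdir" "$DOMAIN" && verify_certs "$workdir" "$DOMAIN"
  create_secret "$workdir" && apply_manifests
  echo "client trust anchor: $workdir/ca.crt"
}
if [ "${APPLY:-0}" = "1" ]; then main; fi   # APPLY=1 to touch the cluster
```

Run it as `APPLY=1 ACM_CERT_ARN=arn:aws:acm:... ./setup.sh`; without `APPLY=1` it only defines the functions, so `make_certs` and `verify_certs` can be exercised offline before anything reaches the cluster. Once applied, the in-cluster check from the issue becomes `curl --cacert ca.crt --resolve "nginx.$DOMAIN:443:<gateway address>" https://nginx.$DOMAIN/`, which should return nginx's welcome page rather than a 404, because the SNI and Host now match both the certificate's SAN and the VirtualService host.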