Open jbrook opened 6 years ago
The same problem on IBM Cloud.
The problem seems to be related to Istio auth. I do not see it with install/kubernetes/istio-demo.yaml.
To diagnose the problem, there is no need to create a gateway; it can be diagnosed by running curl from the sleep container (samples/sleep/sleep.yaml).
The steps to reproduce:
kubectl apply -f install/kubernetes/istio-demo-auth.yaml
kubectl label namespace default istio-injection=enabled
kubectl apply -f samples/bookinfo/kube/bookinfo.yaml
kubectl apply -f samples/sleep/sleep.yaml
kubectl exec -it $(kubectl get pod -l app=sleep -o jsonpath='{.items[0].metadata.name}') -c sleep -- curl -v reviews:9080/reviews/1
* Hostname was NOT found in DNS cache
* Trying 172.21.52.247...
* Connected to reviews (172.21.52.247) port 9080 (#0)
> GET /reviews/1 HTTP/1.1
> User-Agent: curl/7.35.0
> Host: reviews:9080
> Accept: */*
>
< HTTP/1.1 200 OK
< x-powered-by: Servlet/3.1
< content-type: application/json
< date: Wed, 06 Jun 2018 16:43:23 GMT
< content-language: en-US
< content-length: 295
< x-envoy-upstream-service-time: 1068
* Server envoy is not blacklisted
< server: envoy
<
* Connection #0 to host reviews left intact
{"id": "1","reviews": [{ "reviewer": "Reviewer1", "text": "An extremely entertaining play by Shakespeare. The slapstick humour is refreshing!"},{ "reviewer": "Reviewer2", "text": "Absolutely fun and entertaining. The play lacks thematic depth when compared to other plays by Shakespeare."}]}
istioctl create -f samples/bookinfo/routing/route-rule-all-v1.yaml
kubectl exec -it $(kubectl get pod -l app=sleep -o jsonpath='{.items[0].metadata.name}') -c sleep -- curl -v reviews:9080/reviews/1
* Hostname was NOT found in DNS cache
* Trying 172.21.52.247...
* Connected to reviews (172.21.52.247) port 9080 (#0)
> GET /reviews/1 HTTP/1.1
> User-Agent: curl/7.35.0
> Host: reviews:9080
> Accept: */*
>
< HTTP/1.1 503 Service Unavailable
< content-length: 57
< content-type: text/plain
< date: Wed, 06 Jun 2018 16:50:21 GMT
* Server envoy is not blacklisted
< server: envoy
<
* Connection #0 to host reviews left intact
upstream connect error or disconnect/reset before headers
After deleting the rules, reviews becomes available again.
@jbrook Could you please check that Istio without Auth works in your environment? @wattli Could you please check this issue?
Try using
istioctl create -f samples/bookinfo/routing/route-rule-all-v1-mtls.yaml
instead of
istioctl create -f samples/bookinfo/routing/route-rule-all-v1.yaml
Credits go to Kim Christensen, who pointed that out on the istio-users Google group: "BookInfo request routing with 0.8.0 does not work?"
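A check related to the suggestion above, as an added example that is not part of the thread or of the Istio project: it scans DestinationRules for hosts or subsets whose TLS mode is not ISTIO_MUTUAL, the mismatch that shows up as the 503 when auth is enabled. It assumes the mTLS variant of the routing file differs by setting `trafficPolicy.tls.mode: ISTIO_MUTUAL` on each DestinationRule; the sample data is constructed.

```python
import json

# Constructed sample shaped like `kubectl get destinationrules -o json` output
# (not captured from the reporter's cluster).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "reviews", "namespace": "default"},
   "spec": {"host": "reviews",
            "subsets": [{"name": "v1", "labels": {"version": "v1"}}]}},
  {"metadata": {"name": "ratings", "namespace": "default"},
   "spec": {"host": "ratings",
            "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}},
            "subsets": [{"name": "v1", "labels": {"version": "v1"}}]}},
  {"metadata": {"name": "details", "namespace": "default"},
   "spec": {"host": "details",
            "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}},
            "subsets": [{"name": "v1", "labels": {"version": "v1"},
                         "trafficPolicy": {"tls": {"mode": "DISABLE"}}}]}}
]}
""")


def tls_mode(policy):
    """Return the TLS mode set in a trafficPolicy dict, or None if unset."""
    return ((policy or {}).get("tls") or {}).get("mode")


def plaintext_rules(rule_list):
    """List (namespace/name, scope, mode) for scopes not set to ISTIO_MUTUAL."""
    findings = []
    for item in rule_list.get("items", []):
        meta, spec = item["metadata"], item.get("spec", {})
        ident = f'{meta.get("namespace", "default")}/{meta["name"]}'
        # Assumption: with mesh-wide auth on, every rule must opt in to Istio mTLS.
        top = tls_mode(spec.get("trafficPolicy"))
        if top != "ISTIO_MUTUAL":
            findings.append((ident, "host", top))
        for subset in spec.get("subsets", []):
            # A subset-level tls setting overrides the host-level one.
            mode = tls_mode(subset.get("trafficPolicy"))
            if mode is not None and mode != "ISTIO_MUTUAL":
                findings.append((ident, f'subset {subset["name"]}', mode))
    return findings


if __name__ == "__main__":
    for ident, scope, mode in plaintext_rules(SAMPLE):
        print(f"{ident}: {scope} tls mode is {mode or 'unset'}, expected ISTIO_MUTUAL")
```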
@holger-hoffmann Thank you for the reply. But it doesn't work following mTLS auth enabled. Could you please help?
BUG
Istio 0.8.0 LTS release from github releases.
Installed with Istio auth
What happened:
Installed Istio LTS release on GKE and tried to follow Bookinfo tasks. It worked up until creating the default v1 routes for the services. Error message when trying to access http:///productpage:
503 - "upstream connect error or disconnect/reset before headers"
What you expected to happen:
I expected to see the bookinfo page backed by v1 of each of the services.
This works correctly with a slightly older daily release: istio-release-0.8-20180520-18-17
It also fails with a recent daily release: release-0.8-20180605-09-15
How to reproduce it:
Start a GKE 1.9 cluster from Google Cloud Shell:
cluster role bindings:
Download and install Istio 0.8.0:
Enable automatic sidecar injection for the default namespace:
Deploy Bookinfo:
Create gateway and corresponding virtual service:
Find the external IP of the load balancer:
Use the external IP to access the productpage in a browser:
This works.
Create default v1 routing rule according to instructions here:
Try to access the product page in a browser and get a 503 error with the message:
Extra info:
Don't see any errors or requests arriving (after the initial 200s) in istio-proxy sidecar for the productpage pod. It seems to be listening:
istio-ingressgateway pod shows the following logs for a single failed request - note 404s: