istio / ztunnel

The `ztunnel` component of ambient mesh
Apache License 2.0

istio ambient with Ztunnel on premise - XDS client connection error #1362

Closed qfaure closed 1 week ago

qfaure commented 2 weeks ago

Hi everyone,

I'm trying to deploy Istio with ambient mode activated on an on-premise cluster. As a DaemonSet, ztunnel is deployed on both master and worker.

But on master it can reach the Istio control plane:

    warn xds::client:xds{id=12} XDS client connection error: gRPC connection error connecting to https://istiod.istio-system.svc:15012: status: Unknown, message: "client error (Connect)", source: dns error: failed to lookup address information: Name or service not known, retrying in 15s

Ztunnel on the worker is fine. This error only appears on the control plane.

Istio is installed using istioctl:

    istioctl install --set profile=ambient --set components.ingressGateways[0].enabled=true --set components.ingressGateways[0].name=istio-ingressgateway --set components.egressGateways[0].enabled=true --set components.egressGateways[0].name=istio-egressgateway

CoreDNS is deployed on both worker and master, but that doesn't seem to change anything.

Affected version of istio

Complementary information: I'm not using a waypoint. Kubernetes version 1.31.

Thanks in advance for your help

howardjohn commented 2 weeks ago

Ztunnel has an entirely standard Kubernetes networking setup, so if the DNS lookup isn't working, either the Istiod service doesn't exist or your cluster DNS is having issues.

qfaure commented 2 weeks ago

It's working on the workers, as the Istiod service exists. Yes, I think too that it is a DNS issue. I'm looking into why, and how I can troubleshoot this.

hzxuzhonghu commented 1 week ago

If your master is not allowed to deploy applications, you do not need to deploy ztunnel and istio-cni.

For "client error (Connect)", source: dns error: failed to lookup address information: Name or service not known, retrying in 15s, you may need to make sure kube-proxy is there.

qfaure commented 1 week ago

Agree with you about not deploying them on master, but in rare cases I need to be able to run some jobs there.

Kube-proxy is present on each node, but there is a bad configuration of kube-proxy on master:

    "Kube-proxy configuration may be incomplete or incorrect" err="nodePortAddresses is unset; NodePort connections will be accepted on all local IPs. Consider using --nodeport-addresses primary

Seems to be the problem. Thanks for your help.
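The two checks suggested in this thread (does istiod.istio-system.svc resolve from the affected node, and is kube-proxy healthy there) can be run from a probe pod pinned to that node. This is an added troubleshooting helper, not code from the ztunnel project or from anyone in the thread; it assumes kubectl access, a kubeadm-style kube-proxy DaemonSet labelled k8s-app=kube-proxy, and that busybox:1.36 is pullable. The node name dns-probe-master-1 in comments is a constructed example.

```shell
# Added troubleshooting helper (not part of ztunnel or this issue). Assumes kubectl
# access, kube-proxy pods labelled k8s-app=kube-proxy, and a pullable busybox:1.36.
set -eu

ISTIOD_HOST="istiod.istio-system.svc"   # the name ztunnel dials, from the warning
ISTIOD_PORT=15012

# JSON overrides for `kubectl run`: nodeName pins the probe to NODE (bypassing the
# scheduler) and the blanket toleration lets it land on a tainted control-plane node.
render_overrides() {
  printf '{"apiVersion":"v1","spec":{"nodeName":"%s","tolerations":[{"operator":"Exists"}]}}' "$1"
}

# Classify a ztunnel XDS warning: "dns" for a name-resolution failure (this issue),
# "connect" for any other connection failure, "other" for everything else.
classify_xds_error() {
  case "$1" in
    *"dns error"*)              echo dns ;;
    *"client error (Connect)"*) echo connect ;;
    *)                          echo other ;;
  esac
}

# One-shot pod on NODE: print the resolver config it was handed, resolve istiod by
# name and open TCP 15012. Then show kube-proxy's pod and recent warnings on the same
# node, since kube-proxy programs the kube-dns ClusterIP that resolv.conf points at.
probe_node() {
  node="$1"
  kubectl -n default run "dns-probe-${node}" --rm -i --restart=Never \
    --image=busybox:1.36 --overrides="$(render_overrides "$node")" -- \
    sh -c "cat /etc/resolv.conf; nslookup ${ISTIOD_HOST}; nc -zv -w 3 ${ISTIOD_HOST} ${ISTIOD_PORT}"
  kubectl -n kube-system get pods -l k8s-app=kube-proxy -o wide \
    --field-selector "spec.nodeName=${node}"
  for pod in $(kubectl -n kube-system get pods -l k8s-app=kube-proxy -o name \
                 --field-selector "spec.nodeName=${node}"); do
    kubectl -n kube-system logs "$pod" --tail=50 | grep -iE 'warn|error|incomplete' || true
  done
}

# Usage: sh probe.sh <node-name>   (e.g. the constructed name master-1)
if [ -n "${1:-}" ]; then
  probe_node "$1"
fi
```

A resolv.conf pointing at the kube-dns ClusterIP together with a failed nslookup on only one node points at that node's kube-proxy or CNI rather than at ztunnel or CoreDNS itself.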