Open rldourado opened 3 years ago
If it shows all green, it means the certs and routes are created successfully.
Are you deploying your rancher k8s cluster in your localhost minikube? If so, you need to run `minikube tunnel` first. If not, please provide what platform you are using to run the cluster, and provide some details (yaml, describe info) about the istio-ingressgateway service under the istio-system namespace.
The "Default backend -404" message seems to be returned from your nginx ingress. I'm not sure about your nginx config, can you provide some details?
Note: To make sure kalm functions work, traffic should go into istio-ingressgateway first. You can try to set the istio-ingressgateway service as an upstream in your nginx config.
Hi @davidqhr! I'll try to show more details here.
My rancher k8s cluster sits on an air-gapped network. It runs on three Ubuntu 18.04 nodes. It's not on minikube, it is a full k8s implementation. To enter, the traffic passes through an external nginx reverse proxy server. So, I created a DNS entry for kalm.mydomain.com pointing to nginx, which has this configuration:
```nginx
upstream kalm-upstream {
    ip_hash;
    server 192.168.100.1;
    server 192.168.100.2;
    server 192.168.100.3;
}
server {
    listen 80;
    server_name kalm.mydomain.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name kalm.mydomain.com;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
    location / {
        proxy_pass http://kalm-upstream;
        proxy_set_header Host $http_host; # required for docker client's sake
        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 1800s;
    }
}
```
Inside k8s, the `istio-ingressgateway` yaml is:
```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"istio-ingressgateway","install.operator.istio.io/owning-resource":"istiocontrolplane","istio":"ingressgateway","operator.istio.io/component":"IngressGateways","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.6.1","release":"istio"},"name":"istio-ingressgateway","namespace":"istio-system"},"spec":{"ports":[{"name":"status-port","port":15021,"targetPort":15021},{"name":"http2","port":80,"targetPort":8080},{"name":"https","port":443,"targetPort":8443},{"name":"tls","port":15443,"targetPort":15443}],"selector":{"app":"istio-ingressgateway","istio":"ingressgateway"},"type":"LoadBalancer"}}
  creationTimestamp: "2020-09-14T15:36:47Z"
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: istiocontrolplane
    istio: ingressgateway
    operator.istio.io/component: IngressGateways
    operator.istio.io/managed: Reconcile
    operator.istio.io/version: 1.6.1
    release: istio
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:labels:
          .: {}
          f:app: {}
          f:install.operator.istio.io/owning-resource: {}
          f:istio: {}
          f:operator.istio.io/component: {}
          f:operator.istio.io/managed: {}
          f:operator.istio.io/version: {}
          f:release: {}
      f:spec:
        f:externalTrafficPolicy: {}
        f:ports:
          .: {}
          k:{"port":80,"protocol":"TCP"}:
            .: {}
            f:name: {}
            f:port: {}
            f:protocol: {}
            f:targetPort: {}
          k:{"port":443,"protocol":"TCP"}:
            .: {}
            f:name: {}
            f:port: {}
            f:protocol: {}
            f:targetPort: {}
          k:{"port":15021,"protocol":"TCP"}:
            .: {}
            f:name: {}
            f:port: {}
            f:protocol: {}
            f:targetPort: {}
          k:{"port":15443,"protocol":"TCP"}:
            .: {}
            f:name: {}
            f:port: {}
            f:protocol: {}
            f:targetPort: {}
        f:selector:
          .: {}
          f:app: {}
          f:istio: {}
        f:sessionAffinity: {}
        f:type: {}
    manager: operator
    operation: Update
    time: "2020-09-14T15:36:46Z"
  name: istio-ingressgateway
  namespace: istio-system
  resourceVersion: "52628612"
  selfLink: /api/v1/namespaces/istio-system/services/istio-ingressgateway
  uid: 27b6daa4-4394-485a-8e81-304aa7969fbc
spec:
  clusterIP: 10.43.25.27
  externalTrafficPolicy: Cluster
  ports:
  - name: status-port
    nodePort: 30134
    port: 15021
    protocol: TCP
    targetPort: 15021
  - name: http2
    nodePort: 31398
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    nodePort: 31896
    port: 443
    protocol: TCP
    targetPort: 8443
  - name: tls
    nodePort: 32663
    port: 15443
    protocol: TCP
    targetPort: 15443
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer: {}
```
A strange thing is that istio-ingressgateway is still in pending state:
There is an istio-ingressgateway service that is also in pending state:
Thank you for your help!
Interesting, never thought about this architecture pattern. Let me share my thoughts, you can refer to them to solve your problems.
The reason your service is pending is that it looks like you are using a custom-deployed Kubernetes cluster. In this case, there is no LoadBalancer integrated (unlike AWS or Google Cloud). With this default setup, you can only use NodePort.
Your nginx is running as an HTTP reverse proxy in front of kalm and does the TLS termination. Referring to the upstream IPs, I guess your nginx is not running in the cluster, and those IPs are the Kubernetes nodes' IPs. In this case, your servers in the upstream should also contain the node port of the ingress service in kalm. In your case, the port should be 31398. So your upstream should be configured as follows.
```nginx
upstream kalm-upstream {
    ip_hash;
    server 192.168.100.1:31398;
    server 192.168.100.2:31398;
    server 192.168.100.3:31398;
}
```
To be honest, this is not the kalm-recommended way to use it. I can tell a set of kalm functions will not work.
But I look forward to your successful integration of kalm into your environment, because I hope that kalm can be easily integrated into various tool chains.
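The diagnosis in the reply above (a LoadBalancer Service with no address, upstream servers missing the NodePort), together with a check for the deprecated `ssl_protocols` values in the posted nginx config, as an added example that is not part of the original thread or of Kalm. The `audit` function and both embedded samples are constructed here from values posted in the thread; it assumes IPv4 upstream addresses and audits the `http2` port because nginx proxies plain HTTP to the gateway.

```python
import json
import re

# Constructed sample: trimmed `kubectl get svc -o json` style output using the
# port values posted in this thread.
SERVICE_JSON = """
{"spec": {"type": "LoadBalancer", "ports": [
  {"name": "status-port", "port": 15021, "nodePort": 30134},
  {"name": "http2", "port": 80, "nodePort": 31398},
  {"name": "https", "port": 443, "nodePort": 31896}]},
 "status": {"loadBalancer": {}}}
"""

# Constructed sample: an nginx config shaped like the one in the thread.
NGINX_CONF = """
upstream kalm-upstream {
    ip_hash;
    server 192.168.100.1;
    server 192.168.100.2:31398;
}
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1;
}
"""

DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def audit(nginx_conf, service_json, port_name="http2"):
    """Return a list of findings for a proxy placed in front of a NodePort gateway."""
    svc = json.loads(service_json)
    findings = []
    ports = svc["spec"]["ports"]
    node_port = next(p["nodePort"] for p in ports if p["name"] == port_name)
    # A LoadBalancer Service with no ingress entry shows its external IP as <pending>.
    has_address = bool(svc["status"]["loadBalancer"].get("ingress"))
    if svc["spec"]["type"] == "LoadBalancer" and not has_address:
        findings.append("service has no load balancer address; use nodePort %d" % node_port)
    for block in re.findall(r"upstream\s+\S+\s*\{(.*?)\}", nginx_conf, re.S):
        for target in re.findall(r"^\s*server\s+([^;\s]+)", block, re.M):
            host, _, port = target.partition(":")
            if port != str(node_port):
                findings.append("upstream server %s should use port %d" % (host, node_port))
    for protocols in re.findall(r"^\s*ssl_protocols\s+([^;]+);", nginx_conf, re.M):
        weak = sorted(DEPRECATED_TLS & set(protocols.split()))
        if weak:
            findings.append("deprecated ssl_protocols: " + " ".join(weak))
    return findings
```
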
I installed Kalm on a Rancher k8s cluster. The access by `kubectl port-forward ...` is working fine, but when I tried to Finish The Setup Steps, Kalm can't show the load balancer IP address, as shown below:

My k8s cluster is behind an nginx acting as a reverse proxy. I created an entry on my DNS to point to this reverse proxy, and from there, to the actual k8s cluster nodes. When I try to access the URL pointing to Kalm, I receive the following message in the browser:

When I `check and continue`, I receive the message in the image above.

If I `continue anyway` on the Kalm setup screen, after a while it shows all green but it is still not working.

Please help me