zioproto / istio-aks-example

Example of running Istio on AKS
MIT License

Issues while setting hostname to dns hostname instead of "*" in the virtual service #3

Closed syamrag closed 1 year ago

syamrag commented 1 year ago

I have followed the configuration and I was able to access the service by using hostname if I use the below configuration.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: test-virtual-service
spec:
  hosts:
    - "*"
  gateways:
  - istio-system/istio-ingressgateway
  http:
  - match:
    - uri:
        prefix: "/"
    route:
    - destination:
        host: nginx-service.default.svc.cluster.local
        port:
          number: 8080
```

But if I add an external hostname to the hostname field, the service is not loading. Here are my other configurations for the AFD health probe.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-ingressgateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - '*'
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: healthcheck
spec:
  hosts:
    - "*"
  gateways:
    - istio-ingressgateway
  http:
  - match:
    - uri:
        prefix: "/probe"
    rewrite:
        uri: "/healthz/ready"
    route:
    - destination:
        host: "istio-ingressgateway.istio-system.svc.cluster.local"
        port:
          number: 15021
```

zioproto commented 1 year ago

Hello, thanks for reporting this issue. This repository contains 4 examples. I understand you are using the istio-on-aks-with-front-door.

When you set the spec.hosts in the VirtualService, you are filtering on the Host: header in the HTTP request that Azure Front Door makes to the Istio Ingress Gateway.

Azure Front Door will connect to the Istio Ingress Gateway using the IP address of the Azure Private Link Service. The HTTP request should have a Host: header that contains the IP address of the Azure Private Link Service. You should be able to confirm this by looking at the Envoy logs of your Istio ingress gateway.

Here is the list of annotations passed in this example to the Kubernetes service that exposes the Istio ingress gateway: https://github.com/zioproto/istio-aks-example/blob/df31499c14297afbd2932e0f7a2f4d32da4e3b52/istio-on-aks-with-front-door/istio-tf/istio.tf#L68-L80

If you want to use DNS names instead of IPs you can look at the annotation service.beta.kubernetes.io/azure-pls-fqdns, which is currently not used. Full documentation is here: https://cloud-provider-azure.sigs.k8s.io/topics/pls-integration/

The DNS name you want to use in service.beta.kubernetes.io/azure-pls-fqdns should match what you have in spec.hosts in your VirtualService.

Please let me know if this helps.
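
The host filtering described in the comment above, as a simplified model added here for illustration (not code from this repository, Istio or Envoy). It assumes, as the comment states, that Front Door sends the Private Link Service IP as the Host: header; `10.0.0.10` and `app.example.com` are constructed placeholders.

```python
"""Simplified model of Host-header matching at an Istio ingress gateway.
Added illustration; not Istio or Envoy source code."""


def normalize(host_header: str) -> str:
    """Lower-case the Host header value and drop a trailing :port."""
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:80
        return host[1:host.index("]")]
    if host.count(":") == 1:            # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host


def host_matches(pattern: str, host_header: str) -> bool:
    """True if one hosts entry ('*', '*.suffix' or exact) matches the header."""
    pattern = pattern.split("/", 1)[-1].lower()   # Gateway hosts may be 'ns/host'
    host = normalize(host_header)
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # '*.example.com' needs at least one label in front of '.example.com'
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return host == pattern


def is_routed(gateway_hosts, virtualservice_hosts, host_header: str) -> bool:
    """A request is routed only if both the Gateway server and the
    VirtualService have a hosts entry matching the Host header."""
    return (any(host_matches(p, host_header) for p in gateway_hosts)
            and any(host_matches(p, host_header) for p in virtualservice_hosts))


# Constructed sample values (not from the issue).
PLS_IP = "10.0.0.10"            # stand-in for the Private Link Service address
DNS_NAME = "app.example.com"    # stand-in for the external hostname

if __name__ == "__main__":
    # Gateway keeps hosts: ['*']; only the VirtualService hosts list changes.
    for vs_hosts in (["*"], [DNS_NAME]):
        for header in (PLS_IP, DNS_NAME):
            print(vs_hosts, header, is_routed(["*"], vs_hosts, header))
```

With `hosts: ["*"]` both Host values are routed; with the DNS name in `spec.hosts`, a request carrying the IP as Host: no longer matches the VirtualService.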

syamrag commented 1 year ago

Thanks for pointing that out. I was able to get it working by leaving the request header empty in the Terraform configuration for AFD, and that will eventually allow all the hosts.