kubernetesistiokialiistio-kiali

kiali dashboard login fails in istio demo profile

I have installed Istio as described here.

I used istioctl manifest apply --set profile=demo for this purpose. And then installed bookinfo application.

And set kiali to use NordPort using kubectl -n istio-system edit svc kiali.

kubectl -n istio-system get svc kiali shows its NordPort and Ports 20001:32173/TCP

When I try to access kiali dashboard using 192.168.123.456:32173/kiali, with default username and password admin I get following warining.

Your session has expired or was terminated in another window

Why is it happening? I haven't change any default settings.

Kiali pod is running.

As jt97 requested curl -v externalIP:port/kiali

*   Trying 192.168.123.456...
* TCP_NODELAY set
* Connected to 192.168.123.456 (192.168.123.456) port 15029 (#0)
> GET /kiali/ HTTP/1.1
> Host: 192.168.123.456:15029
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< accept-ranges: bytes
< content-length: 2330
< content-type: text/html; charset=utf-8
< last-modified: Mon, 04 May 2020 14:46:17 GMT
< vary: Accept-Encoding
< date: Mon, 04 May 2020 14:59:40 GMT
< x-envoy-upstream-service-time: 0
< server: istio-envoy
<
<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"/><meta name="theme-color" content="#000000"/><base href="/kiali/"/><script type="text/javascript" src="./env.js"></script><link rel="manifest" href="./manifest.json"/><link rel="shortcut icon" href="./kiali_icon_lightbkg_16px.png"/><title>Kiali Console</title><link href="./static/css/2.51abb30a.chunk.css" rel="stylesheet"><link href="./static/css/main.aebbfcdd.chunk.css" rel="stylesheet"></head><body class="pf-m-redhat-font"><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"></div><script>!function(a){function e(e){for(var r,t,n=e[0],o=e[1],i=e[2],u=0,l=[];u<n.length;u++)t=n[u],Object.prototype.hasOwnProperty.call(p,t)&&p[t]&&l.push(p[t][0]),p[t]=0;for(r in o)Object.prototype.hasOwnProperty.call(o,r)&&(a[r]=o[r]);for(s&&s(e);l.length;)l.shift()();return c.push.apply(c,i||[]),f()}function f(){for(var e,r=0;r<c.length;r++){for(var t=c[r],n=!0,o=1;o<t.length;o++){var i=t[o];0!==p[i]&&(n=!1)}n&&(c.splice(r--,1),e=u(u.s=t[0]))}return e}var t={},p={1:0},c=[];function u(e){if(t[e])return t[e].exports;var r=t[e]={i:e,l:!1,exports:{}};return a[e].call(r.exports,r,r.exports,u),r.l=!0,r.exports}u.m=a,u.c=t,u.d=function(e,r,t){u.o(e,r)||Object.defineProperty(e,r,{enumerable:!0,get:t})},u.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},u.t=function(r,e){if(1&e&&(r=u(r)),8&e)return r;if(4&e&&"object"==typeof r&&r&&r.__esModule)return r;var t=Object.create(null);if(u.r(t),Object.defineProperty(t,"default",{enumerable:!0,value:r}),2&e&&"string"!=typeof r)for(var n in r)u.d(t,n,function(e){return r[e]}.bind(null,n));return t},u.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return u.d(r,"a",r),r},u.o=function(e,r){return Object.prototype.hasOwnProperty.call(e,r)},u.p="./";var r=this["webpackJsonp@* Connection #0 to host 192.168.123.456 left intact
kiali/kiali-ui"]=this["webpackJsonp@kiali/kiali-ui"]||[],n=r.push.bind(r);r.push=e,r=r.slice();for(var o=0;o<r.length;o++)e(r[o]);var s=n;f()}([])</script><script src="./static/js/2.f84a82a8.chunk.js"></script><script src="./static/js/main.339a2916.chunk.js"></script></body></html>

Kiali log : /var/log/containers/kiali-869c6894c5-4jp2v_istio-system_kiali-1xxx.log

{"log":"I0505 04:49:19.151849       1 kiali.go:66] Kiali: Version: v1.15.2, Commit: 718aedca76e612e2f95498d022fab1e116613792\n","stream":"stderr","time":"2020-05-05T04:49:19.152333612Z"}
{"log":"I0505 04:49:19.153038       1 kiali.go:205] Using authentication strategy [login]\n","stream":"stderr","time":"2020-05-05T04:49:19.153122786Z"}
{"log":"I0505 04:49:19.158187       1 kiali.go:87] Kiali: Console version: 1.15.1\n","stream":"stderr","time":"2020-05-05T04:49:19.158268318Z"}
{"log":"I0505 04:49:19.158210       1 kiali.go:286] Updating base URL in index.html with [/kiali]\n","stream":"stderr","time":"2020-05-05T04:49:19.158284789Z"}
{"log":"I0505 04:49:19.158840       1 kiali.go:267] Generating env.js from config\n","stream":"stderr","time":"2020-05-05T04:49:19.158915814Z"}
{"log":"I0505 04:49:19.168786       1 server.go:57] Server endpoint will start at [:20001/kiali]\n","stream":"stderr","time":"2020-05-05T04:49:19.168870138Z"}
{"log":"I0505 04:49:19.168813       1 server.go:58] Server endpoint will serve static content from [/opt/kiali/console]\n","stream":"stderr","time":"2020-05-05T04:49:19.16888486Z"}
{"log":"I0505 04:49:19.179424       1 metrics_server.go:18] Starting Metrics Server on [:9090]\n","stream":"stderr","time":"2020-05-05T04:49:19.179497168Z"}
{"log":"I0505 04:49:19.179752       1 kiali.go:137] Secret is now available.\n","stream":"stderr","time":"2020-05-05T04:49:19.17998388Z"}

I found another error, which is not visible at once. When I enter username and password, it gives :

You are logged in, but there was a problem when fetching some required server configurations, try refreshing the page.

Solution

  • As mentioned in istio docs here

    If you want to acces kiali dashboard you should install your istio demo profile with --set values.kiali.enabled=true

    istioctl manifest apply --set profile=demo --set values.kiali.enabled=true

    Then apply virtual service, gateway and destination rule

    cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kiali-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 15029
      name: http-kiali
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kiali-vs
  namespace: istio-system
spec:
  hosts:
  - "*"
  gateways:
  - kiali-gateway
  http:
  - match:
    - port: 15029
    route:
    - destination:
        host: kiali
        port:
          number: 20001
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: kiali
  namespace: istio-system
spec:
  host: kiali
  trafficPolicy:
    tls:
      mode: DISABLE
---
EOF

    Get your external-ip with

    kubectl get svc istio-ingressgateway -n istio-system

    And visit kiali via your browser with http://<EXTERNAL-IP>:15029/and credentials admin:admin.

    Additionally if you want to change the kiali credentials check this stackoverflow question.