istiokiali

Unable to view kiali dashboard


I installed Istion version 1.6.9 with below steps

Install Istio Version 1.6.9
wget https://github.com/istio/istio/releases/download/1.6.9/istio-1.6.9-linux-amd64.tar.gz
tar -xzvf istio-1.6.9-linux-amd64.tar.gz
cd istio-1.6.9
cd bin/
sudo mv istioctl /usr/local/bin/
istioctl --version
istioctl install --set profile=demo

I want to access kiali dashboard but I am unable to figure out how to access!

I can see kiali is running in pod:

kubectl get pods -n istio-system
NAME                                    READY   STATUS    RESTARTS   AGE
grafana-5dc4b4676c-wcb59                1/1     Running   0          32h
istio-egressgateway-5889bb8976-stlqd    1/1     Running   0          32h
istio-ingressgateway-699d97bdbf-w6x46   1/1     Running   0          32h
istio-tracing-8584b4d7f9-p66wh          1/1     Running   0          32h
istiod-86d4497c9-xv2km                  1/1     Running   0          32h
kiali-6f457f5964-6sssn                  1/1     Running   0          32h
prometheus-5d64cf8b79-2kdww             2/2     Running   0          32h

I am able to see the kiali as services as well:

kubectl get svc -n istio-system
NAME                        TYPE           CLUSTER-IP       EXTERNAL-IP                                                                    PORT(S)                                                                      AGE
grafana                     ClusterIP      10.100.101.71    <none>                                                                         3000/TCP                                                                     32h
istio-egressgateway         ClusterIP      10.100.34.75     <none>                                                                         80/TCP,443/TCP,15443/TCP                                                     32h
istio-ingressgateway        LoadBalancer   10.100.84.203    a736b038af6b5478087f0682ddb4dbbb-1317589033.ap-southeast-2.elb.amazonaws.com   15021:31918/TCP,80:32736/TCP,443:30611/TCP,31400:30637/TCP,15443:31579/TCP   32h
istiod                      ClusterIP      10.100.111.159   <none>                                                                         15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP                                32h
jaeger-agent                ClusterIP      None             <none>                                                                         5775/UDP,6831/UDP,6832/UDP                                                   32h
jaeger-collector            ClusterIP      10.100.84.202    <none>                                                                         14267/TCP,14268/TCP,14250/TCP                                                32h
jaeger-collector-headless   ClusterIP      None             <none>                                                                         14250/TCP                                                                    32h
jaeger-query                ClusterIP      10.100.165.216   <none>                                                                         16686/TCP                                                                    32h
kiali                       ClusterIP      10.100.159.127   <none>                                                                         20001/TCP                                                                    32h
prometheus                  ClusterIP      10.100.113.255   <none>                                                                         9090/TCP                                                                     32h
tracing                     ClusterIP      10.100.77.39     <none>                                                                         80/TCP                                                                       32h
zipkin                      ClusterIP      10.100.247.201   <none>                                                                         9411/TCP

I also can see secret is also deployed as below:

kubectl get secrets
NAME                                       TYPE                                  DATA   AGE
default-token-ghz6r                        kubernetes.io/service-account-token   3      8d
sh.helm.release.v1.aws-efs-csi-driver.v1   helm.sh/release.v1                    1      6d
[centos@ip-10-0-0-61 ~]$ kubectl get secrets -n istio-system
NAME                                               TYPE                                  DATA   AGE
default-token-z6t2v                                kubernetes.io/service-account-token   3      32h
istio-ca-secret                                    istio.io/ca-root                      5      32h
istio-egressgateway-service-account-token-c8hfp    kubernetes.io/service-account-token   3      32h
istio-ingressgateway-service-account-token-fx65w   kubernetes.io/service-account-token   3      32h
istio-reader-service-account-token-hxsll           kubernetes.io/service-account-token   3      32h
istiod-service-account-token-zmtsv                 kubernetes.io/service-account-token   3      32h
kiali                                              Opaque                                2      32h
kiali-service-account-token-82gk7                  kubernetes.io/service-account-token   3      32h
prometheus-token-vs4f6                             kubernetes.io/service-account-token   3      32h

I ran all of the above commands on my Linux bastion host, I am hoping that if I open port 20001 on my Linux bastion as well as SG I should be able to access it admin/admin credentials? as like below:

http://10.100.159.127:20001/

My second question is ISTIO as the software is running on my Linux Bastion Server or on my EKS CLuster? My feeling is it is running on the local Bastion Server, but since we used the below commands

kubectl label ns default istio-injection=enabled
kubectl get ns
kubectl label ns jenkins istio-injection=enabled
kubectl label ns spinnaker istio-injection=enabled

Any pods running in these namespaces will have Envoy proxy pod injected automatically, correct?

P.S: I did the below:

nohup istioctl dashboard kiali &

Opened port at the SG level and at the OS level too... still not able to access the Kiali dashboard

http://3.25.217.61:40235/kiali
[centos@ip-10-0-0-61 ~]$ wget http://3.25.217.61:40235/kiali
--2020-09-11 15:56:18--  http://3.25.217.61:40235/kiali
Connecting to 3.25.217.61:40235... failed: Connection refused.

curl ifconfig.co
3.25.217.61

sudo netstat -nap|grep 40235
tcp        0      0 127.0.0.1:40235         0.0.0.0:*               LISTEN      29654/istioctl
tcp6       0      0 ::1:40235               :::*                    LISTEN      29654/istioctl

Truly, unable to understand what is going wrong...


Solution

  • Just run istioctl dashboard kiali.

    Istioctl will create a proxy. Now log in with admin/admin credentials.

    To answer the second question: Istio is running on your cluster and is configure with istioctl, installed on your bastion.

    By labeling a namespace with istio-injection=enabled the sidecar will be injected automatically. If necessary, you can disable the injection for a pod by annotating it like this:

    spec:
      selector:
        matchLabels:
          ...
      template:
        metadata:
          labels:
            ...
          annotations:
            sidecar.istio.io/inject: "false"
    

    Update

    To access kiali without istioctl/kubectl proxy, you have three options. As you found correctly, it depends on the kiali service type:

    1. ClusterIP (default)

    To use the default, set up a route from gateway to kiali service. This is done using VirtualService and DestinationRule. You can than access kiali by eg <ingress-gateway-loadbalancer-id>.amazonaws.com/kiali

    1. NodePort

    You can change type to NodePort by setting the corresponding value on istio installation and access kiali by <ingress-gateway-loadbalancer-id>.amazonaws.com:20001/kiali``

    1. LoadBalancer

    You can change type to LoadBalancer by setting the corresponding value on istio installation. A second elastic load balancer will be created on aws and the kiali service will have an external ip, like the ingressgateway service does. You can now access it by <kiali-loadbalancer-id>.amazonaws.com/kiali

    I would recommend option 1. It's best practice for production and you don't have to dig to deep into istio installation config, which can be overwhelming in the beginning.