Tags: kubernetes, terraform, kubernetes-ingress, istio-gateway

Cannot access container from NodePort using Kubernetes ingress istio


I'm learning Istio, so I followed the instructions here.

As I'm using Terraform, I converted the YAML file to Terraform and installed Istio via Helm:

locals {
  istio_charts_url = "https://istio-release.storage.googleapis.com/charts"
}

resource "helm_release" "istio-base" {
  name             = "istio-base"
  repository       = local.istio_charts_url
  chart            = "base"
  namespace        = "istio-system"
  create_namespace = true

}
resource "helm_release" "istiod" {
  name       = "istiod"
  repository = local.istio_charts_url
  chart      = "istiod"
  namespace  = "istio-system"
  depends_on = [helm_release.istio-base]
}


resource "kubernetes_namespace" "istio-ingress" {
  metadata {
    labels = {
      istio-injection = "enabled"
    }

    name = "istio-ingress"
  }
}

resource "helm_release" "istio-ingress" {
  repository = local.istio_charts_url
  chart      = "gateway"
  name       = "istio-ingress"
  namespace  = kubernetes_namespace.istio-ingress.id
  depends_on = [helm_release.istiod]
  set {
    name  = "service.type"
    value = "NodePort"
  }
}

and application:

### blog page frontend
resource "kubernetes_service" "blog_page" {

  metadata {
    name      = "blog-page"
    namespace = kubernetes_namespace.istio-ingress.id
  }
  spec {

    port {
      port = 5000
      name = "http"
    }
    selector = {
      app = "blog_page"
    }

  }
}


resource "kubernetes_deployment" "blog_page_v1" {
  metadata {
    name      = "blog-page-v1"
    namespace = kubernetes_namespace.istio-ingress.id
  }
  spec {
    replicas = 1
    selector {
      match_labels = {
        app     = "blog_page"
        version = "v1"
      }
    }
    template {
      metadata {
        labels = {
          app     = "blog_page"
          version = "v1"
        }
      }
      spec {
        container {
          image             = "thiv17/blog-service:v1"
          name              = "blog-page"
          image_pull_policy = "Always"

          port {
            container_port = 5000
          }
        }
      }
    }
  }
}


resource "kubernetes_ingress" "istio-app" {
  metadata {
    name        = "istio-app"
    namespace   = kubernetes_namespace.istio-ingress.id
    annotations = {
      "kubernetes.io/ingress.class" = "istio"
    }
  }

  spec {
    rule {
      http {
        path {
          path = "/*"
          backend {
            service_name = kubernetes_service.blog_page.metadata[0].name
            service_port = kubernetes_service.blog_page.spec[0].port[0].port
          }
        }
      }
    }
  }
}

I expected that I could access it via the node port; the Node IP is 10.0.83.140

kubectl describe svc istio-ingress  --namespace=istio-ingress
-----
Port:                     http2  80/TCP
TargetPort:               80/TCP
NodePort:                 http2  30968/TCP
Endpoints:                10.0.91.237:80
Port:                     https  443/TCP

kubectl get pods --selector="app=istio-ingress" --namespace=istio-ingress --output=wide
NAME                             READY   STATUS    RESTARTS   AGE   IP            NODE                                        NOMINATED NODE   READINESS GATES
istio-ingress-5bd77ffbdf-h25vs   1/1     Running   0          24h   10.0.91.237   ip-10-0-83-140.us-west-2.compute.internal   <none>           <none>

However, when I ssh to this node, even though this node is listening on port 30968

[ec2-user@ip-10-0-83-140 ~]$ netstat -plan | grep 30968
(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp        0      0 0.0.0.0:30968           0.0.0.0:*               LISTEN      - 

But I can't access the address http://localhost:30968

*  Trying ::1:30968...
* connect to ::1 port 30968 failed: Connection refused
* Failed to connect to localhost port 30968 after 0 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to localhost port 30968 after 0 ms: Connection refused
[ec2-user@ip-10-0-83-140 ~]$

I also tried to use the public IP (changed the Security Group to open port 30968 publicly) and even changed to use LoadBalancer as well, but still could not access it successfully.

Other debug info

kubectl get pods  --namespace=istio-ingress
NAME                             READY   STATUS    RESTARTS   AGE
blog-api-v1-86789596cf-8rh2j     2/2     Running   0          7h58m
blog-page-v1-54d45997f8-q6h6l    2/2     Running   0          7h58m
blog-page-v2-74b6d4b7c9-bgdrm    2/2     Running   0          7h58m
istio-ingress-5bd77ffbdf-h25vs   1/1     Running   0          24h

kubectl describe ingress istio-app --namespace=istio-ingress
Name:             istio-app
Labels:           <none>
Namespace:        istio-ingress
Address:          
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host        Path  Backends
  ----        ----  --------
  *           
              /*   blog-page:5000 (10.0.81.70:5000,10.0.95.8:5000)
Annotations:  kubernetes.io/ingress.class: istio
Events:       <none>

Full code:

https://gitlab.com/jimmy-pet-projects/terraform-eks-with-monitoring/-/blob/main/modules/kubernetes/istio.tf

https://gitlab.com/jimmy-pet-projects/terraform-eks-with-monitoring/-/blob/main/modules/kubernetes/istio_app.tf


Solution

  • I found the issue: the Helm name should be istio-ingressgateway. I don't understand why its documentation uses istio-ingress:

    $ helm install istio-ingress istio/gateway -n istio-ingress --wait
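
The fix described above, applied to the question's Terraform, as an added example that is not part of the original post. It relies on two behaviours of Istio and its gateway chart: the chart labels the gateway pods `istio=<release name without the "istio-" prefix>`, and Istio's handling of `kubernetes.io/ingress.class: istio` selects pods labelled `istio=ingressgateway` by default. The `data` source and `output` names are hypothetical additions for checking the result.

```hcl
# Added example: only the Helm release name changes. The Terraform resource
# address stays "istio-ingress", so existing references keep working.
resource "helm_release" "istio-ingress" {
  repository = local.istio_charts_url
  chart      = "gateway"

  # Release "istio-ingress"        -> pods labelled istio=ingress        (not selected)
  # Release "istio-ingressgateway" -> pods labelled istio=ingressgateway (selected)
  name = "istio-ingressgateway"

  namespace  = kubernetes_namespace.istio-ingress.id
  depends_on = [helm_release.istiod]

  set {
    name  = "service.type"
    value = "NodePort"
  }
}

# Hypothetical helper: read back the Service the chart creates (it is named
# after the release) so the allocated NodePort is visible after apply.
data "kubernetes_service" "istio_ingressgateway" {
  metadata {
    name      = helm_release.istio-ingress.name
    namespace = kubernetes_namespace.istio-ingress.id
  }
}

output "istio_ingress_http_node_port" {
  # The "http2" port is the one mapped to port 80 in the question's
  # `kubectl describe svc` output.
  value = one([
    for p in data.kubernetes_service.istio_ingressgateway.spec[0].port :
    p.node_port if p.name == "http2"
  ])
}
```

After `terraform apply`, `kubectl get pods -n istio-ingress -l istio=ingressgateway` should list the gateway pod, and `kubectl describe ingress istio-app` should no longer be served by nothing.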