I have configured an application using ArgoCD, which works. Now I wanted to add Istio with an ingress to route traffic to my application, which is on AKS. I didn't enable the Istio add-on on AKS; I am doing it from scratch on my own. First I configured the Gateway, which looks like this:
kubectl get -n second-app-staging gw -o yaml
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1
  kind: Gateway
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"networking.istio.io/v1beta1","kind":"Gateway","metadata":{"annotations":{},"name":"second-app-gateway","namespace":"second-app-staging"},"spec":{"selector":{"istio":"ingressgateway"},"servers":[{"hosts":["*"],"port":{"name":"http","number":80,"protocol":"HTTP"}}]}}
    creationTimestamp: "2025-03-02T20:39:46Z"
    generation: 1
    name: second-app-gateway
    namespace: second-app-staging
    resourceVersion: "1082933"
    uid: 1a0e457a-6514-4a16-bc50-020a8ce07baf
  spec:
    selector:
      istio: ingressgateway
    servers:
    - hosts:
      - '*'
      port:
        name: http
        number: 80
        protocol: HTTP
kind: List
metadata:
  resourceVersion: ""
This is my VirtualService configuration:
kubectl get virtualservice -n second-app-staging -o yaml
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1
  kind: VirtualService
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"networking.istio.io/v1beta1","kind":"VirtualService","metadata":{"annotations":{},"name":"second-app-vs","namespace":"second-app-staging"},"spec":{"gateways":["second-app-gateway"],"hosts":["*"],"http":[{"match":[{"uri":{"prefix":"/"}}],"route":[{"destination":{"host":"staging-welcome-php","port":{"number":8080}}}]}]}}
    creationTimestamp: "2025-03-02T20:41:01Z"
    generation: 1
    name: second-app-vs
    namespace: second-app-staging
    resourceVersion: "1083268"
    uid: 81d97334-79f4-4d81-98b2-d4c5f49dd1ca
  spec:
    gateways:
    - second-app-gateway
    hosts:
    - '*'
    http:
    - match:
      - uri:
          prefix: /
      route:
      - destination:
          host: staging-welcome-php
          port:
            number: 8080
kind: List
metadata:
  resourceVersion: ""
My svc seems to be working:
kubectl get svc -n second-app-staging staging-welcome-php
NAME                  TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
staging-welcome-php   ClusterIP   10.0.132.229   <none>        8080/TCP   23h
And I got an IP address assigned:
kubectl get svc -n istio-system
NAME                   TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)                                      AGE
istio-ingressgateway   LoadBalancer   10.0.178.74   57.151.79.230   15021:31837/TCP,80:30589/TCP,443:31199/TCP   30m
istiod                 ClusterIP      10.0.51.162   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP        30m
When I try to open the http://57.151.79.230/ address I get the message: upstream connect error or disconnect/reset before headers. retried and the latest reset reason: remote connection failure, transport failure reason: TLS_error:|268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end
So I added this part to my gateway.yaml and deployed it again:
- port:
    number: 443
    name: https
    protocol: HTTPS
  tls:
    mode: SIMPLE
    credentialName: my-tls-secret
Then I generated a key with:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=example"
Generating a RSA private key
.............................................+++++
...........................................................................................................+++++
writing new private key to 'tls.key'
Created the secret in Kubernetes with that:
kubectl create -n second-app-staging secret tls my-tls-secret --key=tls.key --cert=tls.crt
secret/my-tls-secret created
Output:
kubectl get secret -n second-app-staging my-tls-secret
NAME            TYPE                DATA   AGE
my-tls-secret   kubernetes.io/tls   2      11s
Now when I try to open https://57.151.79.230/ it can't even open the webpage, just the message "This site can't be reached". What am I missing in my configuration? Why can't I open the webpage?
1 Answer
First of all, your gateway is listening on port 80 only, but you are trying to reach 57.151.79.230 with https.
servers:
- hosts:
  - '*'
  port:
    name: http
    number: 80
    protocol: HTTP
- port:
    name: https
    number: 443
    protocol: HTTPS
  tls:
    mode: SIMPLE
    credentialName: my-tls-secret
  hosts:
  - '*'
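As an added example (not code from the question, the answer, or the Istio project), a small pre-deploy lint in Python that checks the Gateway, Secret and ingress Service combination shown on this page. It assumes the istio-ingressgateway workload runs in istio-system, which is the namespace Istio reads a SIMPLE-mode credentialName secret from; the upstream TLS verification error on port 80 concerns the gateway-to-service hop and is outside what this lint covers.

```python
# Added example, not code from the question or the answer: a pre-deploy lint
# for the Istio ingress objects on this page. Inputs are dicts in the shape
# `kubectl get <kind> -o json` returns; the samples below are constructed from the page.

# Assumption: istio-ingressgateway runs in istio-system (see the svc listing
# above). Istio resolves a credentialName secret from the gateway workload's
# namespace, not from the namespace of the Gateway resource.
GATEWAY_NS = "istio-system"

def lint_gateway(gateway, secrets, ingress_svc):
    """Return a list of findings; an empty list means nothing was detected."""
    findings = []
    exposed = {p["port"] for p in ingress_svc["spec"]["ports"]}
    copies = {}  # secret name -> {namespace: Secret object}
    for s in secrets:
        copies.setdefault(s["metadata"]["name"], {})[s["metadata"]["namespace"]] = s
    for srv in gateway["spec"]["servers"]:
        port, label = srv["port"], srv["port"]["name"]
        if port["number"] not in exposed:
            findings.append(f"{label}: port {port['number']} is not exposed by the ingress Service")
        if port["protocol"] != "HTTPS":
            continue
        tls = srv.get("tls", {})
        cred = tls.get("credentialName")
        if tls.get("mode") == "SIMPLE" and cred:
            found = copies.get(cred, {})
            if GATEWAY_NS not in found:
                where = "found in " + ", ".join(sorted(found)) if found else "not found anywhere"
                findings.append(f"{label}: secret {cred} must exist in {GATEWAY_NS}; {where}")
            elif found[GATEWAY_NS].get("type") != "kubernetes.io/tls":
                findings.append(f"{label}: secret {cred} is not of type kubernetes.io/tls")
    return findings

def secret(name, namespace, typ="kubernetes.io/tls"):
    return {"metadata": {"name": name, "namespace": namespace}, "type": typ}

# Constructed from the page: the Gateway after the https server was added.
SAMPLE_GATEWAY = {"spec": {"selector": {"istio": "ingressgateway"}, "servers": [
    {"hosts": ["*"], "port": {"name": "http", "number": 80, "protocol": "HTTP"}},
    {"hosts": ["*"], "port": {"name": "https", "number": 443, "protocol": "HTTPS"},
     "tls": {"mode": "SIMPLE", "credentialName": "my-tls-secret"}}]}}
# The secret was created with `kubectl create -n second-app-staging secret tls ...`.
SAMPLE_SECRETS = [secret("my-tls-secret", "second-app-staging")]
# Ports of the istio-ingressgateway LoadBalancer Service shown on the page.
SAMPLE_INGRESS_SVC = {"spec": {"ports": [{"port": 15021}, {"port": 80}, {"port": 443}]}}

if __name__ == "__main__":
    for finding in lint_gateway(SAMPLE_GATEWAY, SAMPLE_SECRETS, SAMPLE_INGRESS_SVC):
        print("finding:", finding)
```

To run it against a live cluster, load the three objects with `kubectl get ... -o json` and pass the parsed dicts (the `items` of each listing) to `lint_gateway`.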