The problem I am facing is that my istio-ingressgateway works perfectly fine with a network layer load balancer (L4 load balancer or TCP load balancer), but when I connect istio-ingressgateway to a Layer 7 load balancer by attaching the nodePort to a backend service, HTTP to HTTPS redirection does not work properly: it always gives response code 301, even when I request using the HTTPS protocol.
Viewed 1,273 times
0
-
Do you use GKE? or a custom K8S deployment? – guillaume blaquiere Oct 22 '19 at 16:05
-
I am using GKE. @guillaumeblaquiere – Bhavya Jain Oct 23 '19 at 07:39
-
Do you use the Istio add-on? Or did you install Istio yourself? – guillaume blaquiere Oct 23 '19 at 11:13
-
I installed it myself @guillaumeblaquiere – Bhavya Jain Oct 23 '19 at 12:28
-
Just to understand well: you have an ingress gateway defined by Istio. This gateway has spawned a TCP load balancer on GCP. You have exposed a service as NodePort, defined an Istio gateway and an Istio virtual service, and you can reach your service through the TCP load balancer. Now, you want to create an HTTP load balancer, define the instance group as backend, and reach it in HTTP and HTTPS. Am I correct? The backend is healthy but the response is 301. How do you test your HTTP load balancer? Curl? Via browser? – guillaume blaquiere Oct 23 '19 at 15:33
-
Yeah, you are right: we connect GKE instances as a backend of the load balancer and its health check is perfectly fine. I tested it both ways, with curl and in the browser too. – Bhavya Jain Oct 24 '19 at 06:49
-
How did you get your backend port? Is it in HTTP or HTTPS? – guillaume blaquiere Oct 25 '19 at 10:59
-
I connected it with HTTP NodePort – Bhavya Jain Oct 26 '19 at 06:08
-
I even tried it with the HTTPS port, but the LB is not connected with it, and the load balancer gives 502 @guillaumeblaquiere – Bhavya Jain Oct 26 '19 at 06:09
2 Answers
1
I successfully configured the same architecture. Here are the steps to reproduce:
- Deploy a GKE cluster, either with Istio or with Istio installed afterward.
- Get the istio-ingressgateway NodePort for HTTP:
  ```
  kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}'
  ```
- Create a global load balancer
- Create a backend service and select your cluster's instance group.
- Set the istio-ingressgateway NodePort as the port
- Create a health check on the same NodePort value, in TCP mode
- Configure your URL path
- Validate and wait 5-10 minutes to give the health check time to validate your configuration and route the traffic
Now you can reach your K8S cluster through the Istio NodePort with the global load balancer. Deploy a service on Istio, and you can reach it through the global load balancer.

guillaume blaquiere
-
Did you try HTTPS redirection with the L7 load balancer? Because I am able to connect the application with the L7 load balancer, but HTTPS redirection is not working properly – Bhavya Jain Oct 31 '19 at 06:02
-
@gguillaume-blaquiere Why does the health check have to be in TCP mode? Can't we use an HTTP health check? I tried your approach with an HTTP health check that checks the `/healthz/ready` path of istio-ingressgateway; the health check passes but the app returns 404. – bakadevops Jan 10 '22 at 04:24
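The steps listed in the answer above, written out as `gcloud` commands. This is an added example, not code from the answer's author: the resource names (`istio-hc`, `istio-backend`, `istio-map`, `istio-proxy`, `istio-fr`, `istio-http`), the plain HTTP frontend on port 80, and the helper functions `gateway_node_port` and `lb_plan` are assumptions. The script only prints the commands so they can be reviewed before being run.

```shell
#!/usr/bin/env bash
# Added example: prints (does not run) the gcloud commands for the steps above.
# Resource names such as istio-hc and istio-backend are placeholders.

# Read the ingress gateway's HTTP NodePort (needs kubectl access to the cluster).
gateway_node_port() {
  kubectl -n istio-system get service istio-ingressgateway \
    -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}'
}

# lb_plan NODE_PORT INSTANCE_GROUP ZONE
# Rejects values outside the default NodePort range (30000-32767): a value
# such as 80 means the Service port was read instead of the NodePort.
# Assumption: the cluster keeps the default NodePort range.
lb_plan() {
  plan_port=$1; plan_ig=$2; plan_zone=$3
  case $plan_port in
    ''|*[!0-9]*) echo "node port must be numeric" >&2; return 1 ;;
  esac
  if [ "$plan_port" -lt 30000 ] || [ "$plan_port" -gt 32767 ]; then
    echo "port $plan_port is outside the default NodePort range" >&2
    return 1
  fi
  # Note: set-named-ports replaces any named ports already set on the group.
  cat <<EOF
gcloud compute instance-groups set-named-ports $plan_ig --zone $plan_zone --named-ports istio-http:$plan_port
gcloud compute health-checks create tcp istio-hc --port $plan_port
gcloud compute backend-services create istio-backend --global --protocol HTTP --port-name istio-http --health-checks istio-hc
gcloud compute backend-services add-backend istio-backend --global --instance-group $plan_ig --instance-group-zone $plan_zone
gcloud compute url-maps create istio-map --default-service istio-backend
gcloud compute target-http-proxies create istio-proxy --url-map istio-map
gcloud compute forwarding-rules create istio-fr --global --target-http-proxy istio-proxy --ports 80
EOF
}

# Usage (instance group and zone are yours to fill in):
#   lb_plan "$(gateway_node_port)" INSTANCE_GROUP ZONE
```
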
1
There is an issue on GitHub. Please check: https://github.com/istio/istio/issues/17980

pavansh