
We are using the Prometheus operator and we need to expose Grafana publicly (outside) using Istio: https://github.com/helm/charts/tree/master/stable/prometheus-operator

Normally, when I have an application which I need to expose publicly with Istio, I add something like the following to my microservice, and it works and is exposed outside.

service.yaml

apiVersion: v1
kind: Service
metadata:
  name: po-svc
  namespace: po
spec:
  ports:
    - name: http
      port: 3000
      targetPort: 3000
  selector:
    app: myapp  # I take the name from deployment.yaml in the chart. NOT SURE WHICH VALUE I SHOULD TAKE FROM THE CHART

And add a virtual service

virtualservice.yaml

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: po-virtualservice
  namespace: po
spec:
  gateways:
    - gw-system.svc.cluster.local
  hosts:
    - po.eu.trial.appos.cloud.mvn
  http:
    - route:
        - destination:
            host: po-svc
            port:
              number: 3000

Then I was able to access my application publicly.

Now I want to do the same for Grafana from the prometheus-operator chart.

In values.yaml there is a service entry:

https://github.com/helm/charts/blob/master/stable/prometheus-operator/values.yaml#L576 However, I'm not sure whether it should replace service.yaml and, if so, how to fill in the data like `app: myapp` (which, for a regular application, I take from the `name` field of deployment.yaml) so that the service references the Grafana application.

In addition, in virtualservice.yaml there is a reference to the service (`host: po-svc`).

My question is: how should I fill in those two values so that I can expose Grafana using Istio?

By the way, if I change the values in the chart to LoadBalancer as below, I get a public URL to access it from outside; however, I want to expose it via Istio.

  service:
    portName: service
    type: LoadBalancer

Update

I've created the following virtual service:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: po-virtualservice
  namespace: po
spec:
  gateways:
    - gw-system.svc.cluster.local
  hosts:
    - po.eu.trial.appos.cloud.mvn
  http:
    - route:
        - destination:
            host: po-grafana  # This is the name of the service that the Prometheus operator created when applying the chart.
            port:
              number: 3000

and updated values.yaml as follows:

  service:
    portName: service
    port: 3000
    targetPort: 3000

Now when I open the application URL (po.eu.trial.appos.cloud.mvn) in the browser, I get this error:

upstream connect error or disconnect/reset before headers. reset reason: connection termination

Any idea what could be the problem? How should I trace this issue?

I would think (not 100% sure) that I may be missing something in the service config in the chart, but I'm not sure what...

I've found this post, which has a similar error (but I'm not sure we have the same issue):

https://github.com/istio/istio/issues/19966

However, I'm not sure how I should add the named port to the chart's YAML service definition.

PJEM
  • Is your Istio gateway deployed in the same namespace, with the name `egw-system.svc.cluster.local`? What is your (`PeerAuthentication`) `spec.mtls.mode` for the namespace with grafana? – FL3SH Sep 01 '20 at 16:21
  • @FL3SH - yes, of course; we are using this gateway on other applications that work and are exposed publicly. Regarding `PeerAuthentication`, I'm not sure what it means; how can I check that? Should I run any k8s command to achieve it? But I'm not sure how it is related to my question :) – PJEM Sep 01 '20 at 19:35
  • If you are using `spec.mtls.mode: STRICT` you have to disable `mTLS` for this service – FL3SH Sep 02 '20 at 09:25
  • Why did you create your own service named `po-svc`? prometheus-operator should create a service for grafana. – FL3SH Sep 02 '20 at 09:28
  • @FL3SH - please see my update – PJEM Sep 02 '20 at 09:49
  • @FL3SH - the prometheus operator is creating the service; I took the service name and put it inside the VS host property `host: po-grafana` – PJEM Sep 02 '20 at 09:50
  • Can you add a screenshot from kiali from the namespace where prometheus-operator is deployed? Please also check what your mTLS configuration is right now. – FL3SH Sep 02 '20 at 09:53
  • Have you tried to deploy Istio [grafana](https://istio.io/latest/docs/ops/integrations/grafana/) and [prometheus](https://istio.io/latest/docs/ops/integrations/prometheus/) with the [appropriate](https://istio.io/latest/docs/tasks/observability/gateways/#option-2-insecure-access-http) gw, vs and dr to expose them? Or do you need the prometheus operator? If you need the operator, could you provide information like: what is your Istio version, what is your mTLS configuration (since 1.5 it's STRICT by default if you haven't touched it), is the prometheus operator in an Istio-injected namespace? – Jakub Sep 02 '20 at 10:09
  • @FL3SH - how can I access kiali? Please let me know how I can do it and I'll add a screenshot. One thing that is important to say: when I'm creating an app with the same gw and deploying it to the same namespace po, it works with the configuration I've provided in the post (first service and vs config). I'm not defining any TLS etc., just the `VS` as-is, and adding the application's `service.yaml`, so I would think that the problem is not a GW or TLS issue. – PJEM Sep 02 '20 at 11:45
  • @Jakub - I need to use the `prometheus operator`; I cannot use it standalone. Does it work for you? We need the Prometheus operator grafana as well, not just istio-grafana. How can I get the Istio version on the cluster? (I've full access.) The prometheus operator is in the same namespace where our ops defined the GW, which works for other apps in the same namespace. – PJEM Sep 02 '20 at 11:48
  • @FL3SH - I tried to run `kubectl -n istio-system get svc kiali` and got not found. I checked this namespace and we have only `istio-ingressgateway` and `istio-pilot`. – PJEM Sep 02 '20 at 12:01
  • If you have `istioctl` installed then you can check the version with `istioctl version`. If you don't have istioctl then you can check your istio-ingressgateway image version. About the injection, could you check it with `kubectl get namespace -L istio-injection`? Could you try to add a destination rule similar to this one [here](https://istio.io/latest/docs/tasks/observability/gateways/#option-2-insecure-access-http), which disables TLS? – Jakub Sep 02 '20 at 12:57
  • @Jakub - I've installed istioctl and got `client version: 1.7.0 control plane version: 1.4.3` – PJEM Sep 02 '20 at 13:43
  • @Jakub - when running `kubectl get namespace -L istio-injection` I got a lot of entries – PJEM Sep 02 '20 at 13:44
  • If it's possible, could you check if it works if you change your host in the gateway and vs from `po.eu.trial.appos.cloud.mvn` to `"*"`? I have checked now and it works for me, but I have a 503 issue with any host other than `"*"`. About kubectl get namespace, try `kubectl get namespace -L istio-injection | grep po` – Jakub Sep 02 '20 at 13:47
  • @Jakub - when checking it with `"*"` I got an error in the browser; using the gw I got `upstream connect error or disconnect/reset before headers. reset reason: connection termination` – PJEM Sep 02 '20 at 13:58
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/220868/discussion-between-bred-straruts-and-jakub). – PJEM Sep 02 '20 at 13:59

1 Answer


Here is a working example for Istio version 1.7.0:

istioctl version
client version: 1.7.0
control plane version: 1.7.0
data plane version: 1.7.0 (1 proxies)

1. I used `helm fetch` to get the prometheus-operator chart.

helm fetch stable/prometheus-operator --untar

2. I changed these in values.yaml.

Grafana service:

service:
  portName: http-service
  port: 3000
  targetPort: 3000

Grafana host:

hosts:
  - grafana.domain.com

3. I created the po namespace and installed the prometheus operator:

kubectl create namespace po
helm install prometheus-operator ./prometheus-operator -n po

4. I checked the grafana service name with:

kubectl get svc -n po
prometheus-operator-grafana                    ClusterIP

5. I used the YAMLs below for Istio, with the grafana service name, prometheus-operator-grafana, as my VirtualService and DestinationRule host.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: grafana-gateway
  namespace: po
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http-grafana
      protocol: HTTP
    hosts:
    - "grafana.domain.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grafana-vs
  namespace: po
spec:
  hosts:
  - "grafana.domain.com"
  gateways:
  - grafana-gateway
  http:
  - route:
    - destination:
        host: prometheus-operator-grafana.po.svc.cluster.local
        port:
          number: 3000
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: grafana
  namespace: po
spec:
  host: prometheus-operator-grafana.po.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE

6. Test with curl; it's 302 instead of 200 as we have to log in.

curl -v -H "host: grafana.domain.com" xx.xx.xxx.xxx/

> GET / HTTP/1.1
> Host: grafana.domain.com
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 302 Found

Let me know if it worked or if you have any other questions. Maybe there is a problem with the 1.4.3 version you use.

Jakub
  • You are amazing!!! I just changed the portName from `portName: service` to `portName: http-service` and it works! – PJEM Sep 02 '20 at 14:22
  • How did you find this property value? – PJEM Sep 02 '20 at 14:23
  • It's 1 of the requirements in istio [documentation](https://istio.io/latest/docs/ops/deployment/requirements/), Named service ports: Service ports may optionally be named to explicitly specify a protocol. See [Protocol Selection](https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/) for more details. – Jakub Sep 02 '20 at 14:27
  • Thanks, you really helped me! – PJEM Sep 02 '20 at 14:27
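The fix above came down to one detail: a Service port named `service` carries no protocol for Istio, while `http-service` does. As an added example (not code from the question, the answer, or the prometheus-operator chart), here is a small Python linter that applies the Istio port-naming rule Jakub cites (`<protocol>[-<suffix>]`, with the protocol list from Istio's protocol-selection docs) to Service manifests in the JSON that `kubectl get svc -o json` prints, so the mistake can be caught across a whole namespace before a VirtualService is written. The two embedded Grafana Service manifests are constructed from the values shown on this page, and the handling of `appProtocol` applies to newer Istio releases only, as noted in the code.

```python
"""Lint Kubernetes Service port names against Istio's protocol-selection rule.

Added example, not part of the original question or answer. Usage:
    kubectl get svc -n po -o json | python3 istio_port_lint.py -
With no argument it lints two constructed Grafana Service manifests instead.
"""
import json
import sys

# Protocols Istio recognizes in a port named <protocol>[-<suffix>] (Istio docs,
# "Protocol Selection"). Ordered longest-first so that 'grpc-web-x' resolves to
# grpc-web rather than grpc, and 'http2-x' to http2 rather than http.
ISTIO_PROTOCOLS = (
    "grpc-web", "grpc", "http2", "https", "http",
    "mongo", "mysql", "redis", "tcp", "tls", "udp",
)


def protocol_from_port_name(name):
    """Return the protocol Istio derives from a Service port name, or None.

    The name must be exactly a known protocol, or a known protocol followed by
    '-' and any suffix ('http-service', 'grpc-web-api'). Names like 'service',
    'grafana' or 'web' carry no protocol; Istio then treats the port as plain
    TCP unless protocol sniffing is enabled. Renaming 'service' to
    'http-service' is exactly the change that fixed the question's error.
    """
    if not name:
        return None
    for proto in ISTIO_PROTOCOLS:
        if name == proto or name.startswith(proto + "-"):
            return proto
    return None


def lint_service(svc):
    """Return findings for one Service manifest (a dict parsed from JSON).

    Each finding is (namespace, service, port_number, port_name, message).
    Ports with appProtocol set are accepted: newer Istio releases prefer
    appProtocol over the name. The 1.4.x control plane in the question only
    looks at the name, so on old clusters keep the name prefixed as well.
    """
    meta = svc.get("metadata", {})
    ns, name = meta.get("namespace", "default"), meta.get("name", "?")
    findings = []
    for port in svc.get("spec", {}).get("ports", []):
        pname = port.get("name", "")
        if port.get("appProtocol"):
            continue
        if protocol_from_port_name(pname) is None:
            findings.append((ns, name, port.get("port"), pname,
                             "no protocol in port name; rename to e.g. "
                             f"'http-{pname or 'web'}'"))
    return findings


def lint(obj):
    """Lint a single Service or a kubectl List ({'kind': 'List', 'items': [...]})."""
    items = obj.get("items", []) if obj.get("kind") == "List" else [obj]
    findings = []
    for item in items:
        if item.get("kind") == "Service":
            findings.extend(lint_service(item))
    return findings


# Constructed sample: the grafana Service roughly as the chart renders it with
# the question's first values (portName: service) and with the fix
# (portName: http-service). Not real kubectl output.
BROKEN_SERVICE = json.loads("""{
  "apiVersion": "v1", "kind": "Service",
  "metadata": {"name": "po-grafana", "namespace": "po"},
  "spec": {"type": "ClusterIP",
           "selector": {"app.kubernetes.io/name": "grafana"},
           "ports": [{"name": "service", "port": 3000, "targetPort": 3000}]}
}""")
FIXED_SERVICE = json.loads("""{
  "apiVersion": "v1", "kind": "Service",
  "metadata": {"name": "po-grafana", "namespace": "po"},
  "spec": {"type": "ClusterIP",
           "selector": {"app.kubernetes.io/name": "grafana"},
           "ports": [{"name": "http-service", "port": 3000, "targetPort": 3000}]}
}""")


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        results = lint(json.load(sys.stdin))
    else:
        results = lint(BROKEN_SERVICE) + lint(FIXED_SERVICE)
    for ns, svc, number, pname, msg in results:
        print(f"{ns}/{svc} port {number} ({pname!r}): {msg}")
    sys.exit(1 if results else 0)
```

Run against the constructed samples it reports only `po/po-grafana port 3000 ('service')`; piped `kubectl get svc -A -o json` it exits non-zero if any Service in the cluster has an unprefixed port, which makes it usable as a pre-deploy check alongside `istioctl analyze`.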