3

I have installed Istio with the below configuration:

cat << EOF | kubectl apply -f -
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-control-plane
spec:
  # Use the default profile as the base
  # More details at: https://istio.io/docs/setup/additional-setup/config-profiles/
  profile: default
  # Enable the addons that we will want to use
  addonComponents:
    grafana:
      enabled: true
    prometheus:
      enabled: true
    tracing:
      enabled: true
    kiali:
      enabled: true
  values:
    global:
      # Ensure that the Istio pods are only scheduled to run on Linux nodes
      defaultNodeSelector:
        beta.kubernetes.io/os: linux
    kiali:
      dashboard:
        auth:
          strategy: anonymous
  components:
    egressGateways:
    - name: istio-egressgateway
      enabled: true
  meshConfig:
    accessLogFile: /dev/stdout
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
EOF

and have configured the Egress Gateway, Destination Rule & Virtual Service as shown below

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
metadata:
  name: akv2k8s-test
  labels:
    istio-injection: enabled
    azure-key-vault-env-injection: enabled
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: edition-cnn-com
  namespace: akv2k8s-test
spec:
  hosts:
  - edition.cnn.com
  ports:
  - number: 443
    name: https-port
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: edition-cnn-com
  namespace: akv2k8s-test
spec:
  hosts:
  - edition.cnn.com
  tls:
  - match:
    - port: 443
      sniHosts:
      - edition.cnn.com
    route:
    - destination:
        host: edition.cnn.com
        port:
          number: 443
      weight: 100
EOF

When I try to access it, it throws an error:

kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.7/samples/sleep/sleep.yaml -n akv2k8s-test
export SOURCE_POD=$(kubectl get pod -l app=sleep -n akv2k8s-test -o jsonpath={.items..metadata.name})
kubectl exec "$SOURCE_POD" -n akv2k8s-test -c sleep -- curl -sL -o /dev/null -D - https://edition.cnn.com/politics
kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail

[screenshot of the error output]

How do I fix this?

Update: I have also tried the below, but still get the same result:

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: svc-entry
  namespace: akv2k8s-test
spec:
  hosts:
  - google.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
EOF

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ext-res-dr
  namespace: akv2k8s-test
spec:
  host: google.com
EOF

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ext-res-gw
  namespace: akv2k8s-test
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - google.com
    tls:
      mode: PASSTHROUGH
EOF

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ext-res-vs
  namespace: akv2k8s-test
spec:
  hosts:
  - google.com
  gateways:
  - mesh
  - ext-res-gw
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - google.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: google
        port:
          number: 443
  - match:
    - gateways:
      - ext-res-gw
      port: 443
      sniHosts:
      - google.com
    route:
    - destination:
        host: google.com
        port:
          number: 443
      weight: 100
EOF
One Developer
  • There are no logs in the Egress Gateway because you don't use it; you use an Istio ServiceEntry to access the publicly accessible service edition.cnn.com from within your Istio cluster. I have used your yamls on a new GKE cluster and it worked without any issues. You mentioned that you use a Destination Rule, could you add the yaml please? – Jakub Oct 26 '20 at 14:48
  • the exit code 35 is from curl. curl's docs https://curl.haxx.se/libcurl/c/libcurl-errors.html say it is SSL handshake issue. How do you do the SSL termination? – Yuri G. Oct 26 '20 at 23:17
  • How do I fix this? – One Developer Oct 27 '20 at 09:28

1 Answer

4

I'm not sure what's wrong with the first example, as not all the dependencies are there; about the update, there was an issue with your DestinationRule.

It should be

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ext-res-dr
  namespace: akv2k8s-test
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: google

Instead of

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ext-res-dr
  namespace: akv2k8s-test
spec:
  host: google.com

and hosts/sniHosts

It should be

www.google.com

Instead of

google.com

There is a working example for https://www.google.com.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: svc-entry
  namespace: akv2k8s-test
spec:
  hosts:
  - www.google.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS

---

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ext-res-dr
  namespace: akv2k8s-test
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: google
---

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ext-res-gw
  namespace: akv2k8s-test
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - www.google.com
    tls:
      mode: PASSTHROUGH

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ext-res-vs
  namespace: akv2k8s-test
spec:
  hosts:
  - www.google.com
  gateways:
  - mesh
  - ext-res-gw
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - www.google.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: google
        port:
          number: 443
  - match:
    - gateways:
      - ext-res-gw
      port: 443
      sniHosts:
      - www.google.com
    route:
    - destination:
        host: www.google.com
        port:
          number: 443
      weight: 100

And here are the registry mode, the curl output and the egress logs.

kubectl get istiooperator istio-control-plane -n istio-system -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'
REGISTRY_ONLY

kubectl exec "$SOURCE_POD" -n akv2k8s-test -c sleep -- curl -sL -o /dev/null -D - https://www.google.com
HTTP/2 200

kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail
[2020-10-27T14:16:37.735Z] "- - -" 0 - "-" "-" 844 17705 45 - "-" "-" "-" "-" "xxx.xxx.xxx.xxx:443" outbound|443||www.google.com xx.xx.xx.xx:59814 xx.xx.xx.xx:8443 1xx.xx.xx.xx:33112 www.google.com -
[2020-10-27T14:18:45.896Z] "- - -" 0 - "-" "-" 883 17647 38 - "-" "-" "-" "-" "xxx.xxx.xxx.xxx:443" outbound|443||www.google.com xx.xx.xx.xx:56834 xx.xx.xx.xx:8443 xx.xx.xx.xx:33964 www.google.com -

Please refer to this documentation.

Jakub
  • Great, it works like a charm. I have spent 2 days and couldn't make it work. Thanks a lot. – One Developer Oct 27 '20 at 14:56
  • Can you please briefly explain the difference between tls: - match: - gateways: - mesh and - match: - gateways: - ext-res-gw port: 443 – One Developer Oct 27 '20 at 14:57
  • I would assume that - match: - gateways: - ext-res-gw will be hit first, which would redirect the request to the mesh gateway, which is defined as tls: - match: - gateways: - mesh – One Developer Oct 27 '20 at 14:58
  • Mesh gateway is an internal istio gateway which applies to all the sidecars in the mesh, I know it's not described well anywhere, there is an [example](https://istio.io/latest/docs/reference/config/networking/gateway/) with it. As I mentioned [here](https://stackoverflow.com/a/64549378/11977760), `mesh gateway` is the first sleep target, then from the `mesh gateway` the request goes to `egress gateway`, which in your case is ext-res-gw, then you hit the `external service`, which in your case is `www.google.com`. So the traffic goes like this, sleep -> mesh gateway -> egress gateway -> external – Jakub Oct 27 '20 at 15:03
  • Are there any guidelines available on configuring Prometheus, Grafana and Kiali along with Istio in production? Like secrets, volumes. I have raised a separate question but it got closed. I just need some references if possible. – One Developer Oct 27 '20 at 15:33
  • @KarthikeyanVijayakumar Something like mentioned [here](https://istio.io/latest/docs/tasks/observability/gateways/#option-1-secure-access-https)? But I wouldn't say it's production ready, there is a [comment](https://github.com/istio/istio/issues/17094#issuecomment-531494084) about that from istio dev, `Generally Istio is not trying to manage production grade Prometheus, grafana, etc deployments. We are doing some work to make it easy to integrate istio with your own Prometheus, kiali, etc.` – Jakub Oct 27 '20 at 16:40
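The fix in the accepted answer is a cross-reference problem: the VirtualService sends mesh traffic to `istio-egressgateway.istio-system.svc.cluster.local` with `subset: google`, but the DestinationRule declared that subset for `google.com`, so the subset reference dangled and the egress gateway never received the TLS stream. The comments then spell out the hop order (sidecar via the `mesh` gateway, then the named egress Gateway, then the external host). The script below is an added example, not code from the question, the answer or the Istio project: it lints the four manifests of this TLS-passthrough egress pattern for exactly those dangling references, checks that every external destination is covered by a ServiceEntry when `outboundTrafficPolicy` is `REGISTRY_ONLY` (otherwise the mesh blocks it), and reconstructs the hop chain from the VirtualService. The manifests are constructed in code as plain dicts mirroring the page's YAML, which is the shape `json.load` gives you from `kubectl get <kind> -n <ns> -o json`; the function names (`lint_egress`, `route_chain`, `egress_manifests`) are the example's own. It does not know which external hostname is the right one (the answer's `google.com` to `www.google.com` change), only whether the resources agree with each other.

```python
"""Consistency lint for an Istio TLS-passthrough egress setup (added example).

Checks:
  * a VirtualService destination that names a subset must have a DestinationRule
    whose spec.host is that destination host and which declares the subset;
  * sniHosts must be among the VirtualService hosts, the matched gateway must be
    listed in spec.gateways, and a named Gateway must serve those SNI hosts;
  * under outboundTrafficPolicy REGISTRY_ONLY every non-cluster destination
    needs a ServiceEntry, otherwise the sidecar blocks the connection.
Input is a list of manifests as dicts (what json.load yields from
`kubectl get <kind> -n <ns> -o json` items). The manifests built here are
constructed to mirror the question's update and the answer's fix.
"""
from typing import Dict, List, Set, Tuple

EGRESS_SVC = "istio-egressgateway.istio-system.svc.cluster.local"
NS = "akv2k8s-test"  # namespace used on the page


def _by_kind(manifests: List[dict], kind: str) -> List[dict]:
    return [m for m in manifests if m.get("kind") == kind]


def lint_egress(manifests: List[dict], outbound_policy: str = "REGISTRY_ONLY") -> List[str]:
    """Return a list of findings; an empty list means the resources agree."""
    findings: List[str] = []
    se_hosts = {h for se in _by_kind(manifests, "ServiceEntry") for h in se["spec"]["hosts"]}
    # DestinationRule index: host -> declared subset names
    dr_subsets: Dict[str, Set[str]] = {}
    for dr in _by_kind(manifests, "DestinationRule"):
        spec = dr["spec"]
        dr_subsets.setdefault(spec["host"], set()).update(s["name"] for s in spec.get("subsets", []))
    # Gateway index: resource name -> hosts served by its servers
    gw_hosts = {gw["metadata"]["name"]: {h for srv in gw["spec"]["servers"] for h in srv["hosts"]}
                for gw in _by_kind(manifests, "Gateway")}

    for vs in _by_kind(manifests, "VirtualService"):
        name = vs["metadata"]["name"]
        vs_hosts = set(vs["spec"]["hosts"])
        declared_gws = set(vs["spec"].get("gateways", ["mesh"]))
        for rule in vs["spec"].get("tls", []):
            sni = {h for m in rule["match"] for h in m.get("sniHosts", [])}
            if not sni <= vs_hosts:
                findings.append(f"{name}: sniHosts {sorted(sni - vs_hosts)} are not in spec.hosts")
            for gw in {g for m in rule["match"] for g in m.get("gateways", [])}:
                if gw not in declared_gws:
                    findings.append(f"{name}: match references gateway '{gw}' not listed in spec.gateways")
                if gw != "mesh" and not sni <= gw_hosts.get(gw, set()):
                    findings.append(f"{name}: gateway '{gw}' does not serve sniHosts {sorted(sni)}")
            for dest in (r["destination"] for r in rule["route"]):
                host, subset = dest["host"], dest.get("subset")
                if subset is not None and subset not in dr_subsets.get(host, set()):
                    findings.append(f"{name}: destination {host} subset '{subset}' has no DestinationRule "
                                    f"with host {host} declaring that subset")
                in_cluster = host.endswith(".svc.cluster.local")
                if not in_cluster and outbound_policy == "REGISTRY_ONLY" and host not in se_hosts:
                    findings.append(f"{name}: external destination {host} has no ServiceEntry; "
                                    f"REGISTRY_ONLY will block it")
    return findings


def route_chain(vs: dict) -> List[Tuple[str, str]]:
    """(gateway, destination) pairs in hop order: the rule matched on the 'mesh'
    gateway (every sidecar) fires first, the rule matched on the named egress
    Gateway forwards to the external host."""
    by_gateway: Dict[str, str] = {}
    for rule in vs["spec"].get("tls", []):
        dest = rule["route"][0]["destination"]
        target = dest["host"] + (f"/{dest['subset']}" if "subset" in dest else "")
        for m in rule["match"]:
            for g in m.get("gateways", []):
                by_gateway[g] = target
    chain = [("mesh", by_gateway.pop("mesh"))]
    chain.extend(sorted(by_gateway.items()))
    return chain


def egress_manifests(external_host: str, dr_host: str, dr_subsets: List[str]) -> List[dict]:
    """Constructed manifests mirroring the page's ServiceEntry/DestinationRule/Gateway/VirtualService."""
    def meta(name: str) -> dict:
        return {"name": name, "namespace": NS}
    return [
        {"kind": "ServiceEntry", "metadata": meta("svc-entry"),
         "spec": {"hosts": [external_host], "location": "MESH_EXTERNAL", "resolution": "DNS",
                  "ports": [{"number": 443, "name": "https", "protocol": "HTTPS"}]}},
        {"kind": "DestinationRule", "metadata": meta("ext-res-dr"),
         "spec": {"host": dr_host, "subsets": [{"name": s} for s in dr_subsets]}},
        {"kind": "Gateway", "metadata": meta("ext-res-gw"),
         "spec": {"selector": {"istio": "egressgateway"},
                  "servers": [{"port": {"number": 443, "name": "tls", "protocol": "TLS"},
                               "hosts": [external_host], "tls": {"mode": "PASSTHROUGH"}}]}},
        {"kind": "VirtualService", "metadata": meta("ext-res-vs"),
         "spec": {"hosts": [external_host], "gateways": ["mesh", "ext-res-gw"], "tls": [
             {"match": [{"gateways": ["mesh"], "port": 443, "sniHosts": [external_host]}],
              "route": [{"destination": {"host": EGRESS_SVC, "subset": "google", "port": {"number": 443}}}]},
             {"match": [{"gateways": ["ext-res-gw"], "port": 443, "sniHosts": [external_host]}],
              "route": [{"destination": {"host": external_host, "port": {"number": 443}}, "weight": 100}]}]}},
    ]


BROKEN = egress_manifests("google.com", "google.com", [])            # the question's update
FIXED = egress_manifests("www.google.com", EGRESS_SVC, ["google"])   # the answer's fix

if __name__ == "__main__":
    for label, manifests in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_egress(manifests) or "OK")
    print(route_chain(_by_kind(FIXED, "VirtualService")[0]))
```

Run against a live cluster by replacing the constructed lists with the `items` of `kubectl get serviceentry,destinationrule,gateway,virtualservice -n akv2k8s-test -o json`; the REGISTRY_ONLY check is the one worth keeping in a CI lint, since a host that quietly loses its ServiceEntry surfaces only as the same curl TLS failure the question shows.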