
I am following this guide for a primary-remote setup on different networks.

https://istio.io/latest/docs/setup/install/multicluster/primary-remote_multi-network/

Instead of using the load balancer on the primary to expose istiod, I am trying to use NodePort. I also verified it using netcat and it works. Now, on the remote machine, when I configure using IstioOperator there is an option for remotePilotAddress but no option for the port, i.e. it gets bound to the default 15012. How can I change it to the nodePort on which I have exposed the control plane istiod?

  • Port 15012 is one of the [default](https://istio.io/latest/docs/ops/deployment/requirements/#ports-used-by-istio) ports used by istiod; I think you shouldn't change it. Starting from 1.8 it's added to the default list of ports for the istio-ingressgateway Service for [easier multicluster setup](https://preliminary.istio.io/latest/news/releases/1.8.x/announcing-1.8/upgrade-notes/#avoid-use-of-mesh-expansion-installation-flags). If I understand correctly, remotePilotAddress takes the IP of the first cluster's `ingressgateway LoadBalancer`; have you tried to change it to your `ingressgateway_ip:nodeport`? – Jakub Dec 10 '20 at 08:56
  • Not ingress-gateway, east-west-gateway according to the docs that I have attached. Well, I know that it'll work via `ingressgateway_ip:nodeport` but I don't know where to set it. – Umair Ahmad Dec 10 '20 at 10:54
  • On the remote ingress-gateway, the Envoy proxy is trying to connect to istiod on the primary cluster by default on this port: `connecting to upstream XDS server: istiod-remote.istio-system.svc:15012`. I have tried to edit the pod but couldn't find the port that I can override. – Umair Ahmad Dec 10 '20 at 10:57
  • Have you tried to set the IP in [remotePilotAddress](https://istio.io/latest/docs/setup/install/multicluster/primary-remote_multi-network/#configure-cluster2-as-a-remote)? So it should be `remotePilotAddress: ingressgateway_ip:nodeport`; this command DISCOVERY_ADDRESS just takes the IP of the eastwestgateway load balancer. – Jakub Dec 10 '20 at 11:00
  • @Jakub I have set the IP correctly, and IP resolution proves that too. But I haven't specified the port along with the IP; I have done it like `remotePilotAddress:x.x.x.x`, not `remotePilotAddress:x.x.x.x:PORT`. – Umair Ahmad Dec 10 '20 at 11:11
  • I'm not sure if that works correctly? If you provide only ip, eg `remotePilotAddress:x.x.x.x`, then it's like you provide LoadBalancer IP instead of NodePort, as per kubernetes [documentation](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) NodePort uses `:`. – Jakub Dec 10 '20 at 11:19
  • For anyone else coming across this, remotePilotAddress:x.x.x.x:PORT won't work, it can ONLY be an IP Address. This is confirmed as you'll see the following in the eastwest gateway: `2021-01-29T14:04:21.692559Z warning envoy config StreamAggregatedResources gRPC config stream closed: 14, connection error: desc = "transport: Error while dialing dial tcp: lookup istiod-remote.istio-system.svc on 10.96.0.10:53: no such host"` This is because the Endpoints are never created correctly in the istiod-remote service because it's not a valid IP format. – Wojciech Wieroński Jan 29 '21 at 14:16

1 Answer

So far I couldn't do something like this, but for a home setup you can bind the service to a reachable address, i.e. the node IP on which istiod is running. You can do this via this command:

```
kubectl patch svc istio-eastwestgateway -p '{"spec":{"externalIPs":["x.x.x.x"]}}' -n istio-system
```
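
A pre-flight check for the constraint reported in the comments above (remotePilotAddress must be a bare IP address, and proxies dial port 15012), as an added example that is not part of the original answer or of Istio. The function names, the line-based YAML extraction, the IPv4-only check and the sample address and port are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for remotePilotAddress in an IstioOperator file.
# Line-based extraction (assumption: one "remotePilotAddress:" key per file).

# Succeeds only if $1 is a bare dotted-quad IPv4 address (no port, no hostname).
is_bare_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # the ':' of host:port lands here
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                 # split on dots into function-local $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prints the remotePilotAddress value found in the YAML file $1.
get_remote_pilot_address() {
    sed -n 's/^[[:space:]]*remotePilotAddress:[[:space:]]*//p' "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//" |
        head -n 1
}

# Returns non-zero when the file would produce the "no such host" failure.
check_operator_file() {
    addr=$(get_remote_pilot_address "$1")
    if is_bare_ipv4 "$addr"; then
        echo "OK: remotePilotAddress=$addr (proxies will dial port 15012)"
    else
        echo "REJECT: remotePilotAddress='$addr' is not a bare IPv4 address" >&2
        return 1
    fi
}

# Constructed sample input: the host:port form the comments report as failing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      remotePilotAddress: 192.0.2.10:31012
EOF
check_operator_file "$sample" || echo "fix the value before applying it"
rm -f "$sample"
```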