I have a gRPC server running on a k8s cluster (remote server). I am trying to connect to this service from a gRPC client (local PC). To do so, I use an Istio ingress gateway. But I get a "connection closed" message with error code 14.

Here is my gRPC client:

```go
conn, err := grpc.Dial("service.example.com:80", grpc.WithInsecure())
if err != nil {
    panic(err)
}

c := service.NewServiceClient(conn)

if _, err := c.TestRPC(...); err != nil {
    log.Println(err.Error()) // rpc error: code = Unavailable desc = connection closed
}
```

My Gateway:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: grpc
        protocol: GRPC
      hosts:
        - "*"
```

My VirtualService:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service-vs
spec:
  gateways:
    - gateway
  hosts:
    - "service.example.com"
  http:
    - match:
        - port: 80
      route:
        - destination:
            host: service
            port:
              number: 9000
```

My Service:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: service
  labels:
    app: service
spec:
  ports:
    - port: 9000
      name: grpc
  selector:
    app: service
```

My Deployment:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: service
  labels:
    app: service
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 25%
  selector:
    matchLabels:
      app: service
  template:
    metadata:
      labels:
        app: service
    spec:
      containers:
        - name: service
          image: registry.example.com/user/service:latest
          imagePullPolicy: Always
          ports:
            - name: grpc
              containerPort: 9000
      imagePullSecrets:
        - name: private-registry-secret
```

How can I solve this problem?

p.s.

  • My example.com is under CloudFlare.
  • I have set a DNS A record for service.example.com
  • There are no firewall rules.
  • gRPC connection is on (I think it is not important as it only works for port 443)
Klimbo

1 Answer

I didn't find anything obviously wrong. I guess the host of the VirtualService should be a Kubernetes-internal DNS name, like service.default.svc.cluster.local

HelloWood
  • If so, what URL should I provide when connecting to the k8s cluster? – Klimbo Mar 31 '21 at 15:09
  • @Klimbo Its format is `ServiceName.NameSpace.svc.cluster.local` – HelloWood Apr 01 '21 at 02:04
  • How will I be able to connect to service.default.svc.cluster.local from outside the k8s cluster (from my laptop)? That URL is internal, not external – Klimbo Apr 01 '21 at 07:03
  • @Klimbo Just read my comment: the DNS name is for the VS to proxy to, not for you to access. You only need to access your host `"service.example.com:80"` – HelloWood Apr 01 '21 at 07:43
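
The answer's suggestion written out against the question's VirtualService, as an added example that is not part of the original thread. It assumes the Service lives in the `default` namespace (the namespace used in the answer); the page does not confirm that this change resolves the `Unavailable` error.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service-vs
  namespace: default          # assumption: same namespace as the Service
spec:
  gateways:
    - gateway
  hosts:
    # External name: matched against the :authority the client sends.
    # The client keeps dialing service.example.com:80; this does not change.
    - "service.example.com"
  http:
    - match:
        - port: 80
      route:
        - destination:
            # In-cluster name: only the ingress gateway resolves this,
            # never the external client. Format: <service>.<namespace>.svc.cluster.local
            host: service.default.svc.cluster.local
            port:
              number: 9000    # Service port named "grpc" in the question
```

Istio resolves a short destination name such as `service` relative to the VirtualService's own namespace, so the fully qualified form matters most when the VirtualService and the Service are in different namespaces.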