Need help troubleshooting Istio IngressGateway HTTP ERROR 503


Problem description

My Test Environment Cluster has the following configurations :

Global Mesh Policy (Installed as part of cluster setup by our org) : output of kubectl describe MeshPolicy default

Name:         default
Namespace:
Labels:       operator.istio.io/component=Pilot
              operator.istio.io/managed=Reconcile
              operator.istio.io/version=1.5.6
              release=istio
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"authentication.istio.io/v1alpha1","kind":"MeshPolicy","metadata":{"annotations":{},"labels":{"operator.istio.io/component":...
API Version:  authentication.istio.io/v1alpha1
Kind:         MeshPolicy
Metadata:
  Creation Timestamp:  2020-07-23T17:41:55Z
  Generation:          1
  Resource Version:    1088966
  Self Link:           /apis/authentication.istio.io/v1alpha1/meshpolicies/default
  UID:                 d3a416fa-8733-4d12-9d97-b0bb4383c479
Spec:
  Peers:
    Mtls:
Events:  <none>

The above configuration I believe enables services to receive connections in mTls mode.

DestinationRule : Output of kubectl describe DestinationRule commerce-mesh-port -n istio-system

Name:         commerce-mesh-port
Namespace:    istio-system
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"networking.istio.io/v1alpha3","kind":"DestinationRule","metadata":{"annotations":{},"name":"commerce-mesh-port","namespace"...
API Version:  networking.istio.io/v1beta1
Kind:         DestinationRule
Metadata:
  Creation Timestamp:  2020-07-23T17:41:59Z
  Generation:          1
  Resource Version:    33879
  Self Link:           /apis/networking.istio.io/v1beta1/namespaces/istio-system/destinationrules/commerce-mesh-port
  UID:                 4ef0d49a-88d9-4b40-bb62-7879c500240a
Spec:
  Host:  *
  Ports:
    Name:      commerce-mesh-port
    Number:    16443
    Protocol:  TLS
  Traffic Policy:
    Tls:
      Mode:  ISTIO_MUTUAL
Events:      <none>

Istio Ingress-Gateway :

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: finrpt-gateway
  namespace: finrpt
spec:
  selector:
    istio: ingressgateway # use Istio's default ingress gateway
  servers:
  - port:
      name: https
      number: 443
      protocol: https
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "*"
  - port:
      name: http
      number: 80
      protocol: http
    tls:
      httpsRedirect: true
    hosts:
    - "*"

I created a secret to be used for TLS and using that to terminate the TLS traffic at the gateway (as configured in mode SIMPLE)

Next, I configured my VirtualService in the same namespace and did a URL match for HTTP :

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: finrpt-virtualservice
  namespace: finrpt
spec:
  hosts:
  - "*"
  gateways:
  - finrpt-gateway
  http:
  - match:
    - queryParams:
        target:
          exact: "commercialprocessor"
      ignoreUriCase: true
    route:
    - destination:
        host: finrpt-commercialprocessor
        port:
          number: 8118

The Service CommercialProcessor (ClusterIP) is expecting traffic on HTTP/8118.

With the above setting in place, when I browse to the External IP of my Ingress-Gateway, first I get a certificate error (expected as I am using self-signed for testing) and then on proceeding I get HTTP Error 503.

I am not able to find any useful logs in the gateway, I am wondering if the gateway is unable to communicate to my VirtualService in plaintext (TLS termination) and it is expecting https but I have put it as http? Any help is highly appreciated, I am very new to Istio and I think I might be missing something naive here.

My expectation is : I should be able to hit the Gateway with https, gateway does the termination and forwards the unencrypted traffic to the destination configured in the VirtualService on HTTP port based on URL regex match ONLY (I have to keep URL match part constant here).

Recommended answer

As 503 often occurs and it's hard to find the issue, I set up a little troubleshooting answer: there are other questions with 503 errors which I encountered over several months, with answers, useful information from the Istio documentation, and things I would check.

Examples with 503 error:

  • Istio 503:s between (Public) Gateway and Service
  • IstIO egress gateway gives HTTP 503 error
  • Istio Ingress Gateway with TLS termination returning 503 service unavailable
  • how to terminate ssl at ingress-gateway in istio?
  • Accessing service using istio ingress gives 503 error when mTLS is enabled

Common cause of 503 errors from istio documentation:

  • https://istio.io/docs/ops/best-practices/traffic-management/#avoid-503-errors-while-reconfiguring-service-routes
  • https://istio.io/docs/ops/common-problems/network-issues/#503-errors-after-setting-destination-rule
  • https://istio.io/latest/docs/concepts/traffic-management/#working-with-your-applications

Few things I would check first:

  • Check services ports name, Istio can route correctly the traffic if it knows the protocol. It should be <protocol>[-<suffix>] as mentioned in istio documentation.
  • Check mTLS, if there are any problems caused by mTLS, usually those problems would result in error 503.
  • Check if istio works, I would recommend to apply bookinfo application example and check if it works as expected.
  • Check if your namespace is injected with kubectl get namespace -L istio-injection
  • If the VirtualService using the subsets arrives before the DestinationRule where the subsets are defined, the Envoy configuration generated by Pilot would refer to non-existent upstream pools. This results in HTTP 503 errors until all configuration objects are available to Pilot.

Hope you find this useful.
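The port-name and namespace-injection checks from the list above, as an added shell example that is not part of the original answer. It runs offline on constructed sample output; the kubectl commands noted in the comments are what would produce the real input on a cluster, and the list of protocol prefixes is an assumption taken from the Istio port-naming convention the answer links to.

```shell
#!/bin/sh
# Added example, not from the original question or answer: two offline checks
# for items in the answer's checklist, Service port naming and namespace
# injection. All sample data below is constructed; the kubectl commands in
# the comments are what would feed the functions on a real cluster.

# Protocol prefixes Istio recognises in a Service port name (assumed list for
# Istio 1.5-era releases; a name must be <protocol> or <protocol>-<suffix>).
ISTIO_PROTOCOLS="http http2 https grpc mongo mysql redis tcp tls udp"

# check_port_name NAME: returns 0 when NAME carries a known protocol prefix,
# 1 otherwise (including the empty name of an unnamed port).
check_port_name() {
  name=$1
  [ -n "$name" ] || return 1
  prefix=${name%%-*}            # text before the first '-' is the protocol
  for p in $ISTIO_PROTOCOLS; do
    if [ "$prefix" = "$p" ]; then
      return 0
    fi
  done
  return 1
}

# count_bad_port_names LINES: LINES holds one Service per line as
# "<namespace>/<name> <port-name> [<port-name> ...]". Prints the number of
# ports that fail the convention and warns about each one on stderr.
# Real input (assumed jsonpath; unnamed ports produce no token, so a Service
# whose ports are all unnamed appears with an empty list):
#   kubectl get svc -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{" "}{.spec.ports[*].name}{"\n"}{end}'
count_bad_port_names() {
  bad=0
  while read -r svc pnames; do
    [ -n "$svc" ] || continue
    if [ -z "$pnames" ]; then
      # No names at all: Istio cannot learn the protocol from the port name.
      bad=$((bad + 1))
      printf 'WARN %s: ports are unnamed\n' "$svc" >&2
      continue
    fi
    for pname in $pnames; do
      if ! check_port_name "$pname"; then
        bad=$((bad + 1))
        printf 'WARN %s: port name "%s" has no Istio protocol prefix\n' "$svc" "$pname" >&2
      fi
    done
  done <<EOF
$1
EOF
  echo "$bad"
}

# namespaces_without_injection TABLE: TABLE is the output of
# "kubectl get namespace -L istio-injection"; prints the namespaces whose
# ISTIO-INJECTION column is not "enabled" (missing label or "disabled").
namespaces_without_injection() {
  printf '%s\n' "$1" | awk 'NR > 1 && $4 != "enabled" { print $1 }'
}

# Constructed sample data standing in for the two kubectl commands above.
SAMPLE_PORTS='finrpt/finrpt-commercialprocessor processor
finrpt/finrpt-legacy
default/details http
default/reviews http-web
default/mongodb mongo
kube-system/kube-dns dns dns-tcp'

SAMPLE_NS='NAME           STATUS   AGE   ISTIO-INJECTION
default        Active   30d   enabled
finrpt         Active   5d
istio-system   Active   30d   disabled'

main() {
  bad=$(count_bad_port_names "$SAMPLE_PORTS")
  echo "ports without a protocol prefix: $bad"
  echo "namespaces not injected:"
  namespaces_without_injection "$SAMPLE_NS"
}

main "$@"
```

On the constructed sample the port scan flags four ports (the `processor` name, the unnamed Service, and kube-dns's `dns`/`dns-tcp`) and the namespace scan lists `finrpt` and `istio-system`; replacing the two `SAMPLE_*` strings with real kubectl output turns it into the first two checks of the list.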
