We have exposed istio-ingressgateway using an ingress resource created by aws-alb-ingress-controller.
The ingress-gateway svc is of ClusterIP type. Ingress looks like
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: istio-ingress
  namespace: istio-system
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/group.name: istio
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
spec:
  rules:
    - host: "*.example.com"
      http:
        paths:
          - path: /*
            backend:
              serviceName: istio-ingressgateway
              servicePort: 80
  tls:
    - hosts:
        - "*.example.com"
```
We have two domains,
Now if I create a gateway and virtual service like
```yaml
kind: Gateway
metadata:
  name: istio-addons
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - isito.dev.example.com
      port:
        name: http
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
        - isito.dev.example.com
      port:
        name: https
        number: 443
        protocol: HTTP
```
and
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: istio-addons
  namespace: istio-system
spec:
  gateways:
    - istio-addons
  hosts:
    - isito.dev.jupiter.money
  http:
    - route:
        - destination:
            host: kiali.istio-system.svc.cluster.local
            port:
              number: 20001
    - match:
        - uri:
            prefix: /jaeger
      route:
        - destination:
            host: tracing.istio-system.svc.cluster.local
            port:
              number: 9411
```
External-dns doesn't create any entry in route53 at all. What am I missing?
I have the same problem right now, but it's not the only one.
external-dns expects the Kubernetes Service that is in front of the istio-ingressgateway pod to be of type load balancer. The alternative is to specify the annotation external-dns.alpha.kubernetes.io/target on the Gateway and point it to a DNS record that in turn points to the ALB (to get such a record, you either need to add a host entry in your ingress or add the external-dns.alpha.kubernetes.io/hostname annotation on the ingress).
The next problem that I encountered (although that only happens when you use HTTPS between ALB and ingress gateway) is that specifying a hosts field in the gateway made istio filter for this host in the SNI field, but the ALB is not passing this SNI field along when forwarding the request to the ingress gateway, so this didn't work for me. Instead I needed to set hosts: ['*']. But then again external-dns didn't pick up this Gateway at all.
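A sketch of the annotation-based alternative described in the comment above, added here as an example; it is not configuration posted by anyone in the thread or taken from the external-dns project. The record name `alb.dev.example.com` is an assumed placeholder, and the sketch assumes external-dns runs with both `--source=ingress` and `--source=istio-gateway`.

```yaml
# Step 1: give the ALB a stable DNS name via the hostname annotation on the
# Ingress. alb.dev.example.com is an assumed placeholder record name.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: istio-ingress
  namespace: istio-system
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/group.name: istio
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    external-dns.alpha.kubernetes.io/hostname: alb.dev.example.com
spec:
  rules:
    - host: "*.example.com"
      http:
        paths:
          - path: /*
            backend:
              serviceName: istio-ingressgateway
              servicePort: 80
---
# Step 2: point the Gateway's hosts at that record with the target annotation,
# because the ClusterIP Service in front of the gateway has no load balancer
# address for external-dns to read.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-addons
  namespace: istio-system
  annotations:
    external-dns.alpha.kubernetes.io/target: alb.dev.example.com
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - isito.dev.example.com
      port:
        name: http
        number: 80
        protocol: HTTP
```

With an explicit host on the Gateway, external-dns has a name to publish against the annotated target; the `hosts: ['*']` case mentioned in the comment gives it no concrete hostname.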
@devkid Did you find any solution to this?
@fejta-bot: Closing this issue.