Description
What I'm trying to do is call my app via an AWS LB. I tried all three: ALB, NLB and ELB, but I'm not able to do so. Is this not a valid use case?
AWS LB is listening on 443 and forwarding the TLS/HTTPS request to ingressgateway on port 30443.
My deployment, service and virtual-service are in namespace-1.
```yaml
spec:
  gateways:
  - istio-system/my-gateway
  hosts:
  - links.dev.domain.us
  http:
  - route:
    - destination:
        host: httpbin.namespace-1.svc.cluster.local
        port:
          number: 8000
```
My gateway and secrets are in the istio-system namespace.
```yaml
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*.dev.domain.us'
    port:
      name: http-gw
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - '*.dev.domain.us'
    port:
      name: https-gw
      number: 443
      protocol: HTTPS
    tls:
      credentialName: links-credential
      mode: SIMPLE
```
It works as expected when I hit the service directly as below.

```
# curl -HHost:links.dev.domain.us --resolve "links.dev.domain.us:30443:172.23.8.175" "https://links.dev.domain.us:30443/status/418" -k

    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`
```
But when I try to access the same via the ALB with `curl -XGET https://links.dev.domain.us/status/418 -v --resolve links.dev.domain.us:443:3.213.184.218`, I'm getting 502 Bad Gateway, where `3.213.184.218` is the IP of the ALB.

And for the classic load balancer (ELB) I'm getting 408 REQUEST_TIMEOUT.
Following is what I see in ingressgateway logs.

```
2021-03-12T11:28:44.275090Z debug envoy conn_handler [C961] new connection
2021-03-12T11:28:44.275145Z debug envoy http [C961] new stream
2021-03-12T11:28:44.275166Z debug envoy http [C961][S6781970186881343100] Sending local reply with details http1.codec_error
2021-03-12T11:28:44.275204Z debug envoy http [C961][S6781970186881343100] closing connection due to connection close header
2021-03-12T11:28:44.275224Z debug envoy http [C961][S6781970186881343100] encoding headers via codec (end_stream=false):
':status', '400'
'content-length', '11'
'content-type', 'text/plain'
'date', 'Fri, 12 Mar 2021 11:28:44 GMT'
'server', 'envoy'
'connection', 'close'
2021-03-12T11:28:44.275251Z debug envoy http [C961][S6781970186881343100] doEndStream() resetting stream
2021-03-12T11:28:44.275256Z debug envoy http [C961][S6781970186881343100] stream reset
2021-03-12T11:28:44.275265Z debug envoy connection [C961] closing data_to_write=156 type=2
2021-03-12T11:28:44.275277Z debug envoy connection [C961] setting delayed close timer with timeout 1000 ms
2021-03-12T11:28:44.275291Z debug envoy http [C961] dispatch error: http/1.1 protocol error: HPE_INVALID_METHOD
2021-03-12T11:28:44.275300Z debug envoy connection [C961] closing data_to_write=156 type=2
2021-03-12T11:28:44.275303Z debug envoy connection [C961] remote close
2021-03-12T11:28:44.275306Z debug envoy connection [C961] closing socket: 0
2021-03-12T11:28:44.275352Z debug envoy conn_handler [C961] adding to cleanup list
```
Version (include the output of `istioctl version --remote` and `kubectl version --short` and `helm version --short` if you used Helm)
Istio version - 1.9.1
K8S version - 1.19.8
How was Istio installed?
With Istio operator.
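
An added example, not part of the original issue: a small Python triage helper that groups Envoy debug lines like the ones quoted above by connection ID and extracts the reply status, the local-reply detail, the codec error and whether the peer closed first. The function and field names are illustrative assumptions; the sample input is a subset of the log lines from the issue.

```python
import re
from datetime import datetime, timedelta

# Subset of the ingress gateway debug lines quoted in the issue (field names below are illustrative).
SAMPLE = """\
2021-03-12T11:28:44.275090Z debug envoy conn_handler [C961] new connection
2021-03-12T11:28:44.275166Z debug envoy http [C961][S6781970186881343100] Sending local reply with details http1.codec_error
2021-03-12T11:28:44.275224Z debug envoy http [C961][S6781970186881343100] encoding headers via codec (end_stream=false):
':status', '400'
2021-03-12T11:28:44.275291Z debug envoy http [C961] dispatch error: http/1.1 protocol error: HPE_INVALID_METHOD
2021-03-12T11:28:44.275303Z debug envoy connection [C961] remote close
"""

LINE = re.compile(r"^(\S+)\s+debug\s+envoy\s+\S+\s+\[(C\d+)\](?:\[S\d+\])?\s+(.*)$")
STATUS = re.compile(r"^':status', '(\d{3})'$")
FIELDS = {  # summary key -> pattern applied to the message part of a line
    "reply_details": re.compile(r"Sending local reply with details (\S+)"),
    "codec_error": re.compile(r"dispatch error: .*?(HPE_\w+)"),
}

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")

def summarize(text):
    """Group Envoy debug lines by connection ID and keep the triage fields."""
    conns, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = LINE.match(line)
        if not m:
            # Header dumps carry no connection tag; attach to the last one seen.
            s = STATUS.match(line)
            if s and current:
                conns[current]["status"] = int(s.group(1))
            continue
        ts, current, msg = m.groups()
        c = conns.setdefault(current, {"first": ts, "status": None,
            "reply_details": None, "codec_error": None, "remote_close": False})
        age = parse_ts(ts) - parse_ts(c["first"])
        c["lifetime_us"] = age // timedelta(microseconds=1)
        c["remote_close"] |= msg == "remote close"
        for key, pat in FIELDS.items():
            hit = pat.search(msg)
            if hit:
                c[key] = hit.group(1)
    return conns

if __name__ == "__main__":
    for cid, info in summarize(SAMPLE).items():
        print(cid, info)
```

`HPE_INVALID_METHOD` is the HTTP/1.1 parser's error for a request whose first bytes are not a valid method token, so a connection summarized with that error and a 400 local reply did not present parseable HTTP/1.1 to the listener that accepted it.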