Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-357

OCP4 AWS Istio ingressgateway Load balancer default Health Check doesn't support port other than TCP:31380

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Minor
    • maistra-rc1
    • maistra-0.10.0
    • None
    • None
    • RC1

    Description

      Our test fails on OCP4 AWS . The failed task is :
      https://istio.io/docs/tasks/traffic-management/secure-ingress/mount/
      https://istio.io/docs/tasks/traffic-management/tcp-traffic-shifting/

      After user configure an ingress gateway with port number other than 80 to handle HTTPS traffic or TCP traffic , OpenShift 4 Beta on AWS does not support ingress gateway traffic without an existing service running on ingress gateway port 80.

      This is related to the AWS Load Balancer Health Check default behaviour. The Load Balancer Health Check only checks the first port defined in an istio ingress gateway supported ports list. This port is configured as 80/HTTP:31380/TCP. Without a service running on this port, the Load Balancer Health Check fails.

      In order to check HTTPS or TCP traffic through an ingress gateway, user need to have an existing HTTP service, for example, Bookinfo sample application productpage, running on ingress gateway port 80 first.

      Build: istio maistra-0.9.0
      Environment: OCP 4 AWS
      Test steps:
      https://istio.io/docs/tasks/traffic-management/secure-ingress/mount/
      https://istio.io/docs/tasks/traffic-management/tcp-traffic-shifting/

      Manual fix:
      User need to manually login AWS console and search for the Istio ingressgateway load balancer by pasting the value from
      $ oc -n istio-system get service istio-ingressgateway -o jsonpath='

      {.status.loadBalancer.ingress[0].hostname}

      And then under 'Instances' tab, check Instance Status. If the Status is "OutOfService", then we need to "Edit Health Check" under the "HEALTH check" tab. Update the "Ping Port" value from default "31380" to a running port.

      Issue:
      The ingressgateway service is not working when there is no app running on ingressgateway port 80 (which is mapped to tcp:31380)
      The AWS load balancer health check only checks the first endpoint port from
      $ oc get service -n istio-system istio-ingressgateway

      The default value is 80:31380/TCP in our Istio ingressgateway setup.

      If there is nothing running on that 80:31380/TCP, the AWS load balancer is not working.
      So tests failed when we check traffic through ingressgateway port 31400:31400/TCP or 443:31538/TCP even those ports are configured in the istio-ingressgateway service endpoints.

      Attachments

        Issue Links

          relates to

          Task - Represents a small unit of work that is not end-user facing. MAISTRA-348 OCP4 AWS tcp-traffic-shifting failed when using ingress-gateway route host name

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed

          Activity

            People

              jsantana@redhat.com Jonh Wendell
              yuaxu@redhat.com Yuanlin Xu
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: