Author: Fat toot left guard Gate Bear

preface

Although the title is no pit, but I will encounter and no pit are written, posterity good enjoy the shade!

1. Status code: 426 Upgrade Required

This is a common problem, and the author was quick to find it, but noted it anyway

background

Istio uses Envoy as the data surface to forward HTTP requests. Envoy defaults to HTTP/1.1 or HTTP/2, and returns 426 Upgrade Required when the client uses HTTP/1.0.

Common NGINx scenarios

If you use nginx for proxy_pass reverse proxy, the default is HTTP/1.0, you can display proxy_http_version as 1.1:

Upstream http_backend {server 127.0.0.1:8080; keepalive 16; } server { ... location /http/ { proxy_pass http://http_backend; Proxy_http_version 1.1; proxy_set_header Connection ""; . }}Copy the code

The resources

Envoy won’t connect to my HTTP/1.0 service

2. Status code 404: Not Found

404 is also a common problem, there are many possible, this problem the author checked a day to solve, here only cite their own example for everyone reference

background

The front-end POD1 static resource access is normal, but after the request is forwarded to the backend pod2 through the nginx configuration in POD1, 404 is returned.

Problematic nginx configuration

location /v1/ {
    proxy_set_header Host  $http_host;
    proxy_pass http://ppap.test.svc.cluster.local.:8080/v1/;
}

Copy the code

Modified nginx configuration

location /v1/ {
    proxy_set_header Host "ppap";
    proxy_pass http://ppap.test.svc.cluster.local.:8080/v1/;
}

Copy the code

conclusion

$http_host = $http_host; $http_host = $http_host

The resources

Nginx Proxy Pass to Istio Ingress Gateway 404

3. The front-end JS file is faulty

background

Front-end two versions of Deployment, with one service agent; When the isTIO gateway is not used, an error occurs when accessing the front-end page, and the incorrect JS is refreshed each time

why

When the front-end podA and podB versions are not routed through the ISTIO gateway, static resource requests are load balanced into the podA and podB versions.

However, there are no podA static resources in podB, and podA does not have podB static resources, so an error will be reported when accessing podA static resources.

4. no healthy upstream

background

Upstream is an Envoy and istio uses sidecar as an Envoy

  • Downstream: A Downstream host connects to an Envoy, sends a request and receives a response.

  • Upstream: The Upstream host receives a connection and request from the Envoy and returns a response.

why

There are many reasons why no healthy upstream may be Envoy Envoy unable to find his target

Here’s why:

  • Both VirtualServices are configured with gateways. As a result, a gateway does not know which SVC the traffic goes to. Therefore, you need to delete one gateway

example

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: test-frontend
  namespace: ppap
spec:
  hosts:
  - "*"
  gateways:
  - ppap-gateway
  http:
  - match:
    - headers:
        user_id:
          exact: 952795279527
    route:
    - destination:
        host: test-frontend
        subset: v2
  - route:
    - destination:
        host: test-frontend
        subset: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: test-backend
  namespace: ppap
spec:
  hosts:
  - test-backend
  http:
  - match:
    - headers:
        user_id:
          exact: 952795279527
    route:
    - destination:
        host: test-backend
        subset: v2
  - route:
    - destination:
        host: test-backend
        subset: v1
---

Copy the code

Here’s the difference between the two VirtualServices

hosts:
  - "*"
  gateways:
  - ppap-gateway

Copy the code

If two VirtualServices are mounted to the same Gateway, an error is reported

reference

  • Envoy Chinese document

5. How to install ISTIO in an isolated environment

Usually live network machines cannot connect directly to the Internet, so the installation of ISTIO is a problem. Here is an idea

  1. Upload the image to an accessible mirror repository
  2. The istioctl installation hub is configured for installation
  3. Istioctl itself can be directly uploaded to the corresponding machine through the file

example

istioctl install --set hub=my-hub.cn/istio --set namespace=istio-system --set components.pilot.k8s.hpaSpec.minReplicas=2  --set components.ingressGateways[0].name=istio-ingressgateway --set components.ingressGateways[0].k8s.hpaSpec.minReplicas=2 --set components.ingressGateways[0].k8s.service.type=NodePort -yCopy the code

This article uses the article synchronization assistant to synchronize