AWS NLB's health check fails if nodeports are updated #35348
Comments
I don't see how this can be triggered by Istio specifically? I am not an AWS expert though so maybe it would need to be converted into Istio concepts rather than just "NLB health checks" (i.e. curl reproducer, etc). But in general Ingress gw doesn't care or know about node ports. It just accepts traffic sent to it.
@howardjohn Note that if I don't specify any specific node port (or remove the explicit node port which causes this issue), the new ingress pods come alive and the NLB turns into a healthy state. Note that after the NLB goes into an unhealthy state, the ingress doesn't receive any traffic. Also what's surprising is that the node port for status port works as compared to the http2 and https port. Looking at #28856, I believe this is a similar issue since even that seems to be reproducible when node ports are different. And looking at the recent comment on the issue (#28856 (comment)), it seems something similar is happening during upgrades too. Let me know if you need more details and I can gather the relevant logs etc. Thank you!
#28856 was about the operator unintentionally changing the port. It seems like you are doing it intentionally though?
@howardjohn Yeah, it was an intentional change for some of the use cases we have.
Hi @psibi, I've just tried to expose another port on an existing NLB installed via istio operator. After updating the IstioOperator k8s resource, I see that an AWS target group is created for me with no targets. To get it working, I did the following:
This issue is still present and I don't have enough access to reopen the issue.
This issue is still present and I don't have enough access to reopen the issue.
I can reopen it but I don't see how this is an Istio issue.
Same would happen without Istio?
When I do the same steps for NGINX controller (modifying the ports in the Service manifest), it doesn't happen and the NLB checks work fine.
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2022-04-27. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager.
This issue is still present and I don't have enough access to reopen the issue.
Bug Description
As the issue title explains, if I update the ingress gateway's node
port, then it results in my network load balancer health check failure.
Steps to reproduce:
Click to Expand manifest
the above manifest like this to change the node port:
Click to expand manifest
Surprisingly for the status-port, the health checks are fine. Note that if I change the node port of my Nginx controllers (backed by NLB) - they do work fine.
There is also a similar looking issue opened previously but which has been closed stating that it should be fixed in 1.8+: #28856
Version