No IP Address in Domain Configuration #143

Open
rldourado opened this issue Sep 14, 2020 · 3 comments
@rldourado

I installed Kalm on a Rancher k8s cluster. The access by kubectl port-forward ... is working fine, but when I tried to Finish The Setup Steps, Kalm can't show the load balancer IP address, as shown below:

image

My k8s cluster is behind an nginx acting as a reverse proxy. I created an entry on my DNS to point to this reverse proxy, and from there, to the actual k8s cluster nodes. When I try to access the URL pointing to Kalm, I receive the following message in the browser:

image

When I check and continue, I receive the message on the image above.

If I continue anyway on Kalm setup screen, after a while it shows all green but still not working.

Please help me

@davidqhr
Member

If it shows all green, it means the certs and routes are created successfully.

Are you deploying your rancher k8s cluster in your localhost minikube? If so, you need to run minikube tunnel first. If not, please tell us what platform you are using to run the cluster, and provide some details (yaml, describe info) about the istio-ingressgateway service under the istio-system namespace.

The "Default backend -404" message seems to be returned from your nginx ingress. I'm not sure about your nginx config, can you provide some details?

Note: To make sure kalm functions work, traffic should go into istio-ingressgateway first. You can try to set the istio-ingressgateway service as an upstream in your nginx config.

@rldourado
Author

Hi @davidqhr ! I'll try to show more details here.

My rancher k8s cluster sits on an air-gapped network. It runs on three Ubuntu 18.04 nodes. It's not on minikube; it is a full k8s implementation. To enter, the traffic passes through an external nginx reverse proxy server. So, I created a DNS entry for kalm.mydomain.com pointing to nginx, which has this configuration:

upstream kalm-upstream {
    ip_hash;
    server 192.168.100.1;
    server 192.168.100.2;
    server 192.168.100.3;
}

server {
    listen 80;
    server_name kalm.mydomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name kalm.mydomain.com;

    ssl_protocols        SSLv3 TLSv1;
    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;

    location / {
      proxy_pass        http://kalm-upstream;
      proxy_set_header  Host              $http_host;   # required for docker client's sake
      proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
      proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header  X-Forwarded-Proto $scheme;
      proxy_read_timeout                  1800s;
    }
}

Inside k8s, the istio-ingressgateway yaml is:

apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"istio-ingressgateway","install.operator.istio.io/owning-resource":"istiocontrolplane","istio":"ingressgateway","operator.istio.io/component":"IngressGateways","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.6.1","release":"istio"},"name":"istio-ingressgateway","namespace":"istio-system"},"spec":{"ports":[{"name":"status-port","port":15021,"targetPort":15021},{"name":"http2","port":80,"targetPort":8080},{"name":"https","port":443,"targetPort":8443},{"name":"tls","port":15443,"targetPort":15443}],"selector":{"app":"istio-ingressgateway","istio":"ingressgateway"},"type":"LoadBalancer"}}
  creationTimestamp: "2020-09-14T15:36:47Z"
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: istiocontrolplane
    istio: ingressgateway
    operator.istio.io/component: IngressGateways
    operator.istio.io/managed: Reconcile
    operator.istio.io/version: 1.6.1
    release: istio
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:labels:
          .: {}
          f:app: {}
          f:install.operator.istio.io/owning-resource: {}
          f:istio: {}
          f:operator.istio.io/component: {}
          f:operator.istio.io/managed: {}
          f:operator.istio.io/version: {}
          f:release: {}
      f:spec:
        f:externalTrafficPolicy: {}
        f:ports:
          .: {}
          k:{"port":80,"protocol":"TCP"}:
            .: {}
            f:name: {}
            f:port: {}
            f:protocol: {}
            f:targetPort: {}
          k:{"port":443,"protocol":"TCP"}:
            .: {}
            f:name: {}
            f:port: {}
            f:protocol: {}
            f:targetPort: {}
          k:{"port":15021,"protocol":"TCP"}:
            .: {}
            f:name: {}
            f:port: {}
            f:protocol: {}
            f:targetPort: {}
          k:{"port":15443,"protocol":"TCP"}:
            .: {}
            f:name: {}
            f:port: {}
            f:protocol: {}
            f:targetPort: {}
        f:selector:
          .: {}
          f:app: {}
          f:istio: {}
        f:sessionAffinity: {}
        f:type: {}
    manager: operator
    operation: Update
    time: "2020-09-14T15:36:46Z"
  name: istio-ingressgateway
  namespace: istio-system
  resourceVersion: "52628612"
  selfLink: /api/v1/namespaces/istio-system/services/istio-ingressgateway
  uid: 27b6daa4-4394-485a-8e81-304aa7969fbc
spec:
  clusterIP: 10.43.25.27
  externalTrafficPolicy: Cluster
  ports:
  - name: status-port
    nodePort: 30134
    port: 15021
    protocol: TCP
    targetPort: 15021
  - name: http2
    nodePort: 31398
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    nodePort: 31896
    port: 443
    protocol: TCP
    targetPort: 8443
  - name: tls
    nodePort: 32663
    port: 15443
    protocol: TCP
    targetPort: 15443
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer: {}

A strange thing is that istio-ingressgateway is still in pending state:

image

There is an istio-ingressgateway service that is also in pending state:

image

Thank you for your help!

@davidqhr
Member

Interesting, never thought about this architecture pattern. Let me share my thoughts, you can refer to them to solve your problems.

The reason your service is pending: it looks like you are using a custom-deployed Kubernetes cluster. In this case, there is no LoadBalancer integrated (unlike AWS or Google Cloud). With this default setup, you can only use NodePort.

Your nginx is running as an HTTP reverse proxy in front of kalm, and does the TLS termination.
Referring to the upstream IPs, I guess your nginx is not running in the cluster, and those IPs are the Kubernetes nodes' IPs.
In this case, your servers in the upstream should also contain the node ports of the ingress service in kalm.
In your case, the port should be 31398. So your upstream should be configured as follows.

upstream kalm-upstream {
    ip_hash;
    server 192.168.100.1:31398;
    server 192.168.100.2:31398;
    server 192.168.100.3:31398;
}

To be honest, this is not the kalm-recommended way to use it. I can tell a set of kalm functions will not work.

  • https route should not be used, since your traffic goes into kalm all from the http port.
  • certifications should not be used, since you handle the TLS out of kalm.
  • Kalm may support TCP traffic routing in the future. But your front nginx only runs as an HTTP reverse proxy, I don't think they can work together.

But I look forward to your successful integration of kalm into your environment, because I hope that kalm can be easily integrated into various tool chains.
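
Added example, not part of the original thread and not Kalm's own configuration: the front nginx config posted in this issue, with the upstream pointed at the istio-ingressgateway HTTP NodePort (31398) as suggested in the last comment, and with the posted `ssl_protocols SSLv3 TLSv1` and cipher line replaced by TLS 1.2/1.3 and AEAD suites. The certificate paths are placeholders (the posted config shows none), and `TLSv1.3` assumes nginx 1.13.0 or later built against OpenSSL 1.1.1 or later.

```nginx
upstream kalm-upstream {
    ip_hash;
    # istio-ingressgateway "http2" NodePort (port 80 -> targetPort 8080) on each node
    server 192.168.100.1:31398;
    server 192.168.100.2:31398;
    server 192.168.100.3:31398;
}

server {
    listen 80;
    server_name kalm.mydomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name kalm.mydomain.com;

    # Placeholder paths (assumption): replace with the real certificate and key.
    ssl_certificate     /etc/nginx/tls/kalm.mydomain.com.crt;
    ssl_certificate_key /etc/nginx/tls/kalm.mydomain.com.key;

    # Was: ssl_protocols SSLv3 TLSv1;
    # SSLv3 is deprecated by RFC 7568 and TLS 1.0 by RFC 8996.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Was: ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
    # That string does not exclude RC4, which RFC 7465 prohibits in TLS.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    location / {
        # TLS ends here; traffic to the ingress gateway NodePort is plain HTTP.
        proxy_pass        http://kalm-upstream;
        proxy_set_header  Host              $http_host;
        proxy_set_header  X-Real-IP         $remote_addr;
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_read_timeout                  1800s;
    }
}
```

Running `nginx -t` before reloading confirms the directives parse and the certificate files are readable.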
