This repository has been archived by the owner on Feb 16, 2019. It is now read-only.

Bug: Bookinfo tasks not working with Istio 0.8.0 on GKE #375

Open
jbrook opened this issue Jun 6, 2018 · 4 comments

jbrook commented Jun 6, 2018

BUG

Istio 0.8.0 LTS release from github releases.

Installed with Istio auth

What happened:

Installed Istio LTS release on GKE and tried to follow Bookinfo tasks. It worked up until creating the default v1 routes for the services. Error message when trying to access http://<gateway_url>/productpage:

503 - "upstream connect error or disconnect/reset before headers"

What you expected to happen:

I expected to see the bookinfo page backed by v1 of each of the services.

This works correctly with a slightly older daily release: istio-release-0.8-20180520-18-17

It also fails with a recent daily release: release-0.8-20180605-09-15

How to reproduce it:

Start a GKE 1.9 cluster from Google Cloud Shell:

gcloud container clusters create hello-istio \
    --cluster-version=1.9 \
    --machine-type=n1-standard-2

cluster role bindings:

kubectl create clusterrolebinding cluster-admin-binding \
    --clusterrole=cluster-admin \
    --user=$(gcloud config get-value core/account)

Download and install Istio 0.8.0:

curl -L https://git.io/getLatestIstio | ISTIO_VERSION=0.8.0 sh -
cd ./istio-0.8.0
export PATH=$PWD/bin:$PATH
kubectl apply -f install/kubernetes/istio-demo-auth.yaml

Enable automatic sidecar injection for the default namespace:

kubectl label namespace default istio-injection=enabled

Deploy Bookinfo:

kubectl apply -f samples/bookinfo/kube/bookinfo.yaml

Create gateway and corresponding virtual service:

istioctl create -f samples/bookinfo/routing/bookinfo-gateway.yaml

Find the external IP of the load balancer:

kubectl get svc istio-ingressgateway -n istio-system

Use the external IP to access the productpage in a browser:

http://<external ip>/productpage

This works.

Create default v1 routing rule according to instructions here:

istioctl create -f samples/bookinfo/routing/route-rule-all-v1.yaml

Try to access the product page in a browser and get a 503 error with the message:

upstream connect error or disconnect/reset before headers

Extra info:

Don't see any errors or requests arriving (after the initial 200s) in istio-proxy sidecar for the productpage pod. It seems to be listening:

[2018-06-05 21:49:10.621][14][info][upstream] external/envoy/source/server/lds_api.cc:62] lds: add/update listener '0.0.0.0_9080'
[2018-06-05 21:49:10.622][14][info][upstream] external/envoy/source/server/lds_api.cc:62] lds: add/update listener '0.0.0.0_80'

istio-ingressgateway pod shows the following logs for a single failed request - note 404s:

[2018-06-06T10:59:18.862Z] "GET / HTTP/1.1" 404 NR 0 0 3 - "10.24.0.1" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" "f359ecc8-82d1-9cf1-a4a7-585fdc2feddc" "35.204.229.59:80" "-"
[2018-06-06T10:59:22.233Z] "GET / HTTP/1.1" 404 NR 0 0 2 - "10.164.0.6" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" "210577e4-a3a3-9cbe-98b2-59e94e90306e" "35.204.229.59" "-"
[2018-06-06T10:59:27.667Z] "GET /productpage HTTP/1.1" 503 UC 0 57 1 - "10.164.0.6" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" "cce0f0ae-36a5-93d6-a0e1-9939a4f78515" "35.204.229.59" "10.24.0.14:9080"

@vadimeisenbergibm

The same problem on IBM Cloud.

@vadimeisenbergibm

The problem seems to be related to Istio auth. I do not see it with install/kubernetes/istio-demo.yaml.

To diagnose the problem, there is no need to create a gateway; it can be diagnosed by running curl from the sleep container (samples/sleep/sleep.yaml).

The steps to reproduce:

  1. kubectl apply -f install/kubernetes/istio-demo-auth.yaml
  2. kubectl label namespace default istio-injection=enabled
  3. kubectl apply -f samples/bookinfo/kube/bookinfo.yaml
  4. kubectl apply -f samples/sleep/sleep.yaml

kubectl exec -it $(kubectl get pod -l app=sleep -o jsonpath='{.items[0].metadata.name}') -c sleep -- curl -v reviews:9080/reviews/1
* Hostname was NOT found in DNS cache
*   Trying 172.21.52.247...
* Connected to reviews (172.21.52.247) port 9080 (#0)
> GET /reviews/1 HTTP/1.1
> User-Agent: curl/7.35.0
> Host: reviews:9080
> Accept: */*
> 
< HTTP/1.1 200 OK
< x-powered-by: Servlet/3.1
< content-type: application/json
< date: Wed, 06 Jun 2018 16:43:23 GMT
< content-language: en-US
< content-length: 295
< x-envoy-upstream-service-time: 1068
* Server envoy is not blacklisted
< server: envoy
< 
* Connection #0 to host reviews left intact
{"id": "1","reviews": [{  "reviewer": "Reviewer1",  "text": "An extremely entertaining play by Shakespeare. The slapstick humour is refreshing!"},{  "reviewer": "Reviewer2",  "text": "Absolutely fun and entertaining. The play lacks thematic depth when compared to other plays by Shakespeare."}]}

  5. istioctl create -f samples/bookinfo/routing/route-rule-all-v1.yaml

kubectl exec -it $(kubectl get pod -l app=sleep -o jsonpath='{.items[0].metadata.name}') -c sleep -- curl -v reviews:9080/reviews/1
* Hostname was NOT found in DNS cache
*   Trying 172.21.52.247...
* Connected to reviews (172.21.52.247) port 9080 (#0)
> GET /reviews/1 HTTP/1.1
> User-Agent: curl/7.35.0
> Host: reviews:9080
> Accept: */*
> 
< HTTP/1.1 503 Service Unavailable
< content-length: 57
< content-type: text/plain
< date: Wed, 06 Jun 2018 16:50:21 GMT
* Server envoy is not blacklisted
< server: envoy
< 
* Connection #0 to host reviews left intact
upstream connect error or disconnect/reset before headers

After deleting the rules, reviews becomes available again.

@jbrook Could you please check that Istio without Auth works in your environment?
@wattli Could you please check this issue?

@holger-hoffmann

Try using
istioctl create -f samples/bookinfo/routing/route-rule-all-v1-mtls.yaml
instead of
istioctl create -f samples/bookinfo/routing/route-rule-all-v1.yaml.

Credits go to Kim Christensen, who pointed that out on the istio-users Google group: BookInfo request routing with 0.8.0 does not work?.

@louiscryan louiscryan added this to the 2018/06 Snapshot (pre 1.0) milestone Jun 13, 2018
geeknoid pushed a commit to istio/istio.io that referenced this issue Jun 14, 2018
* Update for installations with mTLS auth enabled

The docs do not provide reference to installations with mTLS auth enabled.  If mTLS auth is enabled and the user goes through the instructions, they will encounter `upstream connect error or disconnect/reset before headers` when the DestinationRule is applied.

istio/old_issues_repo#375 (comment) helped lead to the resolution.

sisiras commented Jun 14, 2018

@holger-hoffmann Thank you for the reply. But it doesn't work following mTLS auth enabled. Could you please help?
