Hi all,
I'm upgrading from hybrid 1.6 to 1.7. The actual runtime pods and cert-manager upgrade went well. I'm having trouble upgrading ASM. I was on ASM 1.9. However, upgrading to ASM 1.10 failed. I removed ASM 1.9 to start afresh. Installing ASM 1.13.9 went well.
I'm using an ingress (maps to a LB) as I need to specify WAF and SSL policies. Accessing the FQDN returns 502.
Is there something I'm missing to "connect" ASM to hybrid pods?
Thanks.
Installation command used:

./asmcli install \
  --verbose \
  --project_id "${PROJECT_ID}" \
  --cluster_name "${CLUSTER_NAME}" \
  --cluster_location "${CLUSTER_LOCATION}" \
  --output_dir "${OUTPUT_DIR}" \
  --custom_overlay "${OVERLAY_FILE}" \
  --enable_all \
  --option legacy-default-ingressgateway

Overlay file used:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        serviceAnnotations:
          cloud.google.com/app-protocols: '{"https":"HTTPS"}'
          cloud.google.com/neg: '{"ingress": true}'
        resources:
          requests:
            cpu: 1000m
        service:
          type: ClusterIP
          ports:
          - name: http-status-port
            port: 15021
          - name: http2
            port: 80
            targetPort: 8080
          - name: https
            port: 443
            targetPort: 8443

ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: apigee-ingress
  namespace: istio-system
  annotations:
    networking.gke.io/v1beta1.FrontendConfig: apigee-frontendconfig
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.global-static-ip-name: "apigee-external-ingress-ip"
spec:
  tls:
  - secretName: apigee-api-cert # self-managed letsencrypt cert
  defaultBackend:
    service:
      name: istio-ingressgateway
      port:
        number: 443

backend.yaml:

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: apigee-backendconfig
  namespace: istio-system
spec:
  healthCheck:
    checkIntervalSec: 30
    port: 15021
    type: HTTP
    requestPath: /healthz/ready
    timeoutSec: 30
  connectionDraining:
    drainingTimeoutSec: 60
  sessionAffinity:
    affinityType: "NONE"
  securityPolicy:
    name: "apigee-waf-security-policy-2021-01"

frontend.yaml:

apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: apigee-frontendconfig
  namespace: istio-system
spec:
  sslPolicy: apigee-ssl-policy-2021-01-gr

I've also patched the istio-ingressgateway service with the following config:

kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
    cloud.google.com/backend-config: '{"ports": {"443":"apigee-backendconfig"}}'

Need to understand more about this pattern. Can you post a system diagram?