ASM 1.13.9 not connecting to hybrid runtime

Hi all,

I'm upgrading from hybrid 1.6 to 1.7. The actual runtime pods and cert-manager upgrade went well. I'm having trouble upgrading ASM. I was on ASM 1.9. However, upgrading to ASM 1.10 failed. I removed ASM 1.9 to start afresh. Installing ASM 1.13.9 went well.

I'm using an ingress (maps to a LB) as I need to specify WAF and SSL policies. Accessing the FQDN returns 502.

Is there something I'm missing to "connect" ASM to hybrid pods?

Thanks.

Installation command used:

./asmcli install \
  --verbose \
  --project_id ${PROJECT_ID} \
  --cluster_name ${CLUSTER_NAME} \
  --cluster_location ${CLUSTER_LOCATION} \
  --output_dir ${OUTPUT_DIR} \
  --custom_overlay ${OVERLAY_FILE} \
  --enable_all \
  --option legacy-default-ingressgateway

Overlay file used:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        k8s:
          serviceAnnotations:
            cloud.google.com/app-protocols: '{"https":"HTTPS"}'
            cloud.google.com/neg: '{"ingress": true}'
          resources:
            requests:
              cpu: 1000m
          service:
            type: ClusterIP
            ports:
              - name: http-status-port
                port: 15021
              - name: http2
                port: 80
                targetPort: 8080
              - name: https
                port: 443
                targetPort: 8443

ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: apigee-ingress
  namespace: istio-system
  annotations:
    networking.gke.io/v1beta1.FrontendConfig: apigee-frontendconfig
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.global-static-ip-name: "apigee-external-ingress-ip"
spec:
  tls:
  - secretName: apigee-api-cert # self-managed letsencrypt cert
  defaultBackend:
    service:
      name: istio-ingressgateway
      port:
        number: 443

backend.yaml:

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: apigee-backendconfig
  namespace: istio-system
spec:
  healthCheck:
    checkIntervalSec: 30
    port: 15021
    type: HTTP
    requestPath: /healthz/ready
  timeoutSec: 30
  connectionDraining:
    drainingTimeoutSec: 60
  sessionAffinity:
    affinityType: "NONE"
  securityPolicy:
    name: "apigee-waf-security-policy-2021-01"

frontend.yaml:

apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: apigee-frontendconfig
  namespace: istio-system
spec:
  sslPolicy: apigee-ssl-policy-2021-01-gr

I've also patched the istio-ingressgateway service with the following config:

apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
    cloud.google.com/backend-config: '{"ports": {"443":"apigee-backendconfig"}}'

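As an added example (not code from the original post, nor from ASM or Apigee), the cross-references between the posted manifests can be checked offline before touching the cluster: the Ingress default backend against the gateway Service ports, the NEG and app-protocols annotations, the backend-config binding for port 443, the BackendConfig health-check port, and the FrontendConfig reference. The manifests are re-typed below as Python dicts constructed from the post; the check_wiring function and its finding messages are my own.

```python
# Constructed from the posted overlay, Ingress, BackendConfig and Service patch.
import json

GATEWAY_SVC = {
    "name": "istio-ingressgateway", "namespace": "istio-system", "type": "ClusterIP",
    "annotations": {
        "cloud.google.com/app-protocols": '{"https":"HTTPS"}',
        "cloud.google.com/neg": '{"ingress": true}',
        "cloud.google.com/backend-config": '{"ports": {"443":"apigee-backendconfig"}}',
    },
    "ports": [{"name": "http-status-port", "port": 15021},
              {"name": "http2", "port": 80}, {"name": "https", "port": 443}],
}
INGRESS = {"namespace": "istio-system", "backend": ("istio-ingressgateway", 443),
           "frontendconfig": "apigee-frontendconfig"}
BACKENDCONFIGS = {"apigee-backendconfig": {"healthCheck": {"port": 15021, "type": "HTTP",
                                                           "requestPath": "/healthz/ready"}}}
FRONTENDCONFIGS = {"apigee-frontendconfig"}


def check_wiring(svc, ingress, backendconfigs, frontendconfigs):
    """Return a list of findings; an empty list means every cross-reference resolves."""
    findings = []
    ann = svc["annotations"]
    ports = {p["port"]: p["name"] for p in svc["ports"]}
    name, port = ingress["backend"]
    if (name, ingress["namespace"]) != (svc["name"], svc["namespace"]):
        findings.append("Ingress backend does not name the gateway Service in its own namespace")
    if port not in ports:
        findings.append(f"Ingress backend port {port} is not exposed by the Service")
    # A ClusterIP Service behind a GKE Ingress needs container-native (NEG) load balancing.
    if svc["type"] == "ClusterIP" and not json.loads(ann.get("cloud.google.com/neg", "{}")).get("ingress"):
        findings.append("ClusterIP Service lacks the cloud.google.com/neg ingress annotation")
    # The LB must speak HTTPS to the 443 port name, or it sends plaintext to a TLS listener.
    protocols = json.loads(ann.get("cloud.google.com/app-protocols", "{}"))
    if port in ports and protocols.get(ports[port]) != "HTTPS":
        findings.append(f"app-protocols does not mark port name '{ports.get(port)}' as HTTPS")
    bc_map = json.loads(ann.get("cloud.google.com/backend-config", "{}")).get("ports", {})
    bc_name = bc_map.get(str(port))
    if bc_name not in backendconfigs:
        findings.append(f"no BackendConfig bound to port {port} (got {bc_name!r})")
    else:  # with NEGs the health-check port is the pod port; 15021 has no targetPort remap here
        hc = backendconfigs[bc_name]["healthCheck"]
        if hc["port"] not in ports:
            findings.append(f"health check port {hc['port']} is not exposed by the Service")
    if ingress["frontendconfig"] not in frontendconfigs:
        findings.append("Ingress references a FrontendConfig that does not exist")
    return findings
```

For the manifests as posted the check returns no findings, so the 502 is not explained by a dangling reference between these objects; the same function flags a backend-config annotation bound to the wrong port or a missing FrontendConfig.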

Need to understand more about this pattern. Can you post a system diagram?