cloud – Preserve client IP address from OVH load balancer

Goal
Set up preserved client addresses with the Istio controller.
What’s Wrong with the OVH Tutorial:
I followed OVH’s guide to preserve client IP addresses.
However, it didn’t solve the issue.
OVH Guide:

Patching with manifest files
Patching with Helm

After patching the Nginx controller, the external IP changed to “ip-xxx-xxx-xxx-xxx.sbg.lb.ovh.net” (unmentioned in the guide, but likely expected behavior).
-> kubectl get service ingress-nginx-controller -n ingress-nginx
NAME                       TYPE           CLUSTER-IP    EXTERNAL-IP                       PORT(S)                      AGE
ingress-nginx-controller   LoadBalancer   10.3.101.52   ip-57-128-40-224.sbg.lb.ovh.net   80:30276/TCP,443:30757/TCP   116m

OVH Guide -> 4. Testing
Encountered Warning:
-> kubectl apply -f echo.yaml
namespace/echo created
deployment.apps/echo-deployment created
service/echo-service created
Warning: annotation "kubernetes.io/ingress.class" is deprecated, please use 'spec.ingressClassName' instead
ingress.networking.k8s.io/echo-ingress created

There’s a warning message stating it works, but the ingress needs patching.
spec:
  ingressClassName: nginx

The warning was added 4 years ago (March 25, 2020) for Kubernetes 1.18 (source).
However, after this step, I couldn’t make a curl request to the LoadBalancer endpoint.
-> curl 57.128.40.224
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx</center>
</body>
</html>

Istio Controller Attempt:
I also tried applying the same changes suggested in the OVH guide to the Istio controller.
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/ovh-loadbalancer-proxy-protocol: "v2"  # changed per the OVH guide
  labels:
    app: istio-ingressgateway
    install.operator.istio.io/owning-resource: unknown
    istio: ingressgateway
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway
  namespace: istio-system
spec:
  ports:
  - name: status-port
    port: 15021
    protocol: TCP
    targetPort: 15021
  - name: http2
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  externalTrafficPolicy: Local  # changed per the OVH guide
  type: LoadBalancer

The same behavior occurred: the LoadBalancer IP changed to “ip-xxx-xxx-xxx-xxx.sbg.lb.ovh.net.”
Previously, HTTP and HTTPS requests worked fine.
Current Issues:
HTTPS requests now fail with an SSL certificate error:
Secure Connection Failed
An error occurred during a connection to mars.orpheo.cloud. Peer reports incompatible or unsupported protocol version.
Error code: SSL_ERROR_PROTOCOL_VERSION_ALERT
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
This website might not support the TLS 1.2 protocol, which is the minimum version supported by Firefox.

With Postman I get this error:
Error: write EPROTO 26611620712840:error:1000042e:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION:../../../../src/third_party/boringssl/src/ssl/tls_record.cc:594:SSL alert number 70

HTTP requests return a “Bad Request” error.
Looking for Guidance:
Do you have any leads that I haven’t tried or explored enough?
Is OVH the Right Choice?
Should I consider switching from OVH? It seems Istio might be more compatible with AWS/GCP/Azure/IBM.
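
Added example (not part of the original post, and not OVH or Istio code): the proxy-protocol "v2" annotation in the Service above asks the load balancer to prepend a binary PROXY protocol v2 header to each TCP connection. This Python example parses that header and reports what a listener sees first on such a connection, before and after the header is consumed. The addresses, ports and ClientHello bytes are constructed samples, and the function names are hypothetical.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 prefix

def build_v2_header(src, dst, sport, dport):
    """Build a PROXY v2 header for TCP over IPv4 (used for constructed input)."""
    addrs = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    addrs += struct.pack("!HH", sport, dport)
    # 0x21 = version 2 + PROXY command, 0x11 = AF_INET + STREAM
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addrs)) + addrs

def parse_v2_header(data):
    """Return (client_ip, client_port, header_len); raise ValueError if invalid."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY v2 header")
    body = data[16:16 + length]
    if ver_cmd & 0x0F == 0:  # LOCAL command (e.g. health check): no client address
        return None, None, 16 + length
    if fam_proto == 0x11 and length >= 12:  # TCP over IPv4
        ip, port = ipaddress.IPv4Address(body[0:4]), body[8:10]
    elif fam_proto == 0x21 and length >= 36:  # TCP over IPv6
        ip, port = ipaddress.IPv6Address(body[0:16]), body[32:34]
    else:
        raise ValueError("unsupported address family or short address block")
    return str(ip), struct.unpack("!H", port)[0], 16 + length

def classify_first_bytes(data):
    """Name what a listener sees at the very start of a connection."""
    if data[:12] == PP2_SIGNATURE:
        return "proxy-v2"
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    if data.split(b" ", 1)[0] in (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"):
        return "http-request"
    return "unknown"

# Constructed sample: documentation-range addresses and a fake ClientHello prefix.
HEADER = build_v2_header("203.0.113.7", "192.0.2.10", 51234, 443)
STREAM = HEADER + b"\x16\x03\x01\x02\x00\x01"

if __name__ == "__main__":
    print(classify_first_bytes(STREAM))  # first bytes as received from the load balancer
    ip, port, n = parse_v2_header(STREAM)
    print(ip, port, classify_first_bytes(STREAM[n:]))  # after the header is consumed
```

A listener that is not set up to consume this header receives the signature bytes where it expects a TLS record or an HTTP request line.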
