
How to solve 'upstream connect error or disconnect/reset before headers. reset reason: connection termination' in Istio?

Submitted by: @import:stackexchange-devops

Problem

I am trying to set up an AWS load balancer (ELB) with SSL, following the instructions at #6566.

The certificate was attached to the ELB.

However, I got the error "upstream connect error or disconnect/reset before headers. reset reason: connection termination" when trying to access our website in the browser.

Our setup without SSL worked before.

I use a custom values.yaml to install Istio (helm template):

helm template ./istio/install/kubernetes/helm/istio --name istio \
--namespace istio-system --values ./mesh/values.yaml | kubectl apply -f -


I have inserted the annotations below into the gateways tag:

istio-ingressgateway:
    serviceAnnotations: 
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:ap-southeast-1:xxxxx:certificate/my-crt"
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"


Here is my gateway.yaml:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-gateway
spec:
  selector:
    istio: ingressgateway #default istio ingressgateway
  servers:
  - port:
      number: 80
      name: http-istio-gateway
      protocol: HTTP
    hosts:
    - "*"
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https-istio-gateway
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: api-gateway
spec:
  gateways:
  - istio-gateway
  hosts:
  - "*"
  http:
  - match:
    - uri:
        prefix: /socket.io/
    route:
    - destination:
        host: api-gateway-ws.default.svc.cluster.local
        port:
          number: 5001
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: api-gateway.default.svc.cluster.local
        port:
          number: 5000

Solution

I encountered the same error but with a different issue. The Service port needed a name added to it: https://github.com/istio/istio/issues/19966. The names also need to follow the format (protocol-suffix): https://istio.io/docs/ops/deployment/requirements/

ports:
    - name: https # Use http or https
      protocol: TCP
      port: 8080
      targetPort: 8080

Context

StackExchange DevOps Q#8167, answer score: 7
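
One way to find Services that break the port-naming rule from the answer above, as an added example that is not part of the original question or answer. It lints `kubectl get svc -o json` output; the protocol list is an assumption based on Istio's protocol selection documentation, and the function names and sample data are constructed for illustration.

```python
import json
import re

# Protocol prefixes for Service port names in the <protocol>[-<suffix>] format.
# Assumption: list as given in Istio's protocol selection docs; adjust to your version.
ISTIO_PROTOCOLS = ("grpc-web", "grpc", "http2", "https", "http",
                   "mongo", "mysql", "redis", "tcp", "tls", "udp")
_PORT_NAME = re.compile(
    r"^(%s)(?:-[a-z0-9-]+)?$" % "|".join(re.escape(p) for p in ISTIO_PROTOCOLS))


def istio_protocol(port_name):
    """Return the protocol prefix found in a port name, or None if there is none."""
    m = _PORT_NAME.match(port_name or "")
    return m.group(1) if m else None


def lint_service_ports(kubectl_json):
    """Return findings for `kubectl get svc -o json` output (a List or one Service)."""
    doc = json.loads(kubectl_json)
    findings = []
    for svc in doc.get("items", [doc]):
        meta = svc.get("metadata", {})
        ident = "%s/%s" % (meta.get("namespace", "default"), meta.get("name"))
        for port in svc.get("spec", {}).get("ports", []):
            name = port.get("name")
            if not name:
                findings.append((ident, port.get("port"), "port has no name"))
            elif istio_protocol(name) is None:
                findings.append((ident, port.get("port"),
                                 "name %r lacks a protocol prefix" % name))
    return findings


# Constructed sample input, not taken from a real cluster.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Service",
     "metadata": {"name": "api-gateway", "namespace": "default"},
     "spec": {"ports": [
         {"protocol": "TCP", "port": 5000, "targetPort": 5000},
         {"name": "web", "protocol": "TCP", "port": 8080, "targetPort": 8080},
         {"name": "https", "protocol": "TCP", "port": 8443, "targetPort": 8443},
         {"name": "http-socketio", "protocol": "TCP", "port": 5001}]}}]})

if __name__ == "__main__":
    for ident, port, problem in lint_service_ports(SAMPLE):
        print("%s port %s: %s" % (ident, port, problem))
```
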
