AWS Cognito failing to authenticate after adding Istio sidecar to pods

I added Istio to my EKS cluster. Sidecars are getting added to every pod and my Kiali dashboard is also up.
But after that I am not able to authenticate my APIs. I checked all the logs, and it came out that my pods are not able to connect to the Cognito server. I am getting the following error:
Unhandled rejection TypeError: Unable to generate certificate due to
RequestError: Error: connect ECONNREFUSED 13.235.142.215:443
I went inside my pod to check if it can connect to any public DNS: I was able to ping google.com but not aws.amazon.com.
To cross-verify, I removed Istio from my cluster and it started working.
I found a GitHub issue somewhat matching my issue, but that has also been closed without any solution (https://github.com/istio/istio/issues/10848).
Can anyone help me with this issue?
Thanks

Got the issue: my Istio is trying to connect to AWS Cognito through SSL and it doesn't have certificates. Putting certificates in Istio solved this.
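An added example, not the asker's configuration: a connection refused on port 443 to an address outside the cluster is the symptom an Istio sidecar produces when the mesh's outbound traffic policy is REGISTRY_ONLY and the destination is not registered. The two resources below register the Cognito endpoint as an external TLS service so the sidecar passes the TLS connection through unchanged (the app still validates Cognito's certificate itself). The region, the ServiceEntry name, and the namespace are placeholders, and the assumption is that the application reaches Cognito by hostname, since the sidecar matches a TLS ServiceEntry on the SNI the client sends.

```yaml
# Added example (not from the question). Register the Cognito endpoint
# as a mesh-external TLS service so the sidecar forwards it instead of
# sending it to the BlackHoleCluster under a REGISTRY_ONLY policy.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: aws-cognito-idp          # placeholder name
  namespace: my-app              # placeholder: the namespace of the calling pods
spec:
  hosts:
    - cognito-idp.REGION.amazonaws.com   # REGION is a placeholder for the user pool's region
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
    - number: 443
      name: tls
      protocol: TLS              # passthrough: the app keeps its own certificate validation
---
# Added example. This is the mesh-wide switch that decides whether
# unregistered destinations are allowed at all. REGISTRY_ONLY is the
# stricter setting and is what makes the ServiceEntry above necessary;
# ALLOW_ANY (Istio's default) lets every external host through.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: egress-policy           # placeholder name
  namespace: istio-system
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
```

To confirm which mode a running mesh uses before changing anything, read the `outboundTrafficPolicy` key from the `istio` ConfigMap in `istio-system`; if it is already ALLOW_ANY, a blocked egress is caused by something other than the registry, and the ServiceEntry will not help.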

Related

Elastic Beanstalk Environment is down: Showing certificate errors

I have a Nuxt app (Vue client with Express server) that has been working for a couple of years. I made a change, committed it, and now my app is down. I use Elastic Beanstalk and CodePipeline. I use Route 53 as DNS and ACM (Certificate Manager).
I went straight to my EBS console to check the environment and saw that the health was severe. The logs showed no errors, so I went to Events and looked for them there and found this:
Creating Load Balancer listener failed Reason: Resource handler returned message: "Certificate 'arn:aws:acm:us-east-2:019538876777:certificate/ee8af09b-c6d7-4636-b2a6-099792f66caf' not found
I went straight to the AWS Certificate Manager and saw that one certificate had expired for my domain but that another had been issued. So that means that I shouldn't have to request a new one, which I thought would be the case.
Where's the disconnect, then? If I have a newly reissued certificate, then why is my EBS environment still throwing an error? Thanks for any helpful tips.

How to update/renew kube-api server certificate for API server Endpoint of AWS EKS Cluster

We need to update/renew the certificate of the API server endpoint (https://****************.__7.region-name.eks.amazonaws.com) for our EKS cluster due to some security reason and are not able to see any option to do that. We created the EKS cluster back in 2021 and observed that the SSL certificate validity is 2 years, i.e. around 755 days, so we wanted to update/renew this certificate.
We tried to validate all certificates (CSR file) from kubeadm, but the CSR file looks fine here. We tried to create a cluster configuration file with the certificate, but it seems it was not working with EKS. Please let me know if anyone can help us figure out how we can update the kube-apiserver certificate for API server endpoint access of our EKS cluster.

Postman throw SSL Error: Hostname/IP does not match certificate's altnames - AWS EB

I have set up SSL for AWS EB which terminates at the ALB. It works when I do
curl https://sampleapp.xxx-wedxxx.us-east-x.elasticbeanstalk.com/score/33639237
In the VSCode extension Thunder Client:
GET https://sampleapp.xxx-wedxxx.us-east-x.elasticbeanstalk.com/score/33639237
But in Postman it throws the above error. I went through the Stack Overflow answer which suggests adding a Host header as the public instance, but as I am using EB with auto scaling the instance can change, and switching off SSL verification doesn't sound like a good option to me.
Any help is appreciated.

AWS client VPN not connecting

I created an AWS Client VPN endpoint with a VPC using Google federated authentication and a server certificate generated using easy-rsa. I tried to connect to the VPN, but I keep getting Error: app_not_configured_for_user in the browser. I have searched online but I haven't found a possible solution. Does anyone know how I can fix this?
Thank you

Istio default installation - traffic blocked?

I'm quite new to Istio.
I just installed Istio on a k8s cluster in GCP. I have 2 services in my private cluster. One of them needs to talk to a Redis Memorystore (over an internal private IP, 10.x.x.x).
I'm seeing errors trying to connect to Redis. What am I missing in my Istio configuration?
Update: I have found that the Redis error is misleading. The real issue, it seems, is something else; see one of my comments below. I don't understand what that error means.
Some additional background: this is for a Tyk installation. The issue, it seems, is communication between the Tyk Dashboard and Tyk Gateway pods. I'm seeing the SSL error (see comments below) when trying to connect from Gateway to Dashboard (Dashboard to Gateway is fine). The error goes away if I rebuild everything without Istio. I must be doing something really silly. :( Both pods are in the same cluster, same namespace.
I managed to fix the issue. Redis wasn't the issue. The issue was that communication from Tyk Gateway -> Tyk Dashboard was failing. The gateway talks to the dashboard to register its presence. The connection logs showed what looked like a TLS origination issue with the Istio Envoy proxy when it is routing the traffic. I configured a DestinationRule that explicitly turned off mTLS for the dashboard and the problem went away.
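An added example of the kind of DestinationRule the update describes, not the poster's own resource: it tells the client-side sidecar (here, the one next to the Tyk Gateway) to stop originating mTLS towards one host. The namespace `tyk`, the service name `tyk-dashboard`, and the port number 3000 are placeholders. Two caveats worth knowing before copying this: it only works while the dashboard's PeerAuthentication is PERMISSIVE (Istio's default), because a STRICT server sidecar will reject the resulting plaintext; and it removes mesh identity and encryption for that hop, so the port-level form below keeps the exception as narrow as possible instead of disabling TLS for every port of the host.

```yaml
# Added example (not from the question). Client-side DestinationRule that
# disables Istio mTLS origination for a single port of the dashboard service.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: tyk-dashboard-no-mtls    # placeholder name
  namespace: tyk                 # placeholder: namespace shared by gateway and dashboard
spec:
  host: tyk-dashboard.tyk.svc.cluster.local   # placeholder service FQDN
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 3000           # placeholder: the port the gateway registers on
        tls:
          mode: DISABLE          # sidecar sends the gateway's traffic as-is, no mTLS wrap
```

The port-level form matters because a top-level `trafficPolicy.tls.mode: DISABLE` would apply to every port of the host, including any that do not need the exception. If the dashboard namespace later moves to a STRICT PeerAuthentication, this rule is the first thing to remove, since the plaintext it produces will then be refused at the server sidecar.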