Skip to content
This repository has been archived by the owner on May 23, 2023. It is now read-only.

Debug 404 error

Jump to bottom
Scott Ganyo edited this page May 13, 2019 · 3 revisions

Wildcard Gateway conflict

The helloworld sample declares a Gateway that uses a wildcard "*" hosts value. However, there can only be one such Gateway definition. So if you've previously deployed anything else that includes a wildcard Gateway, client calls to helloworld will fail with a 404 status.

For example, if you deployed the Istio Bookinfo example and it's Gateway to your mesh, you'd see two Gateways in Istio that have a wildcard hosts value:

$ istioctl get gateways
GATEWAY NAME         HOSTS     NAMESPACE   AGE
bookinfo-gateway     *         default     20s
helloworld-gateway   *         default     3s

A simple resolution to the problem could be to simply delete the other gateway:

kubectl delete gateway bookinfo-gateway

Figure out where things are failing

Istio is like an onion, it has layers. A good way to debug a 404 is to work outward from the core of the onion.

The backend workload

WORKLOAD_POD=helloworld-v1-d4557d97b-67fhm

Verify you can access the workload from the sidecar:

kubectl exec $WORKLOAD_POD -c istio-proxy -- curl localhost:5000/hello

The backend sidecar

POD_IP=$(kubectl get pod $WORKLOAD_POD -o jsonpath='{.status.podIP}')

Simulate accessing the workload through the sidecar. Via HTTP:

kubectl exec $WORKLOAD_POD -c istio-proxy -- curl -v http://helloworld.default.svc.cluster.local:5000/hello --resolve "helloworld.default.svc.cluster.local:5000:$POD_IP"

Or HTTPS:

kubectl exec $WORKLOAD_POD -c istio-proxy -- curl -v https://helloworld.default.svc.cluster.local:5000/hello --resolve "helloworld.default.svc.cluster.local:5000:$POD_IP" --key /etc/certs/key.pem --cert /etc/certs/cert-chain.pem --cacert /etc/certs/root-cert.pem --insecure

The gateway (or a frontend sidecar):

GATEWAY_POD=istio-ingressgateway-79b948f7c-s5wnv

Check to see if you can access the service from the gateway. Via HTTP:

kubectl -n istio-system exec $GATEWAY_POD -- curl -v http://helloworld.default.svc.cluster.local:5000/hello

Or HTTPS:

kubectl -n istio-system exec $GATEWAY_POD -- curl -v https://helloworld.default.svc.cluster.local:5000/hello --key /etc/certs/key.pem --cert /etc/certs/cert-chain.pem --cacert /etc/certs/root-cert.pem --insecure
Clone this wiki locally