Cannot access Consul Ingress Gateway Debug Logs

Hi, I am accessing consul ingress gateway from an external service. When tls is enabled for the ingress gateway, the external service is unable to access it. I have added the following in the config.yaml file and still I just see info logs for the ingress gateway. I want to see the http request in the logs.

  envoyExtraArgs: "--component-log-level upstream:debug,http:debug,router:debug,config:debug"

Command used to access the logs:

kubectl logs --follow consul-ingress-gateway-b69d6467b-sqb52 -c ingress-gateway

Hi @zara.butt,

In order to better assist you with debugging this problem, could you please share the following information:

  • Configuration entry for the ingress gateway.
  • Service intentions config entry for the destination service.
  • Details on how you are attempting to access the service (e.g., curl, web browser, etc).
  • Any client-side errors you are receiving when accessing the service.

Thanks.

@blake Yes sure
Configuration entry for the ingress gateway:

apiVersion: consul.hashicorp.com/v1alpha1
kind: IngressGateway
metadata:
  name: ingress-gateway
spec:
  tls:
    enabled: true
  listeners:
    - port: 8080
      protocol: http
      services:
        - name: info
          hosts:
          - "*"

Client side error:

[2022-05-24T12:54:43.425Z] "GET / HTTP/1.1" 503 UH no_healthy_upstream - "-" 0 19 0 - "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" "29c5d458-71a6-49f1-b5f9-16f29357d815" "info" "-" outbound|8080||a347d8718698c404d9f74897206f0db6-97400009.eu-central-1.elb.amazonaws.com - 172.20.10.238:80 10.0.25.245:36092 - -
[2022-05-30T12:40:40.565Z] "GET / HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure} - "-" 0 91 35 - "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" "42cf38c8-3ab5-43a8-bf3a-47c3d96f8b09" "info" "52.59.107.216:8080" outbound|8080||a0556f71604824d65bebcbe31030f601-1942062495.eu-central-1.elb.amazonaws.com - 10.100.71.205:80 172.31.10.55:35746 - -

I am accessing it from the browser and curl both.
The client-side service is Istio. I have configured the same root certificate at Istio and Consul side. When I remove TLS from ingress gateway configuration then the external service in Istio can access the service in Consul using the ingress gateway