Cannot access Consul Ingress Gateway Debug Logs

zara.butt · May 22, 2022, 2:30pm

Hi, I am accessing consul ingress gateway from an external service. When tls is enabled for the ingress gateway, the external service is unable to access it. I have added the following in the config.yaml file and still I just see info logs for the ingress gateway. I want to see the http request in the logs.

  envoyExtraArgs: "--component-log-level upstream:debug,http:debug,router:debug,config:debug"

Command used to access the logs:

kubectl logs --follow consul-ingress-gateway-b69d6467b-sqb52 -c ingress-gateway

blake · May 25, 2022, 4:55pm

Hi @zara.butt,

In order to better assist you with debugging this problem, could you please share the following information:

Configuration entry for the ingress gateway.
Service intentions config entry for the destination service.
Details on how you are attempting to access the service (e.g., curl, web browser, etc).
Any client-side errors you are receiving when accessing the service.

Thanks.

zara.butt · May 30, 2022, 6:51am

@blake Yes sure
Configuration entry for the ingress gateway:

apiVersion: consul.hashicorp.com/v1alpha1
kind: IngressGateway
metadata:
  name: ingress-gateway
spec:
  tls:
    enabled: true
  listeners:
    - port: 8080
      protocol: http
      services:
        - name: info
          hosts:
          - "*"

Client side error:

[2022-05-24T12:54:43.425Z] "GET / HTTP/1.1" 503 UH no_healthy_upstream - "-" 0 19 0 - "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" "29c5d458-71a6-49f1-b5f9-16f29357d815" "info" "-" outbound|8080||a347d8718698c404d9f74897206f0db6-97400009.eu-central-1.elb.amazonaws.com - 172.20.10.238:80 10.0.25.245:36092 - -

[2022-05-30T12:40:40.565Z] "GET / HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure} - "-" 0 91 35 - "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" "42cf38c8-3ab5-43a8-bf3a-47c3d96f8b09" "info" "52.59.107.216:8080" outbound|8080||a0556f71604824d65bebcbe31030f601-1942062495.eu-central-1.elb.amazonaws.com - 10.100.71.205:80 172.31.10.55:35746 - -

I am accessing it from the browser and curl both.
The client-side service is Istio. I have configured the same root certificate at Istio and Consul side. When I remove TLS from ingress gateway configuration then the external service in Istio can access the service in Consul using the ingress gateway