nginx reverse proxy to services behind istio service mesh

Question

i am trying load balancing using nginx to services behind istio service mesh deployed on openshift.

my query is in nginx.conf which ip's i have to use in case of istio deployment? in non-istio deployment i used node ip of pod and nodeport of service.

upstream infra{
    server XXX.XXX.XXX.XXX:8080;
}

map $proxy_add_x_forwarded_for $client_ip {"~(?<IP>([0-9]{1,3}\.){3}[0-9]{1,3}),.*" $IP;}

server {
        listen       80;
        server_name example.com;
        access_log  /var/log/nginx/nginx.testmegh.access.log main;
        error_log  /var/log/nginx/nginx.testmegh.error.log error;
        location /fininfra {
          proxy_pass         http://infra:80;
          proxy_http_version 1.1;
          proxy_redirect     off;
          proxy_set_header   Host $host;
          proxy_set_header   X-Real-IP $remote_addr;
          proxy_set_header   X-Forwarded-Host $host;
          proxy_set_header   X-Forwarded-For $remote_addr;
        } 
}

Answer 1

Everything in istio goes through istio-ingressgateway external-IP, so it depends on how you configured your istio cluster. It can be either LoadBalancer or NodePort .

Quoted from documentation

Determining the ingress IP and ports

Execute the following command to determine if your Kubernetes cluster is running in an environment that supports external load balancers:

$ kubectl get svc istio-ingressgateway -n istio-system
NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP      PORT(S)   AGE
istio-ingressgateway   LoadBalancer   172.21.109.129   130.211.10.121   ...       17h

If the EXTERNAL-IP value is set, your environment has an external load balancer that you can use for the ingress gateway. If the EXTERNAL-IP value is (or perpetually ), your environment does not provide an external load balancer for the ingress gateway. In this case, you can access the gateway using the service's node port.

---

which ip's i have to use in case of istio deployment

In above example from documentation it's 130.211.10.121 .

Let's say you have deployed Bookinfo Application and you want to access it through a browser, you would have to use above IP and appropriate uri from virtual service . So it would be 130.211.10.121/productpage .