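I am trying to learn how to do canary deployments with Istio.
The idea is to use a mix of Istio and the Traefik ingress.
Unfortunately, I ran into problems with the VirtualService; specifically, when I use the IP of the Traefik LoadBalancer, I receive this error:
I am testing it with the generic helloworld application. Below I copy the various settings:
Deployment helloworld-v1: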
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    env: prod
  labels:
    app: helloworld
    version: v1
  name: helloworld-v1
  namespace: university
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helloworld
      version: v1
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: helloworld
        version: v1
    spec:
      containers:
      - args:
        - -text=banana
        image: hashicorp/http-echo
        imagePullPolicy: IfNotPresent
        name: helloworld
        ports:
        - containerPort: 80
          protocol: TCP
        resources:
          limits:
            cpu: 50m
            memory: 128Mi
```
Deployment helloworld-v2: same as helloworld-v1, but with text=apple and a different version label
Service
```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: helloworld
  namespace: university
spec:
  ports:
  - name: http-helloworld
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: helloworld
  sessionAffinity: None
  type: ClusterIP
```
VirtualService
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: helloworld
  namespace: university
spec:
  hosts:
  - helloworld
  http:
  - route:
    - destination:
        host: helloworld
        subset: v1
      weight: 90
    - destination:
        host: helloworld
        subset: v2
      weight: 10
```
DestinationRule
```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: helloworld
  namespace: university
spec:
  host: helloworld
  subsets:
  - labels:
      version: v1
    name: v1
  - labels:
      version: v2
    name: v2
```
Ingress
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: traefik
  name: helloworld
  namespace: university
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: helloworld
          servicePort: http-helloworld
        path: /
```
I grabbed some logs from the pod and got the following:
```
2021-01-04T15:33:48.733757Z warning envoy runtime Unable to use runtime singleton for feature envoy.http.headermap.lazy_map_min_size
2021-01-04T15:33:48.771547Z info xdsproxy Envoy ADS stream established
2021-01-04T15:33:48.771879Z info xdsproxy connecting to upstream XDS server: istiod.istio-system.svc:15012
2021-01-04T15:33:48.772087Z warning envoy main there is no configured limit to the number of allowed active connections. Set a limit via the runtime key overload.global_downstream_max_connections
2021-01-04T15:33:48.867949Z info sds resource:ROOTCA new connection
2021-01-04T15:33:48.868040Z info sds Skipping waiting for gateway secret
2021-01-04T15:33:48.868347Z info sds resource:default new connection
2021-01-04T15:33:48.868394Z info sds Skipping waiting for gateway secret
2021-01-04T15:33:49.123541Z info cache Root cert has changed, start rotating root cert for SDS clients
2021-01-04T15:33:49.123574Z info cache GenerateSecret default
2021-01-04T15:33:49.123987Z info sds resource:default pushed key/cert pair to proxy
2021-01-04T15:33:49.468337Z info cache Loaded root cert from certificate ROOTCA
2021-01-04T15:33:49.468588Z info sds resource:ROOTCA pushed root cert to proxy
2021-01-04T15:33:49.724483Z warning envoy filter mTLS PERMISSIVE mode is used, connection can be either plaintext or TLS, and client cert can be omitted. Please consider to upgrade to mTLS STRICT mode for more secure configuration that only allows TLS connection with client cert. See https://istio.io/docs/tasks/security/mtls-migration/
2021-01-04T15:33:49.726036Z warning envoy filter mTLS PERMISSIVE mode is used, connection can be either plaintext or TLS, and client cert can be omitted. Please consider to upgrade to mTLS STRICT mode for more secure configuration that only allows TLS connection with client cert. See https://istio.io/docs/tasks/security/mtls-migration/
2021-01-04T15:33:51.398713Z info Envoy proxy is ready
[2021-01-04T15:34:41.103Z] "GET /favicon.ico HTTP/1.1" 503 UF "-" 0 91 0 - "127.0.0.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" "7bcaf3da-8fc3-958f-8907-a83d2dedf274" "10.128.252.134" "127.0.0.1:80" inbound|80|| - 10.28.252.77:80 127.0.0.1:0 - default
[2021-01-04T15:34:46.232Z] "GET /favicon.ico HTTP/1.1" 503 UF "-" 0 91 0 - "127.0.0.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" "0e7f0815-d3d1-9b6c-82b3-ae171aafd8fd" "10.128.252.134" "127.0.0.1:80" inbound|80|| - 10.28.252.77:80 127.0.0.1:0 - default
[2021-01-04T15:38:04.023Z] "GET / HTTP/1.1" 503 UF "-" 0 91 0 - "127.0.0.1" "curl/7.65.1" "210c09e2-20e2-9a0e-9241-ec662fb260d0" "10.128.252.134" "127.0.0.1:80" inbound|80|| - 10.28.252.77:80 127.0.0.1:0 - default
[2021-01-04T15:38:10.014Z] "GET /favicon.ico HTTP/1.1" 503 UF "-" 0 91 0 - "127.0.0.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" "b571e684-c15c-90b1-8d7d-d0dc52f9e71d" "10.128.252.134" "127.0.0.1:80" inbound|80|| - 10.28.252.77:80 127.0.0.1:0 - default
```
Do you have any ideas?
Thanks for your help
Note: the namespace is correctly injected
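Added example, not part of the original post: a small Python triage script for sidecar access-log records like the ones above, grouping 5xx responses by Envoy response flag, upstream cluster and upstream host. `UF` is Envoy's flag for an upstream connection failure; the field names in `FIELDS` are labels chosen here from the order seen in the post's lines, and the sample records are constructed.

```python
import shlex
from collections import Counter

# Subset of Envoy response flags, as defined in Envoy's access-log documentation.
RESPONSE_FLAGS = {
    "UF": "upstream connection failure",
    "UH": "no healthy upstream hosts",
    "UO": "upstream overflow (circuit breaking)",
    "NR": "no route configured",
}
# Field order as it appears in the post's log lines; the names are labels chosen here.
FIELDS = ("time", "request", "code", "flags", "meta", "bytes_in", "bytes_out",
          "duration_ms", "upstream_time", "xff", "user_agent", "request_id",
          "authority", "upstream_host", "upstream_cluster", "upstream_local",
          "downstream_local", "downstream_remote", "sni", "route")

def parse_access_line(line):
    """Return a field dict for one access-log record, or None for anything else."""
    line = line.strip()
    if not line.startswith("["):
        return None  # agent and Envoy status lines are not request records
    try:
        tokens = shlex.split(line)  # honours the double-quoted fields
    except ValueError:
        return None  # unbalanced quote, e.g. inside a client-supplied header
    return dict(zip(FIELDS, tokens)) if len(tokens) == len(FIELDS) else None

def summarize_failures(lines):
    """Count 5xx records by (flag meaning, upstream cluster, upstream host)."""
    counts = Counter()
    for rec in filter(None, map(parse_access_line, lines)):
        if rec["code"].startswith("5"):
            why = ", ".join(RESPONSE_FLAGS.get(f, f) for f in rec["flags"].split(","))
            counts[(why, rec["upstream_cluster"], rec["upstream_host"])] += 1
    return counts

# Constructed sample modelled on the post's log; request IDs are placeholders.
TAIL = ('"10.128.252.134" "127.0.0.1:80" inbound|80|| - '
        '10.28.252.77:80 127.0.0.1:0 - default')
SAMPLE = [
    "2021-01-04T15:33:51.398713Z info Envoy proxy is ready",
    '[2021-01-04T15:38:04.023Z] "GET / HTTP/1.1" 503 UF "-" 0 91 0 - '
    '"127.0.0.1" "curl/7.65.1" "00000000-0000-0000-0000-000000000001" ' + TAIL,
    '[2021-01-04T15:38:10.014Z] "GET /favicon.ico HTTP/1.1" 503 UF "-" 0 91 0 - '
    '"127.0.0.1" "Mozilla/5.0 (sample)" "00000000-0000-0000-0000-000000000002" ' + TAIL,
]

if __name__ == "__main__":
    for key, n in summarize_failures(SAMPLE).items():
        print(n, *key, sep=" | ")
```

On records shaped like the post's, every 503 lands in one bucket: upstream connection failure, cluster `inbound|80||`, upstream host `127.0.0.1:80`, which is the address the sidecar tried to reach.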