Exposing services through Istio Ingress Gateway
Inspecting the Istio Ingress Gateway
The ingress gateway gets exposed as a normal Kubernetes service of type LoadBalancer (or NodePort):
1kubectl get svc istio-ingressgateway -n istio-system -o yaml
Because the Istio Ingress Gateway is an Envoy Proxy you can inspect it using the admin routes. First find the name of the istio-ingressgateway:
1kubectl get pods -n istio-system
Copy and paste your ingress gateway's pod name. Execute:
1kubectl -n istio-system exec -it <istio-ingressgateway-...> bash
You can view the statistics, listeners, routes, clusters and server info for the Envoy proxy by forwarding the local port:
1curl localhost:15000/help2curl localhost:15000/stats3curl localhost:15000/listeners4curl localhost:15000/clusters5curl localhost:15000/server_info
See the admin docs for more details.
Also it can be helpful to look at the log files of the Istio ingress controller to see what request is being routed.
Before we check the logs, let us get out of the container back on the host:
1exit
Now let us find the ingress pod and output the log:
1kubectl logs istio-ingressgateway-... -n istio-system
View Istio Ingress Gateway for Bookinfo
View the Gateway and VirtualServices
Check the created Istio Gateway and Istio VirtualService to see the changes deployed:
1kubectl get gateway2kubectl get gateway -o yaml34kubectl get virtualservices5kubectl get virtualservices -o yaml
Find the external port of the Istio Ingress Gateway by running:
1kubectl get service istio-ingressgateway -n istio-system -o wide
To just get the first port of istio-ingressgateway service, we can run this:
1kubectl get service istio-ingressgateway -n istio-system --template='{{(index .spec.ports 1).nodePort}}'
Create a DNS entry:
Modify you local /etc/hosts file to add an entry for your sample application.
127.0.0.1. bookinfo.meshery.io
The HTTP port is usually 31380.
Or run these commands to retrieve the full URL:
1echo "http://$(kubectl get nodes --selector=kubernetes.io/role!=master -o jsonpath={.items[0].status.addresses[?\(@.type==\"InternalIP\"\)].address}):$(kubectl get svc istio-ingressgateway -n istio-system -o jsonpath='{.spec.ports[1].nodePort}')/productpage"
Docker Desktop users please use http://localhost/productpage to access product page in your browser.
In case you are using a managed kubernetes cluster like AKS, EKS, or GCE please follow the procedure described below:
Get the external IP of the service istio-ingressgateway using the following command:
1kubectl get service istio-ingressgateway -n istio-systemUsing Meshery, navigate to the Custom yaml page, and apply the manifest given below to allow all hosts instead of allowing bookinfo.meshery.io only and you are good to access the page using the following url
http://<external-ip of istio-ingressgateway>/productpage.
1apiVersion: networking.istio.io/v1beta12kind: VirtualService3metadata:4 name: bookinfo5spec:6 gateways:7 - sample-app-gateway8 hosts:9 - "*"10 http:11 - match:12 - uri:13 exact: /productpage14 - uri:15 prefix: /static16 - uri:17 exact: /login18 - uri:19 exact: /logout20 - uri:21 prefix: /api/v1/products22 route:23 - destination:24 host: productpage25 port:26 number: 9080
Apply default destination rules
Before we start playing with Istio's traffic management capabilities we need to define the available versions of the deployed services. They are called subsets, in destination rules.
Using Meshery, navigate to the Custom yaml page, and apply the below to create the subsets for BookInfo:
1apiVersion: networking.istio.io/v1alpha32kind: DestinationRule3metadata:4 name: productpage5spec:6 host: productpage7 subsets:8 - name: v19 labels:10 version: v111---12apiVersion: networking.istio.io/v1alpha313kind: DestinationRule14metadata:15 name: reviews16spec:17 host: reviews18 subsets:19 - name: v120 labels:21 version: v122 - name: v223 labels:24 version: v225 - name: v326 labels:27 version: v328---29apiVersion: networking.istio.io/v1alpha330kind: DestinationRule31metadata:32 name: ratings33spec:34 host: ratings35 subsets:36 - name: v137 labels:38 version: v139 - name: v240 labels:41 version: v242 - name: v2-mysql43 labels:44 version: v2-mysql45 - name: v2-mysql-vm46 labels:47 version: v2-mysql-vm48---49apiVersion: networking.istio.io/v1alpha350kind: DestinationRule51metadata:52 name: details53spec:54 host: details55 subsets:56 - name: v157 labels:58 version: v159 - name: v260 labels:61 version: v2
This creates destination rules for each of the BookInfo services and defines version subsets
In a few seconds we should be able to verify the destination rules created by using the command below:
1kubectl get destinationrules234kubectl get destinationrules -o yaml
Browse to BookInfo
Browse to the website of the Bookinfo. To view the product page, you will have to append
/productpage to the url.
Reload Page
Now, reload the page multiple times and notice how it round robins between v1, v2 and v3 of the reviews service.
Inspect the Istio proxy of the productpage pod
To better understand the istio proxy, let's inspect the details. Let us exec into the productpage pod to find the proxy details. To do so we need to first find the full pod name and then exec into the istio-proxy container:
1kubectl get pods2kubectl exec -it productpage-v1-... -c istio-proxy sh
Once in the container look at some of the envoy proxy details by inspecting it's config file:
1ps aux2ls -l /etc/istio/proxy3cat /etc/istio/proxy/envoy-rev0.json
For more details on envoy proxy please check out their admin docs.
As a last step, lets exit the container:
1exit
Alternative: Manual installation
Follow this if the above steps did not work for youDefault destination rules
Run the following command to create default destination rules for the Bookinfo services:
1kubectl apply -f samples/bookinfo/networking/destination-rule-all-mtls.yaml
Configure the Bookinfo route with the Istio Ingress gateway
We can create a virtualservice & gateway for bookinfo app in the ingress gateway by running the following:
1kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
