Egress

Let’s see an example of using an egress route by deploying the recommendation:v3 version. An egress service entry allows you to apply rules to how internal services interact with external APIs/services.

In this case, we are going to configure Istio to access http://worldclockapi.com/api/json/cet/now from an internal service (recommendation:v3).

Before Start

You should have NO virtualservice nor destinationrule (in tutorial namespace):

  kubectl get virtualservice
  kubectl get destinationrule

If so, run:

  ./scripts/clean.sh

We have a 3rd Deployment to manage the v3 version of recommendation.
You will deploy docker images that were previously built for this tutorial. If you want to build recommendation V3 with Quarkus visit: Create Recommendation V3
You will deploy docker images that were previously built for this tutorial. If you want to build recommendation V3 with Spring Boot visit: Create Recommendation V3 Spring Boot

If you have not built the images on your own then let’s deploy the customer pod with its sidecar using the already built images for this tutorial:

  oc apply -f <(istioctl kube-inject -f recommendation/kubernetes/Deployment-v3.yml) -n tutorial
  oc get pods -w

or

  kubectl apply -f <(istioctl kube-inject -f recommendation/kubernetes/Deployment-v3.yml) -n tutorial
  kubectl get pods -w -n tutorial

Wait for v3 to be deployed

Wait for those pods to show "2/2"; the istio-proxy/envoy sidecar is part of that pod.

  NAME                                 READY   STATUS    RESTARTS   AGE
  customer-3600192384-fpljb            2/2     Running   0          17m
  preference-243057078-8c5hz           2/2     Running   0          15m
  recommendation-v1-60483540-9snd9     2/2     Running   0          12m
  recommendation-v2-2815683430-vpx4p   2/2     Running   0          15s
  recommendation-v3-7b445dd469-j6rkg   2/2     Running   0          2m

Istio-ize Egress

Configure Istio to allow only registered traffic:

  kubectl get configmap istio -n istio-system -o yaml | sed 's/mode: ALLOW_ANY/mode: REGISTRY_ONLY/g' | kubectl replace -n istio-system -f -

Be sure you do not have any previous destination rule nor virtual service installed.

Let’s redirect all traffic to recommendation:v3.

  kubectl create -f istiofiles/destination-rule-recommendation-v1-v2-v3.yml -n tutorial
  kubectl create -f istiofiles/virtual-service-recommendation-v3.yml

Then access the service.

Since no egress service entry has been registered to access an external site, the service will return a 500 error:

  $ curl customer-tutorial.$(minishift ip).nip.io
  customer => Error: 503 - preference => Error: 500 - <html><head><title>Error</title></head><body>Internal Server Error</body></html>

Let’s fix it by registering a service entry to allow access to worldclockapi.

  kubectl create -f istiofiles/service-entry-egress-worldclockapi.yml -n tutorial
  kubectl get serviceentry
  curl customer-tutorial.$(minishift ip).nip.io
  customer => preference => recommendation v3 2019-03-28T00:24+01:00 from '57cd88c95d-jp546': 1

Or shell into the pod by getting its name and then using that name with oc exec:

  oc exec -it -n tutorial $(oc get pods -n tutorial -o jsonpath="{.items[*].metadata.name}" -l app=recommendation,version=v3) -c recommendation /bin/bash

or

  kubectl exec -it -n tutorial $(kubectl get pods -n tutorial -o jsonpath="{.items[*].metadata.name}" -l app=recommendation,version=v3) -c recommendation /bin/bash

Then, inside the pod:

  curl http://worldclockapi.com/api/json/cet/now
  exit
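
What a service entry for this case can look like, as an added illustration rather than the contents of the tutorial's istiofiles/service-entry-egress-worldclockapi.yml. The resource name and the exportTo scoping are assumptions; host, port and namespace come from the URL and commands above.

```yaml
# Added example, not the tutorial's own file.
# With outboundTrafficPolicy mode REGISTRY_ONLY, the sidecar only forwards
# outbound traffic to hosts present in the mesh service registry. This
# ServiceEntry adds exactly one external host to that registry.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: worldclockapi-egress-example   # hypothetical name
  namespace: tutorial
spec:
  hosts:
  - worldclockapi.com        # exact host only; no wildcard such as "*.com"
  location: MESH_EXTERNAL    # the service lives outside the mesh
  ports:
  - number: 80               # the tutorial calls http://, so plain HTTP on 80
    name: http
    protocol: HTTP
  resolution: DNS            # sidecar resolves the host name itself
  exportTo:
  - "."                      # assumption: visible only to workloads in this namespace
```

REGISTRY_ONLY is enforced by the sidecar proxy, so it governs traffic that passes through the sidecar; pair it with a Kubernetes NetworkPolicy or an egress gateway when the allowlist has to hold as a boundary.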

Clean up

  kubectl delete -f istiofiles/service-entry-egress-worldclockapi.yml -n tutorial
  kubectl delete -f istiofiles/destination-rule-recommendation-v1-v2-v3.yml -n tutorial
  kubectl delete -f istiofiles/virtual-service-recommendation-v3.yml

or you can run:

  ./scripts/clean.sh

Undeploy recommendation:v3:

  oc delete all -n tutorial -l app=recommendation,version=v3

or

  kubectl delete all -n tutorial -l app=recommendation,version=v3