The components deployed on the service mesh by default are not exposed outside the cluster. External access to individual services so far has been provided by creating an external load balancer on each service.
An ingress gateway service is deployed as a LoadBalancer service. For making Bookinfo accessible from outside, we have to create an Istio Gateway for the service and also define an Istio VirtualService for Bookinfo with the routes we need.
The ingress gateway gets expossed as a normal kubernetes service load balancer:
kubectl get svc istio-ingressgateway -n istio-system -o yamlBecause the Istio Ingress Gateway is an Envoy Proxy you can inspect it using the admin routes. First find the name of the istio-ingressgateway:
kubectl get pods -n istio-systemCopy and paste your ingress gateway's pod name. Execute:
kubectl -n istio-system exec -it <istio-ingressgateway-...> bashYou can view the statistics, listeners, routes, clusters and server info for the Envoy proxy by forwarding the local port:
curl localhost:15000/help
curl localhost:15000/stats
curl localhost:15000/listeners
curl localhost:15000/routes
curl localhost:15000/clusters
curl localhost:15000/server_infoSee the admin docs for more details.
Also it can be helpful to look at the log files of the Istio ingress controller to see what request is being routed. We should also be able to view the curl calls we just made from inside the ingressgateway. Let us first find the ingress pod and output the log files:
kubectl logs istio-ingressgateway-... -n istio-systemWe can create a virtualservice & gateway for bookinfo app in the ingress gateway by running the following:
curl https://raw.githubusercontent.com/leecalcote/istio-service-mesh-workshop/master/deployment_files/istio-0.8.0/bookinfo-gateway.yaml | istioctl create -f - Check the created Istio Gateway and Istio VirtualService to see the changes deployed:
istioctl get gateway
istioctl get gateway -o yaml
istioctl get virtualservices
istioctl get virtualservices -o yamlkubectl get service istio-ingressgateway -n istio-system -o wideTo just get the first port of istio-ingressgateway service, we can run this:
kubectl get service istio-ingressgateway -n istio-system --template='{{(index .spec.ports 0).nodePort}}'Browse to the website of the Bookinfo: On PWK the exposed ingress ports are available as hyperlinks at the top of the page. Clicking on a valid ingress port will open a page.
To view the product page, you will have to append
/productpage to the url.
Now, reload the page multiple times and notice how it round robins between v1, v2 and v3 of the reviews service.
To better understand the istio proxy, let's inspect the details. Let us exec into the productpage pod to find the proxy details. To do so we need to first find the full pod name and then exec into the istio-proxy container:
kubectl get pods
kubectl exec -it productpage-v1-... -c istio-proxy shOnce in the container look at some of the envoy proxy details by inspecting it's config file:
ps aux
ls -l /etc/istio/proxy
cat /etc/istio/proxy/envoy-rev0.jsonFor more details on envoy proxy please check out their admin docs for more details.