Egress - TheOpenCloudEngine/uEngine-cloud GitHub Wiki

Egress

Let’s see an example of using egress route by deploying a recommendation:v3 version. Egress service entry allow you to apply rules to how internal services interact with external APIs/services.

In this case, we are going to configure Istio to access http://now.httpbin.org from internal service (recommendation:v3).

Important
Before Start

You should have NO virtualservice nor destinationrule (in tutorial namespace) istioctl get virtualservice istioctl get destinationrule if so run:

./scripts/clean.sh

Create recommendation:v3

We can experiment with Egress service entry by making two changes to RecommendationVerticle.java like the following and creating a "v3" docker image.

First change is updating the response string to:

private static final String RESPONSE_STRING_FORMAT = "recommendation v3 from '%s': %d\n";

The "v3" tag during the Docker build is significant.

There is also a third deployment.yml file to label things correctly

The second change is to change the default output to make a call to http://now.httpbin.org.

From:

        router.get("/").handler(this::getRecommendations);
//        router.get("/").handler(this::getNow);

To:

//        router.get("/").handler(this::getRecommendations);
        router.get("/").handler(this::getNow);

Docker build (if you have access to Docker daemon)

cd recommendation/java/vertx
mvn clean package

docker build -t example/recommendation:v3 .

docker images | grep recommendation
example/recommendation                  v3                  0671dfb295df        3 seconds ago       443MB
example/recommendation                  v2                  c31e399a9628        5 seconds ago       438MB
example/recommendation                  v1                  f072978d9cf6        8 minutes ago       438MB

Important: We have a 3rd Deployment to manage the v3 version of recommendation.

oc apply -f <(istioctl kube-inject -f ../../kubernetes/Deployment-v3.yml) -n tutorial
oc get pods -w

or

kubectl apply -f <(istioctl kube-inject -f src/main/kubernetes/Deployment-v3.yml) -n tutorial
kubectl get pods -w

OpenShift S2I strategy (if you DON’T have access to Docker daemon)

mvn clean package -f recommendation/java/vertx
oc new-app -l app=recommendation,version=v3 --name=recommendation-v3 --context-dir=recommendation/java/vertx -e JAEGER_SERVICE_NAME=recommendation JAEGER_ENDPOINT=http://jaeger-collector.istio-system.svc:14268/api/traces JAEGER_PROPAGATION=b3 JAEGER_SAMPLER_TYPE=const JAEGER_SAMPLER_PARAM=1 JAVA_OPTIONS='-Xms128m -Xmx256m -Djava.net.preferIPv4Stack=true' fabric8/s2i-java~https://github.com/redhat-developer-demos/istio-tutorial -o yaml  > recommendation-v3.yml
oc apply -f <(istioctl kube-inject -f recommendation-v3.yml) -n tutorial
oc cancel-build bc/recommendation-v3
oc delete svc/recommendation-v3
oc start-build recommendation-v3 --from-dir=. --follow

Wait for v3 to be deployed

Wait for those pods to show "2/2", the istio-proxy/envoy sidecar is part of that pod

NAME                                  READY     STATUS    RESTARTS   AGE
customer-3600192384-fpljb             2/2       Running   0          17m
preference-243057078-8c5hz           2/2       Running   0          15m
recommendation-v1-60483540-9snd9     2/2       Running   0          12m
recommendation-v2-2815683430-vpx4p   2/2       Running   0          15s
recommendation-v3-7b445dd469-j6rkg   2/2       Running   0          2m
cd ../../..

Istio-ize Egress

Be sure you do not have any previous destination rule nor virtual service installed.

Let’s redirect all traffic to reccomendation:v3.

istioctl create -f istiofiles/destination-rule-recommendation-v1-v2-v3.yml -n tutorial
istioctl create -f istiofiles/virtual-service-recommendation-v3.yml

Then access to the service:

Important
Since no Egress service entry has been registered to access an external site, the timeout error is thrown after 5 seconds of trying to access to the site. .
$ curl -m 5 customer-tutorial.$(minishift ip).nip.io
curl: (28) Operation timed out after 5000 milliseconds with 0 bytes received

Let’s fix it by registering a service entry to allow access to httpbin.

istioctl create -f istiofiles/service-entry-egress-httpbin.yml -n tutorial

istioctl get serviceentry

curl customer-tutorial.$(minishift ip).nip.io
customer => preference => Mon, 16 Jul 2018 12:03:38 GMT recommendation v3 from '7b445dd469-j6rkg': 1

or shell into the pod by getting its name and then using that name with oc exec

oc exec -it $(oc get pods -o jsonpath="{.items[*].metadata.name}" -l app=recommendation,version=v3) -c recommendation /bin/bash

or

kubectl exec -it $(oc get pods -o jsonpath="{.items[*].metadata.name}" -l app=recommendation,version=v3) -c recommendation /bin/bash

curl http://now.httpbin.org

exit

Clean up

istioctl delete -f istiofiles/service-entry-egress-httpbin.yml -n tutorial
istioctl delete -f istiofiles/destination-rule-recommendation-v1-v2-v3.yml -n tutorial
istioctl delete -f istiofiles/virtual-service-recommendation-v3.yml

or you can run:

./scripts/clean.sh
⚠️ **GitHub.com Fallback** ⚠️