Egress

Let’s see an example of using an egress route by deploying the recommendation:v3 version. An egress ServiceEntry allows you to apply rules to how internal services interact with external APIs/services.

In this case, we are going to configure Istio to access http://worldclockapi.com/api/json/cet/now from an internal service (recommendation:v3).

Before Start

You should have NO virtualservice nor destinationrule (in the tutorial namespace). Check with:

kubectl get virtualservice -n tutorial
kubectl get destinationrule -n tutorial

If any exist, run:

./scripts/clean.sh

We have a 3rd Deployment to manage the v3 version of recommendation.
You will deploy docker images that were previously built for this tutorial. If you want to build recommendation V3 with Quarkus visit: Create Recommendation V3
You will deploy docker images that were previously built for this tutorial. If you want to build recommendation V3 with Spring Boot visit: Create Recommendation V3 Spring Boot

If you have not built the images on your own, deploy the recommendation:v3 pod with its sidecar using the images already built for this tutorial:

kubectl apply -f <(istioctl kube-inject -f recommendation/kubernetes/Deployment-v3.yml) -n tutorial
kubectl get pods -w -n tutorial

Wait for v3 to be deployed

Wait for those pods to show "2/2"; the istio-proxy/envoy sidecar is the second container in each pod.

NAME                                  READY     STATUS    RESTARTS   AGE
customer-3600192384-fpljb             2/2       Running   0          17m
preference-243057078-8c5hz           2/2       Running   0          15m
recommendation-v1-60483540-9snd9     2/2       Running   0          12m
recommendation-v2-2815683430-vpx4p   2/2       Running   0          15s
recommendation-v3-7b445dd469-j6rkg   2/2       Running   0          2m

Istio-ize Egress

Configure Istio to allow only registered traffic:

kubectl get configmap istio -n istio-system -o yaml | sed 's/mode: ALLOW_ANY/mode: REGISTRY_ONLY/g' | kubectl replace -n istio-system -f -

You might need to wait some tens of seconds until the configuration takes effect.

Be sure you do not have any previous destination rule nor virtual service installed.

Let’s redirect all traffic to recommendation:v3.

Then access the service:

Since no egress ServiceEntry has been registered to access the external site, the service will return a 500 error.

curl $GATEWAY_URL/customer
customer => Error: 503 - preference => Error: 500 - <html><head><title>Error</title></head><body>Internal Server Error</body></html>

Let’s fix it by registering a service entry to allow access to worldclockapi.
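With the mesh in REGISTRY_ONLY mode, the only traffic that leaves is what a ServiceEntry names, so the entry works as an explicit egress allowlist. The manifest below is an added example of what that entry looks like for the URL used on this page; it is not the tutorial's own istiofiles/service-entry-egress-worldclockapi.yml (whose contents are not shown here), and the resource name is assumed:

```yaml
# Added example: a ServiceEntry allowlisting plain-HTTP egress to worldclockapi.com.
# Not the tutorial's own istiofiles/service-entry-egress-worldclockapi.yml;
# the metadata.name is an assumption.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: worldclockapi-egress-rule     # assumed name
spec:
  hosts:
  - worldclockapi.com                 # exact host only, no wildcard
  location: MESH_EXTERNAL             # destination lives outside the mesh
  ports:
  - number: 80
    name: http
    protocol: HTTP                    # L7 protocol, so the sidecar can log the request
  resolution: DNS                     # sidecar resolves the name; no static endpoints needed
```

Applied to the tutorial namespace (kubectl create -f <file> -n tutorial), it permits only http://worldclockapi.com on port 80; an HTTPS call to the same host, or any other external destination, stays blocked until a matching entry exists.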

kubectl get serviceentry
curl $GATEWAY_URL/customer
customer => preference => recommendation v3 2019-03-28T00:24+01:00 from '57cd88c95d-jp546': 1

or shell into the pod by getting its name and then using that name with kubectl exec:

kubectl exec -it -n tutorial $(kubectl get pods -n tutorial -o jsonpath="{.items[*].metadata.name}" -l app=recommendation,version=v3) -c recommendation /bin/bash

Clean up

kubectl delete -f istiofiles/service-entry-egress-worldclockapi.yml -n tutorial
kubectl delete -f istiofiles/destination-rule-recommendation-v1-v2-v3.yml -n tutorial
kubectl delete -f istiofiles/virtual-service-recommendation-v3.yml -n tutorial

or you can run:

./scripts/clean.sh

Undeploy recommendation:v3:

kubectl delete all -n tutorial -l app=recommendation,version=v3

And go back to allowing any outbound traffic:

kubectl get configmap istio -n istio-system -o yaml | sed 's/mode: REGISTRY_ONLY/mode: ALLOW_ANY/g' | kubectl replace -n istio-system -f -