Let’s see an example of using egress route by deploying a recommendation:v3 version. Egress service entry allow you to apply rules to how internal services interact with external APIs/services.
In this case, we are going to configure Istio to access http://worldclockapi.com/api/json/cet/now from internal service (recommendation:v3).
|
Important
|
Before Start
You should have NO virtualservice nor destinationrule (in ./scripts/clean.sh |
We can experiment with Egress service entry by making two changes to RecommendationResource.java like the following and creating a "v3" docker image.
Change the default output to make a call to http://worldclockapi.com/api/json/cet/now.
From:
return Response.ok(String.format(RESPONSE_STRING_FORMAT, HOSTNAME, count)).build();
// return Response.ok(String.format(RESPONSE_STRING_NOW_FORMAT, getNow(), HOSTNAME, count)).build();To:
// return Response.ok(String.format(RESPONSE_STRING_FORMAT, HOSTNAME, count)).build();
return Response.ok(String.format(RESPONSE_STRING_NOW_FORMAT, getNow(), HOSTNAME, count)).build();The "v3" tag during the Docker build is significant.
cd recommendation/java/quarkus
mvn clean package -DskipTests
docker build -t example/recommendation:v3 .
docker images | grep recommendation
example/recommendation v3 0671dfb295df 3 seconds ago 443MB
example/recommendation v2 c31e399a9628 5 seconds ago 438MB
example/recommendation v1 f072978d9cf6 8 minutes ago 438MBImportant: We have a 3rd Deployment to manage the v3 version of recommendation.
oc apply -f <(istioctl kube-inject -f ../../kubernetes/Deployment-v3.yml) -n tutorial
oc get pods -w
or
kubectl apply -f <(istioctl kube-inject -f ../../kubernetes/Deployment-v3.yml) -n tutorial
kubectl get pods -w -nWait for those pods to show "2/2", the istio-proxy/envoy sidecar is part of that pod
NAME READY STATUS RESTARTS AGE
customer-3600192384-fpljb 2/2 Running 0 17m
preference-243057078-8c5hz 2/2 Running 0 15m
recommendation-v1-60483540-9snd9 2/2 Running 0 12m
recommendation-v2-2815683430-vpx4p 2/2 Running 0 15s
recommendation-v3-7b445dd469-j6rkg 2/2 Running 0 2mcd ../../..Be sure you do not have any previous destination rule nor virtual service installed.
Let’s redirect all traffic to reccomendation:v3.
kubectl create -f istiofiles/destination-rule-recommendation-v1-v2-v3.yml -n tutorial
kubectl create -f istiofiles/virtual-service-recommendation-v3.ymlThen access to the service:
|
Important
|
Since no Egress service entry has been registered to access an external site, the service will return a 500 error . |
$ curl customer-tutorial.$(minishift ip).nip.io
customer => Error: 503 - preference => Error: 500 - <html><head><title>Error</title></head><body>Internal Server Error</body></html>Let’s fix it by registering a service entry to allow access to worldclockapi.
kubectl create -f istiofiles/service-entry-egress-worldclockapi.yml -n tutorial
kubectl get serviceentry
curl customer-tutorial.$(minishift ip).nip.io
customer => preference => recommendation v3 2019-03-28T00:24+01:00 from '57cd88c95d-jp546': 1or shell into the pod by getting its name and then using that name with oc exec
oc exec -it -n tutorial $(oc get pods -n tutorial -o jsonpath="{.items[*].metadata.name}" -l app=recommendation,version=v3) -c recommendation /bin/bash
or
kubectl exec -it -n tutorial $(oc get pods -n tutorial -o jsonpath="{.items[*].metadata.name}" -l app=recommendation,version=v3) -c recommendation /bin/bash
curl http://worldclockapi.com/api/json/cet/now
exitkubectl delete -f istiofiles/service-entry-egress-worldclockapi.yml -n tutorial
kubectl delete -f istiofiles/destination-rule-recommendation-v1-v2-v3.yml -n tutorial
kubectl delete -f istiofiles/virtual-service-recommendation-v3.ymlor you can run:
./scripts/clean.shUndeploy recommendation:v3:
oc delete all -n tutorial -l app=recommendation,version=v3
or
kubectl delete all -n tutorial -l app=recommendation,version=v3