istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add gateway-api instructions to getting-started and bookinfo docs (#12021) 

* Add gateway-api instructions to getting-started and bookinfo docs

* fix lint

* fix cleanup

* regen

* fix lint

* fix setup

* fix include path

* v1alpha2 -> v1beta1

* regen

* install k8s crds

* fix lint

* fix cleanup

* lint

* workaround duplicate crd problem

* fix cmd

* fixes

* lint

* more fixes

* typo

* regen

* uncomment failing snip

* no choice in getting-started

* lint

* typo

* remove duplicate section title
This commit is contained in:
Frank Budinsky 2022-10-03 15:11:48 -04:00 committed by GitHub
parent 2abd01c225
commit 5e89d73d81
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 1426 additions and 276 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.spelling
View File

@ -591,6 +591,7 @@ linters
list_by_publishdate
Liu
liveness
LoadBalancer
loadimpact
localhost
log_output_level

6
content/en/boilerplates/external-loadbalancer-support.md Normal file
View File

@ -0,0 +1,6 @@
---
---
{{< warning >}}
These instructions assume that your Kubernetes cluster supports external load balancers (i.e., Services of type `LoadBalancer`).
Refer to [ingress control](/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports) for details.
{{< /warning >}}

18
content/en/boilerplates/gateway-api-support.md Normal file
View File

@ -0,0 +1,18 @@
---
---
{{< tip >}}
Istio intends to make the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) the default API for traffic management
[in the future](/blog/2022/gateway-api-beta/).
The following instructions allow you to choose to use either the Gateway API or the Istio configuration API when configuring
traffic management in the mesh. Follow instructions under either the `Gateway API` or `Istio classic` tab,
according to your preference.
Note that the Kubernetes Gateway API CRDs do not come installed by default on most Kubernetes clusters, so make sure they are
installed before using the Gateway API:
{{< text bash >}}
$ kubectl get crd gateways.gateway.networking.k8s.io || \
{ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.5.0" | kubectl apply -f -; }
{{< /text >}}
{{< /tip >}}

26
content/en/boilerplates/snips/gateway-api-support.sh Normal file
View File

@ -0,0 +1,26 @@
#!/bin/bash
# shellcheck disable=SC2034,SC2153,SC2155,SC2164
# Copyright Istio Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
####################################################################################################
# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
# boilerplates/gateway-api-support.md
####################################################################################################
bpsnip_gateway_api_support__1() {
kubectl get crd gateways.gateway.networking.k8s.io || \
{ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.5.0" | kubectl apply -f -; }
}

27
content/en/docs/examples/bookinfo/gtwapi_test.sh Normal file
View File

@ -0,0 +1,27 @@
#!/usr/bin/env bash
# shellcheck disable=SC1090,SC2154
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
source "tests/util/gateway-api.sh"
install_gateway_api_crds
# @setup profile=demo
source "content/en/docs/examples/bookinfo/test.sh"
# TODO fix cleanup approach and remove this temporary hack
# @cleanup
snip_cleanup_1
remove_gateway_api_crds

100
content/en/docs/examples/bookinfo/index.md
View File

@ -16,7 +16,7 @@ to demonstrate various Istio features.
{{< tip >}}
If you installed Istio using the [Getting Started](/docs/setup/getting-started/)
instructions, you already have Bookinfo installed and you can skip most of these steps
and go directly to [Apply Default Destination Rules](/docs/examples/bookinfo/#apply-default-destination-rules).
and go directly to [Define the service versions](/docs/examples/bookinfo/#define-the-service-versions).
{{< /tip >}}
The application displays information about a
@ -51,6 +51,8 @@ for the `reviews` service.
If you haven't already done so, setup Istio by following the instructions
in the [installation guide](/docs/setup/).
{{< boilerplate gateway-api-support >}}
## Deploying the application
To run the sample with Istio requires no changes to the
@ -146,16 +148,23 @@ If you use GKE, please ensure your cluster has at least 4 standard GKE nodes. If
### Determine the ingress IP and port
Now that the Bookinfo services are up and running, you need to make the application accessible from outside of your
Kubernetes cluster, e.g., from a browser. An [Istio Gateway](/docs/concepts/traffic-management/#gateways)
is used for this purpose.
Kubernetes cluster, e.g., from a browser. A gateway is used for this purpose.
1. Define the ingress gateway for the application:
1. Create a gateway for the Bookinfo application:
{{< tabset category-name="config-api" >}}
{{< tab name="Istio classic" category-value="istio-classic" >}}
Create an [Istio Gateway](/docs/concepts/traffic-management/#gateways) using the following command:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/networking/bookinfo-gateway.yaml@
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created
{{< /text >}}
1. Confirm the gateway has been created:
Confirm the gateway has been created:
{{< text bash >}}
$ kubectl get gateway
@ -163,7 +172,40 @@ is used for this purpose.
bookinfo-gateway 32s
{{< /text >}}
1. Follow [these instructions](/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports) to set the `INGRESS_HOST` and `INGRESS_PORT` variables for accessing the gateway. Return here, when they are set.
Follow [these instructions](/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports) to set the `INGRESS_HOST` and `INGRESS_PORT` variables for accessing the gateway. Return here, when they are set.
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
{{< boilerplate external-loadbalancer-support >}}
Create a [Kubernetes Gateway](https://gateway-api.sigs.k8s.io/api-types/gateway/) using the following command:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/gateway-api/bookinfo-gateway.yaml@
gateway.gateway.networking.k8s.io/bookinfo-gateway created
httproute.gateway.networking.k8s.io/bookinfo created
{{< /text >}}
Because creating a Kubernetes `Gateway` resource will also
[deploy an associated proxy service](/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment),
run the following command to wait for the gateway to be ready:
{{< text bash >}}
$ kubectl wait --for=condition=ready gtw bookinfo-gateway
{{< /text >}}
Get the gateway address and port from the bookinfo gateway resource:
{{< text bash >}}
$ export INGRESS_HOST=$(kubectl get gtw bookinfo-gateway -o jsonpath='{.status.addresses[*].value}')
$ export INGRESS_PORT=$(kubectl get gtw bookinfo-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
1. Set `GATEWAY_URL`:
@ -186,11 +228,17 @@ see different versions of reviews shown in `productpage`, presented in a round r
stars, black stars, no stars), since we haven't yet used Istio to control the
version routing.
## Apply default destination rules
## Define the service versions
Before you can use Istio to control the Bookinfo version routing, you need to define the available
versions, called *subsets*, in [destination rules](/docs/concepts/traffic-management/#destination-rules).
versions.
{{< tabset category-name="config-api" >}}
{{< tab name="Istio classic" category-value="istio-classic" >}}
Istio uses *subsets*, in [destination rules](/docs/concepts/traffic-management/#destination-rules),
to define versions of a service.
Run the following command to create default destination rules for the Bookinfo services:
{{< text bash >}}
@ -210,6 +258,23 @@ You can display the destination rules with the following command:
$ kubectl get destinationrules -o yaml
{{< /text >}}
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
Unlike the Istio API, which uses `DestinationRule` subsets to define the versions of a service,
the Kubernetes Gateway API uses backend service definitions for this purpose.
Run the following command to create backend service definitions for the three versions of the `reviews` service:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-versions.yaml@
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
## What's next
You can now use this sample to experiment with Istio's features for
@ -221,19 +286,8 @@ is a good place to start for beginners.
## Cleanup
When you're finished experimenting with the Bookinfo sample, uninstall and clean
it up using the following instructions:
it up using the following command:
1. Delete the routing rules and terminate the application pods
{{< text bash >}}
$ @samples/bookinfo/platform/kube/cleanup.sh@
{{< /text >}}
1. Confirm shutdown
{{< text bash >}}
$ kubectl get virtualservices #-- there should be no virtual services
$ kubectl get destinationrules #-- there should be no destination rules
$ kubectl get gateway #-- there should be no gateway
$ kubectl get pods #-- the Bookinfo pods should be deleted
{{< /text >}}
{{< text bash >}}
$ @samples/bookinfo/platform/kube/cleanup.sh@
{{< /text >}}

39
content/en/docs/examples/bookinfo/snips.sh
View File

@ -19,6 +19,7 @@
# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
# docs/examples/bookinfo/index.md
####################################################################################################
source "content/en/boilerplates/snips/gateway-api-support.sh"
snip_start_the_application_services_1() {
kubectl label namespace default istio-injection=enabled
@ -71,6 +72,11 @@ snip_determine_the_ingress_ip_and_port_1() {
kubectl apply -f samples/bookinfo/networking/bookinfo-gateway.yaml
}
! read -r -d '' snip_determine_the_ingress_ip_and_port_1_out <<\ENDSNIP
gateway.networking.istio.io/bookinfo-gateway created
virtualservice.networking.istio.io/bookinfo created
ENDSNIP
snip_determine_the_ingress_ip_and_port_2() {
kubectl get gateway
}
@ -81,6 +87,24 @@ bookinfo-gateway 32s
ENDSNIP
snip_determine_the_ingress_ip_and_port_3() {
kubectl apply -f samples/bookinfo/gateway-api/bookinfo-gateway.yaml
}
! read -r -d '' snip_determine_the_ingress_ip_and_port_3_out <<\ENDSNIP
gateway.gateway.networking.k8s.io/bookinfo-gateway created
httproute.gateway.networking.k8s.io/bookinfo created
ENDSNIP
snip_determine_the_ingress_ip_and_port_4() {
kubectl wait --for=condition=ready gtw bookinfo-gateway
}
snip_determine_the_ingress_ip_and_port_5() {
export INGRESS_HOST=$(kubectl get gtw bookinfo-gateway -o jsonpath='{.status.addresses[*].value}')
export INGRESS_PORT=$(kubectl get gtw bookinfo-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
}
snip_determine_the_ingress_ip_and_port_6() {
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
}
@ -92,21 +116,18 @@ curl -s "http://${GATEWAY_URL}/productpage" | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
ENDSNIP
snip_apply_default_destination_rules_1() {
snip_define_the_service_versions_1() {
kubectl apply -f samples/bookinfo/networking/destination-rule-all.yaml
}
snip_apply_default_destination_rules_2() {
snip_define_the_service_versions_2() {
kubectl get destinationrules -o yaml
}
snip_define_the_service_versions_3() {
kubectl apply -f samples/bookinfo/platform/kube/bookinfo-versions.yaml
}
snip_cleanup_1() {
samples/bookinfo/platform/kube/cleanup.sh
}
snip_cleanup_2() {
kubectl get virtualservices #-- there should be no virtual services
kubectl get destinationrules #-- there should be no destination rules
kubectl get gateway #-- there should be no gateway
kubectl get pods #-- the Bookinfo pods should be deleted
}

37
content/en/docs/examples/bookinfo/test.sh
View File

@ -21,6 +21,8 @@ set -o pipefail
source "tests/util/samples.sh"
GATEWAY_API="${GATEWAY_API:-false}"
# @setup profile=demo
# remove the injection label to prevent the following command from failing
@ -40,29 +42,40 @@ _verify_like snip_start_the_application_services_5 "$snip_start_the_application_
_verify_contains snip_start_the_application_services_6 "$snip_start_the_application_services_6_out"
snip_determine_the_ingress_ip_and_port_1
if [ "$GATEWAY_API" == "true" ]; then
_verify_like snip_determine_the_ingress_ip_and_port_3 "$snip_determine_the_ingress_ip_and_port_3_out"
snip_determine_the_ingress_ip_and_port_4
snip_determine_the_ingress_ip_and_port_5
else
snip_determine_the_ingress_ip_and_port_1
_verify_like snip_determine_the_ingress_ip_and_port_2 "$snip_determine_the_ingress_ip_and_port_2_out"
_verify_like snip_determine_the_ingress_ip_and_port_2 "$snip_determine_the_ingress_ip_and_port_2_out"
# give config some time to propagate
_wait_for_istio gateway default bookinfo-gateway
_wait_for_istio virtualservice default bookinfo
# give config some time to propagate
_wait_for_istio gateway default bookinfo-gateway
_wait_for_istio virtualservice default bookinfo
# export the INGRESS_ environment variables
_set_ingress_environment_variables
# export the INGRESS_ environment variables
_set_ingress_environment_variables
fi
snip_determine_the_ingress_ip_and_port_3
snip_determine_the_ingress_ip_and_port_6
_verify_contains snip_confirm_the_app_is_accessible_from_outside_the_cluster_1 "$snip_confirm_the_app_is_accessible_from_outside_the_cluster_1_out"
snip_apply_default_destination_rules_1
_verify_lines snip_apply_default_destination_rules_2 "
if [ "$GATEWAY_API" == "true" ]; then
snip_define_the_service_versions_3
else
snip_define_the_service_versions_1
_verify_lines snip_define_the_service_versions_2 "
+ productpage
+ reviews
+ ratings
+ details
"
fi
# @cleanup
snip_cleanup_1
if [ "$GATEWAY_API" != "true" ]; then
snip_cleanup_1
fi

2
content/en/docs/setup/additional-setup/customize-installation/index.md
View File

@ -1,7 +1,7 @@
---
title: Customizing the installation configuration
description: Describes how to customize installation configuration options.
weight: 55
weight: 50
keywords: [profiles,install,helm]
owner: istio/wg-environments-maintainers
test: n/a

349
content/en/docs/setup/additional-setup/getting-started/index.md Normal file
View File

@ -0,0 +1,349 @@
---
title: Getting Started with Istio and Kubernetes Gateway API
description: Try Istios features quickly and easily.
weight: 5
aliases:
- /docs/setup/kubernetes/getting-started/
- /docs/setup/kubernetes/
- /docs/setup/kubernetes/install/kubernetes/
keywords: [getting-started, install, bookinfo, quick-start, kubernetes]
owner: istio/wg-environments-maintainers
test: yes
---
{{< tip >}}
Istio intends to make the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) the default API for traffic management
[in the future](/blog/2022/gateway-api-beta/).
The following instructions allow you get started with Istio using the Gateway API, which is currently a beta feature in Istio.
If you prefer to use the tried-and-proven Istio classic API for traffic management, you should use
[these instructions](/docs/setup/getting-started/) instead.
{{< /tip >}}
{{< warning >}}
The Kubernetes Gateway API CRDs do not come installed by default on most Kubernetes clusters, so make sure they are
installed before using the Gateway API:
{{< text bash >}}
$ kubectl get crd gateways.gateway.networking.k8s.io || \
{ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.5.0" | kubectl apply -f -; }
{{< /text >}}
{{< /warning >}}
This guide lets you quickly evaluate Istio. If you are already familiar with
Istio or interested in installing other configuration profiles or
advanced [deployment models](/docs/ops/deployment/deployment-models/), refer to our
[which Istio installation method should I use?](/about/faq/#install-method-selection)
FAQ page.
These steps require you to have a {{< gloss >}}cluster{{< /gloss >}} running a
[supported version](/docs/releases/supported-releases#support-status-of-istio-releases) of Kubernetes ({{< supported_kubernetes_versions >}}). You can use any supported platform, for
example [Minikube](https://kubernetes.io/docs/tasks/tools/install-minikube/) or
others specified by the
[platform-specific setup instructions](/docs/setup/platform-setup/).
Follow these steps to get started with Istio:
1. [Download and install Istio](#download)
1. [Deploy the sample application](#bookinfo)
1. [Open the application to outside traffic](#ip)
1. [View the dashboard](#dashboard)
## Download Istio {#download}
1. Go to the [Istio release]({{< istio_release_url >}}) page to
download the installation file for your OS, or download and
extract the latest release automatically (Linux or macOS):
{{< text bash >}}
$ curl -L https://istio.io/downloadIstio | sh -
{{< /text >}}
{{< tip >}}
The command above downloads the latest release (numerically) of Istio.
You can pass variables on the command line to download a specific version
or to override the processor architecture.
For example, to download Istio {{< istio_full_version >}} for the x86_64 architecture,
run:
{{< text bash >}}
$ curl -L https://istio.io/downloadIstio | ISTIO_VERSION={{< istio_full_version >}} TARGET_ARCH=x86_64 sh -
{{< /text >}}
{{< /tip >}}
1. Move to the Istio package directory. For example, if the package is
`istio-{{< istio_full_version >}}`:
{{< text syntax=bash snip_id=none >}}
$ cd istio-{{< istio_full_version >}}
{{< /text >}}
The installation directory contains:
- Sample applications in `samples/`
- The [`istioctl`](/docs/reference/commands/istioctl) client binary in the
`bin/` directory.
1. Add the `istioctl` client to your path (Linux or macOS):
{{< text bash >}}
$ export PATH=$PWD/bin:$PATH
{{< /text >}}
## Install Istio {#install}
1. For this installation, we use the `demo`
[configuration profile](/docs/setup/additional-setup/config-profiles/). It's
selected to have a good set of defaults for testing, but there are other
profiles for production or performance testing.
{{< warning >}}
If your platform has a vendor-specific configuration profile, e.g., Openshift, use
it in the following command, instead of the `demo` profile. Refer to your
[platform instructions](/docs/setup/platform-setup/) for details.
{{< /warning >}}
Unlike [Istio Gateways](/docs/concepts/traffic-management/#gateways), creating
[Kubernetes Gateways](https://gateway-api.sigs.k8s.io/api-types/gateway/) will, by default, also
[deploy associated gateway proxy services](/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment).
Therefore, because they won't be used, we disable the deployment of the default Istio gateway services that
are normally installed as part of the `demo` profile.
{{< text bash >}}
$ istioctl install -f @samples/bookinfo/demo-profile-no-gateways.yaml@ -y
✔ Istio core installed
✔ Istiod installed
✔ Installation complete
{{< /text >}}
1. Add a namespace label to instruct Istio to automatically inject Envoy
sidecar proxies when you deploy your application later:
{{< text bash >}}
$ kubectl label namespace default istio-injection=enabled
namespace/default labeled
{{< /text >}}
## Deploy the sample application {#bookinfo}
1. Deploy the [`Bookinfo` sample application](/docs/examples/bookinfo/):
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo.yaml@
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
{{< /text >}}
1. The application will start. As each pod becomes ready, the Istio sidecar will be
deployed along with it.
{{< text bash >}}
$ kubectl get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
details ClusterIP 10.0.0.212 <none> 9080/TCP 29s
kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 25m
productpage ClusterIP 10.0.0.57 <none> 9080/TCP 28s
ratings ClusterIP 10.0.0.33 <none> 9080/TCP 29s
reviews ClusterIP 10.0.0.28 <none> 9080/TCP 29s
{{< /text >}}
and
{{< text bash >}}
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
details-v1-558b8b4b76-2llld 2/2 Running 0 2m41s
productpage-v1-6987489c74-lpkgl 2/2 Running 0 2m40s
ratings-v1-7dc98c7588-vzftc 2/2 Running 0 2m41s
reviews-v1-7f99cc4496-gdxfn 2/2 Running 0 2m41s
reviews-v2-7d79d5bd5d-8zzqd 2/2 Running 0 2m41s
reviews-v3-7dbcdcbc56-m8dph 2/2 Running 0 2m41s
{{< /text >}}
{{< tip >}}
Re-run the previous command and wait until all pods report READY `2/2` and
STATUS `Running` before you go to the next step. This might take a few minutes
depending on your platform.
{{< /tip >}}
1. Verify everything is working correctly up to this point. Run this command to
see if the app is running inside the cluster and serving HTML pages by
checking for the page title in the response:
{{< text bash >}}
$ kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
{{< /text >}}
## Open the application to outside traffic {#ip}
The Bookinfo application is deployed but not accessible from the outside. To make it accessible,
you need to create an ingress gateway, which maps a path to a
route at the edge of your mesh.
1. Create a [Kubernetes Gateway](https://gateway-api.sigs.k8s.io/api-types/gateway/) for the Bookinfo application:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/gateway-api/bookinfo-gateway.yaml@
gateway.gateway.networking.k8s.io/bookinfo-gateway created
httproute.gateway.networking.k8s.io/bookinfo created
{{< /text >}}
Because creating a Kubernetes `Gateway` resource will also
[deploy an associated proxy service](/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment),
run the following command to wait for the gateway to be ready:
{{< text bash >}}
$ kubectl wait --for=condition=ready gtw bookinfo-gateway
{{< /text >}}
1. Ensure that there are no issues with the configuration:
{{< text bash >}}
$ istioctl analyze
✔ No validation issues found when analyzing namespace: default.
{{< /text >}}
### Determining the ingress IP and ports
1. Set the `INGRESS_HOST` and `INGRESS_PORT` variables for accessing the gateway:
{{< boilerplate external-loadbalancer-support >}}
{{< text bash >}}
$ export INGRESS_HOST=$(kubectl get gtw bookinfo-gateway -o jsonpath='{.status.addresses[*].value}')
$ export INGRESS_PORT=$(kubectl get gtw bookinfo-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
{{< /text >}}
1. Set `GATEWAY_URL`:
{{< text bash >}}
$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
{{< /text >}}
1. Ensure an IP address and port were successfully assigned to the environment variable:
{{< text bash >}}
$ echo "$GATEWAY_URL"
169.48.8.37:80
{{< /text >}}
### Verify external access {#confirm}
Confirm that the Bookinfo application is accessible from outside the cluster
by viewing the Bookinfo product page using a browser.
1. Run the following command to retrieve the external address of the Bookinfo application.
{{< text bash >}}
$ echo "http://$GATEWAY_URL/productpage"
{{< /text >}}
1. Paste the output from the previous command into your web browser and confirm that the Bookinfo product page is displayed.
## View the dashboard {#dashboard}
Istio integrates with [several](/docs/ops/integrations) different telemetry applications. These can help you gain
an understanding of the structure of your service mesh, display the topology of the mesh, and analyze the health of your mesh.
Use the following instructions to deploy the [Kiali](/docs/ops/integrations/kiali/) dashboard, along with [Prometheus](/docs/ops/integrations/prometheus/), [Grafana](/docs/ops/integrations/grafana), and [Jaeger](/docs/ops/integrations/jaeger/).
1. Install [Kiali and the other addons]({{< github_tree >}}/samples/addons) and wait for them to be deployed.
{{< text bash >}}
$ kubectl apply -f samples/addons
$ kubectl rollout status deployment/kiali -n istio-system
Waiting for deployment "kiali" rollout to finish: 0 of 1 updated replicas are available...
deployment "kiali" successfully rolled out
{{< /text >}}
{{< tip >}}
If there are errors trying to install the addons, try running the command again. There may
be some timing issues which will be resolved when the command is run again.
{{< /tip >}}
1. Access the Kiali dashboard.
{{< text bash >}}
$ istioctl dashboard kiali
{{< /text >}}
1. In the left navigation menu, select _Graph_ and in the _Namespace_ drop down, select _default_.
{{< tip >}}
{{< boilerplate trace-generation >}}
{{< /tip >}}
The Kiali dashboard shows an overview of your mesh with the relationships
between the services in the `Bookinfo` sample application. It also provides
filters to visualize the traffic flow.
{{< image link="./kiali-example2.png" caption="Kiali Dashboard" >}}
## Next steps
Congratulations on completing the evaluation installation!
These tasks are a great place for beginners to further evaluate Istio's
features using this `demo` installation:
- [Request routing](/docs/tasks/traffic-management/request-routing/)
- [Fault injection](/docs/tasks/traffic-management/fault-injection/)
- [Traffic shifting](/docs/tasks/traffic-management/traffic-shifting/)
- [Querying metrics](/docs/tasks/observability/metrics/querying-metrics/)
- [Visualizing metrics](/docs/tasks/observability/metrics/using-istio-dashboard/)
- [Accessing external services](/docs/tasks/traffic-management/egress/egress-control/)
- [Visualizing your mesh](/docs/tasks/observability/kiali/)
Before you customize Istio for production use, see these resources:
- [Deployment models](/docs/ops/deployment/deployment-models/)
- [Deployment best practices](/docs/ops/best-practices/deployment/)
- [Pod requirements](/docs/ops/deployment/requirements/)
- [General installation instructions](/docs/setup/)
## Join the Istio community
We welcome you to ask questions and give us feedback by joining the
[Istio community](/get-involved/).
## Uninstall
To delete the `Bookinfo` sample application and its configuration, see
[`Bookinfo` cleanup](/docs/examples/bookinfo/#cleanup).
The Istio uninstall deletes the RBAC permissions and all resources hierarchically
under the `istio-system` namespace. It is safe to ignore errors for non-existent
resources because they may have been deleted hierarchically.
{{< text bash >}}
$ kubectl delete -f @samples/addons@
$ istioctl uninstall -y --purge
{{< /text >}}
The `istio-system` namespace is not removed by default.
If no longer needed, use the following command to remove it:
{{< text bash >}}
$ kubectl delete namespace istio-system
{{< /text >}}
The label to instruct Istio to automatically inject Envoy sidecar proxies is not removed by default.
If no longer needed, use the following command to remove it:
{{< text bash >}}
$ kubectl label namespace default istio-injection-
{{< /text >}}

BIN
content/en/docs/setup/additional-setup/getting-started/kiali-example2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 178 KiB

182
content/en/docs/setup/additional-setup/getting-started/snips.sh Normal file
View File

@ -0,0 +1,182 @@
#!/bin/bash
# shellcheck disable=SC2034,SC2153,SC2155,SC2164
# Copyright Istio Authors. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
####################################################################################################
# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
# docs/setup/additional-setup/getting-started/index.md
####################################################################################################
source "content/en/boilerplates/snips/trace-generation.sh"
snip__1() {
kubectl get crd gateways.gateway.networking.k8s.io || \
{ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.5.0" | kubectl apply -f -; }
}
snip_download_istio_download_1() {
curl -L https://istio.io/downloadIstio | sh -
}
snip_download_istio_download_2() {
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.16.0 TARGET_ARCH=x86_64 sh -
}
snip_download_istio_download_4() {
export PATH=$PWD/bin:$PATH
}
snip_install_istio_install_1() {
istioctl install -f samples/bookinfo/demo-profile-no-gateways.yaml -y
}
! read -r -d '' snip_install_istio_install_1_out <<\ENDSNIP
✔ Istio core installed
✔ Istiod installed
✔ Installation complete
ENDSNIP
snip_install_istio_install_2() {
kubectl label namespace default istio-injection=enabled
}
! read -r -d '' snip_install_istio_install_2_out <<\ENDSNIP
namespace/default labeled
ENDSNIP
snip_deploy_the_sample_application_bookinfo_1() {
kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml
}
! read -r -d '' snip_deploy_the_sample_application_bookinfo_1_out <<\ENDSNIP
service/details created
serviceaccount/bookinfo-details created
deployment.apps/details-v1 created
service/ratings created
serviceaccount/bookinfo-ratings created
deployment.apps/ratings-v1 created
service/reviews created
serviceaccount/bookinfo-reviews created
deployment.apps/reviews-v1 created
deployment.apps/reviews-v2 created
deployment.apps/reviews-v3 created
service/productpage created
serviceaccount/bookinfo-productpage created
deployment.apps/productpage-v1 created
ENDSNIP
snip_deploy_the_sample_application_bookinfo_2() {
kubectl get services
}
! read -r -d '' snip_deploy_the_sample_application_bookinfo_2_out <<\ENDSNIP
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
details ClusterIP 10.0.0.212 <none> 9080/TCP 29s
kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 25m
productpage ClusterIP 10.0.0.57 <none> 9080/TCP 28s
ratings ClusterIP 10.0.0.33 <none> 9080/TCP 29s
reviews ClusterIP 10.0.0.28 <none> 9080/TCP 29s
ENDSNIP
snip_deploy_the_sample_application_bookinfo_3() {
kubectl get pods
}
! read -r -d '' snip_deploy_the_sample_application_bookinfo_3_out <<\ENDSNIP
NAME READY STATUS RESTARTS AGE
details-v1-558b8b4b76-2llld 2/2 Running 0 2m41s
productpage-v1-6987489c74-lpkgl 2/2 Running 0 2m40s
ratings-v1-7dc98c7588-vzftc 2/2 Running 0 2m41s
reviews-v1-7f99cc4496-gdxfn 2/2 Running 0 2m41s
reviews-v2-7d79d5bd5d-8zzqd 2/2 Running 0 2m41s
reviews-v3-7dbcdcbc56-m8dph 2/2 Running 0 2m41s
ENDSNIP
snip_deploy_the_sample_application_bookinfo_4() {
kubectl exec "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep -o "<title>.*</title>"
}
! read -r -d '' snip_deploy_the_sample_application_bookinfo_4_out <<\ENDSNIP
<title>Simple Bookstore App</title>
ENDSNIP
snip_open_the_application_to_outside_traffic_ip_1() {
kubectl apply -f samples/bookinfo/gateway-api/bookinfo-gateway.yaml
}
! read -r -d '' snip_open_the_application_to_outside_traffic_ip_1_out <<\ENDSNIP
gateway.gateway.networking.k8s.io/bookinfo-gateway created
httproute.gateway.networking.k8s.io/bookinfo created
ENDSNIP
snip_open_the_application_to_outside_traffic_ip_2() {
kubectl wait --for=condition=ready gtw bookinfo-gateway
}
snip_open_the_application_to_outside_traffic_ip_3() {
istioctl analyze
}
! read -r -d '' snip_open_the_application_to_outside_traffic_ip_3_out <<\ENDSNIP
✔ No validation issues found when analyzing namespace: default.
ENDSNIP
snip_determining_the_ingress_ip_and_ports_1() {
export INGRESS_HOST=$(kubectl get gtw bookinfo-gateway -o jsonpath='{.status.addresses[*].value}')
export INGRESS_PORT=$(kubectl get gtw bookinfo-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
}
snip_determining_the_ingress_ip_and_ports_2() {
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
}
snip_determining_the_ingress_ip_and_ports_3() {
echo "$GATEWAY_URL"
}
! read -r -d '' snip_determining_the_ingress_ip_and_ports_3_out <<\ENDSNIP
169.48.8.37:80
ENDSNIP
snip_verify_external_access_confirm_1() {
echo "http://$GATEWAY_URL/productpage"
}
snip_view_the_dashboard_dashboard_1() {
kubectl apply -f samples/addons
kubectl rollout status deployment/kiali -n istio-system
}
! read -r -d '' snip_view_the_dashboard_dashboard_1_out <<\ENDSNIP
Waiting for deployment "kiali" rollout to finish: 0 of 1 updated replicas are available...
deployment "kiali" successfully rolled out
ENDSNIP
snip_view_the_dashboard_dashboard_2() {
istioctl dashboard kiali
}
snip_uninstall_1() {
kubectl delete -f samples/addons
istioctl uninstall -y --purge
}
snip_uninstall_2() {
kubectl delete namespace istio-system
}
snip_uninstall_3() {
kubectl label namespace default istio-injection-
}

83
content/en/docs/setup/additional-setup/getting-started/test.sh Normal file
View File

@ -0,0 +1,83 @@
#!/usr/bin/env bash
# shellcheck disable=SC1090,SC2154
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
set -u
set -o pipefail
source "tests/util/gateway-api.sh"
install_gateway_api_crds
# Download Istio
# Skipping this as we use the istioctl built from istio/istio reference
# Install Istio
# @setup profile=none
snip_install_istio_install_1
_wait_for_deployment istio-system istiod
# Label the namespace
# remove the injection label to prevent the following command from failing
kubectl label namespace default istio-injection-
_verify_same snip_install_istio_install_2 "$snip_install_istio_install_2_out"
# Deploy the sample Application
snip_deploy_the_sample_application_bookinfo_1
# Check the services
_verify_like snip_deploy_the_sample_application_bookinfo_2 "$snip_deploy_the_sample_application_bookinfo_2_out"
# Wait for pods to be ready
for deploy in "productpage-v1" "details-v1" "ratings-v1" "reviews-v1" "reviews-v2" "reviews-v3"; do
_wait_for_deployment default "$deploy"
done
# Check the pods
_verify_like snip_deploy_the_sample_application_bookinfo_3 "$snip_deploy_the_sample_application_bookinfo_3_out"
# Verify connectivity
_verify_like snip_deploy_the_sample_application_bookinfo_4 "$snip_deploy_the_sample_application_bookinfo_4_out"
# Open to outside traffic
_verify_contains snip_open_the_application_to_outside_traffic_ip_1 "$snip_open_the_application_to_outside_traffic_ip_1_out"
snip_open_the_application_to_outside_traffic_ip_2
# Ensure no issues with configuration - istioctl analyze
_verify_contains snip_open_the_application_to_outside_traffic_ip_3 "$snip_open_the_application_to_outside_traffic_ip_3_out"
# Get GATEWAY_URL
snip_determining_the_ingress_ip_and_ports_1
snip_determining_the_ingress_ip_and_ports_2
# Verify external access
get_bookinfo_productpage() {
curl -s "http://${GATEWAY_URL}/productpage" | grep -o "<title>.*</title>"
}
_verify_contains get_bookinfo_productpage "<title>Simple Bookstore App</title>"
# verify Kiali deployment
_verify_contains snip_view_the_dashboard_dashboard_1 'deployment "kiali" successfully rolled out'
# Verify Kiali dashboard
# TODO Verify the browser output
# @cleanup
samples/bookinfo/platform/kube/cleanup.sh
snip_uninstall_1
kubectl delete ns istio-system --ignore-not-found=true
remove_gateway_api_crds

8
content/en/docs/setup/getting-started/index.md
View File

@ -11,6 +11,14 @@ owner: istio/wg-environments-maintainers
test: yes
---
{{< tip >}}
Istio intends to make the Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) the default API for traffic management
[in the future](/blog/2022/gateway-api-beta/).
Although the Gateway API is currently a beta feature in Istio you can still get started with Istio using the
future API if you prefer.
Refer to the [future getting started instructions](/docs/setup/additional-setup/getting-started/) instead of the following.
{{< /tip >}}
This guide lets you quickly evaluate Istio. If you are already familiar with
Istio or interested in installing other configuration profiles or
advanced [deployment models](/docs/ops/deployment/deployment-models/), refer to our

27
content/en/docs/tasks/traffic-management/ingress/ingress-control/gtwapi_test.sh Normal file
View File

@ -0,0 +1,27 @@
#!/usr/bin/env bash
# shellcheck disable=SC1090,SC2154
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
source "tests/util/gateway-api.sh"
install_gateway_api_crds
# @setup profile=default
source "content/en/docs/tasks/traffic-management/ingress/ingress-control/test.sh"
# TODO fix cleanup approach and remove this temporary hack
# @cleanup
snip_cleanup_2
remove_gateway_api_crds

467
content/en/docs/tasks/traffic-management/ingress/ingress-control/index.md
View File

@ -10,9 +10,13 @@ owner: istio/wg-networking-maintainers
test: yes
---
Along with support for Kubernetes [Ingress](/docs/tasks/traffic-management/ingress/kubernetes-ingress/), Istio offers another configuration model, [Istio Gateway](/docs/reference/config/networking/gateway/). A `Gateway` provides more extensive customization and flexibility than `Ingress`, and allows Istio features such as monitoring and route rules to be applied to traffic entering the cluster.
Along with support for Kubernetes [Ingress](/docs/tasks/traffic-management/ingress/kubernetes-ingress/), Istio also allows you to configure ingress traffic
using either an [Istio Gateway](/docs/concepts/traffic-management/#gateways) or [Kubernetes Gateway](https://gateway-api.sigs.k8s.io/api-types/gateway/) resource.
A `Gateway` provides more extensive customization and flexibility than `Ingress`, and allows Istio features such as monitoring and route rules to be applied to traffic entering the cluster.
This task describes how to configure Istio to expose a service outside of the service mesh using an Istio `Gateway`.
This task describes how to configure Istio to expose a service outside of the service mesh using a `Gateway`.
{{< boilerplate gateway-api-support >}}
## Before you begin
@ -22,11 +26,185 @@ This task describes how to configure Istio to expose a service outside of the se
{{< boilerplate start-httpbin-service >}}
* Determine the ingress IP and ports as described in the following subsection.
## Configuring ingress using a gateway
### Determining the ingress IP and ports
An ingress `Gateway` describes a load balancer operating at the edge of the mesh that receives incoming HTTP/TCP connections.
It configures exposed ports, protocols, etc.
but, unlike [Kubernetes Ingress Resources](https://kubernetes.io/docs/concepts/services-networking/ingress/),
does not include any traffic routing configuration. Traffic routing for ingress traffic is instead configured
using routing rules, exactly in the same way as for internal service requests.
Execute the following command to determine if your Kubernetes cluster is running in an environment that supports external load balancers:
Let's see how you can configure a `Gateway` on port 80 for HTTP traffic.
{{< tabset category-name="config-api" >}}
{{< tab name="Istio classic" category-value="istio-classic" >}}
Create an [Istio Gateway](/docs/reference/config/networking/gateway/):
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: httpbin-gateway
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "httpbin.example.com"
EOF
{{< /text >}}
Configure routes for traffic entering via the `Gateway`:
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: httpbin
spec:
hosts:
- "httpbin.example.com"
gateways:
- httpbin-gateway
http:
- match:
- uri:
prefix: /status
- uri:
prefix: /delay
route:
- destination:
port:
number: 8000
host: httpbin
EOF
{{< /text >}}
You have now created a [virtual service](/docs/reference/config/networking/virtual-service/)
configuration for the `httpbin` service containing two route rules that allow traffic for paths `/status` and
`/delay`.
The [gateways](/docs/reference/config/networking/virtual-service/#VirtualService-gateways) list
specifies that only requests through your `httpbin-gateway` are allowed.
All other external requests will be rejected with a 404 response.
{{< warning >}}
Internal requests from other services in the mesh are not subject to these rules
but instead will default to round-robin routing. To apply these rules to internal calls as well,
you can add the special value `mesh` to the list of `gateways`. Since the internal hostname for the
service is probably different (e.g., `httpbin.default.svc.cluster.local`) from the external one,
you will also need to add it to the `hosts` list. Refer to the
[operations guide](/docs/ops/common-problems/network-issues#route-rules-have-no-effect-on-ingress-gateway-requests)
for more details.
{{< /warning >}}
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
Create a [Kubernetes Gateway](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.Gateway):
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
name: httpbin-gateway
spec:
gatewayClassName: istio
listeners:
- name: http
hostname: "httpbin.example.com"
port: 80
protocol: HTTP
allowedRoutes:
namespaces:
from: Same
EOF
{{< /text >}}
{{< tip >}}
In a production environment, a `Gateway` and its corresponding routes are often created in separate namespaces by users
performing different roles. In that case, the `allowedRoutes` field in the `Gateway` would be configured to specify the
namespaces where routes should be created, instead of, as in this example, expecting them to be in the same namespace
as the `Gateway`.
{{< /tip >}}
Because creating a Kubernetes `Gateway` resource will also
[deploy an associated proxy service](/docs/tasks/traffic-management/ingress/gateway-api/#automated-deployment),
run the following command to wait for the gateway to be ready:
{{< text bash >}}
$ kubectl wait --for=condition=ready gtw httpbin-gateway
{{< /text >}}
Configure routes for traffic entering via the `Gateway`:
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
name: httpbin
spec:
parentRefs:
- name: httpbin-gateway
hostnames: ["httpbin.example.com"]
rules:
- matches:
- path:
type: PathPrefix
value: /status
- path:
type: PathPrefix
value: /delay
backendRefs:
- name: httpbin
port: 8000
EOF
{{< /text >}}
You have now created an [HTTP Route](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1beta1.HTTPRoute)
configuration for the `httpbin` service containing two route rules that allow traffic for paths `/status` and
`/delay`.
{{< /tab >}}
{{< /tabset >}}
## Determining the ingress IP and ports
Every `Gateway` is backed by a [service of type LoadBalancer](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/).
The external load balancer IP and ports for this service are used to access the gateway.
Kubernetes services of type `LoadBalancer` are supported by default in clusters running on most cloud platforms but
in some environments (e.g., test) you may need to do the following:
* `minikube` - start an external load balancer by running the following command in a different terminal:
{{< text syntax=bash snip_id=minikube_tunnel >}}
$ minikube tunnel
{{< /text >}}
* `kind` - follow the [guide for setting up MetalLB](https://kind.sigs.k8s.io/docs/user/loadbalancer/) to get `LoadBalancer` type services to work.
* other platforms - you may be able to use [MetalLB](https://metallb.universe.tf/installation/) to get an `EXTERNAL-IP` for `LoadBalancer` services.
For convenience, we will store the ingress IP and ports in environment variables which will be used in later instructions.
Set the `INGRESS_HOST` and `INGRESS_PORT` environment variables according to the following instructions:
{{< tabset category-name="config-api" >}}
{{< tab name="Istio classic" category-value="istio-classic" >}}
If you are unsure, you can determine if your Kubernetes cluster is running in an environment that supports external load balancers using the following command:
{{< text bash >}}
$ kubectl get svc istio-ingressgateway -n istio-system
@ -36,30 +214,10 @@ istio-ingressgateway LoadBalancer 172.21.109.129 130.211.10.121 ...
If the `EXTERNAL-IP` value is set, your environment has an external load balancer that you can use for the ingress gateway.
If the `EXTERNAL-IP` value is `<none>` (or perpetually `<pending>`), your environment does not provide an external load balancer for the ingress gateway.
In this case, you can access the gateway using the service's [node port](https://kubernetes.io/docs/concepts/services-networking/service/#nodeport).
{{< tip >}}
If you are using minikube, you can easily start an external load balancer (recommended) by running the following command in a different terminal:
{{< text syntax=bash snip_id=minikube_tunnel >}}
$ minikube tunnel
{{< /text >}}
{{< /tip >}}
{{< tip >}}
If you are running Istio using Kind on Linux, follow the [guide for setting up MetalLB](https://kind.sigs.k8s.io/docs/user/loadbalancer/) to get `LoadBalancer` type services to work.
{{< /tip >}}
Choose the instructions corresponding to your environment:
{{< tabset category-name="gateway-ip" >}}
{{< tab name="external load balancer" category-value="external-lb" >}}
**Follow these instructions if you have determined that your environment has an external load balancer.**
Set the ingress IP and ports:
If your environment does not support external load balancers, you can try
[accessing the ingress gateway using node ports](#accessing-the-ingress-gateway-using-node-ports).
Otherwise, set the ingress IP and ports using the following commands:
{{< text bash >}}
$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
@ -82,130 +240,31 @@ $ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway
{{< /tab >}}
{{< tab name="node port" category-value="node-port" >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
**Follow these instructions if your environment does not have an external load balancer and choose a node port instead.**
Set the ingress ports:
Get the gateway address and port from the httpbin gateway resource:
{{< text bash >}}
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
$ export TCP_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="tcp")].nodePort}')
$ export INGRESS_HOST=$(kubectl get gtw httpbin-gateway -o jsonpath='{.status.addresses[*].value}')
$ export INGRESS_PORT=$(kubectl get gtw httpbin-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
{{< /text >}}
_GKE:_
{{< tip >}}
You can use similar commands to find other ports on any gateway. For example to access a secure HTTP
port named `https` on a gateway named `my-gateway`:
{{< text bash >}}
$ export INGRESS_HOST=worker-node-address
$ export INGRESS_HOST=$(kubectl get gtw my-gateway -o jsonpath='{.status.addresses[*].value}')
$ export SECURE_INGRESS_PORT=$(kubectl get gtw my-gateway -o jsonpath='{.spec.listeners[?(@.name=="https")].port}')
{{< /text >}}
You need to create firewall rules to allow the TCP traffic to the `ingressgateway` service's ports.
Run the following commands to allow the traffic for the HTTP port, the secure port (HTTPS) or both:
{{< text bash >}}
$ gcloud compute firewall-rules create allow-gateway-http --allow "tcp:$INGRESS_PORT"
$ gcloud compute firewall-rules create allow-gateway-https --allow "tcp:$SECURE_INGRESS_PORT"
{{< /text >}}
_IBM Cloud Kubernetes Service:_
{{< text bash >}}
$ ibmcloud ks workers --cluster cluster-name-or-id
$ export INGRESS_HOST=public-IP-of-one-of-the-worker-nodes
{{< /text >}}
_Docker For Desktop:_
{{< text bash >}}
$ export INGRESS_HOST=127.0.0.1
{{< /text >}}
_Other environments:_
{{< text bash >}}
$ export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')
{{< /text >}}
{{< /tip >}}
{{< /tab >}}
{{< /tabset >}}
## Configuring ingress using an Istio gateway
An ingress [Gateway](/docs/reference/config/networking/gateway/) describes a load balancer operating at the edge of the mesh that receives incoming HTTP/TCP connections.
It configures exposed ports, protocols, etc.
but, unlike [Kubernetes Ingress Resources](https://kubernetes.io/docs/concepts/services-networking/ingress/),
does not include any traffic routing configuration. Traffic routing for ingress traffic is instead configured
using Istio routing rules, exactly in the same way as for internal service requests.
Let's see how you can configure a `Gateway` on port 80 for HTTP traffic.
1. Create an Istio `Gateway`:
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: httpbin-gateway
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "httpbin.example.com"
EOF
{{< /text >}}
1. Configure routes for traffic entering via the `Gateway`:
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: httpbin
spec:
hosts:
- "httpbin.example.com"
gateways:
- httpbin-gateway
http:
- match:
- uri:
prefix: /status
- uri:
prefix: /delay
route:
- destination:
port:
number: 8000
host: httpbin
EOF
{{< /text >}}
You have now created a [virtual service](/docs/reference/config/networking/virtual-service/)
configuration for the `httpbin` service containing two route rules that allow traffic for paths `/status` and
`/delay`.
The [gateways](/docs/reference/config/networking/virtual-service/#VirtualService-gateways) list
specifies that only requests through your `httpbin-gateway` are allowed.
All other external requests will be rejected with a 404 response.
{{< warning >}}
Internal requests from other services in the mesh are not subject to these rules
but instead will default to round-robin routing. To apply these rules to internal calls as well,
you can add the special value `mesh` to the list of `gateways`. Since the internal hostname for the
service is probably different (e.g., `httpbin.default.svc.cluster.local`) from the external one,
you will also need to add it to the `hosts` list. Refer to the
[operations guide](/docs/ops/common-problems/network-issues#route-rules-have-no-effect-on-ingress-gateway-requests)
for more details.
{{< /warning >}}
## Accessing ingress services
1. Access the _httpbin_ service using _curl_:
@ -228,15 +287,21 @@ Let's see how you can configure a `Gateway` on port 80 for HTTP traffic.
...
{{< /text >}}
## Accessing ingress services using a browser
### Accessing ingress services using a browser
Entering the `httpbin` service URL in a browser won't work because you can't pass the _Host_ header
to a browser like you did with `curl`. In a real world situation, this is not a problem
because you configure the requested host properly and DNS resolvable. Thus, you use the host's domain name
in the URL, for example, `https://httpbin.example.com/status/200`.
To work around this problem for simple tests and demos, use a wildcard `*` value for the host in the `Gateway`
and `VirtualService` configurations. For example, if you change your ingress configuration to the following:
You can work around this problem for simple tests and demos as follows:
{{< tabset category-name="config-api" >}}
{{< tab name="Istio classic" category-value="istio-classic" >}}
Use a wildcard `*` value for the host in the `Gateway`
and `VirtualService` configurations. For example, change your ingress configuration to the following:
{{< text bash >}}
$ kubectl apply -f - <<EOF
@ -276,6 +341,51 @@ spec:
EOF
{{< /text >}}
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
If you remove the host names from the `Gateway` and `HTTPRoute` configurations, they will apply to any request.
For example, change your ingress configuration to the following:
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
name: httpbin-gateway
spec:
gatewayClassName: istio
listeners:
- name: http
port: 80
protocol: HTTP
allowedRoutes:
namespaces:
from: Same
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
name: httpbin
spec:
parentRefs:
- name: httpbin-gateway
rules:
- matches:
- path:
type: PathPrefix
value: /headers
backendRefs:
- name: httpbin
port: 8000
EOF
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}
You can then use `$INGRESS_HOST:$INGRESS_PORT` in the browser URL. For example,
`http://$INGRESS_HOST:$INGRESS_PORT/headers` will display all the headers that your browser sends.
@ -288,6 +398,59 @@ available for edge services.
In the preceding steps, you created a service inside the service mesh
and exposed an HTTP endpoint of the service to external traffic.
## Accessing the ingress gateway using node ports
{{< warning >}}
You should not use these instructions if your Kubernetes environment has an external load balancer supporting
[services of type LoadBalancer](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/).
{{< /warning >}}
If your environment does not support external load balancers, you can still experiment with some of the Istio features by
using the `istio-ingressgateway` service's [node ports](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport).
Set the ingress ports:
{{< text bash >}}
$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
$ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
$ export TCP_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="tcp")].nodePort}')
{{< /text >}}
Setting the ingress IP depends on the cluster provider:
1. _GKE:_
{{< text bash >}}
$ export INGRESS_HOST=worker-node-address
{{< /text >}}
You need to create firewall rules to allow the TCP traffic to the _ingressgateway_ service's ports.
Run the following commands to allow the traffic for the HTTP port, the secure port (HTTPS) or both:
{{< text bash >}}
$ gcloud compute firewall-rules create allow-gateway-http --allow "tcp:$INGRESS_PORT"
$ gcloud compute firewall-rules create allow-gateway-https --allow "tcp:$SECURE_INGRESS_PORT"
{{< /text >}}
1. _IBM Cloud Kubernetes Service:_
{{< text bash >}}
$ ibmcloud ks workers --cluster cluster-name-or-id
$ export INGRESS_HOST=public-IP-of-one-of-the-worker-nodes
{{< /text >}}
1. _Docker For Desktop:_
{{< text bash >}}
$ export INGRESS_HOST=127.0.0.1
{{< /text >}}
1. _Other environments:_
{{< text bash >}}
$ export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')
{{< /text >}}
## Troubleshooting
1. Inspect the values of the `INGRESS_HOST` and `INGRESS_PORT` environment variables. Make sure
@ -311,10 +474,14 @@ they have valid values, according to the output of the following commands:
{{< /text >}}
1. If you have an external load balancer and it does not work for you, try to
[access the gateway using its node port](/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports).
[access the gateway using its node port](#accessing-the-ingress-gateway-using-node-ports).
## Cleanup
{{< tabset category-name="config-api" >}}
{{< tab name="Istio classic" category-value="istio-classic" >}}
Delete the `Gateway` and `VirtualService` configuration, and shutdown the [httpbin]({{< github_tree >}}/samples/httpbin) service:
{{< text bash >}}
@ -322,3 +489,19 @@ $ kubectl delete gateway httpbin-gateway
$ kubectl delete virtualservice httpbin
$ kubectl delete --ignore-not-found=true -f @samples/httpbin/httpbin.yaml@
{{< /text >}}
{{< /tab >}}
{{< tab name="Gateway API" category-value="gateway-api" >}}
Delete the `Gateway` and `HTTPRoute` configuration, and shutdown the [httpbin]({{< github_tree >}}/samples/httpbin) service:
{{< text bash >}}
$ kubectl delete gtw httpbin-gateway
$ kubectl delete httproute httpbin
$ kubectl delete --ignore-not-found=true -f @samples/httpbin/httpbin.yaml@
{{< /text >}}
{{< /tab >}}
{{< /tabset >}}

214
content/en/docs/tasks/traffic-management/ingress/ingress-control/snips.sh
View File

@ -19,61 +19,10 @@
# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
# docs/tasks/traffic-management/ingress/ingress-control/index.md
####################################################################################################
source "content/en/boilerplates/snips/gateway-api-support.sh"
source "content/en/boilerplates/snips/start-httpbin-service.sh"
snip_determining_the_ingress_ip_and_ports_1() {
kubectl get svc istio-ingressgateway -n istio-system
}
! read -r -d '' snip_determining_the_ingress_ip_and_ports_1_out <<\ENDSNIP
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 172.21.109.129 130.211.10.121 ... 17h
ENDSNIP
snip_minikube_tunnel() {
minikube tunnel
}
snip_determining_the_ingress_ip_and_ports_3() {
export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
export TCP_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="tcp")].port}')
}
snip_determining_the_ingress_ip_and_ports_4() {
export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
}
snip_determining_the_ingress_ip_and_ports_5() {
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
export TCP_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="tcp")].nodePort}')
}
snip_determining_the_ingress_ip_and_ports_6() {
export INGRESS_HOST=worker-node-address
}
snip_determining_the_ingress_ip_and_ports_7() {
gcloud compute firewall-rules create allow-gateway-http --allow "tcp:$INGRESS_PORT"
gcloud compute firewall-rules create allow-gateway-https --allow "tcp:$SECURE_INGRESS_PORT"
}
snip_determining_the_ingress_ip_and_ports_8() {
ibmcloud ks workers --cluster cluster-name-or-id
export INGRESS_HOST=public-IP-of-one-of-the-worker-nodes
}
snip_determining_the_ingress_ip_and_ports_9() {
export INGRESS_HOST=127.0.0.1
}
snip_determining_the_ingress_ip_and_ports_10() {
export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')
}
snip_configuring_ingress_using_an_istio_gateway_1() {
snip_configuring_ingress_using_a_gateway_1() {
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
@ -92,7 +41,7 @@ spec:
EOF
}
snip_configuring_ingress_using_an_istio_gateway_2() {
snip_configuring_ingress_using_a_gateway_2() {
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
@ -117,21 +66,102 @@ spec:
EOF
}
snip_configuring_ingress_using_an_istio_gateway_3() {
snip_configuring_ingress_using_a_gateway_3() {
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
name: httpbin-gateway
spec:
gatewayClassName: istio
listeners:
- name: http
hostname: "httpbin.example.com"
port: 80
protocol: HTTP
allowedRoutes:
namespaces:
from: Same
EOF
}
snip_configuring_ingress_using_a_gateway_4() {
kubectl wait --for=condition=ready gtw httpbin-gateway
}
snip_configuring_ingress_using_a_gateway_5() {
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
name: httpbin
spec:
parentRefs:
- name: httpbin-gateway
hostnames: ["httpbin.example.com"]
rules:
- matches:
- path:
type: PathPrefix
value: /status
- path:
type: PathPrefix
value: /delay
backendRefs:
- name: httpbin
port: 8000
EOF
}
snip_minikube_tunnel() {
minikube tunnel
}
snip_determining_the_ingress_ip_and_ports_2() {
kubectl get svc istio-ingressgateway -n istio-system
}
! read -r -d '' snip_determining_the_ingress_ip_and_ports_2_out <<\ENDSNIP
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
istio-ingressgateway LoadBalancer 172.21.109.129 130.211.10.121 ... 17h
ENDSNIP
snip_determining_the_ingress_ip_and_ports_3() {
export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
export TCP_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="tcp")].port}')
}
snip_determining_the_ingress_ip_and_ports_4() {
export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
}
snip_determining_the_ingress_ip_and_ports_5() {
export INGRESS_HOST=$(kubectl get gtw httpbin-gateway -o jsonpath='{.status.addresses[*].value}')
export INGRESS_PORT=$(kubectl get gtw httpbin-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
}
snip_determining_the_ingress_ip_and_ports_6() {
export INGRESS_HOST=$(kubectl get gtw my-gateway -o jsonpath='{.status.addresses[*].value}')
export SECURE_INGRESS_PORT=$(kubectl get gtw my-gateway -o jsonpath='{.spec.listeners[?(@.name=="https")].port}')
}
snip_accessing_ingress_services_1() {
curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200"
}
! read -r -d '' snip_configuring_ingress_using_an_istio_gateway_3_out <<\ENDSNIP
! read -r -d '' snip_accessing_ingress_services_1_out <<\ENDSNIP
HTTP/1.1 200 OK
server: istio-envoy
...
ENDSNIP
snip_configuring_ingress_using_an_istio_gateway_4() {
snip_accessing_ingress_services_2() {
curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/headers"
}
! read -r -d '' snip_configuring_ingress_using_an_istio_gateway_4_out <<\ENDSNIP
! read -r -d '' snip_accessing_ingress_services_2_out <<\ENDSNIP
HTTP/1.1 404 Not Found
...
ENDSNIP
@ -174,6 +204,68 @@ spec:
EOF
}
snip_accessing_ingress_services_using_a_browser_2() {
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
name: httpbin-gateway
spec:
gatewayClassName: istio
listeners:
- name: http
port: 80
protocol: HTTP
allowedRoutes:
namespaces:
from: Same
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
name: httpbin
spec:
parentRefs:
- name: httpbin-gateway
rules:
- matches:
- path:
type: PathPrefix
value: /headers
backendRefs:
- name: httpbin
port: 8000
EOF
}
snip_accessing_the_ingress_gateway_using_node_ports_1() {
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
export TCP_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="tcp")].nodePort}')
}
snip_accessing_the_ingress_gateway_using_node_ports_2() {
export INGRESS_HOST=worker-node-address
}
snip_accessing_the_ingress_gateway_using_node_ports_3() {
gcloud compute firewall-rules create allow-gateway-http --allow "tcp:$INGRESS_PORT"
gcloud compute firewall-rules create allow-gateway-https --allow "tcp:$SECURE_INGRESS_PORT"
}
snip_accessing_the_ingress_gateway_using_node_ports_4() {
ibmcloud ks workers --cluster cluster-name-or-id
export INGRESS_HOST=public-IP-of-one-of-the-worker-nodes
}
snip_accessing_the_ingress_gateway_using_node_ports_5() {
export INGRESS_HOST=127.0.0.1
}
snip_accessing_the_ingress_gateway_using_node_ports_6() {
export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')
}
snip_troubleshooting_1() {
kubectl get svc -n istio-system
echo "INGRESS_HOST=$INGRESS_HOST, INGRESS_PORT=$INGRESS_PORT"
@ -192,3 +284,9 @@ kubectl delete gateway httpbin-gateway
kubectl delete virtualservice httpbin
kubectl delete --ignore-not-found=true -f samples/httpbin/httpbin.yaml
}
snip_cleanup_2() {
kubectl delete gtw httpbin-gateway
kubectl delete httproute httpbin
kubectl delete --ignore-not-found=true -f samples/httpbin/httpbin.yaml
}

66
content/en/docs/tasks/traffic-management/ingress/ingress-control/test.sh
View File

@ -21,6 +21,8 @@ set -o pipefail
source "tests/util/samples.sh"
GATEWAY_API="${GATEWAY_API:-false}"
# @setup profile=default
kubectl label namespace default istio-injection=enabled --overwrite
@ -28,41 +30,47 @@ kubectl label namespace default istio-injection=enabled --overwrite
# start the httpbin sample
startup_httpbin_sample
# check for external load balancer
CMP_MATCH_IP_PENDING=true # TODO(https://github.com/istio/istio.io/issues/8353)
_verify_like snip_determining_the_ingress_ip_and_ports_1 "$snip_determining_the_ingress_ip_and_ports_1_out"
unset CMP_MATCH_IP_PENDING
if [ "$GATEWAY_API" == "true" ]; then
# create the gateway and routes
snip_configuring_ingress_using_a_gateway_3
snip_configuring_ingress_using_a_gateway_4
snip_configuring_ingress_using_a_gateway_5
# set INGRESS_HOST, INGRESS_PORT, SECURE_INGRESS_PORT, and TCP_INGRESS_PORT environment variables
if [[ "$out" != *"<none>"* && "$out" != *"<pending>"* ]]; then
# external load balancer
snip_determining_the_ingress_ip_and_ports_3
else
# node port
# set INGRESS_HOST and INGRESS_PORT environment variables
snip_determining_the_ingress_ip_and_ports_5
snip_determining_the_ingress_ip_and_ports_10
else
# create the gateway and routes
snip_configuring_ingress_using_a_gateway_1
snip_configuring_ingress_using_a_gateway_2
# wait for rules to propagate
_wait_for_istio gateway default httpbin-gateway
_wait_for_istio virtualservice default httpbin
# check for external load balancer
_verify_like snip_determining_the_ingress_ip_and_ports_2 "$snip_determining_the_ingress_ip_and_ports_2_out"
# set INGRESS_HOST, INGRESS_PORT, SECURE_INGRESS_PORT, and TCP_INGRESS_PORT environment variables
snip_determining_the_ingress_ip_and_ports_3
fi
# create the gateway and routes
snip_configuring_ingress_using_an_istio_gateway_1
snip_configuring_ingress_using_an_istio_gateway_2
# wait for rules to propagate
_wait_for_istio gateway default httpbin-gateway
_wait_for_istio virtualservice default httpbin
# access the httpbin service
_verify_elided snip_accessing_ingress_services_1 "$snip_accessing_ingress_services_1_out"
# access the httpbin service
_verify_elided snip_configuring_ingress_using_an_istio_gateway_3 "$snip_configuring_ingress_using_an_istio_gateway_3_out"
_verify_elided snip_accessing_ingress_services_2 "$snip_accessing_ingress_services_2_out"
# access the httpbin service
_verify_elided snip_configuring_ingress_using_an_istio_gateway_4 "$snip_configuring_ingress_using_an_istio_gateway_4_out"
if [ "$GATEWAY_API" == "true" ]; then
# configure for web browser
snip_accessing_ingress_services_using_a_browser_2
else
# configure for web browser
snip_accessing_ingress_services_using_a_browser_1
# configure for web browser
snip_accessing_ingress_services_using_a_browser_1
# wait for rules to propagate
_wait_for_istio gateway default httpbin-gateway
_wait_for_istio virtualservice default httpbin
# wait for rules to propagate
_wait_for_istio gateway default httpbin-gateway
_wait_for_istio virtualservice default httpbin
fi
# helper function
curl_httpbin_headers() {
@ -73,4 +81,6 @@ curl_httpbin_headers() {
_verify_contains curl_httpbin_headers "HTTP/1.1 200 OK"
# @cleanup
snip_cleanup_1
if [ "$GATEWAY_API" != "true" ]; then
snip_cleanup_1
fi

20
pkg/test/istioio/framework.go
View File

@ -140,12 +140,11 @@ func checkFile(path string) (*TestCase, error) {
cleanupScript := splitScript[1]
// copy the files sourced by test to cleanup
re := regexp.MustCompile("(?m)^source \".*\\.sh\"$")
sources := re.FindAllString(testScript, -1)
sources := getNonTestSources(testScript, shortPath)
cleanupScript = strings.Join(sources, "\n") + cleanupScriptPrefix + cleanupScript
// find setup configuration
re = regexp.MustCompile(fmt.Sprintf("(?m)^%v (.*)$", setupSpec))
re := regexp.MustCompile(fmt.Sprintf("(?m)^%v (.*)$", setupSpec))
setups := re.FindAllStringSubmatch(testScript, -1)
if numSetups := len(setups); numSetups != 1 {
@ -269,3 +268,18 @@ func getTemplateScript(template, testPath string) string {
snipsPath := strings.Join(splitPath, "/")
return fmt.Sprintf(template, defaultPath, snipsPath)
}
// getNonTestSources returns test source commands that are not test files.
func getNonTestSources(testScript string, testPath string) []string {
re := regexp.MustCompile("(?m)^source \".*\\.sh\"$")
sources := re.FindAllString(testScript, -1)
testDir := testPath[:strings.LastIndex(testPath, "/")]
re = regexp.MustCompile(fmt.Sprintf("source \"%s/%s/.*test\\.sh\"", defaultPath, testDir))
for i := 0; i < len(sources); i++ {
if re.MatchString(sources[i]) {
sources = append(sources[:i], sources[i+1:]...)
i--
}
}
return sources
}

30
tests/util/gateway-api.sh Normal file
View File

@ -0,0 +1,30 @@
#!/usr/bin/env bash
# shellcheck disable=SC2034
# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
K8S_GATEWAY_API_CRDS="github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.5.0"
GATEWAY_API="true"
function install_gateway_api_crds() {
kubectl kustomize "${K8S_GATEWAY_API_CRDS}" | kubectl apply -f -
}
function remove_gateway_api_crds() {
kubectl kustomize "${K8S_GATEWAY_API_CRDS}" | kubectl delete -f -
kubectl get gateways.gateway.networking.k8s.io >/dev/null 2>&1 || true
# TODO ^^^ remove this kludge which forces the name "gateway" to not stay bound to the deleted crd
}