Hello,
I have an istio injected service which is exposed through a LB (GKE) to the internet. Thus, the LB cannot have an istio-proxy.
Is there a way (maybe using EnvoyFilters) to make use of circuit breaking on server side? Has anyone succeeded in doing this?
Thanks!
PS: I know that maybe the right way to do it is using an istio-ingress-gateway that routes to my service, but this is not possible in my use case.
If you are running a traditional K8S ingress behind a Layer 7 GKE LB, you can absolutely run an Istio-ingress-gateway as the backend service of your K8S ingress. Try it, it works.
You will run into issues with your GKE LB health check port because Google is persnickety about the health check port being the same as your service, but you can handle that with a virtual service, something like this:
Name: health-check-rewrite
Namespace: your-namespace
Labels: <none>
Annotations: <none>
API Version: networking.istio.io/v1beta1
Kind: VirtualService
Spec:
Gateways:
yourgateway-gateway
Hosts:
*
Http:
Match:
Headers:
User - Agent:
Prefix: GoogleHC
Method:
Exact: GET
Uri:
Exact: /
Rewrite:
Authority: your-ingressgateway.your-namespace.svc.cluster.local:15021
Uri: /healthz/ready
Route:
Destination:
Host: your-ingressgateway.your-namespace.svc.cluster.local
Port:
Number: 15021
This is a known solution, I did not write it, but I have implemented it successfully… Grep the internet for more info.
Hello @yeti ,
I can’t use the istio-ingress-gateway, I must have the GKE LB hit my service directly.
I tried changing the inbound| cluster of my service with EnvoyFilter (with workloadSelector), but it seems that proto.Merge only adds to circuitbreakers.thresholds array instead of overwriting.