Ingress, egress, ServiceEntry DATA Flow issues for ISTIO API Gateway?

Question:
ISTIO ingress gateway to proxy an internal backend service works well.
ISTIO ingress gateway + ServiceEntry to proxy requests from an external client to an external backend service works well.
ISTIO egress gateway + ServiceEntry to proxy requests from an internal service to an external service works well.
But it seems the data flow did NOT go through the egress gateway when ISTIO ingress gateway + egress gateway + ServiceEntry are used together. Any feedback on the data flow order in the diagram below? Any feedback on the YAML configuration?

Background:
ISTIO acts as an API Gateway for a backend data service that is outside the k8s/istio cluster.
ISTIO ingress, egress and ServiceEntry are involved. The data flow is shown in the architecture diagram below.

Architecture:

Access Test:
$ kubectl port-forward svc/istio-ingress 8080:8080 -n istio-ingress
$ curl -v -H"host:www.baidu.com" --resolve www.baidu.com:8080:127.0.0.1 http://www.baidu.com:8080/ -o /dev/null -w "%{http_code}\n"

* Added www.baidu.com:8080:127.0.0.1 to DNS cache
* Hostname www.baidu.com was found in DNS cache
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to www.baidu.com (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host:www.baidu.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< accept-ranges: bytes
< cache-control: private, no-cache, no-store, proxy-revalidate, no-transform
< content-length: 2381
< content-type: text/html
< date: Tue, 18 Oct 2022 07:52:43 GMT
< etag: "588604c1-94d"
< last-modified: Mon, 23 Jan 2017 13:27:29 GMT
< pragma: no-cache
< server: istio-envoy
< set-cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
< x-envoy-upstream-service-time: 36
<
{ [2381 bytes data]
100  2381  100  2381    0     0   7044      0 --:--:-- --:--:-- --:--:--  7044
* Connection #0 to host www.baidu.com left intact
200

$ kubectl logs -l istio=ingress -c istio-proxy -n istio-ingress
[2022-10-18T07:52:43.410Z] "GET / HTTP/1.1" 200 - via_upstream - "-" 0 2381 36 36 "172.28.8.131" "curl/7.68.0" "bf507274-53e3-4b43-ac5a-3bc36cef2ddc" "www.baidu.com" "110.242.68.3:80" outbound|8080||www.baidu.com 172.28.8.131:50536 127.0.0.1:8080 127.0.0.1:33802 - -

$ kubectl logs -l istio=egress -c istio-proxy -n istio-egress
NO ACCESS LOG
Meanwhile, the data flow did NOT go through the egress gateway.

YAML Configuration:
#Ingress

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: data-gateway
spec:
  selector:
    istio: ingress  # use istio default controller
  servers:
  - port:
      number: 8080
      name: http
      protocol: HTTP
    hosts:
    - "www.baidu.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: data
spec:
  hosts:
  - "www.baidu.com"
  gateways:
  - data-gateway
  http:
  - match:
    - uri:
        exact: /sample
    - uri:
        prefix: /
    route:
    - destination:
        host: www.baidu.com
        port:
          number: 8080
        # host: data-se
        # port:
        #   number: 80
---
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-ingress
spec:
  accessLogging:
    - providers:
        - name: envoy

#Egress

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egress
  servers:
  - port:
      number: 8080
      name: http
      protocol: HTTP
    hosts:
    - www.baidu.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-cnn-through-egress-gateway
spec:
  hosts:
    - www.baidu.com
  gateways:
    - istio-egressgateway
    - mesh
    #- data-gateway
  http:
    - match:
        - gateways:
            - mesh
          #  - data-gateway
          port: 8080
      route:
        - destination:
            host: istio-egress.istio-egress.svc.cluster.local
            subset: data-se
            port:
              number: 8080
          weight: 100
    - match:
        - gateways:
            - istio-egressgateway
          port: 8080
      route:
        - destination:
            host: www.baidu.com
            port:
              number: 80
          weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-cnn
spec:
  host: istio-egress.istio-egress.svc.cluster.local
  subsets:
  - name: data-se
---
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-egress
spec:
  accessLogging:
    - providers:
        - name: envoy

#ServiceEntry

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: data-se
spec:
  hosts:
    - www.baidu.com
  # addresses:
  #   - 192.168.10.10
  location: MESH_EXTERNAL
  ports:
    - number: 80
      targetPort: 80
      name: http-port
      protocol: HTTP
    # - number: 443
    #   name: https
    #   protocol: HTTPS
  resolution: DNS
  # endpoints:
  #   - address: www.baidu.com
  #     ports:
  #       http: 80

This is because your incoming traffic from the ingress gateway goes directly to www.baidu.com, and you need to change its destination to istio-egress.

maybe:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: data
spec:
  hosts:
  - "www.baidu.com"
  gateways:
  - data-gateway
  http:
  - match:
    - uri:
        exact: /sample
    - uri:
        prefix: /
    route:
    - destination:
        host: istio-egress.istio-egress.svc.cluster.local
        port:
          number: 8080
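To confirm the path from the gateway access logs instead of by eye, here is an added example (not code from the thread or from Istio) that parses Istio's default Envoy access-log text format and flags an ingress line whose upstream cluster is the ServiceEntry host rather than the egress gateway Service. The "before" line is the ingress log from the question; the "after" line and the `outbound|8080||istio-egress...` cluster name are constructed assumptions reflecting the corrected VirtualService.

```python
import shlex

# Field order of Istio's default Envoy access-log text format.
FIELDS = [
    "start_time", "request", "response_code", "response_flags",
    "response_code_details", "connection_termination_details",
    "upstream_transport_failure_reason", "bytes_received", "bytes_sent",
    "duration", "upstream_service_time", "x_forwarded_for", "user_agent",
    "request_id", "authority", "upstream_host", "upstream_cluster",
    "upstream_local_address", "downstream_local_address",
    "downstream_remote_address", "requested_server_name", "route_name",
]

# Assumed Envoy cluster name for the egress gateway Service on port 8080.
EGRESS_CLUSTER = "outbound|8080||istio-egress.istio-egress.svc.cluster.local"


def parse_access_log(line: str) -> dict:
    """Split one access-log line into named fields; quoted fields keep spaces."""
    tokens = shlex.split(line.strip())
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}")
    entry = dict(zip(FIELDS, tokens))
    entry["start_time"] = entry["start_time"].strip("[]")
    return entry


def classify_ingress_path(line: str, egress_cluster: str = EGRESS_CLUSTER) -> str:
    """'via_egress' if the ingress gateway routed to the egress gateway Service,
    'direct_external' if it went to the ServiceEntry host (egress bypassed)."""
    entry = parse_access_log(line)
    return "via_egress" if entry["upstream_cluster"] == egress_cluster else "direct_external"


# Ingress access-log line from the thread (before the fix) and a constructed
# line showing what the ingress should log once it routes via the egress gateway.
INGRESS_BEFORE = ('[2022-10-18T07:52:43.410Z] "GET / HTTP/1.1" 200 - via_upstream - "-" 0 2381 36 36 '
                  '"172.28.8.131" "curl/7.68.0" "bf507274-53e3-4b43-ac5a-3bc36cef2ddc" '
                  '"www.baidu.com" "110.242.68.3:80" outbound|8080||www.baidu.com '
                  '172.28.8.131:50536 127.0.0.1:8080 127.0.0.1:33802 - -')
INGRESS_AFTER = ('[2022-10-18T14:26:38.800Z] "GET / HTTP/1.1" 200 - via_upstream - "-" 0 2381 38 37 '
                 '"172.28.8.131" "curl/7.68.0" "7bf0579c-fe1f-4594-9827-5b09ab542137" '
                 '"www.baidu.com" "172.28.8.132:8080" ' + EGRESS_CLUSTER + ' '
                 '172.28.8.131:46436 127.0.0.1:8080 127.0.0.1:33810 - -')

if __name__ == "__main__":
    for name, line in (("before", INGRESS_BEFORE), ("after", INGRESS_AFTER)):
        print(name, parse_access_log(line)["upstream_host"], classify_ingress_path(line))
```

Run it against `kubectl logs -l istio=ingress -c istio-proxy -n istio-ingress` output to check that no ingress request reaches the external host without passing the egress gateway.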

@kebe7jun
You are definitely correct!!!
After changing the destination host of the ingress VirtualService to istio-egress.istio-egress.svc.cluster.local, everything works well. The HTTP code is 200 and an access log is generated in egress.

As below:
$ kubectl logs -l istio=egress -c istio-proxy -n istio-egress
[2022-10-18T14:26:38.817Z] "GET / HTTP/2" **200** - via_upstream - "-" 0 2381 37 36 "172.28.8.131,172.28.8.131" "curl/7.68.0" "7bf0579c-fe1f-4594-9827-5b09ab542137" "www.baidu.com" "110.242.68.4:80" outbound|8080||www.baidu.com 172.28.8.132:59160 172.28.8.132:8080 172.28.8.131:46436 - -