---
title: Traffic Management Part 1 - Istio and Envoy basics
tags: Istio, Envoy, Basics
description: Introduce Istio and Envoy API and Envoy configuration basics
---

# Traffic Management Part 1 - Istio and Envoy basics

## Agenda

* Explore Istio Traffic Mgmt API
* Understand basic Envoy concepts and the resulting Envoy configuration
* Introduce Envoy filters

## Request flow ([Bookinfo](https://istio.io/latest/docs/examples/bookinfo/))

### Without Istio

![](https://istio.io/latest/docs/examples/bookinfo/noistio.svg)

### With Istio

![](https://istio.io/latest/docs/examples/bookinfo/withistio.svg)

---

## Istio Traffic Management API

Let's go to a football match...

![](https://i2-prod.mirror.co.uk/incoming/article7360764.ece/ALTERNATES/s615b/Manchester-United.jpg)

### Ingress Gateway

Where is the football match happening?

### Gateway

Where do I enter the stadium from? (Not to be confused with ingress gateway!)

### VirtualService

Me: OK, I've entered. Now where do I go?

Staff (VS): Hello, Mr. Cassidy, your seat is located in `Block E333`. Here's your swag!

### ServiceEntry

This is `Block E333`

### DestinationRule

So many seats...where do I sit?

---

### Let's get our hands dirty!

Let's create Istio config to allow public access to our bookinfo app

#### Create an entrypoint into the cluster

```
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
```

#### Connect the entrypoint to a destination

```
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - name: productpage-route
    match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.bookinfo.svc.cluster.local
        port:
          number: 9080
  - name: reviews-route
    match:
    - uri:
        prefix: /reviews
    route:
    - destination:
        host: reviews.bookinfo.svc.cluster.local
        port:
          number: 9080
```

#### Let's introduce a new service within the cluster

```
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: httpbin
spec:
  hosts:
  - httpbin.local
  location: MESH_INTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  workloadSelector:
    labels:
      app: httpbin
```

*Exercise: expose this service publicly*

Note: we're skipping exploring `DestinationRule` for today. The [Istio doc page](https://istio.io/latest/docs/reference/config/networking/destination-rule/) for it has some nice examples you can try.
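
Because the Gateway and VirtualService above both use host `"*"`, the URI matchers are the only thing deciding which requests reach which backend. The following is an added example (not from the original page or the Istio project) that models that decision for the `bookinfo` rules; it assumes rules are tried in order with the first match winning, that `prefix` is a plain string prefix, and it uses constructed probe paths.

```python
# Added illustration; models only the `exact` and `prefix` URI matchers.
# Route table transcribed from the bookinfo VirtualService above.
HTTP_ROUTES = [
    {"name": "productpage-route",
     "match": [("exact", "/productpage"), ("prefix", "/static"),
               ("exact", "/login"), ("exact", "/logout"),
               ("prefix", "/api/v1/products")],
     "destination": "productpage.bookinfo.svc.cluster.local:9080"},
    {"name": "reviews-route",
     "match": [("prefix", "/reviews")],
     "destination": "reviews.bookinfo.svc.cluster.local:9080"},
]


def uri_matches(kind, value, path):
    """`exact` compares the whole path; `prefix` is a plain string prefix."""
    if kind == "exact":
        return path == value
    if kind == "prefix":
        return path.startswith(value)
    raise ValueError(f"unsupported matcher: {kind}")


def resolve(path, routes=HTTP_ROUTES):
    """Return (route name, destination) of the first matching rule, else None."""
    for route in routes:
        if any(uri_matches(k, v, path) for k, v in route["match"]):
            return route["name"], route["destination"]
    return None  # no rule matched: the gateway answers 404


def exposure_report(paths):
    """Map each probe path to the route that would serve it (or None)."""
    return {p: (resolve(p) or (None, None))[0] for p in paths}


if __name__ == "__main__":
    # Constructed probe paths, including near-misses of the listed URIs.
    probes = ["/productpage", "/productpage/", "/static/css/app.css",
              "/reviews/1", "/reviews-admin", "/api/v1/products/0/ratings",
              "/ratings/1", "/details/1"]
    for path, route in exposure_report(probes).items():
        print(f"{path:32} -> {route or 'no route (404)'}")
```

Note that `/reviews-admin` is forwarded to the reviews service because a `prefix` matcher does not stop at a path segment boundary, while `/productpage/` is not routed at all because `exact` means exact.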

### The resulting Envoy configuration

But first, we need to understand some basic Envoy terminology

#### Listener

As the name suggests, represents a port accepting connections

```
istioctl proxy-config listener $(kubectl get pods --output=jsonpath='{.items[0].metadata.name}' -l istio=ingressgateway -n istio-system) -o json -n istio-system
```

#### Route

Helps Envoy decide where to forward a request to

```
istioctl proxy-config route $(kubectl get pods --output=jsonpath='{.items[0].metadata.name}' -l istio=ingressgateway -n istio-system) -o json -n istio-system
```

#### Cluster

Represents a service or a grouping of pods (or even VMs/ext. services) that provide the same functionality. In other words, a service. A cluster contains `endpoints`

```
istioctl proxy-config cluster $(kubectl get pods --output=jsonpath='{.items[0].metadata.name}' -l istio=ingressgateway -n istio-system) -o json -n istio-system
```

#### Endpoint

Tangible resources that provide actual functionality e.g., pods, VMs

```
istioctl proxy-config endpoints $(kubectl get pods --output=jsonpath='{.items[0].metadata.name}' -l istio=ingressgateway -n istio-system) -o json -n istio-system
```

#### To recap...

![](https://learning.oreilly.com/api/v2/epubs/urn:orm:book:9781492043775/files/assets/iuar_0506.png)

Sounds familiar?

| Envoy       | Istio           |
| ----------- | --------------- |
| Listener    | Gateway         |
| Route       | VirtualService  |
| Cluster     | ServiceEntry    |
| Endpoint    | ---             |

Istio `DestinationRule` is configuration that helps determine which endpoint to forward a request to *after* the destination cluster is determined

---

Let's switch :gear: :gear: :gear: a bit

---

## Envoy Filters

### Why?

* To access Envoy functionality not exposed by the Istio API
* To add custom logic in Envoy

### A simple Envoy filter

#### Request flow

![](https://miro.medium.com/max/2000/0*RM-Rif51UiVlZmYC)

For a detailed description: https://www.envoyproxy.io/docs/envoy/latest/intro/life_of_a_request

#### A fault-injection example

* if we see a header `user=omicron`, we return a 403
* for the /reviews endpoint, if we see a header `urgency=low`, we inject a delay

We will use [Envoy's fault-injection filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/fault_filter#config-http-filters-fault-injection-http-header) to achieve this.

Here's an Envoy filter that achieves the above:

```
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: example-fault-inject
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.fault
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
          headers:
          - name: user
            exact_match: omicron
          abort:
            http_status: 403
            percentage:
              numerator: 100
  - applyTo: HTTP_ROUTE
    match:
      context: GATEWAY
      routeConfiguration:
        vhost:
          route:
            name: reviews-route
    patch:
      operation: MERGE
      value:
        typed_per_filter_config:
          envoy.filters.http.fault:
            "@type": type.googleapis.com/envoy.extensions.filters.http.fault.v3.HTTPFault
            headers:
            - name: urgency
              exact_match: low
            delay:
              fixed_delay: 3s
              percentage:
                numerator: 100
```

---

### Wrap up

* a simple mental model for the Istio Traffic Mgmt API (hopefully!)
* basic Envoy concepts
* when to use an Envoy filter and how to write a simple one

### Interesting talks

* https://youtu.be/cB611FtjHcQ
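
Returning to the fault-injection EnvoyFilter above: it configures the fault filter twice, once at the filter level and once on `reviews-route`. This added example (not from the original page or from Envoy) models how the two combine, under the assumption that Envoy's fault filter uses a route-level configuration in place of the filter-level one rather than merging them; the request cases are constructed.

```python
# Added illustration of how the two fault configs above combine.
# Assumption modelled here: Envoy's fault filter uses the per-route
# config INSTEAD of the filter-level one when a route carries one.
FILTER_LEVEL = {"headers": {"user": "omicron"}, "abort": 403}   # HTTP_FILTER patch
PER_ROUTE = {"reviews-route":                                   # HTTP_ROUTE patch
             {"headers": {"urgency": "low"}, "delay_s": 3}}


def effective_fault(route_name):
    """Per-route settings replace the filter-level settings; no merging."""
    return PER_ROUTE.get(route_name, FILTER_LEVEL)


def headers_match(required, request_headers):
    """Every configured header must be present with the exact value."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    return all(lowered.get(name) == value for name, value in required.items())


def fault_for(route_name, request_headers):
    """Return ('abort', status), ('delay', seconds) or ('pass', None)."""
    cfg = effective_fault(route_name)
    if not headers_match(cfg["headers"], request_headers):
        return ("pass", None)
    if "abort" in cfg:
        return ("abort", cfg["abort"])
    return ("delay", cfg["delay_s"])


if __name__ == "__main__":
    # Constructed requests: (route picked by the VirtualService, headers).
    cases = [
        ("productpage-route", {"user": "omicron"}),
        ("reviews-route", {"urgency": "low"}),
        ("reviews-route", {"user": "omicron"}),  # abort config is shadowed here
        ("reviews-route", {"user": "omicron", "urgency": "low"}),
    ]
    for route, hdrs in cases:
        print(route, hdrs, "->", fault_for(route, hdrs))
```

Under that assumption a request with `user: omicron` is aborted on `productpage-route` but passes through on `reviews-route`, so the 403 rule should be verified per route before anything depends on it.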