And here are all the resources:
\napiVersion: gateway.networking.k8s.io/v1\nkind: Gateway\nmetadata:\n name: foo-gateway\nspec:\n gatewayClassName: istio\n listeners:\n - name: foo-grpc\n hostname: \"localhost\"\n port: 50051\n protocol: HTTP\n---\napiVersion: networking.istio.io/v1\nkind: VirtualService\nmetadata:\n name: foo-route\nspec:\n gateways:\n - foo-gateway\n hosts:\n - \"localhost\"\n http:\n - name: foo-route\n route:\n - destination:\n host: foo-service.default.svc.cluster.local\n---\napiVersion: networking.istio.io/v1\nkind: DestinationRule\nmetadata:\n name: reviews-destination\nspec:\n host: foo-service.default.svc.cluster.local\n---\napiVersion: v1\nkind: Service\nmetadata:\n name: foo-service\n labels:\n app: foo-app\nspec:\n ports:\n - name: grpc\n port: 50051\n appProtocol: k8s.io/grpc\n selector:\n app: foo-app\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: foo-deployment\n labels:\n app: foo-app\nspec:\n replicas: 1\n selector:\n matchLabels:\n app: foo-app\n template:\n metadata:\n labels:\n app: foo-app\n spec:\n containers:\n - name: foo-container\n image: 'docker.io/grpc/java-example-hostname'\n imagePullPolicy: IfNotPresent\n ports:\n - containerPort: 50051I can invoke the service directly:
\nkubectl port-forward svc/foo-service 9090:50051\ngrpcurl -plaintext -format text -d 'name: \"Jimbo\"' localhost:9090 helloworld.Greeter/SayHelloBut when I instead port-forward to svc/foo-gateway-istio, I get this error:
ERROR:\n Code: Unimplemented\n Message: \nI tried checking things out with Kubeshark and found the matching gRPC request, from foo-gateway-istio-77bc48898f-4b98h/envoy to itself (src and dst are the same). All the headers look right. Interestingly, the request's body (it says \"text/plain\" for some reason) is {\"field_1\":\"Jimbo\"} which almost seems to suggest there's some automatic gRPC-JSON transcoding going on, which would be super confusing.
I would very much appreciate tips on debugging problems like this in general. It seems like Istio issues can be difficult to debug in general. Kubeshark is not providing much help here and the logs for the gateway pod (foo-gateway-istio-77bc48898f-4b98h) are stuck at Envoy proxy is ready. It will save me quite a bit of hair if anybody could also point out the small edit(s) to these resource definitions that I'm sure I'm naively missing.
Figured it out. I had to change the name of the port in the Service to either http2 or grpc. I figured specifying the appProtocol should have been enough, and was using \"new standard protocol\" names from kubernetes/enhancements#3727 i.e. k8s.io/grpc. Apparently this was confusing the gateway, because it wouldn't work until I removed the appProtocol field. I guess Istio doesn't support that KEP?
Edit: should have dug a little deeper: kubernetes/kubernetes#116866
","upvoteCount":0,"url":"https://github.com/istio/istio/discussions/53877#discussioncomment-11249262"}}}
-
|
I apologize in advance for this long plea. I know that people have asked similar versions of this question before. I've read them. I've been searching the docs and SO and GitHub and even trying to read through test files for days but cannot seem to get it to work. There are so many different variables and API versions and I'm struggling to pinpoint the problem. I'm looking for the absolute minimal example to invoke this example gRPC server through an Istio Gateway using a VirtualService on Minikube. Here's what I've got: Setup: # Use enough resources for Istio.
minikube start --memory=16384 --cpus=4
# Set up Istio in Ambient mode.
istioctl install --set profile=ambient --skip-confirmation
# Set up Gateway API.
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yamlAnd here are all the resources: apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: foo-gateway
spec:
gatewayClassName: istio
listeners:
- name: foo-grpc
hostname: "localhost"
port: 50051
protocol: HTTP
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
name: foo-route
spec:
gateways:
- foo-gateway
hosts:
- "localhost"
http:
- name: foo-route
route:
- destination:
host: foo-service.default.svc.cluster.local
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
name: reviews-destination
spec:
host: foo-service.default.svc.cluster.local
---
apiVersion: v1
kind: Service
metadata:
name: foo-service
labels:
app: foo-app
spec:
ports:
- name: grpc
port: 50051
appProtocol: k8s.io/grpc
selector:
app: foo-app
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: foo-deployment
labels:
app: foo-app
spec:
replicas: 1
selector:
matchLabels:
app: foo-app
template:
metadata:
labels:
app: foo-app
spec:
containers:
- name: foo-container
image: 'docker.io/grpc/java-example-hostname'
imagePullPolicy: IfNotPresent
ports:
- containerPort: 50051I can invoke the service directly: kubectl port-forward svc/foo-service 9090:50051
grpcurl -plaintext -format text -d 'name: "Jimbo"' localhost:9090 helloworld.Greeter/SayHelloBut when I instead port-forward to I tried checking things out with Kubeshark and found the matching gRPC request, from I would very much appreciate tips on debugging problems like this in general. It seems like Istio issues can be difficult to debug in general. Kubeshark is not providing much help here and the logs for the gateway pod ( |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 4 replies
-
|
The issue here seems to be mixing Istio Virtual service with Kubernetes Gateway. You can either use: Istio Gateway + VirtualService |
Beta Was this translation helpful? Give feedback.
-
|
BTW, while destination rule can be used with either, your config does nothing so it could be skipped |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for the tips! I'm still a bit confused. According to the docs, "Istio supports the Kubernetes Gateway API and intends to make it the default API for traffic management in the future", so I'm going to try to make it work with that. But I also tried using a apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: foo-gateway
spec:
gatewayClassName: istio
listeners:
- name: foo-grpc
hostname: "localhost"
port: 50051
protocol: HTTP
allowedRoutes:
kinds:
- kind: GRPCRoute
---
apiVersion: gateway.networking.k8s.io/v1
kind: GRPCRoute
metadata:
name: foo-route
spec:
parentRefs:
- name: foo-gateway
rules:
- backendRefs:
- name: foo-service
port: 50051
---
apiVersion: v1
kind: Service
metadata:
name: foo-service
labels:
app: foo-app
spec:
ports:
- name: grpc
port: 50051
appProtocol: k8s.io/grpc
selector:
app: foo-app
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: foo-deployment
spec:
replicas: 1
selector:
matchLabels:
app: foo-app
template:
metadata:
labels:
app: foo-app
spec:
containers:
- name: foo-container
image: 'docker.io/grpc/java-example-hostname'
imagePullPolicy: IfNotPresent
ports:
- containerPort: 50051This results in a different error (using kubectl port-forward svc/foo-gateway-istio 8080:50051
grpcurl -plaintext -proto helloworld.proto -format text -d 'name: "Jimbo"' localhost:8080 helloworld.Greeter/SayHello
# ERROR:
# Code: Unavailable
# Message: upstream connect error or disconnect/reset before headers. reset reason: protocol errorI still see the same request in Kubeshark, though (with the different response) and it doesn't seem to be forwarded anywhere outside the gateway's Envoy pod. |
Beta Was this translation helpful? Give feedback.
-
|
Well, I was able to narrow it down a bit thanks to |
Beta Was this translation helpful? Give feedback.
-
|
Figured it out. I had to change the name of the port in the Edit: should have dug a little deeper: kubernetes/kubernetes#116866 |
Beta Was this translation helpful? Give feedback.
-
|
The kep is not updated to meet reality unfortunately it seems. Istio
supports all the real ones that are approved:
https://github.com/kubernetes/kubernetes/blob/475ee33f698334e5b00c58d3bef4083840ec12c5/pkg/apis/discovery/types.go#L173
…On Wed, Nov 13, 2024, 9:34 PM Will ***@***.***> wrote:
Figured it out. I had to change the name of the port in the Service to
either http2 or grpc. I figured specifying the appProtocol should have
been enough, and was using "new standard protocol" names from
kubernetes/enhancements#3727
<kubernetes/enhancements#3727> i.e. k8s.io/grpc.
Apparently this was confusing the gateway, because it wouldn't work until I
removed the appProtocol field. I guess Istio doesn't support that KEP?
—
Reply to this email directly, view it on GitHub
<#53877 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXOBI52SST76EDNSCUL2AQR6FAVCNFSM6AAAAABRV2X7Q2VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTCMRUHEZDMMQ>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Beta Was this translation helpful? Give feedback.
Figured it out. I had to change the name of the port in the
Serviceto eitherhttp2orgrpc. I figured specifying theappProtocolshould have been enough, and was using "new standard protocol" names from kubernetes/enhancements#3727 i.e.k8s.io/grpc. Apparently this was confusing the gateway, because it wouldn't work until I removed theappProtocolfield. I guess Istio doesn't support that KEP?Edit: should have dug a little deeper: kubernetes/kubernetes#116866