Container Service for Kubernetes: Use an ingress gateway to access a gRPC service in an ASM instance

Last Updated: May 30, 2024

You can use a Service Mesh (ASM) ingress gateway to access Google Remote Procedure Call (gRPC) services in an ASM instance. This allows you to implement accurate access control on gRPC services, improve service governance, and ensure the security of service-to-service communication. This topic describes how to use an ingress gateway to access a gRPC service in an ASM instance and how to shift traffic between two versions of a gRPC service.

Prerequisites

Step 1: Deploy the two versions of a gRPC service

Deploy version 1 and version 2 of a gRPC service: istio-grpc-server-v1 and istio-grpc-server-v2.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Deployments in the left-side navigation pane.

  3. In the upper part of the Deployments page, select a namespace from the Namespace drop-down list and click Create from YAML.

    Note

    The namespace that you select must have the istio-injection=enabled label, which indicates that automatic sidecar proxy injection is enabled for the namespace. For more information, see Enable automatic sidecar proxy injection.

  4. On the Create page, set Sample Template to Custom, copy the following YAML code to the code editor, and then click Create.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: grpc-helloworld-py-v1
      labels:
        app: grpc-helloworld-py
        version: v1
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: grpc-helloworld-py
          version: v1
      template:
        metadata:
          labels:
            app: grpc-helloworld-py
            version: v1
        spec:
          containers:
            - name: grpc-helloworld-py
              image: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-grpc-server:grpc-helloworld-py-v1.0
              imagePullPolicy: Always
              env:
                - name: podname
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.name
              ports:
                - containerPort: 50051
                  name: grpc-port
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: grpc-helloworld-py-v2
      labels:
        app: grpc-helloworld-py
        version: v2
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: grpc-helloworld-py
          version: v2
      template:
        metadata:
          labels:
            app: grpc-helloworld-py
            version: v2
        spec:
          containers:
            - name: grpc-helloworld-py
              image: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-grpc-server:grpc-helloworld-py-v1.0
              imagePullPolicy: Always
              env:
                - name: podname
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.name
              ports:
                - containerPort: 50051
                  name: grpc-port
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: grpc-helloworld-py
      labels:
        app: grpc-helloworld-py
    spec:
      ports:
        - port: 50051
          name: grpc-port
      selector:
        app: grpc-helloworld-py

Step 2: Configure routing rules for the ASM instance

Create an Istio gateway, a virtual service, and a destination rule for the ASM instance to route all inbound traffic to istio-grpc-server-v1.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.

  3. Create an Istio gateway.

    1. On the details page of the ASM instance, choose ASM Gateways > Gateway in the left-side navigation pane. On the page that appears, click Create from YAML.

    2. On the Create page, select default from the Namespace drop-down list, select a template from the Template drop-down list, copy the following YAML content to the code editor, and then click Create.

      apiVersion: networking.istio.io/v1beta1
      kind: Gateway
      metadata:
        name: grpc-gateway
      spec:
        selector:
          istio: ingressgateway
        servers:
        - port:
            number: 8080
            name: grpc
            protocol: GRPC
          hosts:
          - "*"

  4. Create a destination rule.

    1. On the details page of the ASM instance, choose Traffic Management Center > DestinationRule in the left-side navigation pane. On the page that appears, click Create from YAML.

    2. On the Create page, select default from the Namespace drop-down list, select a template from the Template drop-down list, copy the following YAML content to the code editor, and then click Create.

      apiVersion: networking.istio.io/v1beta1
      kind: DestinationRule
      metadata:
        name: dr-istio-grpc-server
      spec:
        host: grpc-helloworld-py
        trafficPolicy:
          loadBalancer:
            simple: ROUND_ROBIN
        subsets:
          - name: v1
            labels:
              version: "v1"
          - name: v2
            labels:
              version: "v2"

  5. Create a virtual service.

    1. On the details page of the ASM instance, choose Traffic Management Center > VirtualService in the left-side navigation pane. On the page that appears, click Create from YAML.

    2. On the Create page, select default from the Namespace drop-down list, select a template from the Template drop-down list, copy the following YAML content to the code editor, and then click Create.

      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: grpc-vs
      spec:
        hosts:
        - "*"
        gateways:
        - grpc-gateway
        http:
          - match:
              - port: 8080
            route:
              - destination:
                  host: grpc-helloworld-py
                  port:
                    number: 50051
                  subset: v1
                weight: 100
              - destination:
                  host: grpc-helloworld-py
                  port:
                    number: 50051
                  subset: v2
                weight: 0        

Step 3: Create an ingress gateway or use an existing ingress gateway

Enable port 8080 on the ingress gateway. If port 8080 does not exist, add port 8080.

Create an ingress gateway

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, click Create, configure the parameters as required, and then click Create.

    The following table describes some of the parameters. For more information, see Ingress gateway parameters.

    | Parameter | Description |
    | --- | --- |
    | Cluster | The cluster in which you want to deploy the ingress gateway. |
    | CLB Instance Type | The access type of the Classic Load Balancer (CLB) instance. For this example, select Internet Access. |
    | Create a CLB Instance or Use Existing CLB Instance | You can choose Create a CLB Instance or Use Existing CLB Instance. Use Existing CLB Instance: Select an existing CLB instance from the drop-down list. Create a CLB Instance: Click Create a CLB Instance and select the CLB instance specifications that you need from the drop-down list. |
    | Port Mapping | Set Protocol to TCP and Service Port to 8080. |

    Note

    We recommend that you select a CLB instance for each Kubernetes Service. If multiple Kubernetes Services share the same CLB instance, the following risks and limits exist:

    • If you configure a Kubernetes Service to use a CLB instance that is already used by another Kubernetes Service, the existing listeners of the CLB instance are forcibly overwritten. This may interrupt the original Kubernetes Service.

    • If you create a CLB instance when you create a Kubernetes Service, the CLB instance cannot be shared among Kubernetes Services. Only CLB instances that you create in the CLB console or by calling API operations can be shared.

    • Kubernetes Services that share the same CLB instance must use different frontend listening ports. Otherwise, port conflicts may occur.

    • If multiple Kubernetes Services share the same CLB instance, listener names and vServer group names are used as unique identifiers in Kubernetes. Do not modify the names of listeners or vServer groups.

    • You cannot share a CLB instance across clusters.

Add port 8080 to an existing ingress gateway

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, click the name of the desired gateway. In the Basic options section of the Gateway Details page, click the icon next to Port. In the Port Mapping dialog box, click Add Port, set Protocol to TCP, set Service Port to 8080, and then click Submit.

Step 4: Start the gRPC client

  1. gRPCurl is a command-line tool that you can use to interact with gRPC services. It provides an easy way to test and debug a gRPC service and to view the definition and metadata of the service. To download and install gRPCurl, visit https://github.com/fullstorydev/grpcurl. Then run the following command. The -plaintext option makes gRPCurl connect without TLS, which matches the GRPC protocol configured for port 8080 on the gateway.

    grpcurl -d '{"name": "Jack"}' -plaintext {IP address of the ingress gateway}:8080 helloworld.Greeter/SayHello

  2. The output indicates that all requests are routed to istio-grpc-server-v1.

     "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
     "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
     "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
     "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
     "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"     

Step 5: Route traffic to the two versions of the gRPC service based on a specific ratio

Route 40% of the traffic to istio-grpc-server-v2 and 60% of the traffic to istio-grpc-server-v1.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Traffic Management Center > VirtualService.

  3. On the VirtualService page, find the grpc-vs virtual service and click YAML in the Actions column.

  4. In the Edit dialog box, copy the following YAML code to the code editor. Then, click OK.

    ....
          route:
            - destination:
                host: grpc-helloworld-py
                port:
                  number: 50051
                subset: v1
              weight: 60
            - destination:
                host: grpc-helloworld-py
                port:
                  number: 50051
                subset: v2
              weight: 40

  5. Run the following gRPCurl command to access the gRPC service that you deployed in the ASM instance:

    grpcurl -d '{"name": "Jack"}' -plaintext {IP address of the ingress gateway}:8080 helloworld.Greeter/SayHello

    The output indicates that 40% of the traffic is routed to istio-grpc-server-v2.

    Note

    The traffic may not be routed to istio-grpc-server-v1 and istio-grpc-server-v2 at an exact ratio of 60:40. However, the overall traffic distribution is always close to this ratio.

    "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
    "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
    "message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
    "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
    "message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
    "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
    "message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
    "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
    "message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
    "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
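
To check the split over many requests rather than by reading the responses, the following added example (not part of the original documentation) counts which version answered each call. It covers both the Step 4 expectation (no traffic to v2) and the Step 5 ratio. The function names, the tolerance argument, and the sample lines are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: measure which version answered each SayHello call.

# Constructed sample responses, modelled on the output shown in Step 5.
sample_output() {
  cat <<'EOF'
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
EOF
}

# tally_versions: read grpcurl output on stdin, print "v1=<n> v2=<n> v2_pct=<p>".
tally_versions() {
  awk '
    match($0, /grpc-helloworld-py-v[12]-/) {
      v = substr($0, RSTART + 19, 2)   # name prefix is 19 chars; v is "v1" or "v2"
      count[v]++; total++
    }
    END {
      pct = total ? int(count["v2"] * 100 / total + 0.5) : 0
      printf "v1=%d v2=%d v2_pct=%d\n", count["v1"], count["v2"], pct
    }'
}

# split_ok WANT_V2_PCT TOLERANCE: succeed if the v2 share read from stdin is within
# TOLERANCE percentage points of WANT_V2_PCT (use "0 0" for the Step 2 rule).
split_ok() {
  local got
  got=$(tally_versions | sed 's/.*v2_pct=//')
  [ "$got" -ge $(($1 - $2)) ] && [ "$got" -le $(($1 + $2)) ]
}

# sample_gateway GATEWAY_IP COUNT: send COUNT requests (needs grpcurl and network access).
sample_gateway() {
  local i
  for i in $(seq "$2"); do
    grpcurl -d '{"name": "Jack"}' -plaintext "$1:8080" helloworld.Greeter/SayHello
  done
}

# Live use: pass <gateway-ip> [count]; without arguments, tally the sample lines.
if [ -n "${1:-}" ]; then
  sample_gateway "$1" "${2:-100}" | tally_versions
else
  sample_output | tally_versions
fi
```

With a live gateway, `sample_gateway <gateway-ip> 200 | split_ok 40 5` exits non-zero when the observed v2 share is more than five percentage points away from the configured weight.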