You can use a Service Mesh (ASM) ingress gateway to access Google Remote Procedure Call (gRPC) services in an ASM instance. This allows you to implement accurate access control on gRPC services, improve service governance, and ensure the security of service-to-service communication. This topic describes how to use an ingress gateway to access a gRPC service in an ASM instance and how to shift traffic between two versions of a gRPC service.
Prerequisites
An ingress gateway is deployed. For more information, see Create an ingress gateway.
An ASM instance of the latest version is created and the instance edition is Enterprise or Ultimate. An application is deployed in a Container Service for Kubernetes (ACK) cluster that is added to the ASM instance. For more information, see Deploy an application in a cluster that is associated with an ASM instance.
Step 1: Deploy the two versions of a gRPC service
Deploy version 1 and version 2 of a gRPC service: istio-grpc-server-v1 and istio-grpc-server-v2.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
In the upper part of the Deployments page, select a namespace from the Namespace drop-down list and click Create from YAML.
Note: The namespace that you select must have the istio-injection=enabled label, which indicates that automatic sidecar proxy injection is enabled for the namespace. For more information, see Enable automatic sidecar proxy injection.
On the Create page, set Sample Template to Custom, copy the following YAML code to the code editor, and then click Create.
Step 2: Configure routing rules for the ASM instance
Create an Istio gateway, a virtual service, and a destination rule for the ASM instance to route all inbound traffic to istio-grpc-server-v1.
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
Create an Istio gateway.
On the details page of the ASM instance, choose in the left-side navigation pane. On the page that appears, click Create from YAML.
On the Create page, select default from the Namespace drop-down list, select a template from the Template drop-down list, copy the following YAML content to the code editor, and then click Create.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: grpc-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 8080
      name: grpc
      protocol: GRPC
    hosts:
    - "*"
Create a destination rule.
On the details page of the ASM instance, choose in the left-side navigation pane. On the page that appears, click Create from YAML.
On the Create page, select default from the Namespace drop-down list, select a template from the Template drop-down list, copy the following YAML content to the code editor, and then click Create.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: dr-istio-grpc-server
spec:
  host: grpc-helloworld-py
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
  subsets:
  - name: v1
    labels:
      version: "v1"
  - name: v2
    labels:
      version: "v2"
Create a virtual service.
On the details page of the ASM instance, choose in the left-side navigation pane. On the page that appears, click Create from YAML.
On the Create page, select default from the Namespace drop-down list, select a template from the Template drop-down list, copy the following YAML content to the code editor, and then click Create.
Step 3: Create an ingress gateway or use an existing ingress gateway
Enable port 8080 on the ingress gateway. If port 8080 does not exist, add port 8080.
Create an ingress gateway
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
On the Ingress Gateway page, click Create, configure the parameters as required, and then click Create.
The following table describes some of the parameters. For more information, see Ingress gateway parameters.
Parameter: Description
Cluster: The cluster in which you want to deploy the ingress gateway.
CLB Instance Type: The access type of the Classic Load Balancer (CLB) instance. For this example, select Internet Access.
Create a CLB Instance or Use Existing CLB Instance: You can choose Create a CLB Instance or Use Existing CLB Instance.
  Use Existing CLB Instance: Select an existing CLB instance from the drop-down list.
  Create a CLB Instance: Click Create a CLB Instance and select the CLB instance specifications that you need from the drop-down list.
  Note: We recommend that you select a CLB instance for each Kubernetes Service. If multiple Kubernetes Services share the same CLB instance, the following risks and limits exist:
    If you configure a Kubernetes Service to use a CLB instance that is already used by another Kubernetes Service, the existing listeners of the CLB instance are forcibly overwritten. This may interrupt the original Kubernetes Service.
    If you create a CLB instance when you create a Kubernetes Service, the CLB instance cannot be shared among Kubernetes Services. Only CLB instances that you create in the CLB console or by calling API operations can be shared.
    Kubernetes Services that share the same CLB instance must use different frontend listening ports. Otherwise, port conflicts may occur.
    If multiple Kubernetes Services share the same CLB instance, listener names and vServer group names are used as unique identifiers in Kubernetes. Do not modify the names of listeners or vServer groups.
    You cannot share a CLB instance across clusters.
Port Mapping: Set Protocol to TCP and Service Port to 8080.
Add port 8080 to an existing ingress gateway
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
On the Ingress Gateway page, click the name of the desired gateway. In the Basic options section of the Gateway Details page, click the icon next to Port. In the Port Mapping dialog box, click Add Port, set Protocol to TCP, set Service Port to 8080, and then click Submit.
Step 4: Start the gRPC client
gRPCurl is a command-line tool that you can use to interact with gRPC services. It provides you with an easy method to test and debug a gRPC service, as well as view the definition and metadata of the service. To download and install gRPCurl, visit https://github.com/fullstorydev/grpcurl. Run the following command:
grpcurl -d '{"name": "Jack"}' -plaintext {IP address of the ingress gateway}:8080 helloworld.Greeter/SayHello
The output indicates that all requests are routed to istio-grpc-server-v1.
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
Step 5: Route traffic to the two versions of the gRPC service based on a specific ratio
Route 40% of the traffic to istio-grpc-server-v2 and 60% of the traffic to istio-grpc-server-v1.
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
On the VirtualService page, find the grpc-vs virtual service and click YAML in the Actions column.
In the Edit dialog box, copy the following YAML code to the code editor. Then, click OK.
....
    route:
    - destination:
        host: grpc-helloworld-py
        port:
          number: 50051
        subset: v1
      weight: 60
    - destination:
        host: grpc-helloworld-py
        port:
          number: 50051
        subset: v2
      weight: 40
Run the following gRPCurl command to access the gRPC service that you deployed in the ASM instance:
grpcurl -d '{"name": "Jack"}' -plaintext {IP address of the ingress gateway}:8080 helloworld.Greeter/SayHello
The output indicates that 40% of the traffic is routed to istio-grpc-server-v2.
Note: The traffic may not be routed to istio-grpc-server-v1 and istio-grpc-server-v2 at an exact ratio of 60:40. However, the overall traffic distribution is always close to this ratio.
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
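Reading the replies by eye does not scale beyond a handful of requests. The following script is an added example, not part of the original documentation: it repeats the gRPCurl call from Steps 4 and 5, counts the replies per service version, and checks the observed share against the configured weight. GATEWAY_IP, REQUESTS, and the function names are assumptions made for this example; without GATEWAY_IP it replays a constructed sample that mirrors the output shown above.

```shell
#!/bin/sh
# Added example: count which service version answered each SayHello call.
# Assumptions: pod names follow the grpc-helloworld-py-<version>-<hash> pattern
# from the sample output; GATEWAY_IP and REQUESTS are hypothetical variables.

# Read grpcurl responses on stdin; print "<version> <count> <percent>" per version.
tally_versions() {
  grep -oE 'grpc-helloworld-py-v[0-9]+' |
    awk -F- '{ n[$NF]++; total++ }
      END { for (v in n) printf "%s %d %d\n", v, n[v], int(n[v] * 100 / total) }' |
    sort
}

# Read a tally on stdin; succeed if the share of <version> is within <tolerance>
# percentage points of <expected>. Usage: check_split v2 40 10
check_split() {
  awk -v v="$1" -v want="$2" -v tol="$3" '
    $1 == v { got = $3; seen = 1 }
    END { d = got - want; if (d < 0) d = -d; exit !(seen && d <= tol) }'
}

# Constructed sample mirroring the Step 5 output above: 6 replies from v1, 4 from v2.
sample_responses() {
  for v in v1 v1 v2 v1 v2 v1 v2 v1 v2 v1; do
    case $v in v1) pod=v1-79b5dc9654-cg4dq ;; *) pod=v2-7f56b49b7f-9vvr7 ;; esac
    printf '"message": "Hello, Jack! I'\''m from grpc-helloworld-py-%s!"\n' "$pod"
  done
}

# Query the gateway only when GATEWAY_IP is set; otherwise replay the sample.
collect_responses() {
  if [ -n "${GATEWAY_IP:-}" ]; then
    i=0
    while [ "$i" -lt "${REQUESTS:-100}" ]; do
      grpcurl -d '{"name": "Jack"}' -plaintext "${GATEWAY_IP}:8080" helloworld.Greeter/SayHello
      i=$((i + 1))
    done
  else
    sample_responses
  fi
}

collect_responses | tally_versions
```

Set GATEWAY_IP to the IP address of the ingress gateway to run against the deployed service, and pipe the tally into check_split (for example, check_split v2 40 10) to fail a rollout check when the split drifts from the configured weights.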