Use an ingress gateway to access a gRPC service in an ASM instance - Alibaba Cloud Service Mesh

You can use a Service Mesh (ASM) ingress gateway to access Google Remote Procedure Call (gRPC) services in an ASM instance. This allows you to implement accurate access control on gRPC services, improve service governance, and ensure the security of service-to-service communication. This topic describes how to use an ingress gateway to access a gRPC service in an ASM instance and how to shift traffic between two versions of a gRPC service.

Prerequisites

An ingress gateway is deployed. For more information, see Create an ingress gateway.
An ASM instance of the latest version is created and the instance edition is Enterprise or Ultimate. An application is deployed in a Container Service for Kubernetes (ACK) cluster that is added to the ASM instance. For more information, see Deploy an application in a cluster that is associated with an ASM instance.

Step 1: Deploy the two versions of a gRPC service

Deploy version 1 and version 2 of a gRPC service: istio-grpc-server-v1 and istio-grpc-server-v2.

Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Deployments in the left-side navigation pane.
In the upper part of the Deployments page, select a namespace from the Namespace drop-down list and click Create from YAML.
Note
The namespace that you select must have the istio-injection=enabled label, which indicates that automatic sidecar proxy injection is enabled for the namespace. For more information, see Enable automatic sidecar proxy injection.

On the Create page, set Sample Template to Custom, copy the following YAML code to the code editor, and then click Create.

Show the YAML code

apiVersion: apps/v1
kind: Deployment
metadata:
  name: grpc-helloworld-py-v1
  labels:
    app: grpc-helloworld-py
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grpc-helloworld-py
      version: v1
  template:
    metadata:
      labels:
        app: grpc-helloworld-py
        version: v1
    spec:
      containers:
        - name: grpc-helloworld-py
          image: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-grpc-server:grpc-helloworld-py-v1.0
          imagePullPolicy: Always
          env:
            - name: podname
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
          ports:
            - containerPort: 50051
              name: grpc-port
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grpc-helloworld-py-v2
  labels:
    app: grpc-helloworld-py
    version: v2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grpc-helloworld-py
      version: v2
  template:
    metadata:
      labels:
        app: grpc-helloworld-py
        version: v2
    spec:
      containers:
        - name: grpc-helloworld-py
          image: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-grpc-server:grpc-helloworld-py-v1.0
          imagePullPolicy: Always
          env:
            - name: podname
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
          ports:
            - containerPort: 50051
              name: grpc-port
---
apiVersion: v1
kind: Service
metadata:
  name: grpc-helloworld-py
  labels:
    app: grpc-helloworld-py
spec:
  ports:
    - port: 50051
      name: grpc-port
  selector:
    app: grpc-helloworld-py

Step 2: Configure routing rules for the ASM instance

Create an Istio gateway, a virtual service, and a destination rule for the ASM instance to route all inbound traffic to istio-grpc-server-v1.

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
Create an Istio gateway.
1. On the details page of the ASM instance, choose ASM Gateways > Gateway in the left-side navigation pane. On the page that appears, click Create from YAML.
2. On the Create page, select default from the Namespace drop-down list, select a template from the Template drop-down list, copy the following YAML content to the code editor, and then click Create.
```
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: grpc-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 8080
      name: grpc
      protocol: GRPC
    hosts:
    - "*"
```
Create a destination rule.
1. On the details page of the ASM instance, choose Traffic Management Center > DestinationRule in the left-side navigation pane. On the page that appears, click Create from YAML.
2. On the Create page, select default from the Namespace drop-down list, select a template from the Template drop-down list, copy the following YAML content to the code editor, and then click Create.
```
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: dr-istio-grpc-server
spec:
  host: grpc-helloworld-py
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
  subsets:
    - name: v1
      labels:
        version: "v1"
    - name: v2
      labels:
        version: "v2"    
```

Create a virtual service.

On the details page of the ASM instance, choose Traffic Management Center > VirtualService in the left-side navigation pane. On the page that appears, click Create from YAML.

On the Create page, select default from the Namespace drop-down list, select a template from the Template drop-down list, copy the following YAML content to the code editor, and then click Create.

Show the YAML code

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grpc-vs
spec:
  hosts:
  - "*"
  gateways:
  - grpc-gateway
  http:
    - match:
        - port: 8080
      route:
        - destination:
            host: grpc-helloworld-py
            port:
              number: 50051
            subset: v1
          weight: 100
        - destination:
            host: grpc-helloworld-py
            port:
              number: 50051
            subset: v2
          weight: 0

Step 3: Create an ingress gateway or use an existing ingress gateway

Enable port 8080 on the ingress gateway. If port 8080 does not exist, add port 8080.

Create an ingress gateway

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

On the Ingress Gateway page, click Create, configure the parameters as required, and then click Create.

The following table describes some of the parameters. For more information, see Ingress gateway parameters.

Parameter	Description
Cluster	The cluster in which you want to deploy the ingress gateway.
CLB Instance Type	The access type of the Classic Load Balancer (CLB) instance. For this example, select Internet Access.
Create a CLB Instance or Use Existing CLB Instance	You can choose Create a CLB Instance or Use Existing CLB Instance. Use Existing CLB Instance: Select an existing CLB instance from the drop-down list. Create a CLB Instance: Click Create a CLB Instance and select the CLB instance specifications that you need from the drop-down list. Note We recommend that you select a CLB instance for each Kubernetes Service. If multiple Kubernetes Services share the same CLB instance, the following risks and limits exist: If you configure a Kubernetes Service to use a CLB instance that is already used by another Kubernetes Service, the existing listeners of the CLB instance are forcibly overwritten. This may interrupt the original Kubernetes Service. If you create a CLB instance when you create a Kubernetes Service, the CLB instance cannot be shared among Kubernetes Services. Only CLB instances that you create in the CLB console or by calling API operations can be shared. Kubernetes Services that share the same CLB instance must use different frontend listening ports. Otherwise, port conflicts may occur. If multiple Kubernetes Services share the same CLB instance, listener names and vServer group names are used as unique identifiers in Kubernetes. Do not modify the names of listeners or vServer groups. You cannot share a CLB instance across clusters.
Port Mapping	Set Protocol to TCP and Service Port to `8080`.

Add port 8080 to an existing ingress gateway

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
On the Ingress Gateway page, click the name of the desired gateway. In the Basic options section of the Gateway Details page, click the icon next to Port. In the Port Mapping dialog box, click Add Port, set Protocol to TCP, set Service Port to 8080, and then click Submit.

Step 4: Start the gRPC client

gRPCurl is a command-line tool that you can use to interact with gRPC services. It provides you with an easy method to test and debug a gRPC service, as well as view the definition and metadata of the service. To download and install gRPCurl, visit https://github.com/fullstorydev/grpcurl. Run the following command:
```
grpcurl -d '{"name": "Jack"}' -plaintext {IP address of the ingress gateway}:8080 helloworld.Greeter/SayHello
```

The output indicates that all requests are routed to istio-grpc-server-v1.

 "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
 "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
 "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
 "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
 "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"

Step 5: Route traffic to the two versions of the gRPC service based on a specific ratio

Route 40% of the traffic to istio-grpc-server-v2 and 60% of the traffic to istio-grpc-server-v1.

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Traffic Management Center > VirtualService.
On the VirtualService page, find the grpc-vs virtual service and click YAML in the Actions column.

In the Edit dialog box, copy the following YAML code to the code editor. Then, click OK.

....
      route:
        - destination:
            host: grpc-helloworld-py
            port:
              number: 50051
            subset: v1
          weight: 60
        - destination:
            host: grpc-helloworld-py
            port:
              number: 50051
            subset: v2
          weight: 40

Run the following gRPCurl command to access the gRPC service that you deployed in the ASM instance:

grpcurl -d '{"name": "Jack"}' -plaintext {IP address of the ingress gateway}:8080 helloworld.Greeter/SayHello

The output indicates that 40% of the traffic is routed to istio-grpc-server-v2.

Note

The traffic may not be routed to istio-grpc-server-v1 and istio-grpc-server-v2 at an exact ratio of 60:40. However, the overall traffic distribution is always close to this ratio.

"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"