istio-official-translation
Source File: /docs/tasks/traffic-management/egress/egress-gateway/index.md Diff:
diff --git a/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md b/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md
index cd8caeb4b..7fc1880a5 100644
--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md
@@ -115,59 +115,6 @@ First create a `ServiceEntry` to allow direct traffic to an external service.
1. Create an egress `Gateway` for _edition.cnn.com_, port 80, and a destination rule for
traffic directed to the egress gateway.
- Choose the instructions corresponding to whether or not you have
- [mutual TLS Authentication](/docs/tasks/security/authentication/mutual-tls/) enabled in Istio.
-
- {{< tabset category-name="mtls" >}}
-
- {{< tab name="mutual TLS enabled" category-value="enabled" >}}
-
- {{< text bash >}}
- $ kubectl apply -f - <<EOF
- apiVersion: networking.istio.io/v1alpha3
- kind: Gateway
- metadata:
- name: istio-egressgateway
- spec:
- selector:
- istio: egressgateway
- servers:
- - port:
- number: 80
- name: https
- protocol: HTTPS
- hosts:
- - edition.cnn.com
- tls:
- mode: MUTUAL
- serverCertificate: /etc/certs/cert-chain.pem
- privateKey: /etc/certs/key.pem
- caCertificates: /etc/certs/root-cert.pem
- ---
- apiVersion: networking.istio.io/v1alpha3
- kind: DestinationRule
- metadata:
- name: egressgateway-for-cnn
- spec:
- host: istio-egressgateway.istio-system.svc.cluster.local
- subsets:
- - name: cnn
- trafficPolicy:
- loadBalancer:
- simple: ROUND_ROBIN
- portLevelSettings:
- - port:
- number: 80
- tls:
- mode: ISTIO_MUTUAL
- sni: edition.cnn.com
- EOF
- {{< /text >}}
-
- {{< /tab >}}
-
- {{< tab name="mutual TLS disabled" category-value="disabled" >}}
-
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
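Review bot: the block removed in this hunk is the only place the page configured `tls.mode: MUTUAL` on the egress `Gateway` server (with the `/etc/certs/*.pem` paths) and `tls.mode: ISTIO_MUTUAL` plus `sni: edition.cnn.com` on the `DestinationRule`, and the hunk keeps only the former "mutual TLS disabled" variant without saying why the enabled case no longer needs separate configuration. Add one sentence after "Create an egress `Gateway` for _edition.cnn.com_, port 80, and a destination rule ..." stating what now secures the sidecar-to-egress-gateway hop when mutual TLS is on (if Istio handles it automatically, say so); otherwise a reader running strict mutual TLS is left with either plain HTTP on that hop or a failing handshake and no pointer to what changed.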
@@ -196,10 +143,6 @@ First create a `ServiceEntry` to allow direct traffic to an external service.
EOF
{{< /text >}}
- {{< /tab >}}
-
- {{< /tabset >}}
-
1. Define a `VirtualService` to direct traffic from the sidecars to the egress gateway and from the egress gateway
to the external service:
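Review bot: the `{{< text bash >}}` ... `{{< /text >}}` block that survives this hunk was previously nested inside `{{< tab >}}`; with the tab and tabset closers removed, check that its indentation still places it under list item 1, otherwise an unindented block splits the list and the following "1. Define a `VirtualService` ..." item renders as a new list starting at 1. The leading whitespace is not visible in this view.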
@@ -323,94 +266,6 @@ You need to specify port 443 with protocol `TLS` in a corresponding `ServiceEntr
1. Create an egress `Gateway` for _edition.cnn.com_, a destination rule and a virtual service
to direct the traffic through the egress gateway and from the egress gateway to the external service.
- Choose the instructions corresponding to whether or not you have
- [mutual TLS Authentication](/docs/tasks/security/authentication/mutual-tls/) enabled in Istio.
-
- {{< tabset category-name="mtls" >}}
-
- {{< tab name="mutual TLS enabled" category-value="enabled" >}}
-
- {{< text bash >}}
- $ kubectl apply -f - <<EOF
- apiVersion: networking.istio.io/v1alpha3
- kind: Gateway
- metadata:
- name: istio-egressgateway
- spec:
- selector:
- istio: egressgateway
- servers:
- - port:
- number: 443
- name: tls-cnn
- protocol: TLS
- hosts:
- - edition.cnn.com
- tls:
- mode: MUTUAL
- serverCertificate: /etc/certs/cert-chain.pem
- privateKey: /etc/certs/key.pem
- caCertificates: /etc/certs/root-cert.pem
- ---
- apiVersion: networking.istio.io/v1alpha3
- kind: DestinationRule
- metadata:
- name: egressgateway-for-cnn
- spec:
- host: istio-egressgateway.istio-system.svc.cluster.local
- subsets:
- - name: cnn
- trafficPolicy:
- loadBalancer:
- simple: ROUND_ROBIN
- portLevelSettings:
- - port:
- number: 443
- tls:
- mode: ISTIO_MUTUAL
- sni: edition.cnn.com
- ---
- apiVersion: networking.istio.io/v1alpha3
- kind: VirtualService
- metadata:
- name: direct-cnn-through-egress-gateway
- spec:
- hosts:
- - edition.cnn.com
- gateways:
- - mesh
- - istio-egressgateway
- tls:
- - match:
- - gateways:
- - mesh
- port: 443
- sni_hosts:
- - edition.cnn.com
- route:
- - destination:
- host: istio-egressgateway.istio-system.svc.cluster.local
- subset: cnn
- port:
- number: 443
- tcp:
- - match:
- - gateways:
- - istio-egressgateway
- port: 443
- route:
- - destination:
- host: edition.cnn.com
- port:
- number: 443
- weight: 100
- EOF
- {{< /text >}}
-
- {{< /tab >}}
-
- {{< tab name="mutual TLS disabled" category-value="disabled" >}}
-
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
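Review bot: same gap as in the port 80 hunk, but with a passthrough gateway (`protocol: TLS` on 443) it matters more: the removed variant is the only one where the sidecar-to-gateway hop is explicitly protected (`tls.mode: MUTUAL` on the `Gateway`, `ISTIO_MUTUAL` plus `sni` on the `DestinationRule`) and where the `VirtualService` separates the `tls` match on `gateways: [mesh]` with `sni_hosts` from the `tcp` match on `gateways: [istio-egressgateway]`. The retained variant is not visible past its first line; confirm it keeps that mesh/gateway split of the `tls` and `tcp` routes, and add one sentence under "Create an egress `Gateway` for _edition.cnn.com_, a destination rule and a virtual service ..." saying how the hop to the gateway is secured when mutual TLS is enabled.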
@@ -477,10 +332,6 @@ You need to specify port 443 with protocol `TLS` in a corresponding `ServiceEntr
EOF
{{< /text >}}
- {{< /tab >}}
-
- {{< /tabset >}}
-
1. Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics).
The output should be the same as before.
@@ -660,39 +511,6 @@ external service.
1. Create the same destination rule as for the `sleep` pod in the `default` namespace to direct the traffic through the egress gateway:
- Choose the instructions corresponding to whether or not you have
- [mutual TLS Authentication](/docs/tasks/security/authentication/mutual-tls/) enabled in Istio.
-
- {{< tabset category-name="mtls" >}}
-
- {{< tab name="mutual TLS enabled" category-value="enabled" >}}
-
- {{< text bash >}}
- $ kubectl apply -n test-egress -f - <<EOF
- apiVersion: networking.istio.io/v1alpha3
- kind: DestinationRule
- metadata:
- name: egressgateway-for-cnn
- spec:
- host: istio-egressgateway.istio-system.svc.cluster.local
- subsets:
- - name: cnn
- trafficPolicy:
- loadBalancer:
- simple: ROUND_ROBIN
- portLevelSettings:
- - port:
- number: 443
- tls:
- mode: ISTIO_MUTUAL
- sni: edition.cnn.com
- EOF
- {{< /text >}}
-
- {{< /tab >}}
-
- {{< tab name="mutual TLS disabled" category-value="disabled" >}}
-
{{< text bash >}}
$ kubectl apply -n test-egress -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
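Review bot: the step text "Create the same destination rule as for the `sleep` pod in the `default` namespace" is kept, but this hunk removes the `ISTIO_MUTUAL` variant of that rule in `test-egress`, so "the same" now has to mean the rule retained in the port 443 hunk above. Verify that the surviving `kubectl apply -n test-egress` block matches it field for field (host `istio-egressgateway.istio-system.svc.cluster.local`, subset `cnn`, port `443`), because the `NetworkPolicy` referenced in the next step only permits traffic to `istio-egressgateway`, and a mismatched subset would make the request fail for a reason unrelated to the policy being demonstrated.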
@@ -706,10 +524,6 @@ external service.
EOF
{{< /text >}}
- {{< /tab >}}
-
- {{< /tabset >}}
-
1. Send an HTTPS request to [https://edition.cnn.com/politics](https://edition.cnn.com/politics). Now it should succeed
since the traffic flows to `istio-egressgateway` in the `istio-system` namespace, which is allowed by the
Network Policy you defined. `istio-egressgateway` forwards the traffic to `edition.cnn.com`.
@@ -719,13 +533,17 @@ external service.
200
{{< /text >}}
-1. Check the statistics of the egress gateway's proxy and see a counter that corresponds to our
- requests to _edition.cnn.com_. If Istio is deployed in the `istio-system` namespace, the command to print the
- counter is:
+1. Check the log of the egress gateway's proxy. If Istio is deployed in the `istio-system` namespace, the command to
+ print the log is:
{{< text bash >}}
- $ kubectl exec $(kubectl get pod -l istio=egressgateway -n istio-system -o jsonpath='{.items[0].metadata.name}') -c istio-proxy -n istio-system -- pilot-agent request GET stats | grep edition.cnn.com.upstream_cx_total
- cluster.outbound|443||edition.cnn.com.upstream_cx_total: 2
+ $ kubectl logs -l istio=egressgateway -n istio-system
+ {{< /text >}}
+
+ You should see a line similar to the following:
+
+ {{< text plain >}}
+ [2020-03-06T18:12:33.101Z] "- - -" 0 - "-" "-" 906 1352475 35 - "-" "-" "-" "-" "151.101.193.67:443" outbound|443||edition.cnn.com 172.30.223.53:39460 172.30.223.53:443 172.30.223.58:38138 edition.cnn.com -
{{< /text >}}
### Cleanup network policies
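Review bot: the replacement check in this hunk (`kubectl logs -l istio=egressgateway -n istio-system`) is weaker than the `upstream_cx_total` counter it replaces and has two preconditions the text should state. First, the line shown is an Envoy access-log entry, which only appears when proxy access logging is enabled (`meshConfig.accessLogFile`); on a mesh where it is off the command prints nothing, and the reader cannot tell a logging gap from a routing failure, so either name the prerequisite or keep the stats query as a fallback. Second, `kubectl logs` with a label selector returns only the last 10 lines per pod by default, so on a busy gateway the `edition.cnn.com` entry may already have scrolled away; suggest `kubectl logs -l istio=egressgateway -n istio-system --tail=100 | grep edition.cnn.com` or similar. The sample line itself is a reasonable illustration of a TLS passthrough entry (`"- - -"` request line, `outbound|443||edition.cnn.com` upstream).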
@@ -745,12 +563,7 @@ external service.
## Troubleshooting
-1. Check if you have [mutual TLS Authentication](/docs/tasks/security/authentication/mutual-tls/) enabled in Istio, following the
- steps in [Verify mutual TLS configuration](/docs/tasks/security/authentication/mutual-tls/#verify-mutual-tls-configuration).
- If mutual TLS is enabled, make sure you create the configuration
- items accordingly (note the remarks _If you have mutual TLS Authentication enabled in Istio, you must create..._).
-
-1. If [mutual TLS Authentication](/docs/tasks/security/authentication/mutual-tls/) is enabled, verify the correct certificate of the
+1. If [mutual TLS Authentication](/docs/tasks/security/authentication/authn-policy/) is enabled, verify the correct certificate of the
egress gateway:
{{< text bash >}}
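Review bot: the kept troubleshooting step now links to `/docs/tasks/security/authentication/authn-policy/`, while the removed step, and every block removed earlier in this patch, linked to `/docs/tasks/security/authentication/mutual-tls/`; grep the rest of the file for any remaining `mutual-tls/` link and for the remarks the removed step cites ("_If you have mutual TLS Authentication enabled in Istio, you must create..._"), since those lines are outside this diff and would otherwise become dead links or instructions for configuration this patch deleted. The removed step was also the reader's only pointer to how to verify whether mutual TLS is enabled; if "Verify mutual TLS configuration" has a counterpart on the new page, link it from the retained step so "If mutual TLS Authentication is enabled" remains actionable.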