@askmeegs
askmeegs / invalid-canary.yaml
Created October 21, 2019 16:02
invalid-canary.yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: frontend
spec:
  host: frontend
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
  subsets:
askmeegs / circuit-breaker-hipstershop.yaml
Created October 17, 2019 22:38
Circuit Breaker - Hipstershop
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: frontend-dr
spec:
  host: frontend
  trafficPolicy:
    connectionPool: # client connections to frontend
      tcp:
        maxConnections: 1 # num. clients envoy will allow to frontend at any time
askmeegs / fault-injection-hipstershop.yaml
Created October 17, 2019 22:37
Fault Injection - hipstershop
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
askmeegs / egress.yaml
Created October 17, 2019 22:36
Hipstershop - Egress Gateway
apiVersion: apps/v1
kind: Deployment
metadata:
  name: currencyservice
spec:
  selector:
    matchLabels:
      app: currencyservice
  template:
    metadata:
askmeegs / istio-response-headers.md
Created September 17, 2019 17:26
istio-response-headers.md

Before applying the VirtualService, I curl my service via the IngressGateway...

HTTP/1.1 200 OK
set-cookie: shop_session-id=41d03447-b622-44b5-b9a3-6cfda72b4754; Max-Age=172800
date: Tue, 17 Sep 2019 17:26:26 GMT
content-type: text/html; charset=utf-8
x-envoy-upstream-service-time: 1091
x-envoy-peer-metadata: [value removed]
x-envoy-peer-metadata-id: router~10.12.1.37~istio-ingressgateway-79ff4f6696-jqlbq.istio-system~istio-system.svc.cluster.local
askmeegs / add-header.yaml
Created September 11, 2019 18:57
add-header.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: frontend
  namespace: default
spec:
  hosts:
  - frontend.default.svc.cluster.local
  http:
  - route:
askmeegs / mtls-some-svc.yaml
Created September 7, 2019 23:15
mtls-some-svc.yaml
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "adservice"
  namespace: onlineboutique
spec:
  targets:
  - name: adservice
  peers:
  - mtls: {}
askmeegs / envoylogs.md
Created August 1, 2019 16:54
diagram - envoy access logs

format

[%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n

examples

askmeegs / istio-benchmark-6.18.md
Last active June 18, 2019 15:36
istio benchmarks 6/18

release-1.2-20190618-09-15

increasing connections, 1000 qps (latency)

python runner/runner.py 1,2,4,8,16,32,64 1000 240 --serversidecar --baseline 

python runner/runner.py 1,2,4,8,16,32,64 1000 240  --serversidecar --labels=nomixer
askmeegs / istio-addon-upgrade-1.1.md
Last active June 12, 2019 23:50
Istio Add-on upgrade notes -- 1.0 --> 1.1

reported behavior: on GKE cluster upgrade to 1.13.6-gke.0, Istio is auto-upgraded to 1.1, and

  1. istio-policy and istio-telemetry (mixer) entered CrashLoopBackOff
  2. galley has TLS Handshake errors
  3. istio-gateway (ingress?) has TLS handshake errors

hypothesis: race condition between pilot and mixer (istio-policy) when all pods are down?