Mandar U Jog mandarjog

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  labels:
    istio.io/rev: default
    operator.istio.io/version: 1.4.8
  name: ext-authz-1
  namespace: istio-system
spec:
  configPatches:
+ install_istio_with_istioctl [23/1924]
+ local CR_PATH=/mnt/disks/sdb/go/src/istio.io/tools/perf/istio-install/istioctl_profiles/default.yaml
+ pushd /mnt/disks/sdb/go/src/istio.io/tools/perf/istio-install/tmp/1.5-alpha.c086a1cc8247d22c0778ba8f40ad95cf6797b0e2
/mnt/disks/sdb/go/src/istio.io/tools/perf/istio-install/tmp/1.5-alpha.c086a1cc8247d22c0778ba8f40ad95cf6797b0e2 /mnt/disks/sdb/go/src/istio.io/tools/perf/istio-install
+ ./istioctl manifest apply -f /mnt/disks/sdb/go/src/istio.io/tools/perf/istio-install/istioctl_profiles/default.yaml --set meshConfig.rootNamespace=istio-system --force=true
proto: tag has too few fields: "-"
- Applying manifest for component SidecarInjector...
- Applying manifest for component Base...
✔ Finished applying manifest for component SidecarInjector.
✔ Finished applying manifest for component Base.
@mandarjog
mandarjog / gist:c75fbebc5c16dc3c4a8daa90d4153ff9
Created November 6, 2019 21:26
Updating Pilot variables with GKE-add-on
Updating pilot envvars is not possible with istio-on-gke add-on because of the reconciliation loop.
The following steps can update pilot environment variables.
1. Create a config map with the delegation script
kubectl -n istio-system apply -f https://gist.githubusercontent.com/mandarjog/c5fd7201e0d0618d562d0b18cbeebfd8/raw/ae52fb362a5578530e38fe01ee3e40fa2f4b9a8c/istio-pilot-config-map.yaml
The script unsets PILOT_DISABLE_XDS_MARSHALING_TO_ANY env var.
@mandarjog
mandarjog / istio-pilot-config-map.yaml
Created November 6, 2019 21:16
Pilot Script config map
apiVersion: v1
kind: ConfigMap
metadata:
  name: script
data:
  run.sh: |
    #!/bin/bash
    set -ex
    WD=$(dirname $0)
    WD=$(cd $WD;pwd)
@mandarjog
mandarjog / v2_xds_stackdriver.yaml
Last active November 1, 2019 15:22
telemetry v2 sidecar xds config (INBOUND)
# Note that listener.trafficDirection should match "stackdriver_${traffic_direction}"
# https://github.com/envoyproxy/envoy-wasm/blob/master/api/envoy/config/wasm/v2/wasm.proto
# INBOUND
filters:
- name: envoy.http_connection_manager
  typed_config:
    '@type': type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
    forward_client_cert_details: APPEND_FORWARD
    generate_request_id: true
    http_filters:
@mandarjog
mandarjog / envoy-only-dashboard.json
Last active February 26, 2020 06:02
Envoy-only-telemetry
{
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": "-- Grafana --",
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
@mandarjog
mandarjog / als.yaml
Created June 11, 2019 15:58
Access Log service
# Source: twoPodTest/templates/als.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: accesslog-grpc
  name: accesslog-grpc
spec:
  selector:
    matchLabels:
@mandarjog
mandarjog / istio-proxy.log
Created June 11, 2019 04:55
SDS secret not available
[2019-06-11 04:01:16.200][196][debug][filter] [src/envoy/http/mixer/filter.cc:162] Called Mixer::Filter : check complete OK
[2019-06-11 04:01:16.200][196][trace][http] [external/envoy/source/common/http/conn_manager_impl.cc:833] [C2165][S12105457795138984540] decode headers called: filter=0x5145770 status=0
[2019-06-11 04:01:16.200][196][trace][http] [external/envoy/source/common/http/conn_manager_impl.cc:833] [C2165][S12105457795138984540] decode headers called: filter=0x538d270 status=0
[2019-06-11 04:01:16.200][196][trace][http] [external/envoy/source/common/http/conn_manager_impl.cc:833] [C2165][S12105457795138984540] decode headers called: filter=0x5266c30 status=0
[2019-06-11 04:01:16.200][196][debug][router] [external/envoy/source/common/router/router.cc:332] [C2165][S12105457795138984540] cluster 'outbound|8080||fortioclient.twopods.svc.cluster.local' match for URL '/lgraph2'
[2019-06-11 04:01:16.200][196][debug][router] [external/envoy/source/common/router/router.cc:393] [C2165][S12105457795138984540
@mandarjog
mandarjog / GCLB with istio-on-gke-1.1.3
Created June 4, 2019 17:20
GCLB Istio-addon 1.1.3 NodePort gateway
Istio 1.1.3 Istio-add-on does not support a NodePort option for gateway.
We therefore clone the istio-ingressgateway as istio-ingressgateway-private
1. Clone istio-ingressgateway service
a. Modify name
b. Remove all unnecessary config
%> kubectl -n istio-system get svc istio-ingressgateway -o yaml | sed -e 's/istio-ingressgateway/istio-ingressgateway-private/g' -e '/clusterIP/d' -e '/nodePort/d' -e '/targetPort/d' -e 's/type: LoadBalancer/type: NodePort/g' -e '/addonmanager.kubernetes.io/d' -e '/kubernetes.io\/cluster-service/d' > private-svc.yaml
2. Clone istio-ingressgateway deployment
# The following solution is used to enable GCLB with 1.0.x istio-on-gke add on.
#
# Ingress gateway in gke-add-on cannot be modified because it is reconciled.
#
# 1. Create a new ilgateway deployment with `--statusPort 15020`.
# 2. Create a new service of type `NodePort` to point to the above deployment
# 3. In the target namespace, create a `gateway` resource to point to the ilbgateway by using
# `selector: { "istio": "ilgateway" }`
# 4. Point k8s (GCLB) ingress resource to ilgateway
# 5. Add advanced health-check for GCLB