Apigee with Istio

guycrets
Participant IV

Interesting evolution to see how Apigee can integrate with Istio. While working through this new world of Kubernetes and Istio, I gave the apigee istio adapter a try following the instructions.

Used Google's Istio GKE Deployment Manager to create 4 node Kubernetes cluster with Istio installed. Locaten europe-west-1d (Belgium). Unchecked the deploy of the sample bookinfo app, but still gets installed.

Provisioning the Istio adapter from Windows failed. Resolved by switching to Linux.

.\apigee-istio.exe provision -o <myorg> -e <myenv> -u <email> -p <password> > samples\apigee\handler.yaml
error deploying auth proxy: error importing proxy istio-auth: POST https://api.enterprise.apigee.com/v1/o/<myorg>/apis?action=import&name=istio-auth: 400 Bundle is invalid. Empty bundle

Ran into the 404 error as well described, caused by the sample Istio bookinfo application. Easily resolved by executing kubectl delete gateway bookinfo-gateway as described in the docs.

Applied the configuration changes.

kubectl apply -f samples/apigee/definitions.yaml
kubectlapply -f samples/apigee/handler.yaml
kubectl apply -f samples/apigee/rule.yaml

Failure: do not get the expected PERMISSION_DENIED error calling the /hello URL. Stuck.

[vagrant@localhost apigee-istio-adapter]$ curl http://$HELLOWORLD_URL/hello
Hello version: v2, instance: helloworld-v2-857dfd6c45-z7mbq

Some suggestions very welcome!

A bigger architectural picture would also be welcome, still struggling a bit to grasp the big picture and future evolution.

1 4 1,469
4 REPLIES 4

Former Community Member
Not applicable

Thank you for trying this @guycrets

Regarding problem #1 (provisioning on Windows), I have opened a GitHub issue here.

Regarding problem #2, it takes about a minute for the Istio rule to take effect. Here are some tips to debug:

1) Check the istio-policy logs, ensure the call is reaching Mixer.

2) Trace the istio-auth proxy, ensure Mixer calls the proxy.

ps: For future reference, here is the link to the official docs.

guycrets
Participant IV

Some background information between Apigee and Istio is available in the talk "Introduction to Service Management with Istio Service Mesh" from Google conference in July 2018. Good background material.

guycrets
Participant IV

Questions solved:

1) Was using git bash. From Windows command line, the apigee-istio.exe is working OK.

2) One must use the istio-demo.yaml as provided by Apigee in samples/istio and NOT use the install file that comes with the Istio 1.0.0 download. Apigee has changed the image for the mixer. This was not clear from the docs.

containers:
- name: mixer
  # image: "gcr.io/istio-release/mixer:1.0.0"
  image: "gcr.io/apigee-api-management-istio/istio-mixer:1.0.0"

Steps I took to experiment on Google Kubernetes (based on Google Istio docs). Used git bash on Windows 10, except for the apigee-istio commands.

  • Register for free Google cloud account
  • Install gcloud SDK
  • Install kubectl:
    gcloud components install kubectl
  • Configure gcloud:
    gcloud config set project <project>
    gcloud config set gcloud config set compute/zone europe-west1-d
  • Create Kubernetes cluster, went for 2 "standard" nodes:
    container clusters create <project> --num-nodes 2 --machine-type n1-standard-2 --no-enable-legacy-authorization
  • Specific setting required regarding security:
    kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin--user=$(gcloud config get-value core/account)
  • Get credentials, being stored in home-dir/.kube/config
    gcloud container clusters get-credentials <project>

    If you have multiple kubernetes clusters or earlier installs, see https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/)

  • Install Istio, using the install as provided by Apigee (!)
    kubectl apply -f samples/istio/istio-demo.yaml
    kubectl get pods -n istio-system 

And continue as described on https://github.com/apigee/istio-mixer-adapter.

Make sure that your product name only contains characters, numbers and hyphens (and not underscores as I initially did).

To view Istio logs, e.g. from Mixer, see here.

Not applicable

Hola, tengo un problema similar, el detalle es que no funciona apigee-istio.exe, trato de hacer todo con la cloud shell de GCP, pero no logro editar handler.yaml