Search code examples
devopsistioistio-gateway

Can I use Istio VirtualService without a Gateway?

As shown in the virtual service docs, I should not have to create a gateway to use a virtual service. However, when I try to inject a header or reroute a request, nothing happens.

# virtual-service.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx-vs
  namespace: default
spec:
  hosts:
  - nginx-web
  http:
  - headers:
      response:
        add:
          My-Custom-Header1: "abc-123"
    route:
    - destination:
        host: nginx-web
        port:
          number: 80

I see that the virtual service has been picked up and is applied to the pod I expect it to.

> istioctl x describe pod nginx-deployment-689cbb8758-5s9ss
Pod: nginx-deployment-689cbb8758-5s9ss
   Pod Ports: 15090 (istio-proxy), 80 (nginx-web)
Suggestion: add 'version' label to pod for Istio telemetry.
--------------------
Service: nginx-web
   Port: http-nginxweb 80/HTTP targets pod port 80
VirtualService: nginx-vs
   1 HTTP route(s)
--------------------
Effectve PeerAuthentication:
   Workload mTLS: PERMISSIVE
Skipping Gateway information (no ingress gateway pods)

But when I curl I don't see the added header:

> curl -v myapp.com
...
< x-envoy-upstream-service-time: 3
< server: istio-envoy
< x-envoy-decorator-operation: nginx-web.default.svc.cluster.local:80/*
< Via: 1.1 google

I have also tried rerouting and a few other tasks from the virtual service but nothing is applying. Do I have to use a gateway for this to work, or is it not actually connecting to the service like I think it is?

This deployment works already with Kubernetes Ingress and Kuberenetes Service handling routing. I want to add in a virtual service to handle retries.

SOLUTION: As other have stated, you do have to use the Istio Gateway for any external requests to get to a virutal service. If you have issues setting up and Istio Gateway, make sure your istio: label is correct. If you're installing with helm the label won't necessarily be the default.

Solution

  • Can I use Istio VirtualService without a Gateway?

    Istio gateway object would be required for routing the external traffic to application pod inside the kubernetes cluster. Once gateway object is created it sets up a proxy to act as a load balancer for ports and protocol for ingress. Please refer istio gateway document for configuring the same. Below is sample gateway

    apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com