We Keep Coding

using backtrack regex in istio

We are migrating from ingress-nginx to istio. While migrating existing ingress definitions to istio VirtualServices, we came across nginx style rewriting and wanted to achieve the same in istio. When researched it was found that istio doesn't support backtrack replacement. There is an open bug regarding the same in istio. People suggest to handle this via enjoy filters. Since I'm new to istio I've tried creating an Envoy filter but still, the URL returns 404.
Here is the sample ingress-nginx definition that we want to convert
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/configuration-snippet: |
rewrite ^(/sample)$ $1/ permanent;
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
name: sample-ingress
spec:
tls:
- hosts:
- '*.example.com'
secretName: icog-ssl
rules:
- host: abc.example.com
http:
paths:
- backend:
service:
name: sample-ingress
port:
number: 80
path: /sample(/|$)(.*)
pathType: ImplementationSpecific
Here is the Envoy filter that was created to handle Reference
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: sample-filter
spec:
configPatches:
- applyTo: HTTP_ROUTE
match:
routeConfiguration:
vhost:
name: "inbound|http|80"
patch:
operation: MERGE
value:
route:
regex_rewrite:
pattern:
google_re2:
max_program_size: 100
regex: "^/sample(/|$)(.*)$"
substitution: "/\\2"
workloadSelector:
labels:
app: sample
we also tried the following as well Reference
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: sample-filter
spec:
configPatches:
- applyTo: HTTP_ROUTE
match:
context: ANY
patch:
operation: MERGE
value:
route:
regex_rewrite:
pattern:
google_re2:
max_program_size: 100
regex: "^/sample(/|$)(.*)$"
substitution: "/\\2"
workloadSelector:
labels:
app: sample
Here is the Virtual Service:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: sample-vs
namespace: default
spec:
hosts:
- "*.xyz.com"
gateways:
- sample-gateway
http:
- name: sample
match:
- uri:
regex: /sample(/|$)(.*)
rewrite:
uri: /$2
route:
- destination:
host: sample
port:
number: 80
Gateway
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: sample-gateway
namespace: default
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
tls:
httpsRedirect: true
hosts:
- "*.xyz.com"
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: sample-ssl
hosts:
- "*.xyz.com"
Api REquests with Both the Envoyfilter returns 404. Not sure how to make this work with istio.

Finally, I was able to crack it down. It's actually simple. We can just use rewrite along with match in virtual service and there is no need to complicate it using filter. Here is the virtual service.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: sample-vs
namespace: default
spec:
hosts:
- "*.xyz.com"
gateways:
- sample-gateway
http:
- name: sample-trailing
match:
- uri:
prefix: /sample
redirect:
uri: /sample/ # This ensures that the trailing slash is added to the path. same as **rewrite ^(/sample)$ $1/ permanent;**
- name: sample
match:
- uri:
prefix: /sample/
rewrite:
uri: / #This ensures that internally it gets routed to **/$2**
route:
- destination:
host: sample
port:
number: 80
We are misguided by rewrite here we think rewrite rewrites the HTTP URL in the browser whereas it actually rewrites and forwards the request to the respective destination.

How to route two grpc services using Istio virtual service and gateway

I have two grpc services (grpc-1 & grpc-2) in my project. I have deployed the grpc services on two different ports in openshift and created necessary configuration in Istio like gateway and virtual services.
I observed that at any time only one grpc service getting invoked as I am using "/" to route to services. I also tried to add context path like "/grpc-1" and "/grpc-2" but it didn't work.
Below is my code snippet from virtual services and gateway
grpc_gateway.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: grpc-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
name: http
number: 80
protocol: HTTP
hosts:
- "*"
grpc-1-vs.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: grpc-1-vs
spec:
hosts:
- "istio-ingressgateway-istio-system.apps.xxxx.zfjb.p1.openshiftapps.com"
gateways:
- grpc-gateway
http:
- match:
- uri:
prefix: "/"
route:
- destination:
port:
number: 9014
host: grpc-1
grpc-2-vs.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: grpc-2-vs
spec:
hosts:
- "istio-ingressgateway-istio-system.apps.xxxx.zfjb.p1.openshiftapps.com"
gateways:
- grpc-gateway
http:
- match:
- uri:
prefix: "/"
route:
- destination:
port:
number: 9015
host: grpc-2
I am not able to route to two grpc services based on request url. Only one grpc service is being routed.

Istio ingress gateway subdomainrouting based

I have three service that I need to expose via istio ingress gateway, i have setup those services dns records to point to the ingress gateway load balancer but i have not succeded to make it work.
The gateway and virtual service config file :
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: test-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*.mywebsite.io"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: virtualservice
spec:
hosts:
- "*.mywebsite.io"
gateways:
- test-gateway
http:
- name: "api-gateway"
match:
- uri:
exact: "gateway.mywebsite.io"
route:
- destination:
host: gateway.default.svc.cluster.local
port:
number: 8080
- name: "visitor-service"
match:
- uri:
exact: "visitor-service.mywebsite.io"
route:
- destination:
host: visitor-service.default.svc.cluster.local
port:
number: 8000
- name: "auth-service"
match:
- uri:
exact: "auth-service.mywebsite.io"
route:
- destination:
host: auth-service.default.svc.cluster.local
port:
number: 3004

I guess the URI part of the HttpMatchRequest does not work that way. Try to add VirtualServices for each subdomain, i.e. something like.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: gateway-virtualservice
spec:
hosts:
- "gateway.mywebsite.io"
gateways:
- test-gateway
http:
- name: "api-gateway"
match:
- uri:
exact: "/" #or prefix
route:
- destination:
host: gateway.default.svc.cluster.local
port:
number: 8080
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: visitor-virtualservice
spec:
hosts:
- "visitor-service.mywebsite.io"
gateways:
- test-gateway
http:
- name: "visitor-service"
match:
- uri:
exact: "/"
route:
- destination:
host: visitor-service.default.svc.cluster.local
port:
number: 8000

istio virtual service route destination with context path

I have istio configuration on which the docker container runs jasperreports on tomcat(bitnami jasperreports). the application itself could be accessed with context path at http://IP:8080/jasperserver.
I am planning to use istio in my kubernetes configuration, expose the service using http gateway and virtual service. can I add context path of "jasperserver" in addition to destination host and port number in virtual service configuration?
here is my current virtualservice configuration
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: http-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: jasper-virtual-services
spec:
hosts:
- "*"
gateways:
- http-gateway
http:
- match:
- uri:
exact: /report
route:
- destination:
host: jasperserver.reporting.svc.cluster.local
port:
number: 80

You are probably looking for rewrites
Something like
http:
- match:
- uri:
exact: /report
rewrite:
uri: /jasperserver

istio rules doesn't works from external calls

I want that all ingress traffic for specific service is served by version 8 of this service.
Service is reachable from outside with following host:
my.ciro.it
If I call my.ciro.it I can see that rules works fine.Always respondes with 8 version. If I call my.ciro.it from other service (my2.ciro.it) rules doesn't works and service respondes alternative with version 8 or 9.
This is my virtual service and destination rules:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: ciro-service2-destination-rules
spec:
host: ciro-service2.myns.svc.cluster.local
subsets:
- labels:
version: v8
name: v8
- labels:
version: v9
name: v9
trafficPolicy:
tls:
mode: DISABLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: ciro-service2-virtual-service
spec:
hosts:
- my.ciro.it
gateways:
- ciro-service2-gateway
http:
- match:
- uri:
prefix: /
route:
- destination:
host: ciro-service2.myns.svc.cluster.local
subset: v8
port:
number: 8082
weight: 100
- destination:
host: ciro-service2.myns.svc.cluster.local
subset: v9
port:
number: 8082
weight: 0
add gateway
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: ciro-service2-gateway
spec:
selector:
istio: ingressgateway # use istio default controller
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "my.ciro.it"
---

The hosts in Your yaml files is my.ciro.it. Which does not match with my2.ciro.it. If Your plan is to use these rules on both sub-domains hosts You can use wildcard hosts:
...
spec:
hosts:
- *.ciro.it
...
Otherwise You should have:
...
spec:
hosts:
- my2.ciro.it
...

The solution is very simple.
gateways:
- ciro-service2-gateway
- mesh
Add mesh gateway, the rules also applied on internal calls.