    Install Istio for Google Cloud Endpoints Services

    This document shows how to manually integrate Istio with existing Google Cloud Endpoints services.

    Before you begin

    If you don’t have an Endpoints service and want to try it out, you can follow the instructions to set up an Endpoints service on GKE. After setup, you should be able to get an API key and store it in the ENDPOINTS_KEY environment variable, and the external IP address in EXTERNAL_IP. You can test the service using the following command:

        $ curl --request POST --header "content-type:application/json" --data '{"message":"hello world"}' "http://${EXTERNAL_IP}/echo?key=${ENDPOINTS_KEY}"

    To install Istio for GKE, follow our Quick Start with Google Kubernetes Engine.

    HTTP endpoints service

    • Inject the service and the deployment into the mesh using --includeIPRanges by following the instructions, so that Egress is allowed to call external services directly. Otherwise, ESP will not be able to access Google Cloud Service Control.

    • After injection, issue the same test command as above to ensure that calling ESP continues to work.

    • If you want to access the service through Istio ingress, create the following networking definitions:

        $ kubectl apply -f - <<EOF
        apiVersion: networking.istio.io/v1alpha3
        kind: Gateway
        metadata:
          name: echo-gateway
        spec:
          selector:
            istio: ingressgateway # use Istio default gateway implementation
          servers:
          - port:
              number: 80
              name: http
              protocol: HTTP
            hosts:
            - "*"
        ---
        apiVersion: networking.istio.io/v1alpha3
        kind: VirtualService
        metadata:
          name: echo
        spec:
          hosts:
          - "*"
          gateways:
          - echo-gateway
          http:
          - match:
            - uri:
                prefix: /echo
            route:
            - destination:
                port:
                  number: 80
                host: esp-echo
        ---
        EOF

    • Get the ingress gateway IP and port by following the instructions. You can verify accessing the Endpoints service through Istio ingress:

        $ curl --request POST --header "content-type:application/json" --data '{"message":"hello world"}' "http://${INGRESS_HOST}:${INGRESS_PORT}/echo?key=${ENDPOINTS_KEY}"

    HTTPS endpoints service using secured Ingress

    The recommended way to securely access a mesh Endpoints service is through an ingress configured with TLS.

    • Install Istio with strict mutual TLS enabled. Confirm that the following command outputs either STRICT or empty:

        $ kubectl get meshpolicy default -n istio-system -o=jsonpath='{.spec.peers[0].mtls.mode}'

    • Re-inject the service and the deployment into the mesh using --includeIPRanges by following the instructions, so that Egress is allowed to call external services directly. Otherwise, ESP will not be able to access Google Cloud Service Control.

    • After this, you will find access to ENDPOINTS_IP no longer works because the Istio proxy only accepts secure mesh connections. Accessing through Istio ingress should continue to work since the ingress proxy initiates mutual TLS connections within the mesh.

    • To secure the access at the ingress, follow the instructions.
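
    As an added example (not part of the original page or the Istio project's own instructions), this is the echo-gateway from the HTTP section rewritten to terminate TLS at the ingress, so the API key in the query string is no longer accepted over cleartext HTTP. It assumes the host name echo.example.com (hypothetical) and a certificate stored in the istio-ingressgateway-certs secret, which the default ingress gateway mounts at /etc/istio/ingressgateway-certs.

```yaml
# Added example: TLS-terminating replacement for the port-80 echo-gateway.
# Assumed prerequisite (file names are placeholders):
#   kubectl create -n istio-system secret tls istio-ingressgateway-certs \
#     --key <path-to-key.pem> --cert <path-to-cert.pem>
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: echo-gateway
spec:
  selector:
    istio: ingressgateway      # same default gateway as the HTTP example
  servers:
  - port:
      number: 443              # the port-80 server is removed, not kept alongside
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE             # server-side TLS between client and ingress
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "echo.example.com"       # assumed host; replaces the "*" wildcard
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: echo
spec:
  hosts:
  - "echo.example.com"         # must match the Gateway host above
  gateways:
  - echo-gateway
  http:
  - match:
    - uri:
        prefix: /echo
    route:
    - destination:
        port:
          number: 80           # ESP still listens on 80 inside the mesh
        host: esp-echo
```

    With strict mutual TLS enabled in the mesh, the hop from the ingress proxy to esp-echo is protected separately from the client-facing TLS configured here.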